AI data security readiness gap: what IAM teams need to know


(@nhi-mgmt-group)

TL;DR: Across a survey of more than 900 IT and security leaders, 83% of enterprises said they are already using AI, but only 13% reported strong visibility into how AI interacts with sensitive data, according to Cyera and CyberSecurity Insiders. The gap shows that governance, monitoring, and access control are still trailing AI adoption, especially where AI behaves like an identity with data access.

NHIMG editorial — based on content published by Cyera: Cyera Research Labs and the 2025 State of AI Data Security Report

By the numbers:

Questions worth separating out

Q: How should security teams govern AI systems that access sensitive data?

A: Security teams should govern AI systems as identities with explicit entitlements, owners, and audit trails.

Q: Why do autonomous AI agents increase data security risk?

A: Autonomous AI agents increase risk because they can choose actions, chain tools, and continue execution without waiting for a human to approve each step.

Q: What do organisations get wrong about AI access controls?

A: The most common mistake is treating AI access as a one-time entitlement issue instead of a runtime governance problem.

Practitioner guidance

  • Classify AI as a governed identity class: Assign ownership, access boundaries, and audit requirements to each AI system that can retrieve sensitive data.
  • Separate supervised assistants from autonomous agents: Use distinct policies for tools that respond under human supervision and tools that can continue execution without a person approving each step.
  • Enforce monitoring at the prompt and connector layer: Log what data sources AI can query, what it retrieves, and when it returns sensitive content.

What's in the full report

Cyera's full research covers the operational detail this post intentionally leaves for the source:

  • Survey methodology and respondent breakdown across 900-plus IT and security leaders
  • The report's full mapping of AI readiness findings to the OWASP Top 10 for LLM Applications
  • Guidance on how security leaders can translate visibility findings into program controls
  • The supporting blog post and research-lab framing for teams that want the original data set

👉 Read Cyera's research on AI data security readiness and governance gaps →
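The three controls in the practitioner guidance above, combined in one sketch. This is an added example, not code from Cyera or NHIMG. It shows a connector-layer gate that checks each AI identity's entitlements at call time, applies a stricter rule to autonomous agents, and writes an audit record for every query. The `ConnectorGate` class, identity names, data sources and labels are hypothetical.

```python
from dataclasses import dataclass, field
SENSITIVE_LABELS = {"pii", "financial"}  # hypothetical classification labels

@dataclass(frozen=True)
class AIIdentity:
    owner: str          # accountable team
    mode: str           # "supervised" or "autonomous"
    sources: frozenset  # data sources this identity is entitled to query

@dataclass
class ConnectorGate:
    """Runtime policy check and audit trail in front of every connector call."""
    registry: dict
    audit_log: list = field(default_factory=list)

    def query(self, name, source, fetch, approved_by=None):
        ident = self.registry.get(name)
        decision, labels, rows = "deny:unknown_identity", [], []
        if ident is not None and source not in ident.sources:
            decision = "deny:source_not_entitled"
        elif ident is not None:
            rows = fetch(source)
            labels = sorted({lab for r in rows for lab in r["labels"]} & SENSITIVE_LABELS)
            # Stricter policy for autonomous agents: sensitive results are
            # withheld unless a human approved this specific call.
            if labels and ident.mode == "autonomous" and not approved_by:
                decision, rows = "deny:sensitive_needs_approval", []
            else:
                decision = "allow"
        self.audit_log.append({
            "identity": name, "owner": ident.owner if ident else None,
            "source": source, "decision": decision,
            "sensitive_labels": labels, "approved_by": approved_by})
        return rows

def sample_fetch(source):  # constructed stand-in for a real connector
    data = {"wiki": [{"text": "VPN setup guide", "labels": []}],
            "crm": [{"text": "customer record", "labels": ["pii"]}]}
    return data[source]

def demo():
    both = frozenset({"wiki", "crm"})
    gate = ConnectorGate({
        "helpdesk-assistant": AIIdentity("it-support", "supervised", both),
        "triage-agent": AIIdentity("secops", "autonomous", both)})
    gate.query("helpdesk-assistant", "crm", sample_fetch)
    gate.query("triage-agent", "crm", sample_fetch)
    gate.query("triage-agent", "crm", sample_fetch, approved_by="alice")
    gate.query("triage-agent", "hr", sample_fetch)
    return gate.audit_log
```

Every call is logged, including denials and calls from unregistered identities, so the audit trail records attempted access as well as what was returned.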
