AI data security visibility gap: are your controls keeping up?


(@nhi-mgmt-group)

TL;DR: AI use is now mainstream in enterprises, but only 13% of organisations report strong visibility into how it touches data, while 66% have already caught AI over-accessing sensitive information, according to Cyera’s 2025 State of AI Data Security Report. The real problem is not adoption, it is that governance still treats AI like an ordinary app or user and therefore misses prompt-layer risk and over-permissioned access.

NHIMG editorial — based on content published by Cyera: 2025 State of AI Data Security Report

By the numbers:

Questions worth separating out

Q: How should security teams govern AI systems that access sensitive data?

A: Treat the AI as a governed non-human identity, not as a normal application.

Q: Why do AI deployments over-access data so easily?

A: They often inherit broad permissions designed for convenience, not for machine behaviour.

Q: How do organisations know whether AI controls are actually working?

A: Look for evidence at the point of use, not just policy approval.

Practitioner guidance

  • Instrument AI access as identity telemetry: Log prompts, retrievals, tool calls, and outputs as access events so you can reconstruct what data the AI touched and when.
  • Assign AI a distinct identity class: Stop inheriting broad application permissions by default and define task-scoped entitlements by data classification, environment, and approved use case.
  • Enforce pre-output policy controls: Apply redaction, approval gates, and kill switches before sensitive content leaves the AI workflow, especially where public prompts or external models are involved.

What's in the full report

Cyera's full research covers the operational detail this post intentionally leaves for the source:

  • Survey methodology and respondent breakdown across 921 IT and security practitioners
  • Detailed percentages for visibility, real-time monitoring, and auto-blocking maturity
  • Prompt-layer control patterns for discovery, logging, and containment
  • Board-ready benchmarking data on AI governance readiness across industries

👉 Read Cyera's 2025 State of AI Data Security Report →
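
The three practitioner-guidance items above can be sketched in one small policy gate. This is an added example, not code from the original post or from Cyera's report; every name in it (`AgentIdentity`, `gate_retrieval`, `gate_output`, the classification labels) is hypothetical, and the sample documents and card number are constructed.

```python
import re, time
from dataclasses import dataclass, field

# Hypothetical names and labels throughout; sample documents are constructed.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # card-like 16-digit numbers only
DOCS = [
    {"id": "kb-1", "environment": "prod", "classification": "internal",
     "text": "Refund policy: 30 days."},
    {"id": "pay-7", "environment": "prod", "classification": "restricted",
     "text": "Card 4111 1111 1111 1111"},
]

@dataclass
class AgentIdentity:
    agent_id: str
    use_case: str             # approved use case this identity is scoped to
    environment: str          # only data from this environment is in scope
    max_classification: str   # highest data classification it may read
    killed: bool = False      # kill switch
    events: list = field(default_factory=list)

    def log(self, action, resource, decision, **extra):
        # One access event per retrieval or output, allowed or denied.
        self.events.append({"ts": time.time(), "agent": self.agent_id,
                            "use_case": self.use_case, "action": action,
                            "resource": resource, "decision": decision, **extra})

def gate_retrieval(agent, doc):
    """Allow a retrieval only inside the agent's task-scoped entitlement."""
    ok = (not agent.killed
          and doc["environment"] == agent.environment
          and LEVELS[doc["classification"]] <= LEVELS[agent.max_classification])
    agent.log("retrieval", doc["id"], "allow" if ok else "deny",
              classification=doc["classification"])
    return doc["text"] if ok else None

def gate_output(agent, text, external_model=False):
    """Redact before content leaves the workflow; deny if the kill switch is set."""
    if agent.killed:
        agent.log("output", "response", "deny", reason="kill_switch")
        return None
    redacted, n = CARD_RE.subn("[REDACTED]", text)
    agent.log("output", "response", "allow", redactions=n, external=external_model)
    return redacted

def touched(agent):
    """Reconstruct which resources the agent was actually allowed to read."""
    return [e["resource"] for e in agent.events
            if e["action"] == "retrieval" and e["decision"] == "allow"]
```

Denied attempts are logged alongside allowed ones, so the event list shows both what the AI touched and what it tried to reach outside its entitlement.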
