AI data security visibility gap: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: AI use is now mainstream in enterprises, but only 13% of organisations report strong visibility into how it touches data, while 66% have already caught AI over-accessing sensitive information, according to Cyera’s 2025 State of AI Data Security Report. The real problem is not adoption, it is that governance still treats AI like an ordinary app or user and therefore misses prompt-layer risk and over-permissioned access.

NHIMG editorial — based on content published by Cyera: 2025 State of AI Data Security Report

By the numbers:

Questions worth separating out

Q: How should security teams govern AI systems that access sensitive data?

A: Treat the AI as a governed non-human identity, not as a normal application.

Q: Why do AI deployments over-access data so easily?

A: They often inherit broad permissions designed for convenience, not for machine behaviour.

Q: How do organisations know whether AI controls are actually working?

A: Look for evidence at the point of use, not just policy approval.

Practitioner guidance

  • Instrument AI access as identity telemetry: Log prompts, retrievals, tool calls, and outputs as access events so you can reconstruct what data the AI touched and when.
  • Assign AI a distinct identity class: Stop inheriting broad application permissions by default and define task-scoped entitlements by data classification, environment, and approved use case.
  • Enforce pre-output policy controls: Apply redaction, approval gates, and kill switches before sensitive content leaves the AI workflow, especially where public prompts or external models are involved.

What's in the full report

Cyera's full research covers the operational detail this post intentionally leaves for the source:

  • Survey methodology and respondent breakdown across 921 IT and security practitioners
  • Detailed percentages for visibility, real-time monitoring, and auto-blocking maturity
  • Prompt-layer control patterns for discovery, logging, and containment
  • Board-ready benchmarking data on AI governance readiness across industries

👉 Read Cyera's 2025 State of AI Data Security Report →
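
The three practitioner-guidance points above, sketched as an added example (it is not part of the original post or of Cyera's report): an AI agent modelled as its own identity with task-scoped entitlements, every retrieval and output logged as an access event, and a pre-output gate with redaction, an approval hold and a kill switch. All class names, classification levels and the redaction pattern are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Hypothetical policy model: every name, level and pattern here is constructed.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
SENSITIVE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # stand-in for a real classifier

@dataclass(frozen=True)
class Entitlement:  # task-scoped grant: use case + environment + data ceiling
    use_case: str
    environment: str
    max_classification: str

@dataclass
class AgentIdentity:  # the AI as its own identity class, not an inherited app role
    agent_id: str
    entitlements: tuple
    killed: bool = False  # kill switch
    audit_log: list = field(default_factory=list)

    def _record(self, event, decision, **detail):
        self.audit_log.append({"agent": self.agent_id, "event": event,
                               "decision": decision, **detail})
        return decision

    def retrieve(self, doc_id, classification, use_case, environment):
        """Allow a read only inside a matching entitlement; log every decision."""
        in_scope = any((e.use_case, e.environment) == (use_case, environment)
                       and LEVELS[classification] <= LEVELS[e.max_classification]
                       for e in self.entitlements)
        decision = "deny:killed" if self.killed else "allow" if in_scope else "deny:out_of_scope"
        return self._record("retrieval", decision, doc=doc_id, classification=classification,
                            use_case=use_case, environment=environment)

    def release(self, text, external):
        """Pre-output gate: redact, and hold sensitive output bound for external use."""
        redacted, hits = SENSITIVE.subn("[REDACTED]", text)
        decision = ("deny:killed" if self.killed else
                    "hold:approval" if hits and external else
                    "redacted" if hits else "allow")
        self._record("output", decision, external=external, redactions=hits)
        return redacted if decision in ("redacted", "allow") else None

def demo():  # constructed sample agent and documents
    agent = AgentIdentity("summarizer", (Entitlement("ticket_summary", "prod", "internal"),))
    decisions = [agent.retrieve(doc, cls, "ticket_summary", "prod")
                 for doc, cls in [("kb-12", "internal"), ("hr-7", "restricted")]]
    out = agent.release("SSN 123-45-6789 on file", external=False)
    return decisions, out, agent.audit_log
```

The audit log records denials as well as allows, so the over-access attempts the post describes stay visible instead of failing silently.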

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

AI data security is now an identity problem, not just a data problem. Once AI can search, retrieve, and surface enterprise information, it behaves like a governed non-human actor with access rights, audit obligations, and containment requirements. The article shows that the hard part is not model capability but access governance, because 83% use AI while visibility remains at 13%. Practitioners should treat AI access as identity-controlled data movement, not as a side effect of application design.

A few things that frame the scale:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
  • Only 13% of organisations feel extremely prepared for the reality of agentic AI, which helps explain why over-permissioning persists even as deployment accelerates.

A question worth separating out:

Q: Who should own accountability for AI data access risk?

A: Accountability should sit with the teams that own identity, data governance, and security operations together. If AI can access enterprise data, then ownership must cover entitlement design, monitoring, and incident response across the full workflow. The governance gap is not just technical, because without a named owner, no one can prove who approved or contained the access.

👉 Read our full editorial: AI data security controls are lagging behind enterprise AI use



   