
AI data visibility: what IAM teams need to do now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8688
Topic starter  

TL;DR: Boards are increasingly treating AI strategy and data protection as one governance problem because AI systems retrieve whatever they can access, and a joint study cited in the source found 96% of enterprise permissions go unused while 91% of sensitive data accessible to workers is untouched, according to Cyera. That makes visibility, access mapping, and control of dormant access the prerequisite for safe AI adoption, not a downstream cleanup task.

NHIMG editorial — based on content published by Cyera: Why Boards Are Asking About AI and Data in the Same Breath

By the numbers:

Questions worth separating out

Q: How should security teams govern AI access to sensitive data sources?

A: Security teams should inventory every AI-connected identity, map the exact data sources it can reach, and validate that each connection is approved for the intended use case.

Q: Why do over-permissioned identities create outsized risk for AI systems?

A: Over-permissioned identities matter because AI systems can operationalise broad access instantly and at machine speed.

Q: What breaks when organisations enable copilots without data visibility?

A: What breaks is the organisation's ability to predict and defend the system's real attack surface.

Practitioner guidance

  • Map AI-connected identities to reachable data sources: Catalogue every co-pilot, retrieval pipeline, and agentic workflow, then record the exact datasets, indexes, APIs, and record classes each can reach.
  • Separate read-only from write-capable AI identities: Design distinct identities and approvals for systems that only retrieve information versus systems that can update records, send messages, or trigger downstream workflows.
  • Review dormant permissions before enabling AI access: Identify privileged but unused access on the human and machine side, then remove or narrow it before AI tools are connected.

What's in the full article

Cyera's full analysis covers the operational detail this post intentionally leaves for the source:

  • The specific discovery workflows used to identify AI tools, copilots, and connected identities across large enterprise environments.
  • The assessment logic for measuring reachable data, sensitive record classes, and overexposed permissions before AI deployment.
  • The board-level framing used by security leaders to connect AI adoption decisions to data visibility and control readiness.
  • The AI Security Readiness Assessment structure that breaks the problem into eight security domains.

👉 Read Cyera's analysis of why boards are linking AI strategy with data protection →
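The three practitioner guidance steps above (map identities to reachable sources, split read-only from write-capable identities, review dormant grants) as a small review script. This is an added example, not code from NHIMG or Cyera; the grant schema, identity and dataset names, and timestamps are constructed assumptions.

```python
"""Constructed example: map AI-connected identities to the data sources they
can reach, split read-only from write-capable identities, and flag dormant or
unapproved grants before the identity is connected to an AI tool.
The grant schema, names and timestamps are assumptions, not a vendor format."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=90)            # unused this long => dormant
WRITE_ACTIONS = {"update", "delete", "send", "trigger"}  # state-changing actions


def grant(identity, source, action, days_since_use, approved_for):
    """One inventory row; days_since_use=None means the grant was never used."""
    last_used = None if days_since_use is None else NOW - timedelta(days=days_since_use)
    return {"identity": identity, "source": source, "action": action,
            "last_used": last_used, "approved_for": approved_for}


# Constructed inventory of AI-connected identities (hypothetical names).
GRANTS = [
    grant("copilot-sales",   "crm.accounts",       "read",   3,    "sales-assistant"),
    grant("copilot-sales",   "hr.payroll",         "read",   None, None),
    grant("rag-indexer",     "sharepoint.finance", "read",   200,  "finance-search"),
    grant("agent-ticketing", "itsm.tickets",       "update", 1,    "ticket-triage"),
    grant("agent-ticketing", "email.outbound",     "send",   None, "ticket-triage"),
]


def access_map(grants):
    """Identity -> sorted list of data sources it can reach (the access map)."""
    reach = defaultdict(set)
    for g in grants:
        reach[g["identity"]].add(g["source"])
    return {identity: sorted(sources) for identity, sources in reach.items()}


def identity_classes(grants):
    """Identity -> 'write-capable' if any grant can change state, else 'read-only'."""
    classes = {g["identity"]: "read-only" for g in grants}
    for g in grants:
        if g["action"] in WRITE_ACTIONS:
            classes[g["identity"]] = "write-capable"
    return classes


def review_grants(grants, now=NOW, dormant_after=DORMANT_AFTER):
    """(identity, source, action) -> flags; an empty list means the grant is clean."""
    findings = {}
    for g in grants:
        flags = []
        if g["approved_for"] is None:
            flags.append("unapproved")   # no approved use case: do not connect
        if g["last_used"] is None or now - g["last_used"] > dormant_after:
            flags.append("dormant")      # remove or narrow before AI access
        if g["action"] in WRITE_ACTIONS:
            flags.append("write")        # needs its own identity and approval
        findings[(g["identity"], g["source"], g["action"])] = flags
    return findings
```

Replace the constructed `GRANTS` rows with an export from your own IAM or data-security tooling; the flags map directly onto the three guidance steps.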

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8144
 

Data visibility has become the control plane for AI governance. The boardroom is no longer asking whether AI is powerful enough. It is asking whether the organisation can prove what AI systems can reach before they are switched on. That shifts security authority toward classification, entitlement mapping, and exposure analysis across human users, service accounts, and AI-connected identities. Practitioners should treat data visibility as the prerequisite for AI approval, not a post-deployment cleanup activity.

A few things that frame the scale:

  • 96% of enterprise permissions granted to employees are never actually used, according to the Ultimate Guide to NHIs, Key Research and Survey Results.
  • 91% of sensitive data available to workers goes untouched, which means dormant access remains a massive governance surface until AI activates it.

A question worth separating out:

Q: Who is accountable when an AI tool exposes data it should not reach?

A: Accountability sits with the business owner of the AI use case, the identity team that granted access, and the data owner who approved the source system. If those responsibilities are unclear, the organisation has a governance gap rather than a technical one. The right answer is a named owner for every AI-connected identity.

👉 Read our full editorial: AI and data security are now the same boardroom question
