TL;DR: 83% of enterprises already use AI, but only 13% have strong visibility into how it touches their data, while 76% say autonomous AI agents are the hardest to secure, according to Cyera’s 2025 State of AI Data Security Report. The gap is no longer about model adoption, but about governance that can see and constrain data access in real time.
NHIMG editorial — based on content published by Cyera: AI Security Best Practices: Why a Data-Centric Approach Is the Foundation for Secure AI Innovation
By the numbers:
- 83% of enterprises already use AI, while only 13% report strong visibility into how it touches their data.
- 82.6% of phishing emails are now AI-crafted.
Questions worth separating out
Q: How should security teams govern AI agents that can access sensitive data?
A: Treat AI agents as non-human identities with explicit owners, scoped datasets, and continuous monitoring.
Q: Why do AI systems create new IAM and data governance problems?
A: AI systems can consume, transform, and expose sensitive data across multiple environments without the same human review loops used for staff access.
Q: What breaks when autonomous AI agents are given broad access?
A: Broad access turns every agent decision into a potential blast-radius event because the agent can fetch data, trigger actions, and amplify mistakes without direct human oversight.
Practitioner guidance
- Classify AI systems as identity-bearing actors: Assign each model, copilot, and agent a named owner, a data scope, and a review path.
- Move from periodic audits to continuous AI-SPM: Monitor AI tools, prompts, outputs, and connected datasets in real time so changes in policy, scope, or data movement are visible before incident response is needed.
- Limit agent reach by dataset and function: Scope autonomous agents to the minimum set of datasets required for the task and separate read, write, and trigger permissions.
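One way to turn the first and third points into a repeatable check, as an added example that is not from Cyera's report or NHIMG: an inventory audit that flags agents without an owner or review path, wildcard dataset scopes, and grants beyond what the task needs, plus a default-deny authorization check. The `Agent` record, the agent and dataset names, and the `NEEDS` mapping are all hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field

FUNCTIONS = {"read", "write", "trigger"}  # kept separate, never implied by each other

@dataclass
class Agent:
    name: str
    owner: str | None          # named human or team accountable for the agent
    review_path: str | None    # where access for this agent gets re-approved
    grants: dict[str, set[str]] = field(default_factory=dict)  # dataset -> functions

def audit(agent: Agent, task_needs: dict[str, set[str]]) -> list[str]:
    """Return governance findings for one agent; an empty list means it passes."""
    findings = []
    if not agent.owner:
        findings.append("no named owner")
    if not agent.review_path:
        findings.append("no review path")
    for dataset, funcs in agent.grants.items():
        if "*" in dataset:
            findings.append(f"wildcard dataset scope: {dataset}")
        if funcs - FUNCTIONS:
            findings.append(f"{dataset}: unknown functions {sorted(funcs - FUNCTIONS)}")
        excess = (funcs & FUNCTIONS) - task_needs.get(dataset, set())
        if excess:
            findings.append(f"{dataset}: not needed for task {sorted(excess)}")
    return findings

def is_allowed(agent: Agent, dataset: str, function: str) -> bool:
    """Default deny: the exact dataset and the exact function must both be granted."""
    return function in FUNCTIONS and function in agent.grants.get(dataset, set())

# Constructed sample inventory (hypothetical agents and datasets).
SUMMARIZER = Agent("invoice-summarizer", "finance-platform", "quarterly-access-review",
                   {"invoices_2025": {"read"}})
COPILOT = Agent("support-copilot", None, None,
                {"crm_*": {"read", "write"}, "tickets": {"read", "trigger"}})
NEEDS = {"invoice-summarizer": {"invoices_2025": {"read"}},
         "support-copilot": {"tickets": {"read"}}}

if __name__ == "__main__":
    for agent in (SUMMARIZER, COPILOT):
        print(agent.name, audit(agent, NEEDS[agent.name]) or "OK")
```

Because `is_allowed` matches dataset names exactly, a wildcard grant such as `crm_*` authorizes nothing at request time and only shows up as an audit finding to be replaced with explicit datasets.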
What's in the full article
Cyera's full research covers the operational detail this post intentionally leaves for the source:
- The report's AI Security Posture Management guidance for continuous monitoring across AI tools and datasets
- Specific examples of how overprovisioned AI agents and shadow AI expand exposure in real environments
- The report's breakdown of regulatory, legal, and reputational risk tied to AI data handling
- The original survey findings behind the 83% adoption and 13% visibility gap
AI security best practices: are data-centric controls enough?
Explore further
AI security is becoming a data-governance problem before it is a model-governance problem. Cyera’s report reinforces a pattern NHIMG sees repeatedly: organisations can deploy AI faster than they can prove what data it can touch. That shifts the control question from model behaviour to identity, classification, and lineage. Practitioners should treat data visibility as the prerequisite control for everything else.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: How can organisations tell whether AI security controls are actually working?
A: Look for real-time evidence that the organisation can identify AI tools, map their data access, and flag policy drift before incidents occur. If the team only discovers exposure during periodic audits or after a user reports a problem, the control is not operating at the speed of AI.