
Data security for agentic AI: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1726
Topic starter  

TL;DR: Enterprise AI adoption is shifting from chatbot pilots to agentic workflows, and Cyera argues that data security and data context now determine whether AI can be deployed confidently. The governance assumption that model usage is enough has collapsed because agents take actions, not just answers, and they need access control around the data layer.

NHIMG editorial — based on content published by Cyera: RSAC Reflections, Data Is the Foundation for Successful AI

Questions worth separating out

Q: How should security teams govern data access for agentic AI workflows?

A: Security teams should treat data access as part of the agent’s decision boundary, not as a separate storage problem.

Q: Why do legacy IAM controls struggle with autonomous AI systems?

A: Legacy IAM controls assume stable identities, predictable requests, and access patterns that can be reviewed after the fact.

Q: What do organisations get wrong when they secure AI only at the model layer?

A: They often protect the model while leaving the data and action layer under-governed.

Practitioner guidance

  • Define data context for agentic use cases: Identify which datasets feed autonomous decisions and classify them by sensitivity, business function, and downstream action risk.
  • Tie policy to runtime decision paths: Validate that your controls can observe, constrain, and log the sequence of agent actions rather than only the initial authentication event.
  • Consolidate identity, data, and policy checks: Review whether fragmented tools leave gaps between classification, authorisation, and execution.

With 70% of organisations already granting AI systems more access than they would give a human employee performing the exact same job, per the 2026 Infrastructure Identity Survey, teams should expect entitlement sprawl unless data access is re-scoped around use cases and runtime behaviour.




   
(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 285
 

Data context has become the new access boundary for AI governance. The article is right to place data security at the centre of AI adoption, but the deeper identity issue is that agents cannot be governed meaningfully if the data they can reach is treated as a passive asset. In practice, data now determines what an agent can infer, decide, and execute. Practitioners should treat data context as part of entitlement design, not as a separate downstream control.

A few things that frame the scale:

A question worth separating out:

Q: How can teams tell whether AI access is actually under control?

A: Look for evidence that access is limited by purpose, not just by account. If you can show which data the system can reach, which actions it can trigger, and how policy changes when the use case changes, you have real governance. If you only have sign-off at deployment time, control is still mostly theoretical.




   