TL;DR: Continuous data use, AI adoption, and compliance pressure are outgrowing traditional access controls, and GigaOm placed Satori, a Commvault company, as the only mature, platform-centric leader in data access governance. The governance gap is now operational, not theoretical: policy enforcement must move to query time if organisations want defensible oversight.
NHIMG editorial — based on content published by Commvault: GigaOm recognition for Satori and the case for data access governance
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities
Questions worth separating out
Q: What breaks when data access governance is missing in AI-heavy environments?
A: Access decisions become fragmented across engineering, data, and security teams, and no one can reliably prove whether sensitive data was used appropriately.
Q: Why do AI agents complicate data access governance?
A: AI agents can request, chain, and reuse data access in ways that do not resemble a normal human workflow.
Q: How do you know if data access controls are actually working?
A: You know they are working when you can show continuous evidence of who accessed which data, under what policy, and whether the access was allowed in context.
Practitioner guidance
- Map data access by identity class Classify access paths by human user, service account, automation, and AI agent so policy can reflect different risk levels and approval needs.
- Move enforcement to query time Apply policy at the moment data is requested, not only in upstream approvals or storage permissions.
- Separate evidence from assumption Capture who accessed what, when, and why directly from the access path so auditors are not relying on tickets or verbal attestations.
What's in the full article
Commvault's full post covers the operational detail this analysis intentionally leaves for the source:
- GigaOm's evaluation criteria and how the platform-centric category was assessed in practice
- How query-time policy enforcement is implemented across modern data platforms and AI workflows
- The recovery and resilience angle that links governance to backup and restore operations
- The vendor's own explanation of how security teams can keep access control close to the data
👉 Read Commvault's analysis of data access governance and AI-era data security →
Data access governance and AI-era data sprawl: are controls keeping up?
Explore further
Data access governance is now an identity governance issue, not just a data tooling issue. The article describes a world where access decisions are made across engineering, analytics, and AI workflows, which means the identity layer is already part of the control problem. When service accounts, human users, and AI agents all touch the same sensitive datasets, access governance has to become identity-aware or it will remain incomplete. Practitioners should treat data access policy as an extension of IAM and PAM, not a separate reporting exercise.
A question worth separating out:
Q: Who is accountable when governed data still leaks or is misused?
A: Accountability usually sits across identity, data, and platform teams, but the business owner of the data remains responsible for the access model. Security teams need the authority to enforce runtime rules, while compliance teams need evidence that the rules were active. If those responsibilities are split without clear ownership, governance fails in practice.
👉 Read our full editorial: Data access governance is becoming essential for AI-era security