TL;DR: Unstructured data now represents 80% to 90% of enterprise information, and much of it sits in email, collaboration tools, and cloud storage where access, retention, and policy enforcement are hard to govern at scale, according to OneTrust. The real issue is not data discovery alone, but continuous control over who can reach sensitive content and how long it remains usable.
NHIMG editorial — based on content published by OneTrust: How to Govern Unstructured Data in the Age of AI
By the numbers:
- Unstructured data now represents 80% to 90% of the world’s data.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
Questions worth separating out
Q: How should security teams govern unstructured data in collaboration platforms?
A: Security teams should treat collaboration platforms as governed access environments, not simple file stores.
Q: Why does unstructured data create so much governance risk?
A: Unstructured data creates risk because it can contain sensitive information in many formats, move across many repositories, and remain accessible far longer than intended.
Q: How do organisations know if unstructured data controls are working?
A: They should look for three signals: high-confidence classification coverage, reduced broad or inherited access, and retention schedules that remove stale content on time.
Practitioner guidance
- Map unstructured data repositories to owners and access paths Inventory email, collaboration platforms, cloud storage, and file-sharing systems, then assign accountable owners for both the data and the access model.
- Automate sensitive content discovery and classification Deploy classification workflows that scan documents, messages, images, and attachments for regulated or confidential content, then feed those labels into policy enforcement and access decisions.
- Tie retention rules to business purpose and legal basis Set retention periods by data category, then prove why each category must remain available.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- Practical examples of how unstructured data appears across email, file-sharing, and collaboration systems.
- The retention and governance issues OneTrust links to GDPR and enterprise compliance obligations.
- How the vendor positions automation for discovery, classification, and policy enforcement across data repositories.
- The AI governance context behind treating unstructured content as a live input to copilots and retrieval systems.
👉 Read OneTrust's analysis of governing unstructured data for AI →
Unstructured data governance - what IAM and security teams need to know?
Explore further
Unstructured data governance is now an identity-adjacent control problem, not just a records problem. The article correctly shows that visibility into content is only half the issue. Who can access the content, whether that access is still justified, and whether AI systems can reuse it are the questions that define governance quality. For identity teams, the conclusion is clear: data control and access control are now inseparable.
A question worth separating out:
Q: Who is accountable when unstructured data is reused by AI systems?
A: Accountability should sit with the data owner, the platform owner, and the governance function together. AI teams can consume content, but they should not own the decision to expose sensitive material. Organisations need documented approval paths for retention, classification, and access before content is reused by AI.
👉 Read our full editorial: Unstructured data governance is becoming an AI control problem