TL;DR: AI adoption is outpacing AI security and governance, with IBM reporting that 97% of businesses suffering an AI-related breach had no proper AI access controls in place, while Cyera argues that extending DSPM into AI workflows is the practical way to restore visibility over data, access, and usage. The underlying issue is not just data sprawl, but governance built for static environments now being asked to control dynamic AI workflows.
NHIMG editorial — based on content published by Cyera: Navigating the World of DSPM for AI and Why It Is Mission Critical for Enterprise Organizations
By the numbers:
- 97% of businesses that suffered an AI-related breach reported they had no proper AI access controls in place.
- 72% of data breaches involved data stored in cloud environments, and 30% of breached data spanned multiple computing environments.
Questions worth separating out
Q: How should security teams govern sensitive data used in AI workflows?
A: Security teams should treat AI workflows as governed data paths, not just model activity.
Q: Why do shadow AI tools create such a large governance gap?
A: Shadow AI creates a gap because sensitive data can move into tools that are outside normal approval, logging, and retention controls.
Q: What breaks when DSPM only covers static data stores?
A: When DSPM stops at static repositories, it misses the highest-risk part of AI use: data in motion through prompts, outputs, and training flows.
Practitioner guidance
- Extend DSPM coverage into AI workflows: Inventory sanctioned, shadow, and third-party AI systems, then verify that discovery reaches training data, prompts, outputs, and retention locations across cloud and SaaS environments.
- Classify AI data by purpose and regulatory scope: Tag sensitive datasets with owner, purpose, and compliance context so model training and inference decisions can be enforced against policy rather than file location alone.
- Tie AI monitoring to identity context: Correlate prompts, outputs, and access activity with user identity and dataset sensitivity so investigators can distinguish normal use from policy violation or data exfiltration.
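A sketch of how the classification tags and identity correlation from the guidance above can be evaluated together, added here as an illustration and not taken from Cyera or NHIMG. The catalogue fields, tool names, users, groups and events are all constructed assumptions, not a product schema.

```python
# Added illustration: every name, tag, tool and event below is constructed.
# Dataset catalogue: tags carry owner, purpose and compliance context.
CATALOGUE = {
    "crm_customers": {"owner": "sales-ops", "sensitivity": "high",
                      "purposes": {"support_inference"}, "scope": "GDPR"},
    "public_docs": {"owner": "docs-team", "sensitivity": "low",
                    "purposes": {"support_inference", "model_training"}, "scope": None},
}
SANCTIONED_TOOLS = {"internal-assistant"}  # anything else counts as shadow AI
# Identity context: groups entitled to use each dataset in AI workflows.
DATASET_GROUPS = {"crm_customers": {"support"}, "public_docs": {"support", "engineering"}}
USER_GROUPS = {"alice": {"support"}, "bob": {"engineering"}}

def evaluate(event):
    """Return the policy reasons (possibly empty) for one AI workflow event."""
    tags = CATALOGUE.get(event["dataset"])
    if tags is None:
        # Discovery gap: data reached an AI workflow without being classified.
        return ["unclassified dataset in AI workflow"]
    reasons = []
    if event["tool"] not in SANCTIONED_TOOLS and tags["sensitivity"] == "high":
        reasons.append("high-sensitivity data sent to unsanctioned tool")
    if event["purpose"] not in tags["purposes"]:
        reasons.append("purpose not permitted by dataset tags")
    entitled = DATASET_GROUPS.get(event["dataset"], set())
    if not USER_GROUPS.get(event["user"], set()) & entitled:
        reasons.append("user has no group entitlement to dataset")
    return reasons

def correlate(events):
    """Join events with identity and classification; keep only violations."""
    return {e["id"]: r for e in events if (r := evaluate(e))}

# Constructed sample events covering inference and training activity.
EVENTS = [
    {"id": 1, "user": "alice", "tool": "internal-assistant", "dataset": "crm_customers", "purpose": "support_inference"},
    {"id": 2, "user": "bob", "tool": "browser-chatbot", "dataset": "crm_customers", "purpose": "support_inference"},
    {"id": 3, "user": "alice", "tool": "internal-assistant", "dataset": "crm_customers", "purpose": "model_training"},
    {"id": 4, "user": "bob", "tool": "internal-assistant", "dataset": "hr_exports", "purpose": "support_inference"},
]

if __name__ == "__main__":
    for event_id, reasons in correlate(EVENTS).items():
        print(event_id, "; ".join(reasons))
```

Event 1 passes because the tool, purpose and user entitlement all match the dataset's tags; the other three are each flagged for a different reason, which is what lets an investigator separate normal use from a policy violation.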
What's in the full article
Cyera's full research covers the operational detail this post intentionally leaves for the source:
- Step-by-step breakdowns of AI-aware data discovery and classification across structured and unstructured datasets.
- Microsoft Purview coverage and limitation examples for Microsoft-centric AI environments.
- Policy enforcement patterns for integrating DSPM with DLP, IAM, and SIEM across AI workflows.
- Data minimisation and retention handling for AI training and inference pipelines.