Notifications
Clear all
Topic starter
08/06/2026 5:05 pm
TL;DR: AI applications are expanding enterprise data exposure by pulling in emails, chat logs, legal documents, and cloud files, while legacy classification and access controls struggle to keep up, according to Cyera. The governance problem is now less about storing data than knowing what AI can reach, classify, and expose before that reach becomes a breach.
NHIMG editorial — based on content published by Cyera: The Role of AI and ML in DSPM
By the numbers:
- The total amount of data worldwide is expected to reach 181 zettabytes in 2025.
Questions worth separating out
Q: How should security teams govern AI systems that can access sensitive corporate data?
A: Security teams should govern AI systems as non-human identities with tightly scoped access, continuous discovery, and file-level classification of the data they can reach.
Q: Why do generative AI tools increase data security risk?
A: Generative AI tools increase risk because they expand the number of places where sensitive content can be ingested, copied, surfaced, or misused.
Q: What breaks when organisations rely on manual data classification for AI security?
A: Manual classification breaks when the data set is too large, too diverse, or too unstructured for human review to stay accurate.
Practitioner guidance
- Inventory AI-readable data paths Map where generative AI tools, copilots, and machine learning pipelines can reach corporate content across cloud, SaaS, and on-premise stores.
- Replace manual classification for AI-facing datasets Use automated classification for unstructured data at file level, especially in email, chat, document, image, and media repositories that feed AI models.
- Scope non-human access by data sensitivity Review which AI tools and other non-human identities can access sensitive information, then reduce permissions to the minimum data set needed for the workflow.
What's in the full article
Cyera's full research covers the operational detail this post intentionally leaves for the source:
- Examples of how Cyera maps AI data discovery across cloud, SaaS, and on-premise environments
- The 95% precision claim behind its automated classifiers and how that is positioned for AI data use cases
- The identity module details for finding non-human AI tools with access to sensitive data
- Implementation context for data detect and response signals across Microsoft 365 and AI-facing workflows
👉 Read Cyera’s research on how AI and ML are changing DSPM →
DSPM for AI data risk: are your controls keeping up?
Explore further
08/06/2026 7:04 pm
AI security has become a data governance problem, not a model-only problem. The article is correct to frame AI risk through data visibility, because the first failure is often not prompt abuse but uncontrolled access to content that should never have been reachable by the system. That shifts the governance centre of gravity toward discovery, classification, and entitlement context. Practitioners should treat AI security as a control-plane issue for data access, not as a separate AI-only domain.
A few things that frame the scale:
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- In the same report, 72% of organisations said they have experienced or suspect they have experienced a breach of non-human identities.
A question worth separating out:
Q: How do you know if AI data governance is actually working?
A: AI data governance is working when discovery is continuous, classification confidence is high, and access to sensitive data is consistently limited to the smallest necessary set of identities and applications. Teams should also be able to show where regulated content resides, how it is protected, and which AI tools can reach it.
👉 Read our full editorial: AI security depends on data visibility in DSPM and governance
