Data curation in AI governance: what IAM teams need to know

TL;DR: AI governance breaks when organisations treat data selection as an afterthought, because low-quality, poorly contextualised, or noncompliant data drives confident but flawed model outputs according to Collibra. The real governance risk starts upstream, where data is chosen, classified, and understood before deployment hardens bad assumptions into automated decisions.

NHIMG editorial — based on content published by Collibra: The AI connoisseur. Curating high-quality data for responsible innovation

By the numbers:

• 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
• Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.

Questions worth separating out

Q: How should security teams govern the data used for AI models?

A: Security teams should govern AI data the same way they govern high-risk identity assets: inventory it, assign ownership, classify sensitivity, and require approval before use.

Q: Why does data context matter so much in AI governance?

A: Data context matters because AI systems learn patterns from the dataset, not just the field values.

Q: What do organisations get wrong about responsible AI governance?

A: A common mistake is assuming governance can begin after deployment.

Practitioner guidance

• Separate data approval from model approval Require explicit review of relevance, quality, context, and permitted use before any dataset reaches training or tuning.
• Create a governed data inventory with ownership attached Track the source, purpose, business owner, sensitivity, and downstream consumers for each dataset used in AI workflows.
• Treat policy propagation as a lifecycle control Verify that classification, retention, and usage restrictions stay attached as data moves between platforms, teams, and model pipelines.

What's in the full article

Collibra's full article covers the operational detail this post intentionally leaves for the source:

• The article expands the four-step AI governance framework and explains how step two fits between use-case definition and ongoing monitoring.
• It describes the four data judgment areas in more depth, including why relevance, quality, context, and compliance must be assessed separately.
• It explains the idea of data curation as a governance discipline and shows how unified governance supports consistent policy enforcement.
• It frames Data Confidence™ as the organisational outcome of knowing which data can be used, why it can be used, and how it should be used.

👉 Read Collibra's analysis of why data understanding comes first in AI governance →

Data curation in AI governance: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →