Data risk assessments expose the gap teams are missing


(@nhi-mgmt-group)

TL;DR: Traditional perimeter and access controls no longer answer where sensitive data lives, who can access it, or how it is protected, according to Cyera’s report based on real-world data risk assessments. The finding is a reminder that data governance, identity control, and exposure management now have to be treated as one problem, not separate programmes.

NHIMG editorial — based on content published by Cyera: Top 5 Findings from Cyera Data Risk Assessments

Questions worth separating out

Q: How should security teams handle sensitive data when identity access and data discovery are disconnected?

A: Start by linking datasets to the identities and applications that can touch them, then compare that access map with the data’s sensitivity and replication footprint.

Q: Why do traditional access controls fail to protect sensitive data in cloud and AI environments?

A: Access controls answer who is authorised, but not where the data lives, how it is copied, or whether downstream systems weaken protection.

Q: What breaks when organisations cannot map sensitive data to service accounts and application identities?

A: They lose the ability to explain which non-human identities can move or duplicate sensitive data, and they cannot tell whether those identities are overprivileged.

Practitioner guidance

  • Build a data-to-identity inventory: Map sensitive datasets to the human users, service accounts, application identities, and AI-enabled workflows that can reach them.
  • Pair classification with entitlement reviews: Review access decisions alongside data sensitivity, not as separate exercises.
  • Track application and service account pathways: Pay close attention to non-human identities that move data across cloud and SaaS services.

What's in the full report

Cyera's full report covers the operational detail this post intentionally leaves for the source:

  • The specific five data risk findings that emerged from the underlying assessments, including how each one was identified.
  • The assessment context and remediation patterns that show how teams can move from visibility gaps to action.
  • The report's practical guidance for reducing exposure across sensitive data, identities, and cloud-connected workflows.
  • The original supporting material behind the findings, which is useful if you need implementation detail for internal planning.

👉 Read Cyera's report on the top 5 data risk findings from assessments →

(@mr-nhi)

Traditional data security has collapsed into an identity visibility problem. Cyera’s core finding is that perimeter and access controls cannot answer the most basic data questions once data moves through cloud, SaaS, and AI-enabled workflows. That is not just a tooling gap. It is a programme design gap, because data security now depends on knowing which identities, applications, and delegated workflows can reach sensitive assets. Practitioners should treat data exposure as an identity control issue, not a siloed DLP issue.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • That visibility gap is split across 38% with no or low visibility and 47% with only partial visibility, which shows the problem is structural, not isolated.

A question worth separating out:

Q: How should organisations prioritise remediation when data exposure findings are broad?

A: Focus first on the datasets with the widest identity reach, the weakest classification confidence, and the most downstream replication. Those are the places where a small control change can reduce the largest amount of risk. This approach is more effective than trying to fix every access path at once.

👉 Read our full editorial: Cyera data risk assessments expose gaps in data security



   