Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

DSPM for GenAI: where should teams enforce policy and drift controls?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10141
Topic starter  

TL;DR: DSPM shifts security from perimeter controls to data discovery, lineage, access governance, drift monitoring, automated remediation, and audit evidence, while GenAI introduces prompt-injection, credential-leak, and oversharing risk at retrieval and answer time, according to Knostic and cited research. The strategic gap is no longer visibility alone, but enforcing policy where data is recombined and disclosed.

NHIMG editorial — based on content published by Knostic: Key Findings on Data Security Posture Management Strategy

By the numbers:

Questions worth separating out

Q: How should security teams enforce data policy in GenAI search and chat tools?

A: Security teams should enforce policy at retrieval and answer time, not only at storage time.

Q: Why do traditional access controls miss oversharing in AI workflows?

A: Traditional controls miss oversharing because they usually govern files, tables, or accounts, while AI workflows recombine data into new outputs.

Q: What breaks when data lineage is incomplete in a DSPM programme?

A: When lineage is incomplete, teams cannot prove where sensitive data came from, where it moved, or which exposure path created the risk.

Practitioner guidance

  • Extend controls to answer-time enforcement Apply policy checks at retrieval and response generation so GenAI tools cannot surface data simply because it is reachable in a connected repository.
  • Build a continuous lineage map Track sensitive data from source systems through transformations, indexes, prompts, and downstream answers so you can see where exposure can occur.
  • Automate remediation for repeatable exposure patterns Use policy-bound automation to revoke public access, correct misclassifications, and remove risky secrets from common leakage locations.

What's in the full article

Knostic's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step DSPM adoption sequence from inventory and lineage through policy and drift controls.
  • Specific examples of how GenAI search and answer-time controls are positioned alongside RBAC and PBAC.
  • The 30-60-90 day rollout structure for operationalising discovery, monitoring, and evidence generation.
  • The article's own framing of how compliance, cloud complexity, and shadow data shape implementation priorities.

👉 Read Knostic's analysis of DSPM strategy for GenAI and data exposure →

DSPM for GenAI: where should teams enforce policy and drift controls?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9696
 

Data posture now has to follow the answer, not just the asset: The core failure in legacy DSPM thinking is that it assumes data risk is bounded by storage location and static permissions. GenAI collapses that boundary because sensitive information can reappear at retrieval and answer time after passing through systems that look compliant on paper. Practitioners should treat disclosure paths as first-class governance objects, not downstream accidents.

A few things that frame the scale:

  • 23.7% of organisations share secrets through insecure methods such as email or messaging applications, according to The 2024 Non-Human Identity Security Report.
  • Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities.

A question worth separating out:

Q: Who should own remediation when DSPM finds risky GenAI exposure?

A: Ownership should sit with the team that can change both the data path and the policy decision, usually identity, data security, or platform governance depending on the control. If remediation is split across too many teams, exposure lingers while everyone assumes someone else is fixing it. Clear ownership is part of the control.

👉 Read our full editorial: Data security posture management must extend to GenAI answer time



   
ReplyQuote
Share: