Notifications
Clear all
Topic starter
08/06/2026 4:24 pm
TL;DR: Federal agencies have more than doubled AI use since 2023, with HHS, VA, DHS, and DOI representing half of reported use cases, while cloud sprawl and legacy systems keep data visibility patchy, according to Cyera. The core issue is no longer just compliance, but proving continuous control over sensitive data as AI expands access paths.
NHIMG editorial — based on content published by Cyera: Trust in the Age of AI: Why Cyera Is Bringing Data Security to the Federal Frontlines
By the numbers:
- Federal agencies have more than doubled their use of AI since 2023.
Questions worth separating out
Q: How should agencies govern sensitive data used by AI systems?
A: They should govern it as a combined data and identity problem.
Q: Why do AI programmes create more risk around sensitive federal data?
A: AI programmes increase risk because they multiply the number of access paths to the same information.
Q: What do security teams get wrong about compliance in federal AI environments?
A: They often treat compliance as proof of security, when it is only evidence that controls existed at a point in time.
Practitioner guidance
- Map AI data access paths end to end Document every identity, service account, API, and connector that can reach sensitive datasets used in AI workflows.
- Tie data classification to identity policy Require sensitive federal datasets to carry policy labels that drive access decisions, logging, and review scope.
- Make continuous proof part of governance evidence Collect runtime evidence for who accessed what, through which identity, and under which control set.
What's in the full article
Cyera's full commentary covers the operational detail this post intentionally leaves for the source:
- How the FedRAMP process maps to federal trust and oversight expectations in AI-enabled environments
- Why unified visibility into sensitive data matters for agencies operating across legacy and cloud systems
- How AI can be used to understand data sensitivity, purpose, and risk in operational workflows
- What Cyera says its federal posture means for agencies seeking mission-ready security
👉 Read Cyera's commentary on trust, AI, and federal data security →
Federal AI data security: what IAM teams need to change now?
Explore further
08/06/2026 6:01 pm
Continuous proof of control is now the real federal trust boundary. Cyera’s framing is correct that compliance alone does not answer the operational question federal agencies now face: can they prove data is protected while AI systems are actively using it? In federal missions, the risk is not simply exposure, but the inability to demonstrate control across a distributed data path. Practitioners should treat evidence of control as a runtime requirement, not an audit artifact.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, showing how quickly governance gaps can widen around delegated access.
A question worth separating out:
Q: What should organisations do before expanding AI access to sensitive records?
A: They should validate classification, entitlement scope, and logging for every identity that can touch the records. If service accounts or delegated workflows already have broad access, reduce that reach first. Otherwise the AI programme inherits pre-existing overexposure and turns it into a higher-frequency governance problem.
👉 Read our full editorial: AI data security for federal agencies is becoming an access problem
