Notifications
Clear all
Topic starter
02/06/2026 6:58 pm
TL;DR: NIST’s SP 1800-39 draft shows how automated tools can discover, identify, and label unstructured data at scale, using a synthetic corpus of 25,884 files and 12 target data types, according to Cyera’s analysis of the guide. Manual classification is no longer a viable control model when visibility, accuracy, and speed must hold across modern enterprise estates.
NHIMG editorial — based on content published by Cyera: The Era of Manual Data Classification is Officially Over
By the numbers:
- The dataset included 12 target data types, including names, addresses, birthdates, patient IDs, passport numbers, and synthetic customer and billing numbers.
Questions worth separating out
Q: How should security teams implement automated data classification for unstructured data?
A: Start with a complete inventory of repositories, then test classification on representative unstructured samples before wiring labels into policy.
Q: When does manual data classification become too risky to rely on?
A: Manual classification becomes too risky when data is spread across many systems, changes frequently, or exists mostly as unstructured content.
Q: What do organisations get wrong about automated data classification?
A: The most common mistake is treating scan coverage as proof of control.
Practitioner guidance
- Implement continuous data discovery Map unstructured repositories across SaaS, cloud, and on-premises systems so classification starts from an actual inventory rather than assumed locations.
- Validate classification with measured accuracy Require precision, recall, and confusion-matrix reporting by data type before using labels to drive access, retention, or AI policy decisions.
- Test for context-heavy sensitive data Include business-specific and multilingual samples in evaluation sets so the model is assessed on meaning, not only on pattern matching.
Teams should treat precision, recall, and exception rates as operational signals, not lab metrics?
👉 Read Cyera's analysis of NIST SP 1800-39 and automated data classification →
Explore further
02/06/2026 7:13 pm
Manual classification is becoming a governance liability, not just an operational inefficiency. When unstructured data spans cloud, SaaS, and on-premises systems, manual labeling cannot keep pace with change. That creates blind spots for access review, retention, and monitoring, which are all foundational to NHI governance. Practitioners should treat classification debt as a control gap, not a documentation issue.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs , Why NHI Security Matters Now.
- Our research also shows that 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
A question worth separating out:
Q: How can teams tell whether data classification is actually working?
A: Look for measurable evidence that labels match reality across different data types, locations, and business contexts. If precision drops, if review queues grow, or if label exceptions keep rising, the programme is not stable enough for policy enforcement. Reliable classification should reduce uncertainty, not simply produce more metadata.
👉 Read our full editorial: NIST SP 1800-39 shows why manual data classification no longer scales
