



















Todd Moore is Vice President of Data Security Products at Thales.

getty
Imagine an employee asking a generative AI assistant to summarize internal documents before a meeting. To provide context, the employee pastes excerpts from customer records, financial reports and internal emails.
The AI quickly produces a useful summary, but it also creates prompt logs, cached context, outputs and stored responses across multiple systems behind the scenes. None of these artifacts is classified or governed, yet many may contain sensitive information.
Multiply this interaction across hundreds of employees and thousands of daily prompts, and organizations begin to accumulate a growing layer of small fragments of sensitive information like “data dust” scattered across the environment, existing outside normal security controls.
This is an urgent and growing problem for every enterprise using generative AI.
The rapid growth of unstructured data across cloud, SaaS and on-premises environments has already made it difficult to locate and classify sensitive information, and the rise of AI is accelerating the problem. Prompts, agentic workflow logs and automated processes all create new fragments of sensitive information, much of which is unlabeled and untracked.
Data governance frameworks were built for a world where humans created most data. AI has changed that equation, generating information at a scale those models were never designed to manage.
The result is a growing gap between data creation and the ability to identify, classify and protect it. It’s introducing risk that is difficult to detect and it’s quietly accumulating over time.
The 2026 Thales Data Threat Report shows that only 34% of organizations have complete knowledge of where their data resides, and just 39% can fully classify it. On top of that, nearly half of all sensitive data stored in the cloud remains unencrypted, leaving it exposed if systems or accounts are compromised.
At the same time, AI systems are ingesting and processing data and producing outputs that exist without an owner, classification or policy attached to them.
Classification remains the foundation of data security. Without it, organizations cannot apply access controls, enforce encryption or audit data flows. Least-privilege access becomes difficult to enforce, leaving a gap between policy and real-world protection.
The longer this governance problem goes unaddressed, the harder it will become to close.
Ungoverned data creates compliance challenges and a compounding security risk that increases over time, often unnoticed. AI agents and generative systems now regularly operate as high-privilege identities within enterprises.
They have broad access to data, connect to multiple systems and act on behalf of users and workflows. Often, these systems access more sensitive information than most employees and operate with less oversight.
Identity infrastructure is increasingly a primary target for attackers. In fact, according to IBM’s research, 97% of organizations reported an AI-related security incident and lacked proper AI access controls, and 63% lacked AI governance policies to manage AI.
Credential theft remains a leading attack vector against cloud environments, allowing attackers to bypass perimeter defenses entirely. When unclassified data and over-permissioned AI systems intersect with weak identity controls, risk increases and accountability suffers. Breaches become harder to detect and contain, and organizations using AI without proper governance are left exposed.
Gartner research cited by TechRadar found that 60% of organizations will fail to realize the value they expected from AI use cases by 2027 because of incohesive governance.
Building a strong classification foundation is a major aspect of AI governance. Solving this challenge is not about deploying a single tool. It requires rethinking how organizations classify, understand and govern data in environments where AI is constantly creating, transforming and moving it.
In practice, modern data classification strategies are evolving across several key areas, including:
• Continuous Data Discovery: Organizations can no longer rely on periodic scans or static inventories. Data is being created and modified in real time by users, systems and AI. Continuous discovery provides the visibility needed to understand what data exists, where it resides and how it is changing.
• Contextual Classification: Visibility alone is not enough. Organizations must understand the sensitivity, regulatory requirements and business value of their data. In AI environments, this becomes more complex as data is often unstructured, recombined or embedded in model inputs and outputs.
• Policy-Driven Governance: Classification only matters if it drives action. Organizations need governance frameworks that connect classification to enforcement regarding who can access data, how it can be used and how it must be protected across its lifecycle.
• AI-Aware Oversight: Traditional classification models were not designed for systems that generate new data or act autonomously. Organizations must account for how AI systems interact with sensitive data, including how outputs are stored, reused and shared. Human oversight remains critical to ensure these systems operate within defined boundaries.
These capabilities can come together to create a different outcome than the one where employees are using AI without governance.
An employee can still ask an AI assistant to summarize internal documents and paste in sensitive information. As the system processes the request, new data artifacts like prompt logs, intermediate outputs and summaries are identified, classified and governed in real time.
The employee gets the insight they need, while the organization maintains visibility and control over the data created in the process. Instead of accumulating unmanaged “data dust,” each fragment becomes part of a governed system that can be tracked, protected and audited.
Getting there requires more than technology alone. Organizations must also align teams, define ownership and ensure governance policies extend to AI-driven workflows. They must evaluate trade-offs between automation and oversight, and ensure new capabilities integrate with existing identity and security architectures.
As AI accelerates the creation and movement of data, classification must also evolve alongside it for organizations to use AI with confidence and control. Security, done right, becomes the foundation for trustworthy innovation rather than a barrier to it.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。