AI, cybersecurity risk, and regulation – the new triad shaping data governance

By Manuel Sanchez, Information Security and Compliance Specialist, iManage.


In 2025, data governance will take center stage. This is only to be expected in the wake of 2024, a year marked by advances in AI, waves of hacks and data breaches, and an onslaught of new regulations around the globe dictating how data must be handled. For effective risk management, organisations must ensure that they have a plan for addressing this new triad that is shaping data governance.

Generative AI creates new governance challenges

Perhaps more than any other trend or development, the race to adopt generative AI technologies has added a layer of complexity to the data governance challenge.

In large part, this is due to the heaps of data that organisations are using to train the large language models (LLMs) powering AI tools. What data is being fed to the LLMs, and where does that data ultimately reside? And where does the AI processing take place? If you’re an EU-based company using an AI tool that resides in the United States, you could be creating serious data governance concerns as far as data sovereignty or geolocation requirements are concerned.

That’s to say nothing of the confidentiality of data being fed to generative AI, including documents with sensitive or privileged information.

To minimise data governance risk around usage of generative AI, there are several steps organisations can take. Having a single, centralised repository for files – such as a document management system – provides a level of control over the items that might be used to train a generative AI model. Security policies ensure that no one has access to a level of documents that they shouldn’t, while also enabling the careful, ongoing curation of a foundational set of knowledge assets that generative AI can safely tap into.

Moreover, taking a platform approach to AI and document management helps eliminate any data sovereignty or geolocation risk, since the AI is run without documents ever leaving the DMS and the specific datacenter in which those documents are hosted.

Phishing remains a potent threat

As much as generative AI can be a force for good, it can also be weaponised to deliver ever-more convincing phishing attacks at a scale that just wasn’t possible before. Simply clicking on the wrong link in a phishing email can quickly turn into a devastating data breach.

Having a zero trust framework for your data helps mitigate against this risk. More than just the particular technologies or platforms you use to handle your data, zero trust is a strategy around how you handle data, who has access to what data, and so on.

Alongside this framework there also needs to be an element of education throughout the organisation, because an ounce of prevention is worth a pound of cure. Practically speaking, this means creating end user awareness of the threat landscape and the types of threats (e.g., phishing emails) that users are most likely to encounter in their day-to-day activities. Actual phishing simulations can be helpful in providing “real world” awareness of this risk and in reinforcing any learnings about good cybersecurity practices that are delivered during a one-off seminar or training session.

Regulatory requirements change the landscape

Aside from generative AI and the cybersecurity risk posed by phishing, organisations need to keep a careful eye on changing regulatory requirements if they hope to have an effective handle on data governance in the new year.

The EU introduced GDPR several years ago, and in the United States, California has been leading the way when it comes to data privacy laws. These directives are spreading as more and more states introduce their own laws along similar lines.

With public awareness of data rights growing, so is the volume of data subject access requests (DSARs). DSARs will put even more pressure on organisations to develop capabilities to manage and retrieve personal data efficiently.

Streamlined data management will be crucial not just for data security, but also for maintaining customer trust and regulatory compliance, in equal measure. Organisations need to know what data they have, where that data is, and what data retention and data governance principles they have in place in order to respond effectively to these types of requests.

If the changing landscape weren’t motivation enough to put this kind of data governance front and center, a shout-out from the National Institute of Standards and Technology (NIST) ought to be: in its recently released Cybersecurity Framework 2.0 (CSF 2.0), NIST places a newfound emphasis on data governance as one of its foundational principles, alongside other more traditional cybersecurity measures like protection and detection.

To the forefront

In the face of this triad of data governance developments, the task of assessing vulnerabilities and developing robust data governance strategies will move to the forefront of security leaders’ agendas in 2025. Slap-dash solutions or quick fixes will not work. By giving data governance the attention it deserves, organisations will reshape their overall risk management profile and better position themselves to chart a secure path forward in the coming year.
