Data Governance in the Age of AI

Defense in Depth

We're collecting more data than ever before. Data governance regulations are not going away, and they're not getting any easier. How the heck are we supposed to keep up?

Check out this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by David Spark, the producer of CISO Series, and Dan Walsh, CISO, Datavant. Joining them is their sponsored guest, Ash Hunt, vp, strategy, EMEA, Cyera.

Listen to the full episode here.

The access creep challenge

Traditional identity and access management falls short when employees change roles within organizations. "Data governance is extremely hard," explained Ross Young of CISO Tradecraft, pointing to a common scenario: "Let's say someone joins the accounting team and has access to emails, share folders, SharePoint, OneDrive, and accounting applications. Three years later they move to the procurement team and don't require access to any of these things. Most organizations would struggle to remove access to all of these things except the accounting applications." This creates compounded risk. Meanwhile, Raj Singh of Sagility emphasized that while "traditional data governance isn't obsolete — it's incomplete," organizations need systems that can "continuously classify new datasets, flag when regulated data shows up in an AI training pipeline, and alert when access patterns drift from policy."

Bridging intent and execution

The disconnect between governance and real-world implementation continues to plague organizations as they race to adapt to AI-driven environments. "What's working in data governance today is the intent," said Chris Fontaine of Arctic Wolf. "Companies keep pouring money into catalogs, lineage tools, and access controls because they know trust and transparency matter." However, he pointed to a fundamental execution gap: "What's not working is the execution." Rigid frameworks can't keep up with the velocity of AI data. Organizations need to leverage AI itself to meet the challenge. Kapil Raina of Bedrock Data envisions this evolution as "a metadata-driven, always-on governance layer that uses AI for continuous visibility, classification, and control - automatically with dynamic policy enforcement."

Looking for integrity

Not everyone agrees that AI fundamentally changes data governance requirements. But new risks are emerging that challenge traditional approaches. Dustin Sachs of CyberRisk Collaborative argued for continuity: "I don't think AI has changed the data governance approaches... The data going into AI or coming out isn't fundamentally different from 'pre-AI data.'" However, Hadas Cassorla of SideChannel sees integrity as the biggest failure in AI governance, saying, "Because people are heavily relying on LLMs and not necessarily understanding that the output can be incorrect or hallucinated, they are relying on output as though it is true. That denigrates the integrity of data." The tools designed to help manage data complexity may themselves become sources of data integrity risk.

Racing against exponential complexity

Data governance faces an existential scaling challenge. Traditional human oversight is insufficient for the exponentially growing complexity of data. "Most data governance efforts seem to oscillate between decentralized efforts where the work is spread out to Departments but unevenly applied, or centralized, where people who don't understand the data make ill-informed decisions about it," noted Duane Gran of Pellera Technologies. Scaling data governance is only going to become increasingly challenging. "It's not ever going to get easier than it is right now. As the AI systems grow on their own, at a pace we as humans can barely comprehend, how can we manage data that moves in the world of AI and quantum computing?" wondered Mike Elkins of Humanis Technologies.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Huge thanks to our sponsor, Cyera

Subscribe
Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Steve Zalewski, co-host, Defense in Depth.

Thanks to our Cyber Security Headlines sponsor, Nudge Security

We’ll be back Friday [10-17-25], for "Hacking Next Gen Data Threats"

Join us again on Friday, October 17, 2025, for “Hacking Next Gen Data Threats: An hour of critical thinking about what you need to setup your AI guardrails.”

Joining us will be Abhi Sharma, CEO and co-founder, Relyance AI. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Relyance AI

Cyber chatter from around the web...
Jump in on these conversations

“20 Years in IT/InfoSec, Over 1000 Applications In One Year, No Offers, What The ACTUAL Heck Is Going On?” (More here)

“What are your unpopular cybersecurity opinions?” (More here)

“What is a subfield of cyber that no one really knows/talks about?” (More here)

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.