Farrah Gamboa, Senior Director Of Product Management, Netwrix On AI, DSPM, And Zero Trust

Farrah Gamboa: Organisations often struggle to understand the full extent of their data footprint: where sensitive data resides, who has access and how it's being used. Data is spread out in more places than ever, with the issue exacerbated by SaaS applications and shadow IT, which is now extended to shadow AI. This data sprawl makes traditional governance models ineffective. In fact, 35% of breaches in 2024 involved data stored in unmanaged data sources (aka “shadow data”).

To tackle this challenge, organisations should shift their perspective from the more familiar data access governance (DAG) to data security posture management (DSPM). This approach focuses on identifying misconfigurations, exposure risks and compliance issues as they emerge, not just at a single point in time. And it often goes a step further by helping teams remediate those issues.

Farrah Gamboa: One common pitfall is implementing and using AI in an IT environment that is not ready to securely leverage it. AI models are only as secure and reliable as the data they are given to train on. Poorly governed, biased or unverified data can lead to inaccurate or even harmful outcomes. In addition, unless adequate controls are in place, AI-driven automation can inadvertently increase security blind spots by increasing the volume and velocity of data generation.

Farrah Gamboa: When IT, security and compliance teams each operate with different priorities, gaps form. These gaps expose sensitive data, delay remediation and invite regulatory risk.

But when organisations align around shared outcomes, such as reducing data exposure, enforcing least privilege and ensuring regulatory readiness, everything changes. Suddenly, data governance becomes not just a policy but a strategic advantage. Security becomes proactive, not reactive. Compliance is built in, not bolted on. And IT becomes an enabler of trust, not just an operator of systems.

This alignment fosters a culture of joint ownership and accountability, creates a common language around data risk, unlocks cross-functional workflows and automation, and empowers data owners to actively participate in protecting information. The result is a smarter, more unified approach where sensitive data is visible, governed and secure.

Farrah Gamboa: Manual governance is simply not sustainable at scale, especially in cloud-first or hybrid environments where data is constantly moving, growing and being accessed by different identities. Organisations that rely on static policies, infrequent audits and human-driven controls are playing a losing game: They chase risk instead of getting ahead of it.

Modern data governance isn’t just about having policies, it’s about enforcing them continuously, at scale and in real time. Automation is the engine that makes this possible. It shifts data protection from being reactive and labour-intensive to proactive, intelligent and self-sustaining. IT can build, security can defend, and compliance can assure — without stepping on each other’s toes.

Done right, automation isn’t just efficiency. It’s resilience. It’s how organisations embed data protection into the DNA of their operations so that governance happens not because people remember to do it, but because the system is built to do it for them.

Farrah Gamboa: First, data managers need to adopt a risk-based approach that prioritises high-value and high-risk data. This starts with continuous data discovery, classification and risk assessment to ensure they know what data they have and who has access to it, and any risks to that data.

Second, data managers should adopt a Zero Trust security model. A core principle is enforcing least privilege access, including just-in-time access controls that grant access for a limited time only when needed. In addition, Zero Trust requires behavioural analytics to promptly spot anomalous activity that can indicate insider threats, such as when the adversary leverages compromised credentials.

In addition to having the appropriate security controls in place, organisations should establish policies for responsible AI usage that ensure data integrity and model transparency. Data governance shouldn’t be a siloed IT function but rather a strategic business initiative. 

Farrah Gamboa: I strongly believe that success in data governance must be defined by real-world outcomes, not paperwork. The most effective organisations don’t just ask, “Did we implement the policy?” They ask, “Is sensitive data actually protected? Do we know who has access, whether that access is appropriate and how it is being used?”

In other words, success in data governance means an organisation’s control of data and ability to prove that control continuously. In practice, examples could include having fewer users with excessive access or a larger percentage of data repositories scanned, classified and monitored.

These aren’t just security metrics — they are business enablers. When governance is done well:

• The legal team can sign off on regulatory filings with confidence.
• The board can evaluate risk posture with clarity.
• Security teams spend less time chasing false alarms and more time preventing real threats.

As a result, the business can move faster because it knows its data is properly governed and secure.