AI ITSELF ASSISTS GOVERNANCE AND SECURITY
While the rise of AI presents new challenges to governance and security, it’s important to note that AI itself can serve—to an extent—as a highly effective tool for locking down data and applications.
“Turn AI applications back onto data for maximum impact,” said Gentile. “For example, AI-powered data governance and security software can automatically identify shadow data and then align it with an enterprise’s governance framework.”
AI can be used to improve data governance “by automating previously manual processes, for example, by automatically identifying personally identifiable information and other forms of sensitive data and flagging potentially inappropriate uses,” said Aslett. “Additionally, AI is increasingly being incorporated into data quality software to automate and enhance data quality checks and has a role to play in automating data classification, metadata management, and data lineage.”
AI-driven governance can help with “bias detection and mitigation, fairness assessments, and observability, to name a few,” Tiell added. At the same time, he cautioned, “Operational aspects are but one leg of the four-legged stool of governance. Good governance for AI also requires human oversight, compliance, and culture change to be effective.”
Still, AI can help ease the burden on human overseers as large volumes of data wash through enterprises. “Many governance and security problems are data problems that we’ve historically relied on people to address,” said Khawaja. “Scaling an enterprise workforce can be expensive, and people do not enjoy working on tasks that involve significant toil. AI can help lighten the lift on some of these activities, such as tagging assets, identifying unstructured confidential data, detecting anomalous behavior, and sensing data quality deviations.”
AI agents show significant promise for data security, said Christian. “Security operations centers are grappling with increasing demands and overwhelming alert volumes. AI agents can autonomously monitor threats in real time, automate routine tasks with minimal human intervention, and provide contextual decision-making support.”
Ultimately, the role of AI in governance and security “is an uncertain space,” Vanover acknowledged. “AI offers an incredibly powerful set of capabilities that organizations should absolutely leverage to solve specific challenges or improve existing processes. However, there are risks in organizations going into areas of unexplainable behavior, limited institutional knowledge, and gaps in accountability. AI responsible for AI creates a slippery slope in terms of accountability and compliance for many organizations.”
TRUST EXERCISES
As mentioned above, organizational culture is an important foundation for data governance and security—as it has been for decades.
“The best place to start is with organizational values,” said Tiell. “Every organization has them, and these values help organizations to articulate their concepts of justice—how will customers and stakeholders be treated in a way that builds trust?”
Data quality is even more important than in traditional use cases, said Kashalikarm. “Quality needs to be democratized and performed continuously, shifting from the traditional, preplanned quality to an observability angle, and it is active, where the system reacts automatically to a drop or shift in quality.”
Another key consideration for governance and security is the growing prevalence of agentic AI. Governing and securing AI agents require data to be available “where there is no human buffer between output of AI and the end consumer,” said Kashalikarm. Another side of the coin is the rise of self-service, “where a user is able to get access to the right data, right analytics, and AI tools; is data literate; and able to use the analytics and AI to make a business decision with no manual intervention.”
Additional measures for achieving trust “include doubling down on data governance by establishing clear guardrails around the development and deployment of AI systems,” said Christian. He also recommended “applying existing access controls to AI applications by embedding LLMs into a private data platform and establishing feedback loops to ensure response accuracy.”
When implementing these practices, “The focus should come back to a few key areas like transparency, mitigating biases, maintaining data security, and enforcing accountability at every stage of the AI lifecycle,” Christian continued. “As AI governance continues to develop, we expect to see more standardized frameworks that integrate these best practices into model development and deployment processes.”
Data observability is also becoming a necessity, Aslett pointed out. ISG predicts that through 2027, more than two-thirds of enterprises will invest in initiatives to improve trust in data through adoption of data observability tools to address the detection, resolution, and prevention of data reliability issues.
“Data observability will automate the monitoring of data freshness, distribution, volume, schema, and lineage and the reliability and health of the overall data environment,” he added.
Also important to this process is aligning data standards across a growing array of databases and technologies. This is a process that isn’t necessarily new to data environments but takes on greater urgency in this age of data saturation.
This includes “administration, protection, compliance, identification, and governance—across the organization,” said Vanover. “By applying consistent practices to all databases, they can close gaps, strengthen oversight, and ensure greater responsibility.”
The bottom line is a need for “consistency, consistency, and consistency,” Vanover continued. “We’ve all seen data managers, DBAs, and more get into the business of providing a full offering of services for their databases. However, there are other databases in an organization that do not get the full attention, maintenance, and care by the DBAs. On top of that, there are databases the DBAs do not know about. While this is a simplified scenario, it highlights the inconsistency in how database environments are managed.”