Three ways to secure AI across cloud apps

COMMENTARY: The AI boom triggered a new wave of complexity — especially for organizations that rely on multiple clouds and Software-as-a-Service (SaaS) platforms.

Every major SaaS provider now offers some form of embedded or agentic AI capability. Each of those tools requires data. And since enterprise data already lives across a patchwork of clouds, databases, and SaaS environments, organizations find themselves building bridges between platforms at an unprecedented rate.

This interconnectivity drives AI-fueled multi-cloud sprawl — and with it comes a new generation of data governance and security risks.

AI apps rely on data. But enterprise data rarely sits in one place. A single company may have hundreds of cloud-based tools, each with its own data stores, logs, and policy frameworks. To make AI useful, businesses are connecting these disparate environments so models can draw insights from across them.

The result has been a web of interdependencies that are nearly impossible to govern consistently. Each cloud provider or SaaS vendor speaks its own language when it comes to configuration, visibility, and access control. What counts as a “policy,” a “role,” or a “permission” in one environment may mean something entirely different in another.

This isn’t a new challenge, but AI accelerates it. Multi-cloud strategies that worked for traditional workloads are breaking down as AI workloads introduce new kinds of data movement, new access models, and entirely new types of identities.

The governance and identity multiplier

Data governance lies at the center of this issue. Organizations need strong classification, control, and visibility into their data no matter where it resides. Yet when that same dataset gets replicated or accessed across multiple AI platforms, it’s extremely difficult to maintain consistency.

While the need for non-human identities (NHIs) — agents, connectors, and service accounts — is not new, the explosion of AI has driven the need for more of them across every layer of the enterprise stack, multiplying the identity and access management (IAM) burden.

Least-privilege principles are hard enough to enforce for human users. Now imagine extending them to a fleet of AI agents that run on different schedules, access multiple environments, and often make decisions dynamically. Without strict governance and inventory of where these identities live, what they can access, and how they behave, the attack surface expands exponentially.

Visibility gaps and Shadow AI

Threat visibility has become another casualty of multi-cloud sprawl. Every cloud and SaaS environment has unique logging capabilities, formats, and pricing structures. Some vendors require customers to pay for access to logs, while other vendors don’t provide the depth of visibility a security team would expect in a regulated environment. That inconsistency leaves organizations in the dark. And when AI systems are moving data between platforms — or reasoning and acting autonomously — the potential blind spots multiply.

We’ve long talked about “Shadow IT,” where employees adopt new SaaS tools outside of governance processes. We’re now entering an era of Shadow AI, where anyone in the business can connect generative tools or agentic workflows to core data systems without understanding the risks.

Three pillars for securing AI across clouds

Three foundational principles can help organizations secure AI workloads across multi-cloud environments.

  • Data Governance: Start with a clear understanding of the data — where it lives, how it’s classified, and which policies apply to it. Then, make sure those definitions carry across every environment where that data might appear. Governance isn’t just about policy: it’s about translation and enforcement at scale.
  • Identity and Access: Ensure the team’s IAM strategy and processes are equipped to scale with the growing demands of NHIs powering agentic workloads. Keep an inventory of every agent, connector, or service account that has access to data. Apply least-privilege rigorously. Agents should have access only to the data and functions necessary to complete their assigned tasks, and nothing more. If an agent only needs to run once a day, limit its access accordingly and monitor for deviations.
  • Visibility and Observability: Teams can’t secure what they can’t see. Require robust logging and telemetry as a non-negotiable when adopting any new AI or cloud platform. Look for tools that let the team unify logs from different sources into a single analytics layer. As AI systems become more autonomous, the company will also need observability into why they’re making decisions, not just what they’re doing.

The coming consolidation

Here’s the good news: market forces will likely drive consolidation over time. Enterprises will eventually narrow the number of platforms they use for sensitive workloads.

Meanwhile, organizations should focus on where their core data resides and bring their AI workloads closer to that data. Fewer control boundaries mean fewer opportunities for misconfiguration or exploitation. Every new platform adds complexity — and therefore risk.

While this innovation offers flexibility, it also makes it trivially easy for users to create unsanctioned connections. It’s a reminder that the very mechanisms designed to improve efficiency can also magnify exposure if not properly governed.

We understand why companies are rushing to deploy AI apps. The productivity and insight gains are real. But if organizations move too fast without the right guardrails, they’ll accumulate technical debt in the form of fragmented governance, inconsistent visibility, and uncontrolled access.

Enterprises can’t afford to treat AI as a special case or bolt-on capability. They must integrate it into the same governance, identity, and observability frameworks that secure the rest of the environment — just at a larger, faster scale.

Every organization will need to find its own balance between innovation and control. But the ones that succeed will recognize a simple truth: speed without governance isn’t progress — it’s exposure.

Brad Jones, chief information security officer, Snowflake

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
