COMMENTARY: AI has broken the privacy controls in organizations around the world. Modern privacy risks are not always tied to external breaches or malicious insiders.More often, they stem from something quieter and more pervasive: well-meaning employees using AI tools on top of a legacy data infrastructure.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]As security and privacy teams focus on protecting their data from last year’s threats, AI systems have accessed and acted on sensitive data without governance, accountability, or traceability.In the age of AI, if we have not secured our data, attackers will exploit it. There’s no more privacy through obscurity.How AI changes the shape of riskAI does not behave like a human user. For example, people don’t know how to navigate across data sprawl, but AI looks at everything. People can only access a limited amount of information, but AI systems operate at-scale. People don’t try to access data that they shouldn’t have permission to, but AI systems can read everything. AI has become the terrifying “user” that can access, analyze, and summarize large volumes of private data in seconds.When data access gets overly permissive, there’s nothing to stop these AI processes. No alerts fire. No warning lights flash. No klaxons sound. Yet sensitive data may get exposed, reused, or propagated in ways that are difficult to detect and even harder to justify.It’s what makes AI-driven privacy risk so challenging. The exposure often gets authorized, automated, and runs invisibly until an auditor or customer poses uncomfortable questions.Questions security teams need to askHere are four questions teams need to ask about modernizing their data privacy environments with AI:If top management lacks clear answers to those questions, innovation and ambition will fall short, and the organization will sign up for enormous corporate risk. It’s time to redesign the company’s data environment with AI in mind. AI gets built on corporate data, so it requires stronger foundations.Traditional data governance was built around people. Users logged in. Actions were reviewed. Exceptions were investigated. That model breaks down when systems operate continuously and autonomously.In an AI-driven environment, governance must evolve to reflect machine-driven access. Organizations need to define what data automated systems can access by default, under what conditions they can take action, and how that activity gets monitored and explained over time.Strong governance starts with clarity. Clear ownership of data. Clear classification of sensitive information. Clear limits on what the company will let automation do. We’ll also need ongoing visibility into how data gets accessed and used, not only by people, but by AI systems acting on their behalf.Without those guardrails, AI adoption increases risk instead of reducing it.Why historical context mattersAI governance requires context – and that’s one of the larger challenges in the AI era. Today, it’s not enough to know what data exists. Organizations also need to understand how that data has changed over time, who has had access to it, and how it has been used.It’s a critical perspective to have the data history when investigating incidents, responding to audits, or validating automated decisions. It lets teams reconstruct what happened and why, rather than relying on assumptions or incomplete records.In an AI-driven environment, governance without context becomes guesswork. Context makes governance defensible.As AI becomes embedded into everyday workflows, privacy leadership has shifted. It’s no longer just about preventing misuse after the fact, it’s about preparing systems, policies, and data environments so automation can operate safely from the start.Organizations that invest in modern governance can move faster with AI because they trust the foundations beneath it. Those that do not often face a constant tradeoff between innovation and risk, slowing adoption to avoid exposure.Over time, that gap will widen. AI will reward organizations that treat governance as an enabler, not an obstacle.The path forwardAI does not introduce entirely new privacy challenges. It magnifies the ones that already exist. Weak data governance that was manageable in a human-centric world becomes a serious liability when machines are involved.Moving forward, we can strengthen governance before AI turns small gaps into large exposures. Modernizing for an AI era means defining clear boundaries for what agents can access and do, and making outcomes traceable, auditable, and explainable.We do not have to tackle this challenge alone. Organizations can begin with the NIST AI Risk Management Framework (AI RMF 1.0) or something similar. It offers a structured approach that addresses how to handle the AI systems and ensures that risk management gets integrated into the entire lifecycle.In the age of AI, strong data governance has become a core requirement for privacy, trust, and responsible innovation, not something the back-office people quietly handle.Stephen Manley, chief technology officer, DruvaSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
- Where does sensitive data actually live?
- Which employees are accountable for it?
- What decisions should we let machines make on their own?
- How can we audit or explain AI-driven outcomes?




