Data as a cybersecurity priority: new challenges in the age of AI
AI is reshaping cybersecurity. Gartner estimates that by 2028, 50% of incident response efforts in enterprises will focus on cases related to custom-built AI applications. In practice, this means that cybersecurity can no longer be separated from rigorous data management: what information goes into the models, who accesses it, how it is used and how it is controlled.
This change is not solely the responsibility of cybersecurity teams. It focuses on data, access and information management as a key component of the strategy, particularly in hybrid environments where proprietary software, third-party services and generative or agent-based AI solutions coexist.
AI expands the attack surface
In this context, Gartner warns that many custom-built AI applications are going live before they have been fully tested, a shortcut that makes it difficult to secure them over time.
AI is no longer just about innovation: it is also a risk
These are living systems: they evolve, learn, integrate with more data sources and are embedded into more processes.
And at that pace, new vulnerabilities are emerging, ranging from prompt injection to data misuse and, above all, a loss of visibility over what information is accessed, how it is transformed and where it ends up.
In practice, the game is no longer played solely on the perimeter or using the usual tactics. Success (or failure) depends on the ability to manage data: what goes into the model, with what permissions, under what rules, and with what traceability.
Data: an operational priority
The transformation is not limited to isolated incidents. The big change lies in the data. Gartner predicts that by 2030, 33% of IT work will be devoted to addressing AI-related ‘data debt’, a sign that many organisations still do not have the data ready for the secure and scalable use of artificial intelligence.
The second warning is even more direct. By 2027, manual AI compliance processes could leave 75% of regulated organisations vulnerable to fines exceeding 5% of their global turnover.
75% of regulated organisations could face fines exceeding 5% of their turnover
This pressure is driving the replacement of manual controls with automated governance, risk and compliance frameworks capable of keeping pace with the reality of AI.
Consequently, factors such as quality, classification, traceability and access control cease to be merely best practices and become operational requirements. If the data is poorly managed, AI exacerbates the problem.
If it is well structured, the organisation reduces risk and becomes more responsive.
Cloud sovereignty and identity: two fronts that are redefining risk
These forecasts point to a clear convergence: cybersecurity, data and AI are no longer separate. They share a perimeter and share the risk. And to that landscape are added two fronts that are gaining their own momentum: cloud sovereignty and identity visibility.
On the one hand, Gartner estimates that by 2027, 30% of organisations will require full sovereignty over their cloud security controls to respond to geopolitical instability and local regulatory requirements. This needs a review of architectures, dependencies on suppliers, and also the physical and logical location of the data, particularly in environments where the cloud is ‘tied’ to third parties and operational control does not always align with business requirements.
30% of companies will require full cloud security sovereignty by 2027
At the same time, it forecasts that by 2028, 70% of CISOs will use identity visibility and intelligence capabilities to reduce the IAM attack surface and the risk of credentials being stolen or compromised.
Identity is establishing itself as the gateway to data. And the problem is growing: more human and machine identities, more scattered tools and, consequently, more blind spots.
The solution lies in combining visibility, combining identity intelligence and automating corrections. Detect issues earlier, adjust access more quickly and close gaps with less friction.
Security and data: one and the same conversation
Gartner’s forecast reinforces a key point: cybersecurity, data and AI are converging. And they do so for a practical reason. According to the report, by 2028 more than 50% of companies will be using AI security platforms to protect both third-party AI and their own applications, thereby centralising visibility, enforcing consistent policies and strengthening control over AI activity.
This shift is changing the division of roles within organisations. Data teams are taking on a more strategic role, because without data governance there can be no sustainable security. Collaboration between data managers, AI leaders and cybersecurity specialists will be key to implementing data discovery, risk assessment, sovereignty management and access remediation before a problem escalates and becomes an incident.
A takeaway for business
The conclusion is clear: the challenge is no longer simply ‘having AI’, but operating it without losing control over data, identity and technological sovereignty.
Data, identity and sovereignty: the new decision-making triangle
Gartner identifies this intersection as a risk and predicts that AI security will become a higher priority on the operational agenda.
Organisations that integrate security, data governance and AI by design will be better positioned to respond to incidents, reduce exposure and scale with less friction.
In this context, AI safety is no longer merely a technical issue in isolation. It becomes a cornerstone of operational resilience. And that resilience is built on a simple yet strategic question: what data is used, who has access to it, where is it stored, and what can AI do with it?