AI adoption is outpacing existing data security controls and creating new exposure patterns. Fragmented tools and siloed platforms are primary drivers of blind spots when it comes to data classification, access control and incident detection. And limited or non-unified visibility across hybrid and multi-cloud environments is increasingly challenging to manage, especially as AI-driven workflows move data between the cloud, SaaS and on-premises systems. In the enterprise setting, most of the meaningful AI risk doesn’t originate in the model, but rather in the data the model is given access to, the permissions that govern that access, and the security and governance policies that were (or were not) in place prior to AI integration.
The Microsoft 2026 Data Security Index found that 32% of the companies surveyed across multiple countries had experienced a data security incident involving generative AI. The Index also found that inconsistencies in policies and governance across tools and environments make it hard for companies to enforce a coherent set of controls for AI scenarios. In short, the decisive risk surface for AI is the data estate and the controls around it.
Key takeaways
- 32% of organizations surveyed in the Microsoft 2026 Data Security Index experienced a data security incident involving generative AI, with inconsistent governance and fragmented tools identified as the primary drivers.
- In enterprise environments, the most material AI risks are typically driven less by the model itself and more by the data it can access, the permissions governing that access, and the strength of existing data governance and security controls. Generative AI tends to amplify pre‑existing weaknesses in data classification, ownership, and access management rather than introduce entirely new categories of risk at the model layer.
- Governance and security are not the same discipline. Governance defines ownership, accountability and policy. Security enforces controls and detects threats. Weakness in either creates exposure that the other cannot compensate for.
- Assessing the current data estate, including classification maturity, access control gaps, data lineage and governance policy drift, is the first and most critical step before any AI program goes live.
- Mint’s approach to secure AI deployment addresses both governance and security architecture before deployment begins, ensuring AI operates on a data estate that is classified, controlled and auditable.
The AI security risk rests in the model
AI adoption and data security can’t be treated as separate initiatives. As generative AI becomes increasingly embedded in daily operations, it is equally critical that companies prioritize visibility, governance and protection and apply these consistently at the data layer.
Data underpins how AI functions and the value it provides. AI systems reason over whatever they can access, so a model operating on ungoverned, over-permissioned or poorly classified data will produce outputs that reflect those failures. Agents that are insufficiently governed can expose sensitive data, act on malicious prompts or leak information in ways that are difficult to detect and expensive to repair.
This challenge is particularly relevant in environments where AI interacts with structured financial, operational and workforce data and where employees are accessing AI tools through personal devices and bypassing corporate controls.
How do governance and security change the narrative?
Governance and security are related, but not interchangeable. Governance defines ownership, accountability, policy and oversight. Security enforces controls, protects access and detects threats. A company with strong security tooling and weak data governance will have well-protected access to data it doesn’t fully understand. An organization with clear governance policies and weak security will have well-classified data that’s inadequately protected. The gap between the two is where AI risk rests.
It also doesn’t mean that your organization is now stuck between an endpoint and a tough data governance place. There are strategies you can adopt to change how you approach AI to ensure it doesn’t end up causing more problems than it solves, and the first step is to assess your current data estate. This means understanding key factors such as ownership, classification maturity, access control gaps, lineage and governance policy drift. Over-permissioned content needs to be identified, unlabeled data flagged, and you need to develop a shared governance model across IT, compliance and business ownership.
How does Mint simplify data governance for AI?
Mint has developed a customized approach to secure AI deployment that ensures your data governance and security are aligned before AI has signed on the dotted line. From assessing your data estate to implementing rigorous controls to building an agile and comprehensive data governance architecture, Mint ensures you have the depth and accountability your enterprise AI program needs to deliver the value you want.
Speak to Mint about assessing your data governance posture and building a secure foundation your AI program can rely on.