
Your Guide to Data Governance in an AI-Driven World

AI tools will be used in your work—here’s how to make them safe

  • If you’re thinking about deploying AI platforms, begin with a focus on data governance to ensure you’re not putting data at risk.
  • Begin with higher-reputation AI platforms: research their data and security posture or draw on independent reputation scores. Even if you develop AI in-house, you’ll need to determine how to manage the ways content will be used and shared.
  • Data loss prevention (DLP) solutions can simplify data governance for AI, making it easier to safely integrate AI tools and to protect the content AI tools generate.

With organizations of all sizes rushing to deploy AI platforms to streamline workflows and even assign tasks to AI agents, concerns about data governance should be top of mind for security teams.

Roughly a third of companies report that AI is fully integrated into their operations, while nearly half say that AI is core to their business strategy. The use cases vary, from streamlining workflows to adopting AI agents that offload multi-step tasks from workers. 

No matter the application, the opportunities for efficiencies and productivity gains are there: EY’s Annual AI Pulse Survey found 97% of business leaders at companies that have invested in AI say they’re already seeing positive ROI from those investments. No wonder 85% of C-suite executives plan to increase spending on AI initiatives in 2025.

GenAI comes with challenges

Generative AI (GenAI) is a subset of AI, and it’s often the first AI application many employees will knowingly use. But just as GenAI tools like ChatGPT and Copilot are boosting productivity, they’re also introducing new challenges to data governance policies. That’s in large part because GenAI gathers data from multiple sources, both internally and externally, and presents it for consumption. And without the right controls in place, your employees may not recognize that some of the information they’re looking for (or about to share) is sensitive. If AI systems modify and create new sensitive content, how are you adapting your data protection systems to accommodate this?

If you’re considering implementing an AI platform for your organization, or even if you already have, it’s critical to think through the various dimensions of your use of that platform, and to establish strategies and policies to monitor and manage data use and output.

How can organizations use AI tools without putting their data at risk?

Practices and tools to avoid

Executives at 95% of companies express worries about the need for enhanced security measures for AI adoption, particularly for protecting data used in GenAI applications. In 2023, Amazon, Apple and 12 other major companies restricted employees from using ChatGPT to avoid data leaks.

Others learned the hard way. Italy’s data protection authority recently fined OpenAI €15 million ($15.66 million USD) over how it handles personal data—over a year after OpenAI failed to call out a security breach.

To keep your business safe from the potential pitfalls of using AI systems, ditch these risky practices and tools:

Automatically assuming open-source AI tools are trustworthy. The major GenAI platforms are certainly famous, but can you trust them with your internal data? Adopting a platform without vetting it could be a big, and costly, mistake.

Unchecked vision. When’s the last time your team assessed your data discovery and monitoring capabilities? Blind spots in visibility across users, applications (including AI) and endpoints—and data at rest, in use and in motion—pose a huge business risk, especially if GenAI is on the table.

Limited or no access controls. AI systems leverage vast datasets—often sensitive—to deliver best results. Without strict access controls to the data, applications and systems feeding your AI, employees can inadvertently, carelessly or purposefully share confidential information. And don’t treat this as a one-off task. You’ll need a system and process in place to ensure that tomorrow’s new data is assessed and controlled in the same consistent way.

Assuming only external-moving data needs to be protected. Don’t assume only public or open source AI platforms pose a risk. Without the right controls in place, enterprise AI or internally developed AI tools can inadvertently expose sensitive data that should be confidential, such as employee compensation details or unannounced product launch plans. 

Disjointed data governance. Don’t invest in policies and guardrails for data that are enforced in one place and not in another. For instance, unified systems might prevent data from leaving your organization by email, yet may not restrict sharing of confidential data when it’s given to an AI tool. Are you inspecting the output of AI tools to identify and protect confidential data?

Secure practices and solutions for AI-ready data

According to Gartner, 2025 will bring a shift towards AI regulation and governance, agentic programs and disinformation security—a more plausible future organizations can start preparing for today.

These best practices and tools can help you reach those new frontiers securely:

Evaluate your needs and solutions. Don’t implement AI just for the sake of having it. AI isn’t a magic bullet, so ask your team: Where do you really need process improvements? What tools help solve those problems, and what are their information security policies?

Scrutinize your external AI options. Do some research to determine which platforms are trustworthy and which might pose problems. Take advantage of web intelligence to find the platform’s reputation score (the closer to 100, the better) and determine whether, and to what extent, public, open-source AI platforms may pull data from your organization into their large language models (LLMs).

Measure your business risk. The types of data shared with AI solutions and how you intend to use them can drastically change your risk. Deep learning models also require a substantial amount of data for training. Do you have in place the policies and tools you need to decide what data is off-limits? This applies to public, enterprise and private AI systems.

Establish your data policies for in-house GenAI. Half of companies use open-source AI. But even if you develop your own GenAI application or use an Enterprise AI tool like Copilot, it’s critical to set guardrails for data use and sharing. This is especially true if your GenAI platform is modifying files or creating new content using data from within your organization. Data loss prevention solutions can either alert users to risks before they make the mistake of sharing sensitive or proprietary data (more on that later), or just apply protection controls automatically.

Engage in risk modeling. Sandbox an AI tool to evaluate its data handling, visualize data loss scenarios, assess risk and uncover security and visibility gaps.

Robust access controls. Unrestricted access to models means your data is at risk of tampering, theft or misuse. Apply granular, role-based access controls (RBAC), continuous authentication and a zero trust approach to all stages of AI workflows. 

Data Loss Prevention (DLP). To secure your employees’ AI use, look for a DLP solution that delivers comprehensive visibility and verifies data meets security and compliance policies before it enters AI systems. Be sure your DLP system is capable of alerting users when their GenAI results contain protected data. The best-case scenario is either to choose a solution that automatically gives users an opportunity to act on alerts, or to automatically protect the data while informing the user about the potential data loss event. Pairing DLP with user risk analytics can help you focus security education and action on the people that matter most.

Unify data management policies. Your DLP solution should be capable of consistently applying existing data governance policies to your applications, websites and tools that use AI—the same policies that exist on endpoints, networks and elsewhere across your entire environment. Understand what data is being sent into, and coming out of, AI-based tools.

Website categories. With new AI-enabled SaaS applications appearing daily, no team could realistically keep up with an allow/block list approach. Here, AI website categories (which should be supported by your web security or CASB solution) can keep you on the straight and narrow. They’ll allow you to control the AI websites and applications you access while monitoring content against all your existing DLP rules to ensure nothing leaks.

Start here to safely implement AI 

Data governance in the age of AI doesn’t have to be daunting. DLP solutions can simplify the task of monitoring and managing how GenAI systems use your data, while incorporating guardrails for users so they don’t make a mistake everyone will regret. The right DLP solution can make it easy from the start by applying all your pre-existing DLP policies to AI platforms, so there’s no need to start from zero.

DLP does much more than that, however. It helps you discover your data, understand if it's sensitive, ensure it is classified and labeled, and set controls to stop sensitive data (or any other restricted data) from being consumed by AI. An advanced DLP solution does this by:

  • Identifying and tracking data and shadow data across AI tools, cloud applications, email, web, networks and endpoints
  • Enforcing strict data security and compliance policies on AI systems
  • Safeguarding confidential data from accidental exposure in AI-powered workflows
  • Streamlining and automating incident response for faster resolution of AI-related data security incidents
  • Helping organizations meet global data privacy and regulatory requirements, including emerging AI governance mandates

This is AI we’re talking about, so the list of innovations and benefits will just continue to grow. In time, DLP systems might even use AI to better educate users about the risks and the corrective actions they can take.

Don’t let AI jeopardize your data governance efforts. Mighty updates are coming this year to Symantec DLP to help organizations secure their data for AI use in 2025—and beyond. To see how DLP works to defend your most sensitive data, watch this quick video.


About the Author

Tobias Pischl

Head of Product Management, Information and Email Security

Toby leads Product Management for the Information and Email Security portfolio at Symantec, including CASB, Data Loss Prevention and Email Security products. He has over a decade of experience in product management and 20 years of experience in cyber security.
