
Data Governance and the Mandate for Tougher Security in 2025

By Manuel Sanchez | December 9, 2024 | 6 Mins Read

The challenges around data governance are evolving rapidly, driven by the swift adoption of generative AI, stringent regulatory requirements, and heightened cybersecurity risks. As we approach 2025, organisations are realising that traditional approaches to data governance are no longer sufficient.

At the same time, longtime aspects of cybersecurity such as Zero Trust and multifactor authentication (MFA) are taking on new importance, going from optional to imperative – and helping to underpin security, compliance, and governance efforts.

It’s worth taking a closer look at these areas to see what kind of impact they’re having and what steps organisations need to take in the coming year to stay ahead of the curve.

Generative AI spurs new data governance challenges

The swift uptake of generative AI has added complexity to data governance due to the vast amounts of data used to train the large language models (LLMs) that underpin these tools.

There are several key concerns here, including the location of data and the location of the actual AI processing of that data. The possibility of data being processed somewhere other than where it normally resides can create data sovereignty issues – think here of EU-based companies using US-based AI tools. Moreover, generative AI’s use of sensitive or privileged information raises confidentiality concerns.

To mitigate these risks, organisations should consider centralising data in a system like a document management system (DMS) to better control what is used for AI training. This is a more structured way to enforce security policies around documents, while effectively curating knowledge assets for the AI to tap into. Additionally, using a platform approach that brings together AI and document management helps ensure that the data being fed to AI remains within the specific data center that the DMS utilises, reducing data sovereignty and geolocation risks.

Regulations create new requirements

Beyond managing the data governance challenges created by generative AI, organisations must also carefully monitor changing regulatory requirements to maintain compliance with appropriate laws.

The European Union introduced GDPR several years ago, and in the United States, California has been at the forefront of implementing data privacy laws with its California Consumer Protection Act (CCPA). These directives are becoming more widespread as more states introduce similar legislation modeled on CCPA.

Additionally, the National Institute of Standards and Technology (NIST) placed a new emphasis on data governance as a foundational principle in its recently released Cybersecurity Framework 2.0 (CSF 2.0), underscoring the importance of proper data governance.

In this kind of environment, public awareness of data rights increases – and right along with it, the volume of Data Subject Access Requests (DSARs). DSARs will exert additional pressure on organisations to develop capabilities for managing and retrieving personal data efficiently.

Streamlined data management is crucial for ensuring regulatory compliance and maintaining customer trust. Organisations need to understand what data they possess, where it is located, and what data retention and data governance measures for disposition they have in place. Again, having a centralised location for data – rather than having it scattered across multiple systems – can help organisations wrap their arms around this problem.

Phishing threats persist

If generative AI and some of the more recent regulations seem like the “new kids on the block” when it comes to data governance challenges, phishing is more of “an oldie but a goodie” – but that doesn’t make it any less relevant for 2025.

Phishing remains a persistent threat for organisations of every stripe, and unfortunately, generative AI has only turbocharged the ability to launch phishing attacks at scale, and with a greater degree of sophistication than ever before.

To counter this threat, educating the entire organisation is crucial. End user awareness of what phishing looks like and the most common types of attacks can make a significant difference in preventing data breaches. Phishing simulations go a step further to highlight vulnerable areas and ways to reinforce good cybersecurity practices.

Additionally, applying a Zero Trust framework mitigates this risk by strategically controlling data access. Zero Trust is an overarching strategy that focuses on allowing access to data and systems only to those users with legitimate authorisation – establishing a resilient defense system to help blunt the impact of phishing attacks.

MFA gathers momentum

The discussion of Zero Trust brings us to another element of cybersecurity that is expected to gain more traction in 2025: MFA.

While MFA has thus far been a slow-burning trend, it is expected to gather momentum in 2025 in no small part because Microsoft will be making MFA a default requirement for Azure. This move is part of their broader commitment to enhancing security across their services: By enforcing MFA, Microsoft aims to significantly reduce the risk of unauthorised access and account compromise.

As Microsoft goes, so too do other companies. And the catalyst for MFA adoption comes on other fronts as well.

Cyber insurance providers, recognising the critical role of MFA in risk mitigation, are already making it a non-negotiable requirement for policy coverage. Government and regulatory bodies are equally influential in this push towards MFA.

The practical advice here is that MFA should be switched on by default with the strongest available options – full stop. One of the primary principles behind Zero Trust is that you make it simple to implement – and strong MFA is a good starting point for your journey towards Zero Trust. Organisations that fail to embrace MFA, perhaps due to the balance between security and usability, could find themselves out of step as new security threats emerge.

Fortify your future

As organisations enter 2025, data governance will take center stage as a priority. Increased adoption of generative AI, coupled with stricter regulatory landscapes and a relentless surge in phishing threats, presents a triad of challenges that demand a comprehensive re-evaluation of data governance strategies. At the same time, additional protection beyond password-only access with multi-factor authentication will emerge as a vital mandate, driven by the dual forces of compliance and security. By embracing these changes and proactively adapting to the new environment, organisations can better safeguard their data, manage their risk, and protect themselves in the year ahead.

Manuel Sanchez

Manuel Sanchez is Information Security & Compliance Specialist at iManage with extensive professional experience in information security, governance, and compliance.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
