AI can’t scale without data security—here’s why

Accelerating AI adoption and improving innovation, as well as the bottom line, starts with a proactive approach to data security.

AI adoption is growing daily, with 92% of organizations planning to increase their AI investments over the next three years. But despite the enthusiasm, only 1% of leaders say their organizations are “mature” in AI deployment.

While leaders and employees want to move faster, trust and safety are top concerns. Seven out of eight companies have sensitive data exposed to every user—and that data could be surfaced by AI tools.

“Organizations are generating more sensitive data than ever, and AI tools, such as copilots, agents, and chatbots, are surfacing that data faster than humans can control it,” says Yaki Faitelson, cofounder and CEO at Varonis, a leading data security company. “But the biggest challenge isn’t just external threats—it’s internal exposure.”

A single data breach can result in millions—and often tens of millions—of dollars in hard costs for companies. In 2024, the average data breach cost in the financial industry was $4.88 million. The cost was even steeper for the health care industry, with a breach’s average cost topping $7 million.

Dollars aside, a single breach drains corporate resources. IT spends countless hours reporting regulatory requirements, remediating vulnerabilities, and recovering data systems after a security incident. Sales and marketing business units also lose time trying to overcome eroded customer and partner trust and brand reputation.

AI security isn’t something that can be put off.

Security from the start

To ensure an organization is protected, business leaders must consider data security in tandem with their AI initiatives.

Data security involves proactively mapping where sensitive data lives, who has access to what data, and how that access is being used. From there, access is rightsized, so users have only the access they need to do their jobs. Without a secure foundation, corporate secrets can be readily surfaced by AI tools. Once that sensitive data is in the system, it can be difficult—if not impossible—to remove it.

To avoid this data exposure, business leaders must take security a step further. Too many organizations think data discovery equals data security. Yet, tools that locate sensitive data don’t always fix the issues they find.

“If security measures can’t automatically remediate risk—revoke permissions, disable stale users, remove risky apps—then they’re not securing AI,” says Brian Vecci, field chief technology officer at Varonis. “They’re just watching it go off the rails.”

Organizations must take the time to build a secure data foundation for everything that comes next in AI security: monitoring, employee training, and policy enforcement.

Putting people controls in place

Once data is secured at the source, the next challenge is to assess how AI is currently being used and who is using it. Shadow AI—technology used by employees and contractors without permission or oversight by IT—can create multiple problems with enterprise AI. The Varonis 2025 State of Data Security Report revealed that 98% of employees use unsanctioned apps.

As more employees rely on the convenience of using unsanctioned AI tools, it comes with substantial hidden risks, including exposing sensitive data, undermining compliance, and introducing vulnerabilities.

“Whether it’s uploading sensitive files to a chatbot or using shadow AI apps, human behavior is a major risk factor,” says Vecci. “Organizations need to monitor use, enforce policies, and educate teams on what safe AI use looks like. Security isn’t just technical—it’s cultural.”

Because employees can get around security parameters with little effort and create risk within an organization, training and upskilling is critical.

“Every employee needs a baseline understanding of how to use AI safely,” says Dana Shahar, chief HR officer at Varonis. “Shadow AI happens when users don’t understand how data should be handled. Identity compromise happens when they can’t spot an AI-generated phishing attack. The more we upskill our workforces, the more they can innovate with AI without putting their organizations at risk.”

In the age of AI, leaders need to rethink security positions and duties and how to train their workforces to succeed. “We need to equip the next generation of human defenders with the knowledge and tools to focus on what only they can do: Drive secure adoption, build resilient strategies, and make the judgment calls AI can’t,” says Shahar.

AI for the security win

Still, as AI and data continue to mature and scale, humans alone can’t keep up with AI-enabled threats. These vulnerabilities grow much faster than humans can keep up with, so AI-powered defenses are often the best option to protect systems from attack.

Security analysts can use agentic AI as digital assistants that support human teams by handling critical, time-consuming tasks. By deploying these tools to detect, investigate, and respond to threats automatically—and often more quickly and effectively than humans alone—security teams can take back control. Companies must understand that AI is not secure by default. By taking a security-first approach, business leaders can give their organizations the power to harness the potential without the risk. Still, protecting data is an ongoing commitment that organizations must stay tuned into as they scale their AI.

“AI security isn’t a one-time setup. It must start early and continue to reduce risk,” says Vecci. “It’s a living system that needs constant attention.”