Effectively managing data governance in the AI era
By Gareth Cox (pictured), Vice President Sales Asia Pacific and Japan, Exabeam
In April 2023, engineers at a major telecommunications company found themselves at the centre of an unwelcome global spotlight after uploading proprietary source code and confidential meeting notes to a prominent large language model.
Headlines warned of catastrophic data leaks and boards demanded briefings. Within weeks, corporates across sectors moved to ban or heavily restrict the use of generative Artificial Intelligence (AI) tools.
The alarm was understandable. The response, however, warrants closer scrutiny.
Those early incidents triggered a wave of fear, uncertainty and doubt that continues to reverberate through the enterprise. Rather than fostering considered, risk-based adoption, many organisations defaulted to blanket prohibition. AI tools were blocked outright.
In doing so, companies took comfort in the appearance of cautiousness. In practice, many curtailed their own capacity to capture productivity gains and competitive advantage from a rapidly maturing technology.
The core issue is often misunderstood. The primary risk is not that AI systems are inherently malicious. It is that most of these tools are cloud-based services. As with any cloud product, the exposure arises when sensitive information is uploaded without appropriate controls. Data placed in the wrong environment can be difficult to retrieve and harder still to govern.
The more constructive path is not prohibition, but policy. Organisations should treat AI platforms as they do other cloud services: implement clear data-handling standards, define permissible use cases, deploy technical safeguards and educate staff. Managed properly, generative AI represents an operational tool, not a ticking time bomb.
Be clear on the risks
The telecom company’s incident revealed something important about how organisations currently think about data security in the AI era. The immediate reaction treated AI tools as a new class of threat requiring new defences. In reality, however, they represent a problem seen before – just with different interfaces.
When employees upload data to any cloud service, whether it’s a generative AI (GenAI) platform or a document collaboration tool, the core risk remains unchanged. Data leaves the organisation’s perimeter and it loses direct control.
This therefore then becomes a somewhat typical data governance problem that AI simply made more visible to executives and security teams who hadn’t been paying close attention to how cloud adoption had already transformed data boundaries. This distinction and shift in perspective matters profoundly because it fundamentally changes how organisations should respond to the risk.
If AI is treated as a unique and novel threat, walls will be built that isolate it from productive use. However, if it’s treated as another cloud service requiring appropriate governance, an organisation can move forward with the necessary guardrails that enable safe adoption.
The real challenge is balancing safe adoption with genuine productivity gains, while avoiding the overcorrection that leaves transformative AI capabilities locked away in a compliance vault while competitors move forward.
Establishing clear guidelines
Many organisations adopted acceptable use policies that mirror the major telecom’s post-incident reaction. This approach remains common where security teams, tasked with protecting data, are simply defaulting to total restriction.
It’s the safe play while technically defensible, easy to explain, and transfers risk away from the security function but limits the forward motion of innovation and holds a cap on potential.
The answer for security and IT leaders isn’t paranoia, it’s structure. By creating clear, enforceable rules, organizations can enable AI adoption while protecting the business.
The foundation of any effective AI governance model starts with visibility and control. Create a living list of sanctioned AI tools tied to enterprise accounts like personal accounts and shadow IT. Once this visibility has been achieved, it’s appropriate to require all AI usage through company-issued credentials, ensuring every login is accountable and logged. When it’s possible to trace who accessed which tool and when, it’s also possible to create records that support both compliance requirements and incident investigation.
A time for action
The telecom company’s misstep has become something of a cautionary tale. Yet in the process, it has diverted attention from the more substantive discussion the industry needs to have about generative AI. The prevailing narrative hardened into “AI is too dangerous to use”, when the more measured conclusion should have been that powerful technologies today demand disciplined management.
Organisations whose policies amount to a blanket prohibition may be guarding against the wrong threat. The greater risk is rarely that AI systems will spiral out of control; it is that employees will adopt them regardless, without oversight or guardrails. Such unmanaged use is precisely what creates the prospect of data leakage and compliance breaches. By contrast, structured adoption – underpinned by clear policy and robust governance – delivers visibility, traceability and the capacity to detect and respond to genuine incidents.
The next phase of AI adoption in corporate Australia is likely to produce a clear divide. On one side will be organisations that invested early in governance frameworks and encouraged responsible experimentation. On the other will be those that erected prohibitive barriers, only to drive AI use underground. The former stand to capture productivity gains while preserving security. The latter may confront incidents they struggle to detect, let alone prevent.
