Scott Kopcha witnessed what CISOs everywhere are seeing: employees eager to use artificial intelligence, whether through public models or custom AI tools, accessing company data at a breathtaking rate and volume.
Kopcha already had a mature data protection strategy in place; as a law firm, his organization had a long history of safeguarding sensitive data. Still, Kopcha, CISO at law firm Goodwin Procter, knew his firm’s data protection strategy needed to evolve.
“Whenever you start breaking down these different types of AI models, you see there are seven or eight different ways they can interact with your data, and our tools weren’t necessarily set up to provide the breadth of monitoring and protective capabilities required,” he says.
He added another protection layer that classified and tagged data based on whether it could be used with AI and in what circumstances. He invested in new tools to support that layer, and he’s monitoring the vendor landscape for emerging capabilities that could further boost his data protection program.
Kopcha’s data protection strategy also calls for an evaluation of new technologies being deployed by the firm to determine whether new controls are needed for them, a move he says ensures protection keeps pace with technological innovations.
“The idea is to be able to show anyone who comes to ask that you’ve done your due diligence, and you’ve done your due care,” he says.
Kopcha is not alone in that quest.
Many CISOs are working to mature their data protection strategies, driven primarily by the explosion of AI use. That has them rethinking policies, procedures, and their tools as well as how they make decisions and how often they need to revise their data protection plans.
“Data has always been the lifeblood of the enterprise. What’s changed is the convergence of pressures making data protection exponentially harder,” says Chris Cochran, field CISO and vice president of AI security at the SANS Institute. “AI has made the traditional perimeter largely irrelevant. Employees are using unsanctioned AI tools for work at a pretty alarming rate, pasting source code and customer data into consumer-grade models. One of the problems is that it doesn’t look or feel like exfiltration. Layer on expanding data sovereignty requirements, regulators now issuing guidance specifically on AI data security, and the looming reality of what encryption looks like post-quantum, and you understand why this has become a board-level conversation.”
Factors driving strategy evaluations
CISOs, security experts, and data practitioners cite the expanding use of AI in the enterprise as the main reason they’re rethinking their data protection strategies.
“AI is exposing more sensitive information as [workers] are taking that information and typing it into LLMs,” says Errol Weiss, CSO at Health-ISAC.
AI tools make it easy for employees to expose sensitive data, Weiss says. They can quickly input protected information into a public AI model to tackle everyday tasks, thinking they’re working efficiently without realizing the data privacy risks they’re taking. “We now have hundreds of thousands of people using the technology that way today,” he adds.
But other factors are prompting CISOs to reassess their data protection policies and practices, too. They include the ever-increasing speed and volume of data generation, expanding attack surfaces, increasing regulatory pressure, a growing focus on operational resilience, and AI-enabled cyberattacks.
Research shows that the vast majority of organizations are taking action. According to the Cisco 2026 Data and Privacy Benchmark Study, 90% of organizations have expanded their privacy programs because of AI, 43% have increased privacy spending over the past year, and 93% plan to allocate more resources in the next two years to privacy and data governance due to the growing complexity of AI systems and expectations of customers, clients, and regulators.
Dan Mellen, global and US cyber CTO at professional services firm EY, says improvements are needed in most organizations.
For example, many organizations do a poor job at data classification and data tagging, two vital steps for ensuring adequate security controls are applied to sensitive data, he says. “We’ve seen countless examples where the right guardrails aren’t in place,” he adds.
Many IT leaders are also finding that some technologies they implement for data protection are not capable of addressing their needs as AI advances, particularly for agentic AI deployments, Mellen says. For instance, not all data loss prevention (DLP) tools monitor lateral data movement between servers or workloads and instead only deliver perimeter defense, he says.
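The classification-and-tagging layer Kopcha describes, and the guardrails Mellen says are often missing, come down to an enforcement point that decides, per piece of data and per AI destination, what may be sent. The following is an added illustration of such a gate; it is not code from Goodwin Procter, EY or any vendor named in this article. The tag names, the three destination tiers and their caps, the default for untagged data, and the content-detection patterns are all assumptions chosen for the example. Tags fail closed (an unknown tag is treated as the highest sensitivity, untagged data is not treated as public), and pattern detectors act as a backstop for data that was never tagged or was tagged too low.

```python
"""Added example: gate outbound AI prompts on classification tags and destination.

Not the code of any organization or vendor named in the article. Tag names,
destination tiers, caps and detector patterns are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3  # e.g. client-privileged material, PHI, credentials


# Assumed destination tiers and the highest sensitivity each may receive:
# a consumer model (no contract, may train on inputs) gets only public data;
# a vendor model under a data-processing agreement gets up to confidential;
# a self-hosted model inside the tenant may see restricted data.
DESTINATION_CAP = {
    "consumer-llm": Sensitivity.PUBLIC,
    "enterprise-llm": Sensitivity.CONFIDENTIAL,
    "private-llm": Sensitivity.RESTRICTED,
}

# Constructed content detectors, used as a backstop when tags are missing or
# wrong. Each pattern maps to the sensitivity its presence implies.
DETECTORS = {
    "us-ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), Sensitivity.RESTRICTED),
    "aws-access-key-id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), Sensitivity.RESTRICTED),
    "pem-private-key": (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), Sensitivity.RESTRICTED),
    "privilege-marking": (re.compile(r"(?i)\bprivileged\s*(?:and|&)\s*confidential\b"),
                          Sensitivity.CONFIDENTIAL),
}


@dataclass
class Decision:
    action: str          # "allow", "redact" or "block"
    level: Sensitivity   # effective sensitivity of what was submitted
    reasons: list        # why the gate decided as it did (for audit logging)
    text: str            # text forwarded to the model ("" when blocked)


def tag_level(tags):
    """Highest tag wins. Untagged data is INTERNAL and an unknown tag is
    RESTRICTED, so the gate fails closed instead of treating unclassified
    data as public."""
    if not tags:
        return Sensitivity.INTERNAL, ["untagged: defaulting to INTERNAL"]
    level, reasons = Sensitivity.PUBLIC, []
    for tag in tags:
        try:
            lvl = Sensitivity[tag.upper()]
        except KeyError:
            lvl = Sensitivity.RESTRICTED
            reasons.append(f"unknown tag {tag!r}: treated as RESTRICTED")
        level = max(level, lvl)
    return level, reasons


def gate_prompt(text, tags, destination):
    """Decide whether TEXT, carrying classification TAGS, may go to DESTINATION."""
    cap = DESTINATION_CAP.get(destination)
    if cap is None:
        return Decision("block", Sensitivity.RESTRICTED,
                        [f"unknown destination {destination!r}"], "")

    level, reasons = tag_level(tags)
    if level > cap:
        # The classification itself forbids this destination; nothing to redact.
        reasons.append(f"tag level {level.name} exceeds {destination} cap {cap.name}")
        return Decision("block", level, reasons, "")

    # Tags permit the destination; now check for content the tags may have missed.
    redacted = text
    for name, (pattern, lvl) in DETECTORS.items():
        if not pattern.search(redacted):
            continue
        level = max(level, lvl)
        if lvl > cap:
            redacted = pattern.sub(f"[REDACTED:{name}]", redacted)
            reasons.append(f"detector {name} hit: redacted")
        else:
            reasons.append(f"detector {name} hit: within cap")

    action = "redact" if redacted != text else "allow"
    return Decision(action, level, reasons, redacted)


if __name__ == "__main__":
    # Constructed sample prompts.
    memo = "Summarize: deal terms are PRIVILEGED & CONFIDENTIAL, fee cap $2M."
    print(gate_prompt(memo, ["confidential"], "consumer-llm").action)    # block
    print(gate_prompt(memo, ["confidential"], "enterprise-llm").action)  # allow
    creds = "Why does this fail? key AKIAABCDEFGHIJKLMNOP, owner SSN 123-45-6789"
    d = gate_prompt(creds, ["internal"], "enterprise-llm")
    print(d.action, d.text)                                              # redact ...
    print(gate_prompt("hello", [], "consumer-llm").action)               # block (untagged)
```

The gate covers only the prompt egress path an employee or a sanctioned application uses to reach a model. It says nothing about data moving laterally between servers or workloads, which is the gap Mellen points to in perimeter-only DLP tools; that traffic needs its own enforcement point, and the tag semantics above would have to travel with the data for it to apply there.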
Mike Baker, vice president and global CISO at DXC Technology, uses the term “data sprawl” to describe the growing amount of data on the move, something that accelerated first with cloud computing and now with AI.
Like other CISOs, Baker is re-examining his data protection program to ensure he and his team “really understand where our data is, understand the sensitivity of the data across our estate, how it’s being accessed, and what environment the data is in.”
To that end, he’s deploying best-of-breed tools to identify, discover, and classify data as well as to manage access to it and continually monitor data flow. He has also implemented a zero-trust security framework.
Furthermore, Baker is now holding more ad hoc meetings, in addition to quarterly sessions with business leaders, to ensure the data protection strategy remains aligned with the business strategy and that it can keep up with changes in the company’s technology and business environments.
Not all organizations are taking such actions, however.
For example, 20% of execs said their organizations don’t monitor their privacy programs, according to the 2026 State of Privacy Report from ISACA, a nonprofit association for governance, risk, security, and assurance professionals. Report authors called that “concerning, as these respondents do not have a way to evaluate their privacy program’s progress or identify areas for improvement.”
Key areas of action
Organizations with immature data protection strategies need to quickly catch up, experts say. Regardless of where they are on the maturity scale, everyone can do better, they add.
“They have a lot of work to do,” says Pam Nigro, vice president of security at Medecision and an ISACA board member.
Nigro says companies in heavily regulated industries such as healthcare, as her company is, tend to have mature data protection programs. They’re also more likely to regularly review their strategies and aim for continuous improvement, she adds.
Nigro reviews her data protection strategy nearly monthly to ensure its practices and policies keep up with the company’s evolving technology and business plans.
As called for in her data protection strategy, Nigro’s team reviews how new technologies will use company data to determine whether new controls are needed; monitors traffic flow; and evaluates emerging data protection and security technologies for potential use.
In addition, security leaders offer other actions CISOs can take to mature their data protection strategies and programs.
Mike Aiello, a former CISO at Goldman Sachs and now a partner with AllegisCyber Capital, suggests working collaboratively with other executives to understand the likelihood and impact of data breaches, “so you know what money to spend on what controls and what data to prioritize protecting as opposed to focusing on ambiguous risks.”
Make identity and access management a central part of your data protection strategy, Aiello advises. The ability to recognize and control who (whether human or machine) is authorized to access what data is essential for preventing breaches and complying with regulations.
Aiello also advises security leaders to have a strategy that addresses data provenance, as it ensures security teams can enforce integrity, trust, and compliance throughout the dataset’s full lifecycle.
And have a strategy for regularly evaluating emerging tools, especially those that use AI, to ensure the organization’s data protection program can benefit from evolutions within the vendor space.
Jeremy Koppen, CISO at Equifax, says the “spotlight’s getting brighter” on data privacy, noting that the company had created its Security and Privacy Controls Framework years ago to manage both. (Equifax made the framework available to the public in 2023.)
The company’s strategy has called for continuing evolution, which has included moving to a passwordless environment; continually tuning and refining tools to align them to the company’s internal rules and control framework; focusing on automation and prioritization; and co-innovating with vendors on product and service enhancements.
“Staying ahead,” Koppen says, “requires a relentless focus on evolving our guardrails to protect every new way our data is being used and accessed.”