Most organisations still don’t have a clear view of where their sensitive data resides. The shift from traditional on-premise IT to hybrid environments has fundamentally changed the risk landscape. Today, 90% of IT leaders are managing distributed hybrid estates, which increases the potential for scale and innovation but also creates visibility gaps that attackers can actively exploit.
Managing and securing data across these diverse ecosystems presents a significant challenge. Over a third of organisations cite the difficulty of securing data across multiple environments, while 30% struggle with a lack of centralised management and 29% report challenges maintaining visibility over cloud-based data. When organisations can’t clearly see where their most sensitive data lives, who can access it and how it moves, they are left trying to protect what is effectively invisible.
The visibility gap undermines security strategies
There is no doubt that the move to hybrid cloud environments has given businesses increased flexibility and scalability to remain competitive. However, as data estates grow more complex, security teams are being asked to protect an expanding attack surface without a unified view of where the risks truly sit.
To build a more resilient security posture in hybrid environments, organisations need to take practical steps to regain control. That starts with identifying mission-critical applications and the data that underpins them. Maintaining a clear inventory of an organisation’s “crown jewels” is essential for prioritising protection and triaging recovery efforts.
Centralising data security management is equally important. Fragmented tooling and siloed visibility make it difficult to enforce consistent policies or respond quickly to threats. A unified data security platform can provide a single control plane across on-premise and cloud environments, improving visibility, governance and recovery readiness across the entire estate.
As attackers increasingly look to exploit AI systems, security teams also need AI-driven threat detection to surface risk in real time and respond before threats escalate. At the same time, adopting a Zero Trust security model helps reduce the impact of compromised credentials by ensuring that no user, device or application is inherently trusted.
Agentic AI is complicating matters
Agentic AI is becoming embedded across business operations, often operating quietly in the background. These systems require broad permissions to function effectively, giving them access to far more sensitive data than traditional technologies. If that access isn’t tightly governed, the risk of unintended exposure or misuse rises quickly.
For example, tools such as OpenClaw require extensive permissions, including access to API keys, tokens and system-level controls. This creates powerful non-human identities that often sit outside traditional identity and access management governance. Exposed credentials, identity sprawl and persistent memory poisoning can all provide attackers with long-lived access to critical systems.
If a single agent is compromised, its autonomous capabilities can dramatically expand the blast radius. Without a user even realising, agents can execute commands, modify files and interact across multiple cloud environments. The result is a heightened risk of data exposure, operational disruption, regulatory consequences and reputational damage.
As AI systems take on greater autonomy, organisations must rethink how much trust they extend to them and how they maintain visibility and governance over the data these agents can access. For already stretched security teams, understanding where sensitive data sits and how AI systems interact with it is becoming increasingly difficult.
Data protection must evolve into cyber resilience
To manage the data privacy risks introduced by agentic AI in particular, organisations need to move beyond simply monitoring behaviour or setting high-level guardrails. Visibility into what an AI system has done is useful, and restrictions can reduce accidental misuse, but neither is sufficient on its own when sensitive data is involved.
If an AI agent accesses the wrong dataset or exposes personal information, knowing that it happened does little to contain the privacy risk. Organisations need mechanisms that allow them to quickly limit exposure and restore the data so that the business can operate as usual.
Organisations that succeed will be those that treat data visibility as foundational to security. You can’t protect what you can’t see, but with the right visibility, governance and recovery capabilities in place, organisations can still protect what matters most.
Richard Cassidy
Richard Cassidy, CISO for EMEA at Rubrik, is a multifaceted leader with over 25 years of experience in scaling tech start-ups and shaping digital security. Known for his strategic acumen in business operations and customer value, he’s also a recognized authority in cybersecurity and SecOps transformation.


