Most organizations lack data visibility and AI safeguards, raising compliance and governance risks worldwide.
A new survey found that most organizations can’t accurately track where their own data resides, which leaves them exposed amid rising regulatory and AI pressures. The findings highlight serious gaps in data governance, auditability, and AI safeguards that put businesses and government agencies at risk of non‑compliance and accountability failures.
This survey was conducted by Kiteworks as part of its Data Security and Compliance Risk: 2026 Forecast Report, which aims to assess global data‑governance maturity. It collected responses from 225 security, IT, compliance, and risk leaders across 10 industries and 8 regions.
Most organizations lack clear visibility into their data, with only 36% able to identify where their information is processed or handled by external partners. Research further shows that 61% operate with fragmented audit trails that cannot produce dependable evidence. Moreover, 57% do not have the centralized data gateways necessary to effectively track and manage data flows.
Additionally, regulatory pressure is rapidly intensifying as data sovereignty laws across more than 100 countries now require organizations to prove exactly where their data is stored, processed, and transferred. However, many companies lack the necessary infrastructure, so compliance often becomes a manual, error‑prone task that is difficult or even impossible to complete reliably.
“Organizations have spent years building governance frameworks on paper. Now they’re being asked to prove those frameworks work—and most can’t,” said Tim Freestone, Chief Strategy Officer, Kiteworks. “When a regulator asks where customer data was processed, when a board asks how AI systems are accessing sensitive information, when a sovereignty audit demands proof of data residency—nearly two-thirds of organizations will struggle to produce a clean answer. That’s not a technology gap. It’s an accountability gap.”
AI adoption is intensifying the challenge, as all surveyed organizations plan to integrate agentic AI despite lacking important safeguards. The report shows that 63% cannot enforce purpose limitations on AI systems, 60% lack kill‑switch mechanisms, and 72% don’t have a software bill of materials for their AI models. These gaps allow AI systems to access sensitive data without adequate governance frameworks to track or control usage.
According to the research, third‑party and vendor risk is also rising sharply, as many organizations are sharing sensitive data with AI vendors and cloud partners without the technical visibility required to confirm where that data ultimately goes. The research found that 89% have never performed incident‑response exercises with their AI partners and 78% are unable to validate the quality of the training data being used, which exposes them to significant trust and accountability gaps.
Government agencies face even greater challenges, with the research showing significantly wider governance gaps compared to the private sector. According to the findings, 90% of government entities lack purpose binding for AI, 81% are unable to isolate AI systems from broader network access, and one‑third have no AI controls in place.
Organizations can start addressing this problem by putting stronger controls around how their data moves and is used. That means creating a single, centralized system that all sensitive information and AI‑related data must pass through. They should also maintain a clear, reliable audit trail that shows exactly where data goes and who interacts with it. These steps help organizations prove data location and usage instead of relying on scattered systems that can’t produce evidence.
Additionally, administrators should improve governance by adding AI‑specific safeguards such as purpose limits, kill switches, and model documentation. It’s also recommended to strengthen contracts and test incident‑response plans with third‑party vendors to further reduce risk.