
From data loss to data security: Why traditional DLP is no longer enough

by Allan Tan
December 15, 2025

As organisations grapple with cloud adoption, artificial intelligence, and increasingly complex regulatory requirements, security leaders are discovering that data loss prevention (DLP) tools, which were once considered the gold standard, can no longer keep pace with how data moves and multiplies across modern enterprises.

This reality check isn’t just a theoretical exercise. When Singapore's Monetary Authority recently fined a major financial institution for data protection failures, the case revealed something unsettling: the organisation had robust policies, frameworks, and technologies in place. Yet sensitive data still leaked. The problem wasn’t a lack of investment in security; it was a fundamental mismatch between how we think about protecting data and how data behaves in today’s environment.

The scale problem no one talks about

At a recent FutureCISO discussion, organised in partnership with Forcepoint, senior technology leaders from Singapore’s banking, healthcare, and enterprise sectors highlighted the difficulties of tracing all the data in their organisations.

Brandon Tan, senior director of sales engineering for APAC at Forcepoint, echoed their challenges. He posed a deceptively simple question: "How many of you know, even as a ballpark figure, how much data you have in your organisation?"

The silence was telling. The room included chief information officers, heads of cyber security, and data governance leaders from leading organisations in Singapore. Yet few could confidently answer. If organisations don't know how much data they have, Tan pressed, then how can they know how much sensitive data they possess, or where it’s located?

“Without answering these three fundamental questions, a lot of policies and governance frameworks that organisations design are essentially borrowed from others,” Tan explained. “Someone smart came up with a framework… and we adopt it. But how does this framework tie back to your real data and real sensitive data?”

The challenge goes beyond mere inventory. Hariprasada (Hari) Rao Ravi, executive director, group information security & digital risk management at OCBC Bank, articulated a concern shared by many in the room:

“As we add more rules for managing content or monitoring content, we need more resources. We’re hoping that AI models can accurately detect real breaches so we can apply fewer resources and manage programmes more effectively.”

The data sprawl dilemma

The proliferation of cloud services, SaaS applications, and collaborative platforms has created what security professionals call “data sprawl.” This is the uncontrolled replication and distribution of information across an expanding digital landscape. Gone are the days when data resided neatly in on-premises file servers protected by perimeter firewalls.

“Your data is flying all the time,” Tan noted. “You have your Microsoft 365, your top applications, your third-party vendors, your supply chain. Data is everywhere now.”

This sprawl becomes exponentially more complex with the advent of generative AI. When a sales team downloads customer data from Salesforce, uploads it to Microsoft Teams for discussion, runs it through ChatGPT or Copilot for analysis, and then distributes findings via email — all within 30 minutes — sensitive information has crossed five different channels before security teams can even assess the risk.

A bank representative at the roundtable described a particularly thorny manifestation of this challenge: “We have contracted staff in a private bank where data is mostly confidential. We don’t want to expose client data to those staff, but we still need them to work on all the related items. How do we figure out that balance between data loss and data security to make sure client data remains secure without letting it flow to non-FTE employees?”


The AI double-edged sword

Artificial intelligence presents both the greatest threat and the most promising solution to modern data security challenges. The threat is straightforward: AI tools can generate massive volumes of highly sensitive, inferred data at unprecedented speed.

If a user queries an AI system about company financials, competitive intelligence, or customer information, the system may synthesise answers from dozens of confidential documents, creating new, sensitive content that never existed before.

“Arguably, whatever you query could be confidential. Whatever comes up could be higher fidelity — the cream of the cream of the data,” Forcepoint’s Tan warned. “How fast can you classify that? How fast can you create policies to protect them?”

Microsoft Copilot introduces particularly subtle risks. Unlike ChatGPT, which operates outside corporate boundaries, Copilot accesses company data stored in SharePoint and OneDrive. This creates a powerful but dangerous capability: users can ask analytical questions about information they technically shouldn’t access.

“I can ask, ‘What is the salary of my vice president?’ in Copilot, and there’s a chance I’ll get an answer,” Tan revealed. “Why? Because it scours the entire SharePoint of my organisation. If someone accidentally shared that document with ‘everyone internal,’ you’ll get the information. The only guardrail in Copilot is file permission.”

Yet AI also offers the solution. Traditional DLP systems require security teams to define what needs protection explicitly. This is a nearly impossible task when dealing with petabytes of unstructured data. AI-powered classification can analyse documents contextually, understanding not just keywords but sentiment, relationships between concepts, and even compliance implications.

The classification revolution

Tan demonstrated this capability by uploading a hotel invoice to ChatGPT and asking three questions: What is this document? Is it sensitive? Would it violate data protection regulations? The AI correctly identified it as a hotel guest folio, classified it as containing personally identifiable information that requires protection, and noted potential GDPR implications due to the presence of a full name, address, and loyalty numbers.

“The system we’re building is simple,” explained Forcepoint’s senior director of sales engineering for APAC. “Connect to OneDrive or SharePoint, pull files sequentially, send each to an AI engine that answers three questions, then label the file with metadata. You don’t have to create DLP policies anymore — just tell the DLP to act on anything labelled as confidential or PDPA-sensitive.”

This approach addresses the scale problem that defeats human-driven classification. A roundtable delegate articulated what many organisations face: “I want to use tools and technology to enhance data protection and automate areas without manual intervention, but I don’t want to disrupt the end-user experience.”

The accuracy question inevitably arises. Tan was candid: “You should expect 80-90% accuracy. There will be a 10-20% misclassification rate. But what’s your alternative? What do you think the accuracy of user classification is? People are terrible at classifying — we can’t even organise our own homes effectively.”


The system tracks confidence levels, allowing organisations to enforce strict controls only when AI certainty is high (70-80% confidence) and routing ambiguous cases for human review. Over time, as users correct misclassifications through workflow approvals, the system learns and improves its accuracy.

The compliance complexity

For multinational organisations, data protection isn’t a single challenge but a kaleidoscope of overlapping regulations. OCBC Bank, for instance, must comply with data protection requirements in Singapore, Malaysia, Indonesia, the Philippines, China, and Hong Kong — each with distinct mandates.

Sandesh Dessai, vice president for IT & cyber security risk compliance at OUE Limited, emphasised the real-time dimension:

“What I want from this event is to understand how we can achieve real-time visibility into what data is being accessed, especially as users adopt various AI tools. We need full visibility and comprehensive data discovery that empowers us to identify potential insider threats, safeguarding the integrity and trust of our business.”

This requires moving beyond prevention to continuous monitoring and posture management. Modern data security platforms now scan cloud repositories, identifying what data exists and who has access to it. The distinction is critical: a highly confidential file with no external access poses minimal risk. The same file shared publicly represents a crisis in the making.
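An added example, not from the article or from Forcepoint: a sketch of the decision logic implied by the three-question labelling pipeline and the confidence gate described earlier, combined with the exposure check in the paragraph above. The 0.80 cut-off, the verdict fields, the sharing-scope names and the action names are assumptions, and the sample verdicts are constructed.

```python
from dataclasses import dataclass

# Assumed cut-off; the article quotes 70-80% as "high" confidence.
ENFORCE_MIN_CONFIDENCE = 0.80
# Hypothetical sharing scopes, ordered from least to most exposed.
EXPOSURE = {"private": 0, "internal_group": 1, "everyone_internal": 2, "public_link": 3}

@dataclass(frozen=True)
class Verdict:
    path: str
    doc_type: str         # Q1: what is this document?
    sensitive: bool       # Q2: is it sensitive?
    regulations: tuple    # Q3: regulations it may fall under
    confidence: float     # classifier certainty, 0.0-1.0
    sharing: str          # scope found by the repository scan

def triage(v: Verdict) -> dict:
    """Map one verdict to a proposed label and the action taken on it."""
    if not v.sensitive:
        label = "general"
    elif "PDPA" in v.regulations:
        label = "pdpa-sensitive"
    else:
        label = "confidential"
    exposure = EXPOSURE[v.sharing]
    if v.confidence < ENFORCE_MIN_CONFIDENCE:
        # Ambiguous either way: a shaky "not sensitive" is as risky as a
        # shaky "sensitive", so nothing is enforced or cleared automatically.
        action = "human_review"
    elif label == "general":
        action = "none"
    elif exposure >= EXPOSURE["everyone_internal"]:
        action = "restrict_sharing"   # confident and broadly exposed
    else:
        action = "apply_label"        # confident, narrowly held; DLP acts on the label
    priority = -1 if action == "none" else exposure
    return {"path": v.path, "label": label, "action": action, "priority": priority}

def worklist(verdicts):
    """Triage every verdict; most exposed items first."""
    return sorted((triage(v) for v in verdicts), key=lambda r: -r["priority"])

# Constructed sample verdicts (not real classifier output).
SAMPLE = [
    Verdict("finance/folio.pdf", "hotel guest folio", True, ("GDPR",), 0.93, "private"),
    Verdict("hr/salaries.xlsx", "payroll sheet", True, ("PDPA",), 0.91, "everyone_internal"),
    Verdict("ops/memo.docx", "internal memo", False, (), 0.55, "public_link"),
    Verdict("misc/menu.pdf", "cafeteria menu", False, (), 0.97, "internal_group"),
]
```

The low-confidence memo goes to review even though the classifier called it non-sensitive, because it sits behind a public link and a wrong "general" label there is the costly error.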

Cultural transformation through technology

The most overlooked aspect of data security is culture. One delegate to the roundtable noted the challenge of medical devices increasingly connected to networks: “With AI and the need to connect more to deliver value to clients, it’s important for us to have visibility of data flow and how well it’s governed.”

Chiming in on the topic, Forcepoint’s Tan advocated for using technology not just for enforcement but for education. When classification agents run on employee laptops and provide real-time coaching, with prompts such as “this file you’re working on is now deemed confidential. Do you want to label it?”, the approach creates thousands of daily teaching moments.

“Your boss asks what you do to instil a data security culture,” he observed. “Most people answer: workshops. But if you deploy a tool to 10,000 employees and it coaches them every day on what’s confidential and what isn’t, that education is happening continuously.”

Start with the fundamentals

The transition from data loss prevention to comprehensive data security posture management represents more than a technology upgrade. It’s a fundamental reconceptualization of how organisations protect information. Instead of focusing solely on blocking data exfiltration at exit points, it forces the organisation to understand what data exists, its sensitivity, and risk exposure before applying contextual controls throughout the data lifecycle.

As one roundtable delegate put it: “My goal is to learn how we can structure our data properly and ensure everyone gets the best use of it while maintaining security.”

The good news is that the same AI technologies creating new vulnerabilities also provide unprecedented capabilities for addressing them. Organisations that accept that perfect accuracy is impossible but that AI-assisted classification at scale beats the alternative will be better positioned to protect what matters most.

It is also a fundamental business imperative in an era where data security is no longer just an IT problem.

Tags: data sprawl, DLP, Forcepoint
Allan Tan

Allan is Group Editor-in-Chief for CXOCIETY writing for FutureIoT, FutureCIO and FutureCFO. He supports content marketing engagements for CXOCIETY clients, as well as moderates senior-level discussions and speaks at events.

Previous Roles

He served as Group Editor-in-Chief for Questex Asia concurrent to the Regional Content and Strategy Director role. He was the Director of Technology Practice at Hill+Knowlton in Hong Kong and Director of Client Services at EBA Communications. He also served as Marketing Director for Asia at Hitachi Data Systems and served as Country Sales Manager for HDS’ Philippines. Other sales roles include Encore Computer and First International Computer. He was a Senior Industry Analyst at Dataquest (Gartner Group) covering IT Professional Services for Asia-Pacific. He moved to Hong Kong as a Network Specialist and later MIS Manager at Imagineering/Tech Pacific. He holds a Bachelor of Science in Electronics and Communications Engineering degree and is a certified PICK programmer.
