A Kiteworks report reveals a worrying trend among organisations regarding their ability to manage and prove the whereabouts of their data.
The annual "Data Security and Compliance Risk: 2026 Forecast Report" highlights that 61% of organisations lack the essential evidence-quality audit trails required by regulators and auditors. It also noted that 57% do not possess centralised data gateways to effectively track and control data flows.
The research, which surveyed 225 security, IT, compliance, and risk leaders from various sectors, shows a troubling gap in visibility and accountability for data management. Only 36% of respondents confirmed having insight into where their data is processed, particularly in collaborations with external partners.
"Organisations have spent years building governance frameworks on paper. Now they're being asked to prove those frameworks work—and most can't," said Tim Freestone, chief strategy officer at Kiteworks. His comments underscore a critical shift as regulatory scrutiny intensifies alongside the rapid adoption of AI technologies.
With data sovereignty laws now spanning over 100 countries, organisations face unique compliance challenges that require robust infrastructures. Many lack the tools needed to demonstrate adherence to these regulations, leading to increased manual efforts and a higher risk of error.
Freestone further emphasised, "When a regulator asks where customer data was processed... nearly two-thirds of organisations will struggle to produce a clean answer. That’s not a technology gap; it’s an accountability gap."
The report underlines how AI's integration into corporate strategies complicates compliance efforts. While all surveyed organisations plan to incorporate agentic AI, 63% cannot enforce limitations on these agents. Alarmingly, 72% lack a Software Bill of Materials (SBOM) for the AI models they utilise, suggesting significant gaps in governance that could expose sensitive data to misuse.
Compounding these issues, third-party relationships are problematic. An overwhelming 89% of organisations have not simulated incident response scenarios with AI vendors, leaving them vulnerable to data breaches without the means to verify where data is processed and stored.
The government sector appears particularly ill-prepared. The findings indicate that 90% of government organisations cannot enforce purpose binding for AI, a necessity given their responsibility for handling sensitive citizen data.
Organisations that can clarify data ownership tend to have stronger board engagement—those with actively involved boards perform up to 28 points higher in governance metrics. However, Freestone noted that 54% of boards remain disengaged from these critical discussions.
"The question regulators and AI systems are asking is simple: Where is the data, and can you prove it?" Freestone concluded. For many businesses in Asia having robust data governance infrastructure will not just be beneficial, but essential for compliance and operational integrity.
