Permissions granted?

Who has access to what data? Messy permissions lead to a risky situation for organizations of all sizes

Anthony Woodward

Founder/CEO

November 13, 2025

Hi there,  

Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.  

This month:

  • The European Union is preparing to roll back parts of its landmark data laws like the GDPR and EU AI Act
  • Nikkei’s Slack app was compromised, leading to the exposure of 17,000 employees and business partners
  • After a period of AI experimentation, IT leaders are going back to the basics

But first, if your business employs more than 3 people, your permissions are a mess. This complexity is a huge source of risk.

If you only read one thing:  

Permission granted. Or declined

When it comes to risks from AI implementations, we've talked a lot about shadow AI, but there is another category of risk that organizations need to confront to get the most out of their AI investment: user permissions.

Most companies struggle to manage permissions at scale. Each platform or file share has its own permissions model: is a given user an ‘admin’, a ‘user’, a ‘reviewer’, or a ‘commentator’ to a particular ‘directory’, ‘asset’, ‘board’, or ‘file’? It’s metaphors all the way down, and if you’re in a typical organization larger than three people, you’re likely in a permissions quagmire.  

With many applications offering “share link” options, and no central view of all the data available, the average user has lost track of the files they have access to. This “oversharing” is a big problem; 59% of organizations in a survey by Tenable and Cloud Security Alliance identified insecure identities and permissions as their greatest cloud risk.  

The introduction of AI has exposed and exacerbated this issue. Think: users asking Copilot for the salaries of their colleagues (or the CEO). Think also: attackers gaining access to a user and simply asking AI for the sensitive customer data they have access to.

There have been plenty of examples of poor access management leading to data breaches. In the Capital One breach, for example, a former employee exploited weak permissions to access more than 100 million customer records. Or consider the case of KNP, a UK transport company that fell victim to a ransomware gang who needed just one password to encrypt the organization’s systems. With AI in the mix, there will be more.

Send in the agents

If permissions are hard for humans to get their heads around, spare a thought for the AI agents, and those who manage them. Unlike a person's, an agent's permissions must shift depending on who’s asking. An agent may have access to everything, but when a manager of one department asks it to help with a task involving historical performance review data from their team, the agent needs to understand that the manager can access that data, but not the equivalent data from other departments. An agent helping with HR workflows might need access to salary data for compensation reviews but not for general employee questions.

Rest assured

Permission management is an issue all organizations are struggling to solve, while the advent of AI raises the stakes. We’ve long advised customers to ensure their “access management” is fit-for-purpose as an essential step in ensuring compliance and readiness for AI. With our background in data governance and investment into AI governance, access was the missing piece of the governance puzzle. That’s why we recently completed the acquisition of Redactive, a platform that offers the ability to identify misconfigured permissions at scale.  

We're at an inflection point. The organizations racing to deploy AI agents are outpacing their ability to govern who — and what — those agents can access. It’s not glamorous, but permissions management may be the most consequential decision your organization makes this year. The companies that treat it as a governance priority rather than a technical checkbox will be the ones positioned to leverage AI safely. Everyone else will be playing catch-up.

🕵️ Privacy & governance

Europe is preparing to roll back parts of the General Data Protection Regulation (GDPR), the AI Act, and ePrivacy rules, long seen as global benchmarks for privacy and AI.

One month out from Australia's under-16 social media ban, a bit of clarity on what's expected from platforms when it comes to verification and sensitive data retention.

With the EU’s "adequacy decision" for the United Kingdom due to expire in December 2025, many UK companies are reassessing their compliance posture.

🔐 Security

🔓 Breaches

Japanese publishing giant Nikkei announced its Slack messaging platform had been compromised, exposing the personal information of over 17,000 employees and business partners.

Prominent Chinese cybersecurity firm Knownsec, which has established ties to the Chinese government, suffered a data breach that exposed over 12,000 classified documents revealing critical intelligence about China’s cyber arsenal.

The Washington Post was among the victims of a sweeping cyber breach tied to Oracle software.

🧑‍⚖️ Legal cases & breach fallout

Related to today’s editorial, the latest update to the OWASP Top 10 found that Broken Access Control, a security vulnerability where users can access data or perform actions for which they lack authorization, was the top concern. Crazy stat: 100% of applications tested were found to have some form of broken access control.

California Attorney General Rob Bonta announced that California secured a $3.25 million settlement with educational technology company Illuminate Education Inc. for failing to protect students’ data.

The Australian government announced sanctions against four entities and an individual believed to be involved in cybercriminal activities supporting North Korea’s weapons programs.

A Russian national faces a maximum penalty of 53 years in prison after pleading guilty to multiple charges connected to his participation in different ransomware attacks.

🤖 AI governance

Inference will determine who wins in enterprise AI.

After a period of AI experimentation, IT leaders are going back to the basics of governance, change management, and metrics to ensure initiatives deliver value at scale.

The latest from RecordPoint  

📖 Read

Accurate and reliable data governance is an essential process for any business — but it’s incredibly complex and inefficient if you’re using outdated systems. Until now. Learn how you can use the combined power of Microsoft Purview and RecordPoint for the best outcome.

Meanwhile, a Q&A with our CEO, Anthony Woodward, in TechTarget’s AI Business, on the subject of how companies can deal with Shadow AI.  

Commentary from Anthony was also included in this round-up of Cybersecurity Awareness Month responses in Information Security Buzz. He focused on why data governance is the core of both cybersecurity and AI governance.

🎧 Listen

In the latest episode of FILED, Alyssa Harvey Dawson, a board member at organizations including AppLovin and AI 2030, shared her experiences and insights on balancing innovation with risk management, the role of data in AI solutions, and the importance of maintaining customer trust through responsible data use.

Get hooked on FILED

This can be a fast-paced, complex industry and it can get overwhelming. FILED is here to help you navigate it.