Bedrock Security “2025 Enterprise Data Security Confidence Index” reveals dangerous gaps in data protection, nearly 90% of organizations value a metadata lake approach to solve continuous data discovery and classification challenges
Survey of 530 cybersecurity professionals reveals that enterprises that solve internal data visibility problems gain significant advantages in both security posture and operational efficiency
Almost 60% added new AI data responsibilities in the past year, with only 11.5% reporting no change in their security role
MENLO PARK, Calif.– March 17, 2025 – A new survey of 530 U.S. cybersecurity professionals at organizations with over 1,000 employees reveals enterprises lack visibility into their own data, creating significant security risks that are compounding as organizations and their employees increase artificial intelligence (AI) adoption. The Bedrock Security “2025 Enterprise Data Security Confidence Index,” released today, reveals the majority of organizations struggle to track sensitive information across sprawling cloud environments, leaving them vulnerable to data breaches and compliance failures. The research also documents a significant shift in security roles, with nine in 10 professionals surveyed reporting their responsibilities have evolved in the past year, most notably in data governance and AI oversight.
The data visibility problem: Security teams need days or weeks to locate sensitive assets
The survey found that 82% of cybersecurity professionals report gaps in finding and classifying organizational data across production, customer and employee data stores. Just over half (53%) of security teams lack continuous and up-to-date visibility, with most requiring days or weeks to identify and locate sensitive data assets, increasing risk at a time when the average cost of data breach has grown to nearly $5 million.
“Organizations now generate, copy and store data across multiple environments — including IaaS, PaaS and SaaS — creating numerous blind spots,” said Bruno Kurtic, CEO and co-founder at Bedrock Security, who reviewed the research findings. “This survey shows this problem is widespread and likely getting worse.”
More than three-quarters (76%) of organizations say they cannot produce a complete data asset inventory within hours when needed for compliance or security incidents. This timing gap is concerning when compared to the speed at which modern threat actors typically operate, with industry observations indicating adversaries can begin moving laterally through networks within hours of initial breach. The majority (65%) need days to accomplish this task, while 11% require weeks or longer — timeframes that prove dangerous during actual security incidents and slow down productivity for AI application deployments.
“When we ask security teams how quickly they can identify the most foundational information about their data, such as who accessed specific sensitive data in the last 30 days, the numbers are equally concerning,” added Kurtic. “In the survey, 63% claim they can do this within 24 hours, meaning more than a third of organizations lack timely visibility into who’s accessing their most sensitive information.”
Security pros report dramatic job shifts toward data and AI
Data visibility challenges are accelerating a dramatic transformation in security responsibilities, with 86% of professionals reporting changes in their role over the past year as data security duties expand beyond traditional boundaries. Only 11.5% report their job responsibilities remained unchanged, highlighting a widespread shift in security functions. A majority (68%) increased focus on infrastructure security while simultaneously taking on new data-centric responsibilities. Across all survey respondents, almost 59% added new AI data responsibilities in the past year.
Broken out by role:
CISOs/CSOs/CTOs: Almost 70% of these respondents have taken on new data discovery responsibilities, specifically for AI initiatives
Security Managers/Directors: 55% of these respondents added data governance duties for AI training
Security Engineers/Architects: 52% of these respondents have new AI data discovery responsibilities
AI security reality check: Most organizations can’t track what data feeds their AI systems
The survey reveals a further gap between AI adoption and AI security capabilities. Less than half (48%) of organizations express high confidence in controlling sensitive data used for AI/ML training. This lack of control creates serious risks for data leakage, compliance violations and reputational damage.
Security teams reported these top four AI security hurdles:
Struggle to classify sensitive data used in AI/ML systems (79%)
Cannot ensure AI systems respect proper data access rights (77%)
Trouble tracking what data feeds their AI systems (64%)
Difficult to enforce policies on training data usage (57%)
The survey found that security responsibilities have expanded significantly due to AI.
59% of security professionals now have new AI data discovery responsibilities
54% added AI training data governance duties in the past year
What organizations need to solve their data security challenges
When presented with the definition of a metadata lake as “a repository that provides continuous visibility across all enterprise data repositories and assets by cataloging what data exists, where it resides, who can access it and how sensitive it is,” 88% of security professionals rated this approach as “critical” or “very valuable” to solving their data visibility issues.
Organizations see the following specific benefits from a metadata lake:
84%: Current, accurate data inventory across all systems and data sets
78%: Better data awareness for security tools
75%: Enhanced security tool power through data sensitivity awareness
59%: Data usage information for non-security needs (cost management, deduplication)
Multi-cloud sprawl breaks traditional security approaches
“Security teams just can’t keep up with the complexity created by the speed and volume of data generation,” noted Kurtic. “Without effective automation and comprehensive visibility, they’re going to continue to face increased risks and experience a slowdown in business productivity.”
Survey respondents identified their top barriers to effective data security:
82% blame complex environments with multiple clouds and data stores
76% cite lack of automation requiring too much manual work
75% report their tools can’t handle current data volumes
66% lack people and processes for proper analysis
62% struggle with different data types (structured, semi-structured, unstructured)
CISOs, managers and engineers see different sides of data security
The research uncovered notable differences in how security leaders at various organizational levels approach data security:
CISOs/CSOs/CTOs: CISOs place significantly higher priority (83%) on AI data usage governance than other security needs and express the most concern (72%) about discovering data used in AI initiatives. To address these challenges, CISOs show the strongest belief in metadata lake solutions, with 97% rating such technology as either “critical” (36%) or “very valuable” (61%) for solving their data visibility and AI governance issues.
Security Managers/Directors: These mid-level leaders split their focus between AI governance (71%) and policy enforcement (66%) across environments. They report the lowest confidence (46%) in controlling data used for AI training compared to other roles, and the largest percentage (5%) with low or no confidence in this area.
Security Engineers/Architects: Technical practitioners worry most about AI systems understanding data access rights (83%), reflecting their hands-on work with entitlement management. Engineers report the highest ability to track sensitive data, with 39% able to identify over 75% of sensitive data across environments (compared to 20% of CISOs).
“These differences highlight how each role experiences data security challenges through their specific job responsibilities," said Kurtic. “But all groups agree on the need for security, development and data engineering teams to collaborate around a single source of truth for data context in the enterprise — a unified solution for data security and data management challenges.”
AI governance tops security plans for 2025
Without a metadata lake to drive unified data discovery, classification and governance capabilities, the research shows that organizations will continue to struggle with securing their sensitive information — particularly as AI adoption accelerates.
Looking ahead, organizations:
will focus on AI/ML data usage governance (70%)
aim to strengthen policy enforcement across cloud environments (64%)
want more accurate data classification (58%)
plan to improve security tools with better data awareness (53%)
will increase infrastructure security focus (68%)
“These priorities show a clear shift toward data-centric security,” said Kurtic. “Organizations recognize they must know what data exists, where it lives, who can access it and how sensitive it is to protect it properly across their entire IT environment, including AI/ML, cloud and infrastructure security.”
About the survey
The 2025 Enterprise Data Security Confidence Index surveyed 530 U.S.-based cybersecurity professionals at organizations with 1000+ employees. Respondents included CISOs/CSOs/CTOs (12%), IT Security Managers/Directors (71%) and Security Engineers/Architects (17%).
The survey was conducted in February 2025.
To learn more about Bedrock Security:
Infographic: 2025 Enterprise Data Security Confidence Index
Press release: Bedrock Security Launches Industry-First Metadata Lake to Strengthen Data Visibility, DSPM and Responsible AI Adoption
Blog: Metadata Lake - The Missing Link Between Data Producers and Data
Resource center: Why Metadata Lake?
About Bedrock Security
Bedrock Security, the ubiquitous data security and management company, accelerates enterprises’ ability to harness data as a strategic asset while minimizing risk. Its industry-first metadata lake technology and AI-driven automation enable continuous visibility into data location, sensitivity, access and usage across distributed environments. Bedrock’s platform continuously catalogs data, enabling security, governance and data teams to proactively identify risks, enforce policies and optimize data usage — without disrupting operations or driving up costs. Trusted by leading financial institutions, healthcare providers and Fortune 1000 companies, Bedrock Security empowers organizations to improve data security posture management (DSPM), confidently deliver responsible AI initiatives and manage exponential data growth. Headquartered in Silicon Valley and backed by Greylock, the company is led by experts in cloud, GenAI cybersecurity and data storage. Learn more at www.bedrocksecurity.com.
Contact
Diana Puckett
Bhava Communications for Bedrock Security