Data Privacy Day warns AI, cloud outpacing governance
Data Privacy Day has highlighted growing concern among security and infrastructure leaders that organisations are expanding AI and cloud use faster than they can control personal data, as regulators and boards increase scrutiny of how information is governed, protected and restored.
Executives from Protegrity, StorMagic and Commvault have commented that privacy risk now sits at the intersection of AI pipelines, hybrid infrastructure choices and an emerging requirement to demonstrate recovery and resilience after incidents.
AI governance
Milan Chutake, Vice President of Engineering at Protegrity, said many organisations remain unprepared for the privacy impact of rapid AI adoption across business units and data sources.
Chutake said, "In an AI-driven world, data privacy must be addressed before data ever touches a model, not after something goes wrong. Once sensitive data enters an AI pipeline or an external LLM, it becomes extremely difficult to reverse that exposure. The biggest challenge I see today is that many organizations are moving faster than their governance models can support, and data privacy is becoming a real nightmare because there is no centralized policy consistently controlling how data is discovered, shared and used across systems."
"AI can help automate discovery across databases and unstructured data, but it cannot replace human oversight, and nobody should blindly trust AI with sensitive data. Privacy requires more than discovery: it requires clear policies, continuous logging and visibility into how data flows across every step of an AI workflow. Without centralized control and proof of how data is accessed and used, enterprises risk losing control of their most sensitive information at the exact moment they are trying to scale AI the fastest."
Chutake's comments reflect mounting industry concern that sensitive information is entering external large language models and internal generative AI projects without consistent controls or audit trails across different business systems.
Infrastructure choices
Data residency and infrastructure design are also emerging as central elements of privacy strategy as organisations weigh cloud-first models against on-premises and edge deployments.
Bruce Kornfeld, Chief Product Officer at StorMagic, said day-to-day operational discipline now matters more than written policy when it comes to protecting sensitive information.
Kornfeld commented, "Data Privacy Day is a reminder that protecting sensitive information requires consistent discipline, not just policies. This discipline starts with infrastructure choices. As organizations continue to evaluate cloud-first strategies, many are also reassessing where their most critical data should live. For workloads that demand predictable performance, strong governance and clear ownership, on-site infrastructure continues to play an essential role in a sound privacy strategy."
He continued, "Keeping data on-prem, closer to where data is being generated and managed, gives organizations greater visibility and control over how information is stored, accessed and protected. This is especially relevant as regulations evolve and as more data is generated at distributed and edge locations. When data stays closer to where it is created and used, IT teams can more consistently enforce security standards, reduce exposure and respond quickly when issues arise.
"Long-term data protection comes down to stability and accountability. Infrastructure decisions should support privacy by design and reduce operational risk across all environments, helping organizations protect sensitive information and maintain trust as their IT environments continue to change."
Kornfeld's comments underline the continued role of on-premises systems and local processing for workloads that face strict governance requirements or operate in distributed environments, such as industrial sites, branches and retail locations.
Test assumptions
Gareth Russell, Field CTO at Commvault, said expectations are shifting from policy intent towards demonstrable evidence that organisations can maintain control of personal data during disruption.
He said board discussions now extend beyond breach prevention and into the ability to recover quickly and cleanly while meeting regulatory disclosure and reporting obligations.
Russell said, "Data Privacy Day often prompts the usual reminders: update policies, refresh consent language, and train staff on security and resilience strategies. These are important steps, but increasingly they are simply the baseline. In 2026, the board-level question leaders should also be asking is: can we demonstrate control of personal data and sustain trust through disruption, whether it stems from a compromise, misconfiguration, insider error, or a supplier incident?"
According to Russell, privacy incidents now double as tests of organisational resilience and public trust, which places new attention on tested recovery processes and decision frameworks.
He said, "This is where privacy and resilience converge. When personal data is involved, incidents become trust events. Organisations are judged on whether they can respond decisively and restore operations with confidence. A practical way forward is to define trust-critical priorities: the data, systems, and processes you must protect and restore first under pressure. Plans and targets alone are not enough. The differentiator is tested recoverability, with clear decision rights and proven workflows that restore cleanly and quickly."
Russell commented that identity controls and response processes sit at the core of this shift as attackers continue to exploit account compromise to reach sensitive information in cloud environments.
"Identity is a privacy fault line. In cloud environments, compromised identities are often the fastest route to sensitive data. Resilience means detecting abnormal access early, limiting blast radius, and recovering confidently when identity controls are bypassed."
Data Privacy Day has become a moment for boards and executives to challenge their own assumptions about readiness, Russell said.
"Data Privacy Day is a useful moment to pressure-test readiness. If a data incident happened tomorrow, could you contain impact, restore cleanly, and demonstrate control with confidence? Organisations that treat recoverability as a privacy capability protect trust by resuming safely and evidencing what was affected, what was restored, and what is secure."