The key to AI success? It's not the "model" but data governance.

Although companies are actively investing in and designating artificial intelligence(AI) as a future growth engine, industry-wide warnings are being issued: the key to AI success is not actually the “model,” but “data management.” It is especially pointed out that without classification and visibility guarantees for unstructured data, not only AI but the entire security and compliance fields could be fundamentally shaken.

Congruity360, a provider of unstructured data governance solutions, believes that this risk is becoming a deadly “blind spot” for enterprises in the AI era. Many organizations have invested heavily in AI implementation, but their success depends on the efficiency of data classification and control.

Currently, 41% of all enterprises lack data classification tools altogether, and only 37% plan to introduce such tools within the next two years. This results in high-risk, unclassified data within the organization being exposed without protection across file servers, NAS, cloud, and other locations. The consequence is that IT and security teams have to spend significant time and budgets on post-incident cleanup, and internal trust is also damaged in the process.

Christophe Bertrand from theCUBE Research emphasizes: “Since AI’s impact extends beyond business processes and workloads to affect overall operations, the underlying data infrastructure for AI must also be fundamentally protected,” highlighting the importance of data security.

Congruity360’s Chief Operating Officer Mark Ward warns: “In the face of data surges, enterprises’ ability to classify, discard, or control data has not kept pace. This imbalance solidifies the already siloed unstructured data environment, leading to potential security incidents or violations that grow like a snowball.”

Additionally, idle data, duplicate documents, outdated emails, and other so-called ROT data (redundant, obsolete, trivial data) that are improperly classified within organizations are no longer just storage cost issues but can directly lead to sensitive information leaks and compliance risks. Ward explains: “Just because a folder shared by someone who left five years ago contains personal information is enough to turn legal risks into reality.”

A strategy centered on the “Four Pillars of Governance”—operational efficiency, security reinforcement, compliance response, and business risk reduction—is gaining attention. Many companies are adopting DSPM (Data Security Posture Management) to quickly identify blind spots in cloud and on-premises environments. Ward considers response speed a critical competitive advantage, stating that “it is possible to visualize the current state of a client’s data security within a week.”

For large enterprises managing hundreds of PBs of data, this issue is even more severe. Without regular operational audits, this data will accumulate into invisible risks and could trigger security incidents, audit failures, or regulatory scrutiny. To address this, Congruity360 employs continuous data diagnostics and lifecycle management to help eliminate unnecessary snapshots and old backups, improving storage efficiency.

The core of ROT control strategy is to establish an intuitive “data monitoring system.” It must be able to track who accessed what information and when, reducing unnecessary storage while also complying with regulations such as GDPR and HIPAA.

The reason why data governance is so highly regarded is because it goes beyond simply emphasizing security; it is also a prerequisite for AI success. A survey by Drexel University shows that 62% of companies attribute slow AI adoption to “weak data governance.” Ward emphasizes: “Only with clean and classified data can AI deliver reliable results. Training AI models on poor data not only wastes computing power but also amplifies regulatory risks.”

Congruity360 offers SaaS-based DSPM services for a range of clients from Fortune 1000 companies to small and medium-sized enterprises. DSPM is not only a tool for assessing partial data attributes but also a channel for diagnosing information value and risks from both AI and security perspectives simultaneously. Its features include: ▲ Regular data audits and ROT cleanup ▲ Preset classification rules ▲ Removal of unnecessary backups ▲ Re-deployment of storage based on sensitivity ▲ Establishment of data lifecycle-based disposal policies, etc.

Finally, Congruity360 emphasizes that ROT management should be viewed as a daily operational task rather than a one-time project. Because ROT is not a static goal but a security culture that requires continuous reinforcement. Ward warns: “Human error remains the biggest cause of security vulnerabilities. Issues such as residual accounts of former employees and misclassification leading to sensitive data exposure continue to recur.”

Ultimately, AI must first control its risks before extracting data. Only when organizations recognize that governance can both lead AI projects to success and cause their failure will a “security system based on AI governance” truly operate. Today, if enterprises cannot properly assess their data, the risks they face are no longer about possibility but have entered the realm of probability.