The identity to data gap was always there. AI just made it your problem.

Your contracts say vendors have least-privilege access. Your reality is different. Third-party identities accumulate permissions over the life of an engagement, access that made sense at onboarding rarely gets reviewed at offboarding, and no one is tracking what they can reach across your full estate. Your IAM knows they have an account. Your DSPM knows where your most sensitive customer data lives. Neither knows whether those two facts intersect.

This is the harder question and the one a regulator or a customer will ask first. Knowing a vendor could reach sensitive data is a risk. Not knowing whether they did is a liability. Most organisations have no audit trail for third-party data access that’s granular enough to answer this with confidence. Log data exists in fragments across cloud providers, SaaS platforms, and on-prem systems. Correlating it into a coherent answer takes days — if it’s possible at all.

Your DSPM doesn’t track agents — it tracks data objects. Your IAM sees the service account the agent authenticates with, not the agent itself. Your AI governance tool knows the agent exists but has no view into what data it can reach. So the honest answer, for almost every organisation running copilots today, is: you don’t know. You have a list of AI tools your teams have deployed, and a separate list of where your PII lives, and no way to connect them.

Access is only half the problem. An AI agent that can reach your PII may be processing it inside your environment, sending it to an external LLM API, storing it in a vector database your security team has never reviewed, or passing it through a third-party orchestration layer you didn’t know existed. Your data never moves in the traditional sense — so your DLP doesn’t see it. But it’s being read, embedded, and summarised somewhere. The question is where.

Blast radius is an identity×data question. It requires knowing every data store that credential can reach, what’s inside each one, and what an attacker could do with it. Your identity tools show you the permissions. Your data tools show you the classifications. Nothing shows you both at once — which means blast radius assessments are manual exercises that take days, not the real-time answers you need when an incident is live.

This question didn’t exist three years ago. Today it’s one of the most consequential data integrity questions a security leader can ask — and almost no existing tool is positioned to answer it. Your DLP wasn’t designed for training pipelines. Your DSPM classifies data at rest but doesn’t track what was ingested, when, and by which model. Your AI governance tool governs outputs, not inputs. The result: most organisations have no idea what their models were trained on.

This is the question behind the questions. Each of the four above is technically answerable — if you’re willing to export from your SIEM, cross-reference your CMDB, pull access logs from three cloud providers, and spend a week correlating. That’s not security. That’s archaeology. The gap isn’t just that the data is missing — it’s that the operational cost of connecting it is so high that most teams don’t bother until something breaks.