Most Enterprises Can’t Prove Where Their Data Lives, New Research Warns
Key Highlights
- Fewer than 40% of organizations can confidently track data processed by external entities, indicating widespread visibility gaps.
- Over 60% rely on fragmented audit trails that cannot produce evidence-quality documentation, complicating compliance efforts.
- Nearly two-thirds of organizations cannot enforce purpose limitations on AI agents, and 72% lack software bills of materials for AI models, increasing oversight blind spots.
- 89% of organizations have never conducted incident response exercises with third-party AI vendors, raising trust and verification concerns.

As regulators, auditors, and AI systems increasingly demand hard evidence of data governance, a new report suggests most organizations are ill-prepared to answer a deceptively simple question: where their data actually resides—and whether they can prove it.
According to Kiteworks’ Data Security and Compliance Risk: 2026 Forecast Report, released this month, fewer than four in 10 organizations have clear visibility into where their data is processed, trained on, or inferred by external partners. The findings point to what the report characterizes as a growing accountability crisis, one accelerated by AI adoption, expanding data sovereignty laws, and complex third-party ecosystems.
The research is based on a survey of 225 security, IT, compliance, and risk leaders across 10 industries and eight global regions. It found that only 36% of respondents can confidently track where data is handled by outside entities, while 61% rely on fragmented audit trails that cannot produce evidence-quality documentation. More than half lack centralized data gateways capable of tracking and proving data flows across their environments.
“Organizations have spent years building governance frameworks on paper,” said Tim Freestone, chief strategy officer at Kiteworks. “Now they’re being asked to prove those frameworks work—and most can’t. That’s not a technology gap; it’s an accountability gap.”
Regulatory pressure is rising
The timing is critical. Data sovereignty laws now span more than 100 countries, each imposing specific requirements on where data may be stored, processed, and transferred. Yet many organizations still rely on manual, ad hoc processes to demonstrate compliance—if they can do so at all.
Without unified audit trails or centralized control points, proving data residency can be a time-consuming, error-prone exercise, the report notes. As regulatory scrutiny increases, the gap between compliance expectations and operational reality appears to be widening rather than closing.
AI compounds the problem
Artificial intelligence is intensifying these challenges. Every organization surveyed reported having agentic AI on its roadmap, but governance controls lag far behind deployment plans. Nearly two-thirds of respondents said they cannot enforce purpose limitations on AI agents. Sixty percent lack kill-switch capabilities, and 72% lack software bills of materials (SBOMs) for the AI models operating in their environments.
The result is a growing blind spot: AI systems are accessing, processing, and learning from sensitive data, while organizations lack the infrastructure to track how that data is used—or where it goes.
Third-party trust without verification
Visibility gaps are further exacerbated by third-party relationships. Organizations are increasingly sharing sensitive data with AI vendors, cloud providers, and partners, often without the technical controls or contractual mechanisms needed to verify downstream data handling.
The report found that 89% of organizations have never conducted incident response exercises with third-party AI partners, and 78% cannot validate the quality of the training data used by external AI systems. In effect, trust is being extended without the ability to verify.
Government agencies face steeper hurdles
Among all sectors surveyed, government organizations face the most acute challenges. Ninety percent lack purpose binding for AI, 81% cannot isolate AI systems from broader network access, and one-third report having no dedicated AI controls at all—despite handling citizen data and critical infrastructure.
The report concludes that many public-sector governance programs lag a full generation behind private-sector practices.
The boardroom factor
One of the strongest predictors of success identified in the research was board-level engagement. Organizations with actively engaged boards scored up to 28 points higher across key governance metrics, including data visibility, AI controls, and audit readiness.
Yet more than half of boards remain disengaged from these issues, according to the survey.
“The difference between organizations that can prove where their data lives and those that can’t starts in the boardroom,” said Patrick Spencer, Kiteworks’ SVP of Americas marketing and industry research.
Models and “table stakes” for 2026
The report highlights regional and operational bright spots. Australia, for example, outperformed other regions by 10 to 20 points across nearly every metric, suggesting that strong governance and rapid innovation are not mutually exclusive. It also identifies “keystone capabilities,” such as unified audit trails and training-data recovery, that consistently correlate with stronger performance across all other measures.
By the end of 2026, the report predicts, centralized data gateways and evidence-quality audit trails will no longer be differentiators—they will be baseline requirements.
“Organizations still running fragmented governance on disaggregated infrastructure will face a choice,” Freestone said. “Unify and prove, or accept that every audit, every data-sovereignty inquiry, and every AI deployment is an unmanaged risk.”
The full Data Security and Compliance Risk: 2026 Forecast Report is available from Kiteworks.
About the Author
Steve Lasky
Editorial Director, Editor-in-Chief/Security Technology Executive
Steve Lasky is Editorial Director of the Endeavor Business Media Security Group, which includes SecurityInfoWatch.com, as well as Security Business, Security Technology Executive, and Locksmith Ledger magazines. He is also the host of the SecurityDNA podcast series.

