Microsoft has released the 2026 Data Security Index, a global study of how enterprises are securing data as generative AI adoption accelerates across the workplace. Based on a survey of more than 1,700 data security leaders in 10 countries, the report examines how organizations are responding to rising data risk tied to AI-driven productivity.
The report finds that while companies are rapidly deploying generative and agentic AI, data security controls and visibility are struggling to keep pace. That gap matters because AI is increasingly embedded in ERP workflows across finance, supply chain, and HR, where data exposure, access control, and auditability directly affect system integrity.
Key Findings From the 2026 Data Security Index
The 2026 Data Security Index highlights a growing disconnect between enterprise AI adoption and the data security controls meant to govern it. Based on survey responses, the findings show how generative AI is reshaping risk patterns across data-intensive systems.
AI Adoption Is Outpacing Data Security Controls
The 2026 Data Security Index finds that organizations are deploying generative and agentic AI faster than data security controls can adapt. The study reports that generative AI is now involved in 32% of data security incidents. Much of that exposure is attributed to usage patterns rather than the technology itself.
Employees increasingly access generative AI tools using personal credentials and personal devices, bypassing corporate controls. In environments where AI interacts with structured financial, operational, and workforce data, those behaviors reduce visibility into data flows and complicate enforcement of access controls and audit requirements.
Fragmented Security Tools Limit Data Visibility and Governance
The Index points to poor integration as a primary driver of data security blind spots. Survey respondents cited weak integration between data security and data management platforms as their top visibility challenge, reported by 29% of organizations.
As AI-driven workflows increasingly span cloud platforms, SaaS applications, and core enterprise systems, that integration gap limits teams’ ability to track where sensitive data resides and how it moves across environments.
The report shows that fragmented tooling makes it harder to correlate events, detect exposure, and enforce consistent policies as data volumes and system complexity grow. These constraints are pushing organizations to reconsider how data security, visibility, and governance are structured across enterprise data estates.
Employee AI Use Is Expanding the Data Security Risk Surface
The Index links a growing share of data exposure to everyday employee use of generative AI tools. Survey results show that employee use of personal credentials to access AI tools for work rose from 53% to 58% over the past year, while use of personal devices increased from 48% to 57%. These behaviors bypass corporate controls and reduce visibility.
As generative AI becomes part of routine work, unmanaged usage introduces risk even without malicious intent. When AI systems interact with core transaction and master data, unmanaged usage complicates segregation of duties, policy enforcement, and audit readiness across enterprise processes.
Organizations Are Beginning to Use AI to Secure AI
The Index shows organizations increasingly applying AI to data security itself. More than 80% of surveyed organizations said they are implementing or developing data security posture management strategies, and a large majority reported plans to embed generative AI directly into security operations.
Reported use cases include data discovery, incident investigation, and policy enforcement, with adoption of AI agents moving beyond early experimentation. At the same time, the report emphasizes continued reliance on human oversight, reflecting concern about unchecked automation in security-critical workflows.
Security Budgets Are Rising, but Execution Remains Uneven
The Index shows that organizations recognize the scale of the challenge. Nearly nine in 10 surveyed decision-makers said they expect data security and compliance budgets to increase over the next year, reflecting heightened concern as AI adoption accelerates.
At the same time, the findings suggest that spending alone has not resolved underlying issues tied to tool sprawl, visibility gaps, and inconsistent governance.
The result is a mixed execution picture. While investment is increasing, many organizations are still adapting operating models and controls to match the pace of AI-driven change, particularly in complex, data-intensive enterprise environments.
What the Data Security Index Recommends Organizations Do Next
The 2026 Data Security Index frames its guidance around a central premise: AI adoption and data security can no longer be treated as separate initiatives. As generative AI becomes embedded in daily operations, the report argues that visibility, governance, and protection must be applied consistently at the data layer.
1. Consolidate Data Security Around Integrated Platforms
The Index urges organizations to move away from fragmented security tools toward integrated platforms that offer a unified view of enterprise data. The report notes that disconnected systems create blind spots as data moves across cloud services, SaaS applications, and core systems. Data security posture management is presented as a way to continuously identify sensitive data and apply consistent protections.
2. Put Guardrails Around AI-Driven Productivity
Rather than limiting AI use, the report emphasizes clearer guardrails for how generative AI is used every day. Suggested steps include keeping sensitive data out of unsanctioned tools, improving visibility into AI use, and reinforcing approved practices through employee education. The aim is to support productivity while reducing unmanaged risk.
3. Use AI to Strengthen Security Operations
The Index also points to wider use of AI within security operations. It highlights using generative AI to support detection, investigation, and response as data volumes grow. At the same time, the report stresses the need for human oversight, framing AI as a way to support security teams rather than replace them.
What This Means for ERP Insiders
AI can weaken ERP boundaries faster than controls evolve. AI-driven data access increasingly bypasses traditional ERP permission models, exposing gaps between system-level controls and cross-platform data use. Those gaps surface as audit friction and delayed approvals once AI outputs influence financial or operational decisions.
ERP risk shifts from transactions to data movement. As ERP data feeds analytics, automation, and AI tools, governance failures emerge in data flows and access paths rather than posting logic. That shift complicates oversight because controls designed for transactions struggle to follow data once it leaves the core system.
AI progress depends on enterprise data maturity. Organizations with clear data ownership and visibility can extend ERP data into AI use cases faster than those constrained by fragmented governance. In less mature environments, AI initiatives stall as security, compliance, and IT teams reconcile exposure after deployment.
