
Data security through obscurity is dead

This blog is adapted from an episode of the NetApp podcast Let’s Solve IT!, where technology leaders share real-world insights and practical solutions to today’s IT challenges.


Gavin Gutterson

Security through obscurity is dead

For years, many organizations operated under a quiet assumption: if information was difficult to find, it was effectively protected.

Sensitive documents lived somewhere on shared drives. Emails were buried in inboxes. Meeting notes were scattered across collaboration tools. The information technically existed, but unless someone knew exactly where to look, it was unlikely to surface.

In many ways, that became a form of security through obscurity.

Artificial intelligence has changed that assumption permanently. AI systems can now scan enormous volumes of information in seconds, searching documents, summarizing conversations, analyzing transcripts, and surfacing insights that once required hours of manual effort.

The productivity benefits are undeniable. But so is the shift in risk. In an AI-powered environment, very little stays hidden for long.

The discoverability problem

One of the most significant impacts of AI within the enterprise isn’t just automation but discoverability. Information that once required time and effort to locate can now be surfaced instantly. A single prompt can search documents, collaboration messages, notes, and transcripts across multiple systems.

That dramatically changes the security equation.

If sensitive information exists somewhere in your environment, AI increases the likelihood it will eventually be discovered, whether by employees, automated systems, or potentially malicious actors if controls fail. The friction that once helped obscure poorly managed data is disappearing.

When conversations become data

Another shift is the sheer volume of data organizations are now creating.

AI assistants increasingly transcribe meetings, summarize discussions, and generate notes automatically. These tools are valuable because they help teams capture decisions, track action items, and stay aligned. But the moment a conversation becomes a transcript, it becomes data. And once something becomes data, it must be governed.

Consider a development team discussing a product vulnerability during a meeting. The conversation is intended for a small group of engineers working through a problem. If that discussion is automatically transcribed and stored in a searchable system, it becomes a permanent record.

Modern AI tools can surface that information almost instantly.

For authorized teams, accessibility may be useful. But if access controls are misconfigured, or if the transcript is stored in the wrong location, the risk of exposure increases significantly. The issue isn’t the meeting itself. It’s how easily the information can now be found.

Convenience is moving faster than governance

One of the biggest challenges organizations face with AI is that convenience often outpaces governance. People adopt AI tools because they save time. But teams often adopt these capabilities without fully understanding where the underlying data is stored.

I’ve seen this firsthand in other industries. Early in the generative AI boom, one hospital system had to quickly shut down access to public AI tools after doctors began using them to review patient notes. The intention wasn’t malicious, just an effort to work more efficiently. But those patient records were being sent to external systems that were never designed to store protected healthcare data.

It’s a reminder that productivity gains can quickly create governance challenges if organizations move too quickly.

Data governance is now a security imperative

This is why data governance has become one of the most important elements of modern cybersecurity.

Organizations need clear answers to a few fundamental questions:

  • Where does our data live?
  • What type of data is it?
  • Who has access to our data?
  • How long should data be retained?

Without that visibility, AI doesn’t just accelerate productivity; it accelerates risk.

One of the most common problems we see is that organizations spend enormous effort protecting data that isn’t particularly sensitive while overlooking information that truly matters.

I often joke that companies spend too much time protecting the lunch menu. It’s the cybersecurity equivalent of locking the front door while leaving the side gate wide open. Meanwhile, sensitive discussions, such as engineering work, security analysis, and internal strategy, may reside in collaboration tools without proper controls. In an AI-driven environment, that imbalance becomes far more dangerous.

Assume the data will be found

A useful way to think about cybersecurity is through the analogy of car safety. No one can guarantee they’ll never be in an accident. But we design vehicles to minimize damage if one occurs.

Security should follow the same philosophy.

Organizations should assume that data exists, may eventually be discovered, and could potentially be exposed. The goal isn’t to eliminate risk, because that’s unrealistic. The goal is to minimize the blast radius if something goes wrong. That means implementing strong access controls, classifying sensitive data, defining retention policies, and ensuring governance applies consistently across systems.

These practices were important before AI, but now they are essential.

The bottom line

AI isn’t just changing how work gets done. It’s changing how information is discovered. The days when sensitive information could remain buried in a forgotten folder or hidden in a long email thread are rapidly disappearing.

Security through obscurity was never a reliable strategy. In the age of AI, it isn’t a strategy at all.

Organizations that succeed in the AI era will be the ones that understand where their data lives, govern it carefully, and assume that if something exists, it will eventually be found.

Hear more from Gavin Gutterson in his episode of the Let’s Solve IT! Podcast, hosted by Matt Brown. Ep. 1 - When AI convenience becomes a business risk | Let’s Solve IT! Podcast

Gavin Gutterson

Gavin Gutterson is Vice President and Chief Information Security Officer at NetApp, where he leads the company’s global cybersecurity, risk management, and resilience programs.

Explore the full podcast series: https://letssolveitnetapp.podbean.com/
