New Research Reveals Most Organizations Can't Prove Where Their Data Lives

61% can't produce unified audit trails. 57% lack centralized data gateways. AI and data sovereignty won't wait.

SAN MATEO, CA, UNITED STATES, January 6, 2026 /EINPresswire.com/ -- Kiteworks, which empowers organizations to effectively manage risk in every send, share, receive, and use of private data, today released its Data Security and Compliance Risk: 2026 Forecast Report—a comprehensive analysis revealing that most organizations cannot answer a fundamental question regulators, auditors, and AI systems are all asking: Where does your data live, and can you prove it?

The research, based on a survey of 225 security, IT, compliance, and risk leaders across 10 industries and 8 regions, exposes a systemic visibility and accountability crisis. Only 36% of organizations have visibility into where their data is processed, trained, or inferred by external partners. Meanwhile, 61% have fragmented audit trails that can't produce evidence-quality documentation, and 57% lack the centralized data gateways needed to track, control, and prove data flows across their environment.

"Organizations have spent years building governance frameworks on paper. Now they're being asked to prove those frameworks work—and most can't," said Tim Freestone, Chief Strategy Officer, Kiteworks. "When a regulator asks where customer data was processed, when a board asks how AI systems are accessing sensitive information, when a sovereignty audit demands proof of data residency—nearly two-thirds of organizations will struggle to produce a clean answer. That's not a technology gap. It's an accountability gap."

Data sovereignty laws now span more than 100 countries, each with distinct requirements for where data can be stored, processed, and transferred. Yet the report finds most organizations lack the infrastructure to demonstrate compliance. Without centralized gateways and unified audit trails, proving data residency becomes a manual, error-prone exercise—if it's possible at all. The gap between regulatory expectations and operational capability is widening, not closing.

AI adoption is accelerating the problem. Every organization surveyed has agentic AI on their roadmap, but 63% can't enforce purpose limitations on AI agents, 60% lack kill-switch capabilities, and 72% have no software bill of materials (SBOM) for AI models in their environment. AI systems are accessing, processing, and learning from sensitive data—while the governance infrastructure underneath them can't track where that data goes or prove how it's being used.

Third-party relationships compound the visibility problem. Organizations are extending sensitive data to AI vendors, cloud providers, and partners without the contractual mechanisms or technical visibility to verify where that data ends up. The report finds 89% have never practiced incident response with third-party AI partners, and 78% can't validate training data quality. Trust is being extended without the ability to verify.

The government sector faces the steepest challenges. Among government organizations surveyed, 90% lack purpose binding for AI, 81% can't isolate AI systems from network access, and 33% have no dedicated AI controls whatsoever—while handling citizen data and critical infrastructure. Government governance programs lag a full generation behind the private sector.

"The organizations that can answer these questions share one thing in common: board engagement," said Patrick Spencer, SVP of Americas Marketing and Industry Research, Kiteworks. "Organizations with engaged boards score up to 28 points higher on every governance metric—data visibility, AI controls, audit readiness, all of it. But 54% of boards aren't engaged on these issues. The difference between organizations that can prove where their data lives and those that can't starts in the boardroom."

The research identifies models worth following. Australia outperforms other regions by 10-20 points across nearly every metric, demonstrating that strong governance and rapid innovation aren't mutually exclusive. The report also identifies "keystone capabilities"—unified audit trails and training-data recovery—that predict success across all other metrics, showing up to 32-point advantages for organizations that have implemented them.

"The question regulators, auditors, and AI systems are asking is simple: Where is the data, and can you prove it?" Freestone concluded. "By end of 2026, centralized data gateways and evidence-quality audit trails won't be differentiators—they'll become table stakes. Organizations still running fragmented governance on disaggregated infrastructure will face a choice. Unify and prove, or accept that every audit, every data sovereignty inquiry, and every AI deployment is an unmanaged risk."

Download the full 2026 Forecast Report here.

About Kiteworks
Kiteworks' mission is to empower organizations to effectively manage risk in every send, share, receive, and use of private data. The Kiteworks platform provides customers with a Private Data Network that delivers data governance, compliance, and protection. The platform unifies, tracks, controls, and secures sensitive data moving within, into, and out of their organization, significantly improving risk management and ensuring regulatory compliance on all private data exchanges. Headquartered in Silicon Valley, Kiteworks protects over 100 million end-users and over 1,500 global enterprises and government agencies.

David Schutzman
Kiteworks
203-550-8551
email us here
Visit us on social media:
LinkedIn
Facebook
YouTube
X

Legal Disclaimer:

EIN Presswire provides this news content "as is" without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the author above.