The Blind Spot – Part 3 (Discovery)

The Blind Spot – Part 3 (Discovery)

Discovery and classification aren’t checkbox exercises. They’re the foundation of every other security control you have.

Here’s a principle that sounds obvious but gets violated constantly in enterprise security:

You cannot protect data you don’t know exists.

Most organizations have some form of data discovery and classification in place. The problem isn’t that they don’t have the concept. It’s that their coverage has three consistent gaps:

Gap 1: Unstructured data is largely unclassified.
Structured data (databases, ERP records, CRM) tends to have reasonable classification coverage. Unstructured data (documents, emails, collaboration files, code repositories) usually doesn’t. This is also the data that AI systems are most aggressively consuming.

Gap 2: Secondary data is ignored.
Backup copies, archive environments, and disaster recovery replicas contain the same sensitive data as production. They are often outside the scope of classification programs entirely. If a breach exposes a backup, your classification posture didn’t protect you.

Gap 3: Classification is static, not continuous.
A classification run from six months ago tells you where sensitive data was, not where it is now. Data moves. New files are created. Pipelines copy data into new environments. Without continuous classification, your posture drifts. Silently.

DSPM addresses all three gaps by treating discovery and classification as ongoing processes, not projects.

The practical implication for AI: before you connect a data source to a model or an agent, you need to know what’s in it. Classification tells you which data is AI-eligible and which carries risk that requires governance controls before it goes anywhere near a pipeline.

This is the foundation. Everything else (access control, policy enforcement, recovery) depends on knowing what you have.

What percentage of your unstructured data do you think is currently classified accurately?

Derran Guinan
Field CTO · Americas

Field CTO for the Americas at Veeam. 30+ years in IT and cybersecurity. I write about data protection, security architecture, and AI from the field — honest takes for practitioners, not press releases.

Related Articles

The Blind Spot – Part 4 (Classification)

𝐘𝐨𝐮 𝐜𝐥𝐚𝐬𝐬𝐢𝐟𝐢𝐞𝐝 𝐲𝐨𝐮𝐫 𝐝𝐚𝐭𝐚. 𝐍𝐨𝐰 𝐰𝐡𝐨 𝐜𝐚𝐧 𝐚𝐜𝐭𝐮𝐚𝐥𝐥𝐲 𝐫𝐞𝐚𝐜𝐡 𝐢𝐭? Classification tells you what your data is. Access governance tells you who can touch it…

The Blind Spot – Part 5 (Agent Commander)

𝐓𝐡𝐢𝐬 𝐢𝐬 𝐰𝐡𝐞𝐫𝐞 𝐭𝐡𝐞 𝐕𝐞𝐞𝐚𝐦 𝐚𝐧𝐝 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐢 𝐀𝐈 𝐬𝐭𝐨𝐫𝐲 𝐛𝐞𝐜𝐨𝐦𝐞𝐬 𝐜𝐨𝐧𝐜𝐫𝐞𝐭𝐞. Over the past four weeks I’ve outlined the gaps that DSPM addresses: Unclassified unstructured…