January 1st 2026

Data has long been described as “the new gold.” The phrase is tired, but the underlying idea is no longer metaphorical. Across industries, data is being treated less as exhaust from operations and more as a core productive asset—fuel for automation, analytics, artificial intelligence, and strategic decision-making.

Yet there is an uncomfortable mismatch between how organisations talk about data and how they govern it.

Boards now expect data to generate value. Regulators expect it to be handled responsibly. Courts increasingly treat it as evidence. AI systems turn it into decisions that affect customers, citizens, and shareholders. And yet, when something goes wrong—an audit, a breach, a regulatory inquiry, or an AI failure—many organisations discover that they cannot clearly answer the most basic questions: who owns the data, how it was used, and whether its use can be defended.

Security teams are often confident. Governance teams, less so. The gap between the two is where data assets quietly turn into liabilities.

Security Is Necessary. It Is Not Sufficient.

Most large organisations have invested heavily in information security. Encryption is standard. Identity and access management is mature. Frameworks such as ISO/IEC 27001 provide a common baseline for managing information security risk, and adoption is widespread.

But security protects access, not meaning.

A dataset can be perfectly encrypted and rigorously access-controlled and still be fundamentally ungoverned. Security answers the question, “Who can get in?” Governance answers a more consequential one: “What is this data, who is responsible for it, and what is it allowed to be used for?”

This distinction is no longer academic. In its updated Cybersecurity Framework (CSF 2.0), the U.S. National Institute of Standards and Technology (NIST) elevated “GOVERN” to a core function, alongside Identify, Protect, Detect, Respond, and Recover. The signal is clear: without governance, cybersecurity outcomes are fragile and difficult to sustain.

The same logic applies beyond cyber risk. As data is increasingly used to train models and automate decisions, organisations are being judged not just on whether data was protected, but on whether its use was justified, proportionate, and traceable.

The Quiet Repricing of Data

Consultancies and policymakers have begun to talk more explicitly about data as an asset class. The World Economic Forum has explored how data underpins modern value creation. Deloitte has published guidance on valuing data assets. Law firms such as Baker McKenzie have examined data ownership through a commercial and legal lens.

This shift matters because assets imply expectations. Assets are owned. They are controlled. They are accounted for. And when they cause harm, someone is responsible.

Regulators have followed suit. The GDPR’s accountability principle requires organisations not only to comply with data protection rules, but to be able to demonstrate compliance. The forthcoming EU Artificial Intelligence Act goes further, introducing record-keeping and logging requirements for high-risk AI systems so that decisions can be traced and examined after the fact.

In other words, the era of plausible deniability is ending. Data use must now be defensible.

From Protection to Defensibility

What does it actually mean to protect the value of data, rather than merely to secure it?

The answer is less technical than many expect. It is organisational.

First, ownership must be real. In many firms, data ownership exists only nominally—assigned in spreadsheets, disconnected from decision rights. Yet ownership only matters if it carries accountability: authority to approve new uses, responsibility for quality and meaning, and a clear link to legal and business risk. Without this, data governance becomes ceremonial, and accountability dissolves at precisely the moment it is needed.

Second, context must travel with the data. Modern data stacks move information through dozens of transformations. Without metadata, lineage, and provenance, teams lose the ability to explain how figures were derived or models were trained. For engineers, this leads to brittle pipelines. For lawyers and risk teams, it leads to exposure. Context is not overhead; it is the difference between explanation and speculation.

Third, access must be controlled by purpose, not merely by role. The most damaging data incidents rarely involve outsiders breaking in; they involve insiders using data in ways that were never clearly authorised. Purpose-based access—combined with usable logging—allows organisations to show not just who accessed data, but why. This matters enormously when incidents are reconstructed months later.

Finally, records must support traceability. AI systems, in particular, compress large volumes of data into opaque outcomes. Regulators are increasingly clear that “the model decided” is not an acceptable explanation. NIST’s AI Risk Management Framework emphasises lifecycle governance precisely because risk does not disappear once a model is deployed—it accumulates.

Together, these elements form something more robust than compliance. They create defensibility.

The Cost of Indefensible Data

When data governance fails, it rarely fails quietly.

Executives argue over whose numbers are correct. AI systems behave in unexpected ways that no one can fully explain. Privacy complaints escalate because consent and purpose were poorly documented. Security incidents expand in scope because access histories are incomplete. Litigation becomes expensive because decision-making cannot be reconstructed with confidence.

In each case, the root cause is the same: data was treated as a technical resource, not a governed asset.

This is why financial regulators are also paying attention. The U.S. Securities and Exchange Commission’s new cybersecurity disclosure rules focus explicitly on governance—how risks are managed, who is responsible, and how incidents are overseen. Disclosure now extends beyond breaches to the systems of accountability behind them.

A Practical Test

There is a simple way to assess whether data is genuinely protected as an asset.

Can the organisation clearly identify who owns its most critical datasets? Can it trace a key metric or AI output back through its transformations to the original source? Can it show who accessed sensitive data, for what purpose, and under what authority? Can it reproduce a decision months later with evidence rather than institutional memory?

If the answer to these questions is inconsistent, the problem is not tooling. It is governance.

Security will remain essential. But in a world where data drives value, governance determines who ultimately bears the risk.

And increasingly, that is the difference between an asset that compounds—and one that quietly erodes trust.