The rapid rise of AI has renewed focus on securing the asset that powers it – data.
As organisations race to operationalise AI using proprietary information, many are finding that existing governance, classification, and access controls were never designed for AI-era workloads.
While AI is not the only driver of data security trends, it is the most prominent, and its risks are emerging on multiple fronts. Principle among these is the potential for employees to upload sensitive information into unsecured public AI services, creating a growing problem in the form of “shadow AI”.
At the same time, internal AI systems can expose sensitive data when weak governance models allow AI tools to access information outside normal privilege boundaries. The rapid pace at which software vendors are embedding generative AI capabilities into existing platforms has only accelerated this challenge.
The result is an increased risk that personally identifiable information (PII), intellectual property, and commercially sensitive information can be exposed, misused, or unintentionally leaked into public or third-party environments.
According to Gartner, cybersecurity leaders are increasingly adopting layered defence strategies that combine cross-functional governance, stronger data classification and labelling, updated third-party risk management, and organisation-wide education programs.
AI is not the only reason why data security procedures are gaining attention, with regulators increasingly stepping in to ensure the privacy of citizen’s data is protected.

Over the past decade, regulators globally have taken an interventionist stance on data handling failures, most notably through the European Union’s GDPR regime, but also through the increasingly assertive enforcement posture of the Office of the Australian Information Commissioner.
These pressures are driving investment into a new generation of data security technologies.
Data security posture management (DSPM) platforms combine discovery, classification, monitoring, and risk assessment capabilities to help organisations better understand where sensitive information resides, how it is being used, and how it may be exposed – including within AI environments. Virtue Market Research projects the DSPM market will grow from US$2.0 billion ($2.9 billion) in 2025 to US$10.4 billion ($14.6 billion) by 2030.
At the same time, the continued migration of enterprise workloads and associated data into cloud environments has accelerated adoption of cloud-native application protection platforms (CNAPPs). CNAPP platforms consolidate multiple cloud security capabilities into a unified framework for securing, monitoring, and governing modern application and data environments. According to Grand View Research, the CNAPP market is projected to grow from US$13.9 billion ($19.5 billion) in 2023 to US$38.0 billion ($53.8 billion) by 2030.
Yet even as organisations improve visibility and governance, a longer-term challenge is beginning to emerge: the arrival of “Q-Day”, the point at which sufficiently advanced quantum computers could break many widely used public-key cryptographic systems.

The concern stems from the ability of quantum systems to rapidly solve mathematical problems that underpin conventional encryption, particularly integer factorisation and discrete logarithms. While post-quantum cryptography (PQC) is being developed to resist these attacks, it cannot protect information that has already been harvested and stored by threat actors in anticipation of future quantum capabilities.
Even then, encryption leaves another critical gap, as most security models protect information while it is stored or transmitted, but not while it is actively being processed.
This is driving growing interest in so-called ‘confidential computing’, which uses hardware-based trusted execution environments (TEEs) to isolate workloads and protect information during computation. Chip level technology and confidential virtual machine offerings from major cloud providers are increasingly being adopted for highly regulated and sensitive workloads.
Taken together, these trends point to a fundamental shift in how organisations think about data security. Rather than focusing solely on protecting networks and endpoints, security leaders are increasingly being forced to protect data itself across its entire lifecycle: at rest, in transit, and now, even while in use.
The rapidly evolving cyber threat landscape has led the global integrated logistics and supply chain company Toll Group to adopt a more comprehensive approach to data security – one that extends beyond technology controls to encompass vendor selection, contract management, and third-party risk governance.
According to global data protection lead Vasant Prabhu, traditional approaches built around stronger firewalls, tighter access controls, and perimeter-based defences were no longer sufficient for a supply chain operating at global scale.
“The most dangerous door is often one you didn't even know existed,” Prabhu said.
“The journey has been about shifting from defending a perimeter to understanding the entire terrain, because the threat doesn't stop evolving.”

With operations spanning more than 50 countries, and logistics increasingly recognised as a high-risk sector within the global economy, Toll Group has embedded security requirements directly into procurement processes, contracts, and third-party risk decisions as a condition of doing business.
“If you're only managing security after risk materialises, you're already too late,” Prabhu said.
“Data security isn't an abstract problem - you're dealing with customer PII, vendor records, and operational telemetry, all of it moving across borders and third-party systems where you can never fully guarantee control.”
Prabhu noted that because Toll Group’s assets are designated as critical infrastructure under Australia’s SOCI Act, the organisation faces obligations that extend beyond commercial risk.
“A failure isn't just a commercial or reputational issue – it has a national impact,” he said.
“That's the reality we operate in every day given shifting geopolitical alignment and global privacy mandates.”
The result is a threat surface that continues to expand faster than the controls designed to protect it.

“Between third-party vendor risk, multi-jurisdictional complexity, and nation-state threats targeting critical infrastructure – and AI introducing data flows that existing frameworks weren't built to govern - we're constantly managing a perimeter that doesn't stand still,” Prabhu said.
“We must identify every member in the ecosystem and get an assessment on each, and that is phenomenal amount of work, given resource constraints and evolving threat perception.”
To address these challenges, Toll Group has strengthened vendor due diligence processes, tightened third-party access controls, and increased scrutiny around how AI technologies interact with enterprise data environments. Prabhu said third-party risk platforms such as ProcessUnity have helped ensure that “security is a condition of entry, not an afterthought”.

The organisation’s current focus on supply chain and vendor security also follows the significant cyberattack Toll Group experienced in 2020.
“We've already lived through what the reactive version looks like, and at the scale we operate, you can't afford to learn that lesson again,” Prabhu said.
“The obligation to get ahead of it was as much about hard experience as it was about regulatory pressure and emerging threats.”
Prabhu added that the growing use of AI across Toll Group projects was creating an entirely new layer of complexity for data security and governance.
“Suddenly you're asking questions about what data enters a model, is there a way of measuring the model performance, and what is data residency and processing in different jurisdictions as per regulation, and who sees the outputs – and realising your existing controls were never designed with that in mind,” he said.
“It requires a complete re-look at the data security strategy.”
“It's going to be a lot worse with Agentic AI entering the mix. Good governance and guardrails is mandatory.”
The 2026 State of Security sponsors have worked tirelessly to improve the safety of end user organisations.
We are proud to present this year's State of Security champions, and showcase the work they do.