Perforce Software today published a survey of 250 IT professionals that finds the amount of sensitive data residing in non-production environments is rising as organizations embrace artificial intelligence (AI) and digital business transformation.

The company’s Delphix 2024 State of Data Compliance and Security Report finds three quarters (75%) reporting that the volume of sensitive data stored in non-production environments increased over the past year, with advances in AI and machine learning (60%) followed by digital transformation (53%) and increased digital customer interactions (53%) cited as the primary cause.

A full 91% of respondents are concerned about the expanded exposure footprint across all non-production environments including software development, testing and data analytics, with more than half (54%) noting their organization has already experienced a data breach or theft involving sensitive data in non-production environments. More than half (53%) have also encountered audit issues and failures involving data stored in non-production environments.

The top concerns respondents have about this data are data breaches and data theft (88%), followed closely by regulatory compliance (86%), ransomware (86%), data corruption and alteration (82%) and audit issues and failures (82%). Over a quarter (26%) are concerned about the difficulty of addressing requirements for large-scale data estates.

Despite these issues, however, a total of 86% of respondents said their organizations allow data compliance exceptions in non-production environments. Just under a quarter (22%) acknowledged discovering sensitive data in non-production environments is a top challenge.

David Wells, product lead for compliance products for Delphix by Perforce, said much of that activity can be traced to, for example, analysts working with business intelligence (BI) applications or application developers using data copied from a production environment to build applications.

Unfortunately, much of that activity involves sensitive data that isn’t masked, he added. In theory, that data could be masked but inertia often prevents organizations from implementing that capability. The survey noted that just under a third of respondents (32%) believe that protecting sensitive data in non-production environments will hinder the rate are which applications are developed.

On the plus side, two-thirds of respondents (66%) are using data masking in some portion of their non-production environments, but in the absence of any kind of data masking capability it’s all but inevitable there will be a compliance violation, noted Wells. Nearly all respondents said static data masking is effective, with 90% noting it is extremely effective or very effective at protecting sensitive data in lower environments.

The challenge of applying data masking more broadly is simply overcoming simple inertia, noted Wells.

That situation is only likely to be made worse with the rise of AI. A full 85% of respondents are concerned about regulatory non-compliance in AI environments, with 68% perceiving there is a lack of solutions to tackle data privacy in AI environments.

It’s not practical for cybersecurity teams to oversee every use case involving sensitive data, but they can help mitigate the issue by creating a culture that emphasizes data stewardship, said Wells. Employees of organizations need to better appreciate they are being trusted to ensure the security of sensitive data of customers and employees, rather than merely being handed a data set that can be carelessly managed, he added.

Regardless of how organizations achieve that goal, the one certain thing is the cost of the fines and penalties levied for that behavior are only going to continue to increase.