Data protection in 2026: regaining control against emerging risks
In 2026, protecting sensitive data is no longer just about defending against cyberattacks. For organizations, the challenge now also lies in ensuring that their data is not exploited, intentionally or unintentionally, by external artificial intelligence systems, without control or visibility.
Data protection starts with a simple but often overlooked question:
Do you know what data your employees share every day with generative AI tools?
Today, it is no longer relevant to ask whether employees use generative AI. Numerous studies and surveys have already shown that these tools are widely adopted across organizations.
The real issue lies elsewhere:
What types of data are being used, through which AI solutions, and with what level of control?
In this article, we share our engineering-driven vision: how to regain control over your data, implement proportionate security measures, and turn cybersecurity constraints into strategic business decisions.
Data leakage: a silent but critical risk
At a time when data leaks have become a goldmine for attackers—and in an increasingly tense geopolitical context—data control is no longer optional.
An effective data protection strategy can no longer be limited to securing internal systems alone. It must also address data leakage risks across the entire corporate ecosystem, particularly in relationships with third parties and vendors.
Data identification: the foundation of any security strategy
Regaining control starts with a fundamental step: identifying your data.
Data mapping is the cornerstone not only of data protection, but of all future cybersecurity initiatives. The more accurate the data inventory, the easier it becomes to apply relevant and effective security controls.
The goal is not to be exhaustive from day one. A pragmatic approach is recommended: work by data category and iterate over time. Start simple, then progressively refine.
For each type of data, this process can be structured along three core dimensions:
Storage
- Is the data stored internally or externally?
- What security measures are in place?
- Do contracts adequately cover the identified risks?
Processing
- How is the data used?
- Is processing handled internally or by third parties?
- Are security levels aligned with data sensitivity?
Data Flows
- Where does the data circulate?
- Which data flows are essential to business operations?
- Which flows are unnecessary or insufficiently controlled?
Proportionate security and strategic choices
Once visibility is established, the challenge is to align security measures with the organization’s actual risk level.
For example, relying on a software vendor is not inherently risky. It depends on:
- The industry sector
- The nature of the data involved
- Regulatory requirements
- And above all, the defined security strategy and the vendor’s own security practices
That said, organizations must always retain control over their data security, either by contractually enforcing third-party accountability or by strengthening their own security mechanisms.
Shadow AI: choosing strategy over reaction
The rise of Shadow AI perfectly illustrates these new challenges.
The first step is to identify real, and often invisible, uses of generative AI within the organization. Once this reality is acknowledged, several strategic options can be considered, such as:
- Subscribing to enterprise-grade generative AI solutions with contractual safeguards
- Deploying and operating an internal generative AI architecture
- Prohibiting the use of public AI tools without an enterprise license
- Implementing technical architectures to control outbound data flows to public AI platforms
- Defining clear rules on which types of data are authorized or prohibited
The key is not to endure uncontrolled AI usage, but to define and implement a clear strategy to prevent sensitive data leaks.
The human factor: a critical lever
As with any security initiative, success largely depends on people.
Organizations must support these changes through:
- Progressive awareness of data-related risks
- Regular security awareness initiatives
- Training programs tailored to specific roles and use cases
The objective is not to ban usage, but to enable responsible, controlled, and secure use of company data.
Protecting data in 2026 means above all regaining control in an environment where practices evolve faster than regulations.
Identify, decide, govern, and support: these are the essential levers for starting the year with greater confidence and a cybersecurity strategy truly aligned with today’s challenges.
We support you throughout your cybersecurity journey.