More than Meet the AI 970x250

Loss of Visibility: A Hidden Threat to Digital Enterprises

The biggest risks today are the ones IT and security teams can’t see.

Jennifer George Reading Time: 6 Min 

Topics

  • News

    1. MBZUAI Unveils K2 Think V2, Advancing the UAE’s Push for Fully Sovereign AI
    2. ENEC, TII, and ASPIRE Partner to Advance Autonomous Aerial Systems
    3. OpenAI Bets on AI to Streamline Scientific Research Workflows
    4. AI Use Is Rising at Work but Productivity Gains Lag
    5. Meta Signals Shift Toward Paid Features With Subscription Tests Across Its Apps
    6. All LLMs Are Trained on the Same Data’: Oracle Chief Flags AI’s Biggest Challenge

    • [Image source: Chetan Jha/MITSMR Middle East]

    Built on cloud-native architectures, microservices, AI-driven automation, and multi-cloud strategies, today’s digital enterprises are more powerful than ever. Yet this very sophistication has introduced a new challenge: as systems grow more complex and distributed, organizational visibility erodes, leaving leaders struggling to understand what’s happening across their environments and to manage risk effectively.

    This loss of visibility is no longer a technical inconvenience; it is a strategic vulnerability. “The biggest risks today are the ones IT and security teams can’t see,” says Sanjay Mirchandani, President and CEO of Commvault.  As organizations add tools, environments, policies, and autonomous systems, blind spots inevitably multiply — creating fertile ground for cyberattacks, data loss, and operational disruption.

    With so much infrastructure now hidden and run by machines, real cyber resilience is essential for digital trust and business continuity. It determines if organizations can handle uncertainty and disruption.

    The Expanding and Abstract Attack Surface

    In the past, attack surfaces were defined by stable infrastructure, known servers, predictable data, and human-managed access. That’s no longer true. Today’s infrastructure is temporary, automated, and often not directly managed by people. AI workloads can appear and disappear in minutes. Serverless functions run without permanent servers. Autonomous agents work at scale and often handle sensitive data in ways many organizations don’t fully understand.

    “The unprecedented rise of AI is reshaping resilience,” says Mirchandani. AI is not only generating an extraordinary volume and variety of data that must be protected and governed, but it is also introducing new identities, access patterns, and behavioral risks that stretch traditional security models beyond their limits.

    This challenge is clear in enterprise data. Most large organizations now use multiple cloud environments, with over 80 percent choosing this approach to avoid vendor lock-in and speed up innovation. At the same time, more sensitive data is being stored in the cloud and spread across more places. Still, many organizations aren’t confident they can spot threats in real time, often relying on outdated assessments that can’t keep up with constant changes.

    In this situation, just knowing where data is stored isn’t enough. Resilience now means understanding who or what is accessing data, if that access is appropriate, and whether the organization can recover quickly and at scale if something goes wrong.

    Cloud Sprawl and the Illusion of Control

    Many boards and senior leaders still feel reassured by moving to the cloud, assuming that big cloud providers handle most security and protection. In reality, this is one of the most common and risky misunderstandings in today’s IT governance.

    “Data protection in the cloud is a shared responsibility,” Mirchandani stresses. Cloud providers offer basic controls, but companies are still responsible for how their data is set up, accessed, protected, and recovered. Studies show that over half of organizations lack a comprehensive view of their cloud security, leading to significant gaps that often emerge only after something goes wrong.

    These gaps are real. Cloud environments have become a primary target for attackers, with a growing proportion of organizations reporting direct attacks on cloud-based infrastructure and workloads. As estates expand across multiple providers, regions, and services, the complexity of maintaining consistent protection increases, while executive confidence often lags behind reality.

    For leaders, the main question isn’t if the cloud is secure, but whether the organization has a resilience plan that covers all its data. Without clear visibility and consistent policies across on-premises, hybrid, and multi-cloud setups, cloud sprawl not only makes operations harder but also hides risks when clarity is most important.

    Shadow Data: The Risk Born from Speed

    If cloud sprawl is the visible manifestation of digital growth, shadow operational data is its quieter counterpart. As a former CIO, Mirchandani is clear. He says shadow IT is not going away. The pressure to move fast encourages teams to spin up SaaS applications, analytics environments, and AI-driven experiments with minimal friction. While these efforts are often well-intentioned, they frequently generate data that sits outside formal governance structures.

    Shadow data is hard to manage because it often comes from approved activities, not just unauthorized tools. Separate automation, AI workflows, and local experiments can create sensitive data that is spread out, poorly labeled, and hidden from company-wide compliance and security systems.

    This is a big problem. Many SaaS tools are used in companies without IT or security teams fully knowing about them. Experts predict that many future breaches will be tied to “shadow AI”—autonomous tools and models used without enough oversight. In this situation, resilience starts with discovery. If organizations can’t keep finding and classifying their data, they can’t protect it.

    From Speed Versus Security to Trusted Resilience

    A common belief in digital transformation is that organizations must choose between speed and control. Mirchandani says this idea is wrong. He believes lasting innovation depends on trust, and trust comes from resilience.

    “To truly enable innovation today, you must embrace a trusted framework for resilience.” In practice, this means building in data security, identity controls, and recovery policies from the start of any new workload, pipeline, or AI experiment. When protection is automatic and consistent, teams can move fast without adding risk.

    The need for this shift is becoming harder to ignore. Despite widespread awareness of cyber risk at the board level, only a small fraction of organizations can credibly claim to have implemented enterprise-wide cyber resilience. This gap between intent and execution is reflected in the frequency and cost of incidents, which continue to rise as digital estates grow more complex.

    Resilience, in other words, cannot be retrofitted. It must be operationalized as a default condition of innovation.

    Why Fragmented Tools No Longer Work

    Older security and data management tools were made for stable, predictable environments. Today’s businesses are always changing. Data moves constantly across clouds, SaaS platforms, analytics, and AI pipelines, often managed by different tools that don’t work well together.

    This lack of integration is now a risk in its own right. Many organizations use multiple tools for discovery, classification, identity management, and recovery, making it hard to see the full picture of their risks and readiness. As Mirchandani says, “It’s not enough to know where data is. You need to understand who or what is accessing it; whether it’s protected; and if it can be cleanly and securely recovered at scale.”

    To reach this level of understanding, organizations need constant monitoring and unified platforms that treat data security, identity, and recovery as connected parts of resilience, not as separate tasks.

    Making the Unknown Knowable

    As companies face many unknowns, automated discovery is becoming essential. But discovery by itself isn’t enough. Mirchandani points out that persistence, context, and recoverability are also important. Discovery should be ongoing and able to keep up with changing workloads. It needs to connect data sensitivity, access patterns, compliance needs, and business importance, and it must be tied directly to recovery readiness.

    When these elements are combined, hidden risks become visible and therefore manageable. As organizations embrace serverless architectures, edge computing, and hyper-distributed models, discovery systems will need to become intelligent and adaptive, learning and evolving as fast as the environments they monitor.

    Resilience by Design and by Leadership

    A resilient-by-design approach begins by identifying what truly matters: the systems, identities, networks, and people essential to business continuity. From there, organizations can plan, test, and rehearse recovery — preparing not just for if a disruption occurs, but for how they will respond when it does.

    For CEOs, this is not a technical detail to be delegated. “We need to close the gap between perceived preparedness and reality,” Mirchandani says. As AI adoption accelerates and attack surfaces expand, cyber resilience must be elevated from an operational concern to a leadership imperative.

    Topics

    About the Author

    Jennifer George is the Correspondent for the MIT Sloan Management Review Middle East.
    View More

    Tags:

    More Like This

    You must to post a comment.

    First time here? : Comment on articles and get access to many more articles.