Gartner predicts that half of organizations will adopt “zero trust” to govern their data amidst the rise of AI-generated content

The idea that “corporate data is reliable by default” is rapidly losing relevance. Gartner argues that as the volume of information generated by Artificial Intelligence (AI) grows and becomes increasingly indistinguishable from content created by humans, data governance will need to evolve toward a “zero trust” approach.

The consultancy estimates that by 2028, 50% of organizations will adopt a zero trust stance in data governance, driven by the proliferation of “unverified” data generated by AI and the potential impact of this on operational, financial, and compliance decisions.

Why the problem is no longer just “data quality”

For years, the debate on data governance was based on relatively well-known pillars: lineage, quality, data owners, access policies, classification, retention, and auditing. The current shift has a different nuance: more and more information enters systems without solid verification of its origin.

Gartner sums it up with a troubling idea for any executive committee: organizations can no longer “implicitly trust” data, nor assume it was generated by humans. When corporate repositories (documents, tickets, knowledge bases, summaries, reports, even spreadsheet fields) are fed with AI-generated content, the line between “data” and “plausible text” becomes blurred.

Meanwhile, the market accelerates. According to Gartner, 84% of CIOs and technology leaders surveyed in 2026 expect to increase funding for generative AI in 2026, foreshadowing more automation… and more information production at scale.

“Zero trust” applied to data governance: what does it mean in practice

In cybersecurity, zero trust became popular as a cultural and technical shift: don’t trust any user, device, or flow by default, and verify continuously. Applied to data governance, the principle is similar:

  • No data is considered “fit” by default for critical decisions, model training, regulatory reporting, or automation.
  • Authentication, verification, and traceability are mandatory (origin, transformations, responsible parties, controls).
  • Trust is earned through signals and evidence (metadata, certifications, signatures, integrity controls, audits).

This doesn’t mean treating all data as “guilty,” but establishing a framework where verification is an operational requirement, especially when data may have been generated or modified by AI.

Table 1 — Typical risks of “unverified data” and how the zero trust approach fits

| Risk | Realistic company example | What zero trust demands |
| --- | --- | --- |
| Uncertain origin | Reports or procedures drafted by AI without verifiable sources | Source tagging + provenance evidence + responsible validator |
| Invisible inconsistencies | Summaries that omit critical nuances or mix versions | Recertification controls + change audits + role-based review |
| Automation based on false premises | Agents or flows executing actions based on a “plausible” data point | “Trusted data” policies per use case + validations before action |
| Reputational/regulatory risk | Internal or external reports with unsubstantiated claims | End-to-end traceability + integrity and evidence retention controls |

The “model collapse” factor: when AI learns from AI (and loses touch with reality)

Gartner warns of an effect already under discussion in research: if models are increasingly trained with data generated by previous models, the risk of progressive degradation increases, known as model collapse. In simple terms: the system begins reinforcing its own “approximations” and loses information from the original distribution, especially in rare or “edge” cases.

Although this risk is associated with models, the practical consequence for an organization is direct: if corporate data becomes contaminated with unverified content, analytics, automation, and decision-making are also compromised.

The key point: identifying and tagging AI-generated data

Gartner forecasts that, in certain environments, the demand will increase for proof of which data is “AI-free” (not generated by AI) or, at the very least, the ability to identify and tag AI-generated data. The important nuance is that these requirements may vary by geography and sector, but the technical capacity to prove provenance and verification is likely to become a competitive advantage (or a requirement).

This introduces an operational concept highlighted by Gartner: active metadata management. It’s not just about having a catalog, but about ensuring that metadata serves to:

  • Analyze and detect obsolete or questionable data,
  • Alert when an asset requires recertification,
  • Automate decisions (for example, block use of a dataset if it loses “verified” status).

What Gartner recommends: four actions to stay ahead

Gartner suggests several strategic actions that, taken together, outline a realistic implementation:

  1. Name a responsible party for AI governance
    An explicit role for zero trust policies applied to data, AI risk management, and compliance operations, coordinated with data and analytics teams.
  2. Foster cross-functional collaboration
    Teams integrating cybersecurity, data/analytics, and business units to evaluate specific risks: which decisions depend on which data and what controls are missing.
  3. Leverage and update existing governance
    Don’t start from scratch: update security, ethics, metadata, and data governance policies to include the new “AI-generated content” factor.
  4. Adopt active metadata practices
    For real-time recertification, alerts, automation, and traceability throughout the data lifecycle.

Implications for CIOs, CDOs, and security leaders

In a traditional approach, conversations on data governance could remain in the realm of “best practices” and maturity models. With generative AI, the debate becomes more executive:

  • Cost of errors: if data is uncertain, automation scales the mistake.
  • Speed: continuous verification is required for critical assets; quarterly audits are insufficient.
  • Responsibility: data needs clear owners and evidence, not just “good intentions.”
  • Resilience: the goal is that data remains usable with guarantees, even in environments where AI produces massive content.

FAQ — Frequently Asked Questions

What is “zero-trust data governance,” and how does it differ from cybersecurity’s zero trust?

Cybersecurity’s zero trust focuses on access control (users, devices, networks). In data governance, the focus is on not assuming data is valid by default: it requires verifying provenance, traceability, recertification, and controls to declare data “fit” for its intended use.

How can organizations tag AI-generated content?

Usually by combining policies and metadata: origin fields (human/AI/system), a responsible validator, evidence (source, transformations), and rules to prevent “unverified” data from being used in critical processes without review or minimal reliability signals.
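The tagging fields in this answer and the “block use of a dataset if it loses verified status” rule from the active metadata section can be combined into one deny-by-default gate. The sketch below is an added example, not code from Gartner or from this article; the field names, use-case names, and age limits in `POLICY` are hypothetical.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

KNOWN_ORIGINS = {"human", "ai", "system"}  # origin tags; anything else is untagged

# Hypothetical per-use-case policy: is a named validator required, and how
# old may the last certification be before the asset must be recertified?
POLICY = {
    "regulatory_reporting": {"needs_validator": True, "max_age": timedelta(days=30)},
    "internal_search": {"needs_validator": False, "max_age": timedelta(days=180)},
}

@dataclass
class AssetMetadata:
    origin: str                             # "human", "ai" or "system"
    sha256: str                             # digest recorded at certification
    validator: Optional[str] = None         # person accountable for validation
    certified_at: Optional[datetime] = None

def evaluate(meta: AssetMetadata, content: bytes, use_case: str, now: datetime):
    """Deny by default: return (allowed, reasons); allowed only if reasons is empty."""
    rule = POLICY.get(use_case)
    if rule is None:
        return False, ["no policy defined for this use case"]
    reasons = []
    if meta.origin not in KNOWN_ORIGINS:
        reasons.append("origin not tagged")
    if rule["needs_validator"] and not meta.validator:
        reasons.append("no responsible validator")
    if hashlib.sha256(content).hexdigest() != meta.sha256:
        reasons.append("content changed since certification")
    if meta.certified_at is None or now - meta.certified_at > rule["max_age"]:
        reasons.append("recertification required")
    return not reasons, reasons

if __name__ == "__main__":
    # Constructed sample: an AI-drafted summary, reviewed and certified 45 days ago.
    now = datetime(2026, 3, 1, tzinfo=timezone.utc)
    body = b"Q4 summary (constructed sample text)"
    meta = AssetMetadata("ai", hashlib.sha256(body).hexdigest(),
                         "reviewer@example.com", now - timedelta(days=45))
    for use_case in POLICY:
        print(use_case, evaluate(meta, body, use_case, now))
```

The same AI-tagged asset passes for the low-risk use case and is blocked for regulatory reporting once its certification ages out, and any edit after certification fails the digest check until someone recertifies it.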

What is “model collapse,” and why is it important even if my company doesn’t train models from scratch?

It matters because a company may reuse models, fine-tune models, or feed systems with internal knowledge. If the corporate repository fills with unverified AI content, the risk of degrading the quality of information feeding search systems, assistants, agents, and analytics increases.

Which areas typically prioritize zero trust for data first?

Areas with direct impact on results and risk: finance (reporting and forecasting), legal/compliance, critical operations, customer service automation, and any system where an action is triggered by a response or “recommendation.”
