All articles
Cloud & Data · 22 Jun 2026 · 4 min read

DSPM explained: finding the data you forgot you had

Ask most organisations where their sensitive data lives and the honest answer is "mostly in the obvious places, and probably some we have lost track of." That second category is the problem. You cannot protect, govern, or safely expose to AI a dataset you do not know exists. Data security posture management, or DSPM, exists to close that gap.

What DSPM actually does

DSPM continuously answers four questions about your data, across cloud platforms, SaaS, file shares and databases:

  • Where is it? Discover data wherever it lives, including the shadow copies, forgotten repositories and personal stores that escape manual inventories.
  • What is it? Classify it, so customer records, financials, health information and intellectual property are identified, not just counted.
  • Who can reach it? Map effective access, the real answer to who can open a file once inheritance, sharing links and group nesting are resolved.
  • How exposed is it? Score the risk, flagging sensitive data that is public, over-shared, unencrypted or sitting somewhere it should not be.

The output is not another dashboard for its own sake. It is a prioritised list of the data that would hurt most if it leaked, and the specific reason each item is exposed.

Why it has become urgent

Two shifts pushed DSPM from nice-to-have to starting point. The first is cloud sprawl: data multiplies across platforms faster than any team can track by hand. The second is AI. Tools like Microsoft 365 Copilot inherit a user's permissions, which means the moment you switch them on they can surface anything that user can already reach, including the over-shared folder nobody remembered. If your access is loose, AI does not create the exposure, it accelerates it.

That is why we treat data discovery and posture as the first step of AI readiness, not an afterthought. You label and tighten before you turn the assistant on, not after it surfaces something it should not have.

DSPM is not a replacement for your controls

A common misunderstanding is that DSPM replaces data loss prevention or labelling. It does not. DSPM finds and prioritises the risk; your controls act on it. The value is in the sequence: discover and classify with a posture platform, then enforce with sensitivity labels, DLP and access policy, so effort lands on the data that matters rather than being spread evenly across everything.

How we deliver it

We are platform-honest about where DSPM fits. Cyera gives deep, AI-powered discovery and classification across cloud and SaaS data stores, including the things Microsoft-native tooling does not see. Netskope adds posture and control as data moves and is accessed. Microsoft Purview anchors classification and labelling inside the Microsoft estate. The right mix depends on where your data actually lives, which is exactly what the discovery phase tells us.

For most organisations the path is the same: find out what you have and how exposed it is, fix the handful of high-risk items first, then put durable controls and governance around the rest. See our Data Protection work for how the pieces fit together.

Where to start

You do not need a year-long programme to begin. A focused data discovery exercise will usually surface the few exposures that carry most of the risk within weeks. A data security health check is the simplest way in: a clear read of where your sensitive data sits, who can reach it, and what to do first.

Find out what you actually hold, and how exposed it is.