Next week, security and risk leaders will gather at the Gartner Security & Risk Management Summit with a familiar mandate: reduce risk, protect sensitive data, enable the business, and prepare for AI.
But here is the uncomfortable question we all need to grapple with: Are we still building data security programs for a world where data stays put?
A recent data security leadership job description from a major financial institution tells the story. The role is strategic. The responsibilities are serious. The language is modern: DLP, DSPM, discovery, classification, content inspection, user behavior analytics, monitoring, dashboards, risk prioritization, encryption, IAM, cloud controls.
All of that matters. None of it should go away. But something is missing.
The job posting reveals how much of the data security market is still organized around an old perimeter-centric operating model: find sensitive data, classify it, tag it, monitor it, detect risky movement, and prevent loss.
That is definitely necessary. But it is not sufficient. Especially not sufficient for the era of AI in which sensitive data must be shared with humans, and a rapidly growing number of machines operating inside and outside of your domain.
Simply stated, most data security controls still operate outside the data. They depend on the endpoint, the network, the application, the tenant, the identity provider, or the cloud environment. But modern data does not respect those boundaries. It moves through partner ecosystems, SaaS platforms, AI workflows, supply chains, customer channels, regulators, auditors, and environments the enterprise does not own.
So the strategic question for security leaders is changing.
It is no longer just: “Can we discover and classify our sensitive data?”
It is: “Can we preserve control after we share our data with other humans and machines?”
This is the architectural gap that we simply can’t ignore in the age of AI.
Recommended Reading: The Era of AI: Why “Metadata on Data” is Critical Infrastructure
DLP can help prevent leakage. DSPM can reveal exposure. IAM can govern who gets in. Endpoint, network, and application security can reduce attack paths. But once data leaves the system where those controls live, the control plane often disappears.
This is why data security leaders need to expand their mental model.
The future control plane cannot only be identity. It cannot only be endpoint. It cannot only be network, cloud, or application security. Those layers remain essential, but they are incomplete unless the data itself can carry protection with it.
Imagine sensitive data that travels with its own policy. Data that can enforce granular access controls wherever it goes. Data that can be shared, revoked, audited, and governed beyond the original boundary. Data that is protected not merely because of where it sits, but because of what it is.
This is how we address the architectural gap that perimeter-centric security creates: By moving to a data-centric model that extends control wherever the data moves.
As a result, we no longer have to say “no” to data sharing that some might consider risky. Instead, we can enable controlled, intentional movement of data, because it’s now self-protecting. Because the business will keep sharing data. AI will keep increasing demand for data access. Partners will always need collaboration. Regulators will keep demanding proof.
The answer cannot be to freeze data in place. The answer is to make data safe enough to share and use.
This is the idea that underpins everything we do at Virtru. Self-protecting data is an architectural requirement for the AI era. Persistent, object-level protection gives security leaders a way to extend zero trust to the data itself: policy, encryption, access control, revocation, and audit that travel with the information.
The value of Virtru does not replace DLP, DSPM, IAM, endpoint, network, cloud, or application security. It makes those investments more durable by closing the gap they were never designed to close alone — and it unlocks their full potential.
For leaders attending Gartner next week, the challenge is simple: as you evaluate the next wave of data security technologies, ask whether they merely help you find and monitor sensitive data, or whether they help you control it wherever it goes.
The market has become very good at telling security teams where risk exists, but the next era belongs to the leaders who can enable granular control that addresses risk while keeping data both protected and productive.
If you are attending Gartner Security & Risk Management Summit, visit Virtru at Booth #136. We would welcome the conversation about how data can protect itself, how policy can move with information, and how organizations can unlock data for collaboration and AI without surrendering control.
Be sure to also catch Virtru’s Dana Morris, VP Engineering, on June 1 at 6:30 PM in Theater 1 on the show floor, presenting, “Virtru: Finally Solving the Enterprise Data Rights Management Problem.”