
New Delhi, May 21 -- For years, data security followed a familiar script: encrypt everything, lock it down, and you're safe. But the way data moves today has outgrown that thinking. In the AI space, data doesn't sit still. It flows across models, APIs, third-party tools, and cloud systems, often faster than anyone can track. A single dataset can be accessed, processed, and repurposed by multiple systems within seconds. In that window, encryption isn't what determines whether data stays safe.
We have seen several examples of this. The Snowflake breach in 2024 exposed data from over 160 organizations, including Ticketmaster and Santander, because valid credentials opened the door. Once inside, there was nothing stopping the access. The Uber breach in 2022 followed the same logic: an attacker used a compromised password to move through internal systems largely unchallenged. Both incidents carried the same quiet fear: that the perimeter you spent years building can be walked around entirely. Hence, the question isn't whether your data is encrypted; it's who controls it.
The real gap in protection
The myth behind the challenge is that encryption, by itself, defines ownership. It doesn't; control over the keys does. In many cloud and AI ecosystems, that control is shared or, in some cases, indirectly delegated. Encryption might still be in place, but the authority to unlock and use that data can extend beyond the organisation that originally owned it. This creates a subtle shift, from owning data to trusting systems that manage access to it.
Cracks begin to show here without the business knowing it. The Snowflake breach didn't happen because encrypted walls were torn down. The data was stored securely. What failed was the boundary around who could use legitimate access, and how far that access reached once it was in the wrong hands.
This distinction is most visible in intelligent systems. Unlike traditional systems, where access paths are relatively well defined, AI introduces a constantly expanding web of interactions. Data flows across models and is often integrated with third-party tools or external APIs. Each layer introduces another point where access can be extended or misconfigured. This is the gap that traditional security approaches struggle to address, because while encryption secures the boundary, AI operates within it.
Rise of key ownership models
Given this, organizations need to identify where control actually sits within their architecture. To that end, models like BYOK (Bring Your Own Key), HYOK (Hold Your Own Key), and client-side encryption are gaining attention. BYOK allows organizations to generate and manage their own encryption keys while still using cloud infrastructure.
HYOK goes a step further by ensuring those keys never leave the organization's environment, and client-side encryption ensures data is encrypted before it even reaches external systems. Though the features differ, they all share a single goal: reclaiming authority over access. These models provide legal clarity as well. With the right model in place, even legal requests can't unlock sensitive data without the customer's direct involvement.
Alongside this, more and more businesses are being encouraged to move towards control-by-design architectures. With the introduction and operationalisation of the Digital Personal Data Protection Act (DPDP) and its 2025 rules, organisations are now required to move toward privacy-by-design architectures, where consent, purpose limitation, and access accountability are built into systems from the ground up.
But most organisations aren't ready for it. Only 9% of Indian organisations report a comprehensive understanding of DPDP requirements. That's not just an awareness problem. Most security architectures were never built to answer the questions the DPDP is now asking. So organisations fall back on what they know: encryption, perimeter controls, tools built for a simpler threat landscape. But the fix isn't better protection at the edge. It's rebuilding security around control itself, where access is continuously governed and revocable across every system data touches, not just the ones you can see.
Building trust with data control
The conversation around data security is moving toward sovereignty. Not in the geopolitical sense alone, but in how organisations define ownership over their data in systems that are increasingly distributed, intelligent, and interconnected. Encryption will continue to play its role, but it is now the baseline. What sets organizations apart is how well they control access, govern usage, and retain the ability to act on that control in real time. That control has to be built into the architecture. That means knowing where data goes, enforcing who can reach it, and being able to cut access as quickly as it was granted. The future of AI security won't be defined by how well data is hidden. It'll be defined by how confidently it's governed.
Published by HT Digital Content Services with permission from TechCircle.