DSPM adoption in 2025 -- what's driving the surge? [Q&A]

Since Gartner introduced Data Security Posture Management (DSPM) in 2022, adoption has grown rapidly, driven by multi-cloud complexity, AI risks, and stricter privacy regulations.

Yet a knowledge gap remains, as organizations often compare DSPM to traditional tools like DLP or CNAPP without fully understanding its unique benefits. We spoke to Nikhil Girdhar, senior director for data security at Securiti, to discuss how DSPM has evolved and how organizations can use it to best advantage.

BN: How has DSPM technology evolved to address the growing complexity of multi-cloud environments and emerging AI risks?

NG: When introduced as a category in 2022, DSPM primarily focused on securing data in public cloud environments. Today, it has evolved into a broader framework for modern data security, providing comprehensive visibility and control across hybrid and multi-cloud ecosystems. As AI adoption accelerates, robust data security and compliance governance have become essential for AI success.

Modern DSPM solutions leverage advanced technologies like knowledge graphs to unify fragmented data insights, enabling smarter risk detection. They provide a contextual understanding of data and AI risks, automate security controls, and streamline compliance with global regulatory frameworks. Additionally, AI-focused capabilities -- such as shadow AI discovery and governing data interactions with AI models -- are now critical for mitigating emerging AI risks.

BN: Many organizations still compare DSPM to traditional tools like DLP or CNAPP. What unique benefits does DSPM offer and why is it a critical addition to the data security stack?

NG: DSPM is a critical complement to both DLP and CNAPP, enhancing their effectiveness and maximizing an organization’s security investments. A key limitation of traditional DLP and CNAPP solutions is their tendency to generate excessive false positives due to a lack of data context, making it difficult for security teams to prioritize real risks.

DLP solutions, while essential for preventing data exfiltration -- particularly at endpoints -- operate reactively. Many still rely on outdated regex-based classification techniques, which struggle to accurately identify sensitive data, leading to high volumes of false alerts that overwhelm security teams.

Similarly, CNAPP solutions with built-in CSPM capabilities flag publicly exposed data due to system misconfigurations. However, without an understanding of whether the exposed data is sensitive, these alerts lack prioritization, forcing security teams to sift through thousands of issues without clear remediation guidance.

Modern DSPM solutions address these gaps by leveraging AI-driven data classification. By accurately identifying sensitive data and mapping its risk exposure, DSPM helps security teams cut through alert fatigue, refine remediation efforts, and improve the signal-to-noise ratio in both DLP and CNAPP workflows. This enables organizations to focus on securing the most critical data assets while improving operational efficiency.

BN: What trends or challenges do you foresee shaping DSPM? How will these developments impact how organizations manage data security and privacy?

NG: In 2025, the evolution of DSPM will be significantly influenced by key trends, with AI as a primary focus. AI adoption presents unique challenges, including safeguarding sensitive data from improper use in AI model training, tuning, and RAG, as well as managing the dynamic risks associated with evolving AI systems. To address these complexities, DSPM solutions will need to go beyond traditional data security by addressing:

  • Shadow AI Detection -- Discovering unsanctioned AI models in use and monitoring their access to sensitive data.
  • AI Data Governance -- Preventing the inadvertent use of sensitive or regulated data for AI model training, tuning, or RAG to mitigate compliance risks and ethical concerns.
  • AI Data Access -- Mapping and monitoring AI-driven data interactions to ensure only authorized models and users have access.

These challenges span both enterprise AI applications and AI agents, including Copilots embedded in SaaS platforms, making it critical for DSPM to provide comprehensive oversight across all AI-powered systems.

Additionally, the expanding regulatory landscape, including emerging laws on AI and data usage, is driving the need for DSPM solutions with robust automated compliance features to align with governance frameworks.

Organizations must navigate an increasingly complex array of requirements, from general regulations like GDPR and CCPA to industry-specific standards such as HIPAA, PCI DSS 4.0, and Section 1033 of the Consumer Financial Protection Act (CFPA). With governments introducing policies specific to AI and its interaction with data, DSPM solutions must evolve to address these unique requirements, ensuring organizations can maintain compliance while continuing to innovate with AI.

BN: What common barriers to DSPM adoption do organizations face, and what best practices can help them overcome these challenges?

NG: Data security projects are complex and often impact the entire organization. Many companies rush to adopt DSPM without securing cross-organizational buy-in, leading to siloed efforts that lack collaboration with key stakeholders such as data governance, compliance, and privacy teams. A narrow focus on technology alone results in gaps in risk coverage, operational inefficiencies, and resistance to new processes. Without alignment across relevant stakeholders, DSPM initiatives struggle to deliver meaningful impact and ROI, limiting their ability to enable safe data use. To overcome these challenges, organizations must engage all stakeholders early to align DSPM efforts with broader business objectives. Establishing cross-functional teams can foster collaboration and ensure DSPM addresses the full scope of data risks, leading to more comprehensive and effective security outcomes.

BN: What steps should organizations take to integrate DSPM into their existing security frameworks?

NG: Integrating DSPM effectively requires treating it as a business-wide initiative rather than just a technical deployment.

  • Organizations should begin by securing buy-in from all relevant stakeholders, including business units, data owners, and compliance teams, to ensure alignment with enterprise objectives.
  • Standardizing data classification frameworks across all environments, including public clouds, private clouds, SaaS, data lakes, and more, is crucial for maintaining consistent security controls.
  • Leveraging tools like knowledge graphs can enhance contextual understanding of data, providing insights into data usage, toxic combinations of risks, and compliance needs.
  • Integrate DSPM with other security tools such as DLP and CNAPP to enhance alerting systems and provide actionable insights while minimizing false positives and negatives.
  • Finally, automating remediation processes and orchestrating workflows can streamline response actions, reduce manual effort, and enhance overall security effectiveness.

By following these steps, organizations can seamlessly integrate DSPM into their existing frameworks while improving their data security posture.
