Gihan Kovacs, UAE Regional Sales Director, Forcepoint, explains why AI-driven enterprises must embed data security into their cyber resilience strategy, emphasizing continuous visibility, AI governance, regulatory compliance, and the protection of sensitive data across dynamic digital environments.
Enterprise data no longer sits within clearly defined boundaries. It moves fluidly across cloud platforms, connected devices, collaboration tools and AI-enabled systems that process information in real time — often without a human on the other end. The speed, scale and sophistication of data movement today have fundamentally exposed the limits of traditional security models, requiring an entirely new approach to data security for digital and AI-first organizations.
Think of it this way: When BYOD emerged, security teams had no inventory, no policy and no authority over the devices touching corporate data. Now, AI agents and tools are creating the same problem at the data layer, only faster and at far greater scale. Most organizations lack sufficient visibility into how AI tools are interacting with their data, creating an invisible breach waiting to happen. And even those with visibility often struggle to prioritize the right controls.
For organizations in the UAE, where AI adoption continues to advance across sectors such as finance, government, healthcare and energy, this shift is reshaping how leaders think about cyber resilience. As AI agents now take on autonomous roles and introduce data risks that extend far beyond initial access, security can no longer stop at the perimeter or the endpoint. It must follow the data itself.
What Embedding Data Security into AI Resilience Looks Like in Practice
There’s a rush to adopt AI across every sector. But when initiatives launch without the proper guardrails — data discovery, policy enforcement, continuous monitoring — they create significant risk. That’s why cyber resilience has become inseparable from business strategy, and why operationalizing AI securely requires embedding security from the outset:
- Making visibility at the data layer the first priority. Before organizations can govern their data, they have to find it. Sensitive data gets duplicated, moved, emailed, uploaded and shared, often by employees trying to do their jobs more efficiently. But by the time a security team runs a quarterly scan, that landscape has already shifted. That’s why continuous, automated discovery and classification have become a prerequisite to truly understand the data layer.
- Extending existing security policies to AI channels. Employees are regularly pasting sensitive data into AI tools like ChatGPT, Copilot and a growing list of third-party models. Without the proper DLP controls, there is no way to know what’s going into those prompts, coming back out or being leveraged for training. By extending policies to AI tools, organizations can enable safe innovation by monitoring and controlling what data enters and exits those applications.
- Monitoring and adapting. The threat landscape around AI is evolving faster than any static ruleset can accommodate. Continuous monitoring through data detection and response tools and behavioral analytics can detect anomalies and policy violations in real time.
When organizations achieve continuous visibility, consistent policy enforcement and controls that move with the data itself, AI delivers real, lasting enterprise value without forcing the choice between safety and speed.
Regulatory Evolution in the UAE
Organizations that treat data security as a standalone IT function will find themselves reacting to exposure rather than preventing it. The UAE’s regulatory trajectory suggests the market agrees — and is legislating accordingly.
The National AI Strategy 2031 and the Personal Data Protection Law of 2021 laid the groundwork, while the UAE Charter for the Development and Use of Artificial Intelligence, issued in June 2024, established clear governance expectations around data privacy, algorithmic transparency and human oversight. Federal Decree-Law No. 6 of 2025 took this further, codifying cybersecurity obligations directly within the UAE’s financial regulatory framework. Data security and regulatory compliance are now the same conversation.
What makes this market different is that the regulatory environment is not static. Obligations are accumulating through free zone rules, sector guidance and procurement requirements, with DIFC and ADGM already imposing detailed standards around automated decision-making and data handling. As of January 2026, the UAE became the first country to integrate a National AI System as an advisory member of Cabinet and the boards of all federal entities and state-owned companies. Local frameworks are also converging with the EU AI Act and emerging global cyber resilience standards, raising the bar for any organization operating across borders.
The UAE is shaping up to be a market where regulatory posture and security posture are increasingly intertwined. Organizations that build data security into their resilience framework now will be better positioned than those treating it as a bolt-on.