AI • Security

CIOs: When AI Exposes Your Worst Data, It’s Time to Tear Down the Wall

TBB Desk

10 hours ago · 10 min read

When artificial intelligence uncovers critical data vulnerabilities, CIOs must act decisively to mitigate AI data exposure. (Illustrative AI-generated image).

Key Takeaways

The main points at a glance

  • The Copilot moment that exposed everything
  • Why resilience and security were kept apart (and why it worked then)
  • AI as a spotlight, not the firestarter
  • What Fidelity and EY did next: from shutdown to intelligent classification
  • The new mandate: one team, one metric, one strategy

The Copilot moment that exposed everything

Picture this: Fidelity Investments is testing Microsoft 365 Copilot. The legal team gets a shock. Copilot digs up PowerPoints from four jobs ago, sitting on SharePoint visible to too many people. The AI did not hack anything; it simply found information that, on paper, people had permission to see. The problem was years of messy data management.

Steve MacIntyre, Fidelity’s SVP for data security, calls AI a flashlight revealing uncomfortable truths: old, forgotten, unprotected data. At EY, Wim Geurden, chief architect of enterprise technology, says about six months before Copilot launched, his team discovered they had no idea what data sat on servers. No lifecycle management, no process for tracking file access. The data estate was full of orphaned files. EY’s first instinct was to shut down unlicensed AI access. But Geurden knew the wall between resilience and security had to come down. Both MacIntyre and Geurden spoke at the VeeamON event in New York recently.

These stories are not isolated. Across industries, early adopters of generative AI tools are confronting a harsh reality: their data is a mess. The problem is not the AI itself but the decades of neglect in data governance. As AI tools index everything they can reach, they surface forgotten files, outdated permissions, and sensitive information in the wrong places. For CIOs, this is both a crisis and an opportunity to finally fix what has been broken for years.

Why resilience and security were kept apart (and why it worked then)

For decades, resilience and security teams lived separately. The resilience team focused on uptime and recovery metrics like RTO and RPO, while security focused on keeping out attackers. They had different tools, budgets, and priorities. They barely spoke. One team might encrypt backups without telling the other, slowing recovery. The other might configure failover without checking compliance.

That worked when data was in databases with clear boundaries. But now data is everywhere: cloud, SaaS, collaboration tools. AI tools like Copilot index everything they can reach. If data is accessible, even accidentally, an AI finds it.

The separation was rooted in history. In the 1990s and early 2000s, IT departments were small enough that a single person might handle both backup and firewall configuration. As companies grew, specialization became necessary. Security teams emerged to deal with the rising threat of malware and hackers. Resilience teams evolved from backup administrators to disaster recovery planners. By the 2010s, these groups had their own vendors, certifications, and conference circuits. They rarely attended the same meetings.

This siloed approach created gaps. For example, a security team might detect a breach and isolate systems, but if they do not inform the resilience team, the backup process might capture corrupted data. Conversely, a resilience team might restore from backup without checking if the backup itself was compromised. The result is a cycle of vulnerability that AI now exposes at scale.

AI as a spotlight, not the firestarter

MacIntyre says: “AI did not create the problem. It revealed it.” The real failure was years earlier, when no one classified data or set proper access controls. AI has expanded the attack surface by making every ungoverned file a potential exposure. Companies that rushed to deploy AI now discover poor data hygiene: financial data in marketing folders, HR records accessible outside HR, old files with API keys.

One study found the average enterprise has over 100 million files, more than 30% open to every employee. AI does not care about job titles. It finds everything. The same applies to resilience: a messy data estate slows recovery and risks restoring compromised backups.

Consider the implications for compliance. Regulations like the EU AI Act and GDPR require organizations to know what data they hold and who can access it. AI tools that surface ungoverned data can lead to fines and reputational damage. In 2023, a European bank faced a regulatory inquiry after an AI tool exposed customer data that had been stored in a shared drive for years. The bank had no way to prove it had taken reasonable steps to protect that data because it had no classification or lifecycle management in place.

AI also changes the threat landscape. Attackers are using generative AI to craft more convincing phishing emails and to probe for weak points in data governance. A single unclassified file with credentials can lead to a full breach. The convergence of resilience and security is not just about cleaning up data; it is about building a defense that can adapt to AI-driven threats.

What Fidelity and EY did next: from shutdown to intelligent classification

Both companies took action. At EY, Geurden’s team blocked unlicensed AI access, then used machine learning to automatically classify data, labeling files as confidential, internal only, or public, and flagging old data for deletion. The same AI that caused the problem became part of the solution.

At Fidelity, MacIntyre locked down data first, tightening access controls on SharePoint. They used automated tools to classify stale data and created a cross-functional team of security and resilience experts who meet regularly to review policies and plans. MacIntyre says the goal is to make security and resilience “two sides of the same coin.”

The approach at both companies was methodical. EY started with a data discovery phase, using AI to scan all repositories and identify what existed. They then applied classification labels based on content, not just location. Files that had not been accessed in over a year were flagged for review or deletion. This reduced the data estate by nearly 20% in the first six months, lowering both risk and storage costs.
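The triage described above, labeling by content rather than location and flagging files untouched for over a year, can be sketched as follows. This is an added example, not code from EY or Fidelity; the keyword rules, the inventory field names (`path`, `scope`, `last_access`, `text`) and the sample records are assumptions constructed for illustration.

```python
import re
from datetime import date

# Hypothetical content rules: first match wins, most sensitive first.
RULES = [
    ("confidential", re.compile(r"(?i)\b(api[_-]?key|password|secret)\s*[:=]")),
    ("confidential", re.compile(r"(?i)\b(salary|payroll|account number)\b")),
    ("internal only", re.compile(r"(?i)\b(internal|draft|do not distribute)\b")),
]
STALE_DAYS = 365  # "not accessed in over a year", per the article


def classify(text):
    """Label by what the file contains; the path is never consulted."""
    for label, pattern in RULES:
        if pattern.search(text):
            return label
    return "public"


def triage(inventory, today):
    """Return findings sorted so the riskiest files come first."""
    findings = []
    for item in inventory:
        label = classify(item["text"])
        stale = (today - item["last_access"]).days > STALE_DAYS
        exposed = label != "public" and item["scope"] == "everyone"
        if stale or exposed:
            action = "restrict access" if exposed else "review or delete"
            findings.append({"path": item["path"], "label": label,
                             "stale": stale, "exposed": exposed, "action": action})
    # Exposed before unexposed, then stale before fresh.
    findings.sort(key=lambda f: (not f["exposed"], not f["stale"], f["path"]))
    return findings


# Constructed sample inventory (not real data).
SAMPLE = [
    {"path": "/marketing/q3-deck.pptx", "scope": "everyone",
     "last_access": date(2021, 3, 1), "text": "Payroll summary and salary bands"},
    {"path": "/eng/deploy-notes.txt", "scope": "team",
     "last_access": date(2025, 11, 2), "text": "api_key = EXAMPLE-PLACEHOLDER"},
    {"path": "/public/press-release.docx", "scope": "everyone",
     "last_access": date(2025, 12, 1), "text": "Product launch announcement"},
    {"path": "/hr/old-handbook.pdf", "scope": "everyone",
     "last_access": date(2020, 1, 15), "text": "Office hours and holiday calendar"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE, today=date(2026, 1, 1)):
        print(f)
```

The payroll deck sitting in a marketing folder is labeled confidential from its content and ranked first because it is open to everyone, while the old handbook is flagged only as stale.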

Fidelity took a similar path but emphasized cross-team collaboration. MacIntyre created a joint steering committee with representatives from security, resilience, legal, and compliance. This group meets bi-weekly to review new data sources, access requests, and incident reports. They also conduct quarterly tabletop exercises that simulate both a security breach and a recovery scenario, forcing the teams to work together under pressure.

Both leaders emphasize that technology alone is not enough. The cultural shift is critical. At EY, Geurden made sure that resilience team members attended security briefings and vice versa. He also changed performance metrics to include shared goals, such as reducing the number of unclassified files or improving the time to detect and recover from an incident.

The new mandate: one team, one metric, one strategy

AI has turned convergence into a must-do. Regulators like the EU AI Act require robust data governance. Standards like SOC 2 now expect tighter integration between security and availability. One metric tying the two together is negative TTE (Time to Encrypt), measuring how quickly you respond before a threat becomes a disaster. A negative TTE means you caught and stopped the threat before downtime.

Yet many companies resist merging. Security teams say “no”; resilience teams say “yes.” Different tools and jargon create cultural clash. But the cost of separation is clear: in 2023, a major financial firm suffered a ransomware attack. Security isolated systems but did not tell resilience fast enough. Resilience restored ransomware into backups, causing a three-day outage instead of a few hours. Analysts estimate integrated teams see 30% to 50% faster recovery and fewer breaches. The cost of merging is almost always cheaper than one major incident.

The concept of negative TTE is gaining traction as a unifying metric. Traditionally, security measured time to detect and time to respond, while resilience measured recovery time objective (RTO) and recovery point objective (RPO). Negative TTE flips the script: it measures how quickly you can encrypt or isolate data before an attacker can exfiltrate it. If you achieve negative TTE, you have prevented the breach from becoming a disaster. This metric forces both teams to collaborate on prevention and response, rather than working in isolation.

Another emerging framework is AI-driven resilience, which uses machine learning to predict failures and automate recovery. For example, an AI system can monitor backup integrity in real time, flagging corrupted files before they are used in a restore. It can also detect anomalous access patterns that indicate a breach, triggering both a security alert and a backup lockdown simultaneously. This convergence of tools and processes is the future of enterprise IT.

Common pitfalls CIOs must avoid when merging the two

CIOs often make predictable mistakes. First, treating it as a purely technical problem. Merging is a people and process challenge that requires changing how teams think and are evaluated. Second, rushing integration. Start with a pilot project, like recovering one application with a combined team, then expand. Third, ignoring existing metrics. A combined team needs a shared scorecard, like “mean time to contain and recover.” Fourth, forgetting third parties. Ensure all vendors share information and follow the same playbook. Finally, do not underestimate simple tools: a shared Slack channel, joint drills, and lunch-and-learns build trust.

One common pitfall is assuming that a single tool can solve the problem. Many vendors offer integrated security and resilience platforms, but no tool can replace the human relationships and processes needed to make convergence work. CIOs should invest in training and cross-functional workshops before buying new software.

Another mistake is ignoring the human element. Security and resilience teams often have different cultures. Security professionals tend to be risk-averse and focused on prevention, while resilience professionals are more pragmatic and focused on recovery. Bridging this gap requires leadership that values both perspectives. MacIntyre suggests rotating team members between the two functions for short periods to build empathy and understanding.

Finally, do not forget about third-party risk. Many organizations rely on cloud providers, SaaS vendors, and managed service providers for both security and resilience. Ensure that all vendors share information and follow the same playbook. A breach at a vendor can cascade into a recovery failure if the two teams are not aligned.

How to start tearing down your own wall tomorrow

Based on MacIntyre and Geurden’s lessons, here are concrete steps. First, audit one critical system or collaboration platform. Look for old, broadly shared files. Set a 90-day goal to clean up and classify data. Second, bring heads of security and resilience together for a one-hour meeting. Give them a single ransomware scenario and ask them to map their response together. Find and fix the gaps. Third, create a shared incident response playbook covering both security incidents and outages. Test it with a tabletop exercise within 30 days. Fourth, pick one joint metric, like “time to detect and recover,” and track it on a shared dashboard. Fifth, use AI to classify data: the same AI that revealed the problem can solve it. Finally, start small. You do not need to merge the entire organization overnight.

For CIOs who are ready to go further, consider establishing a data governance council that includes representatives from security, resilience, legal, and business units. This council should meet monthly to review data policies, access controls, and incident reports. They should also oversee the deployment of AI tools to ensure they are used responsibly and do not create new risks.

The path to convergence is not easy, but the alternative is worse. As AI continues to evolve, the gap between security and resilience will only grow more dangerous. Companies that act now will not only protect themselves from data exposure but also build a foundation for innovation. Those that wait will find themselves cleaning up after the next Copilot moment, wondering why they did not tear down the wall sooner.

  • AI, CIO, cybersecurity, Data Management, Microsoft 365 Copilot
