Three-quarters of organisations are confident in their ability to secure unstructured data - yet more than two-thirds report less than 80% remains unprotected, a new industry survey has found.

The Rise in Unstructured Data and AI Security Risks, published by the Cloud Security Alliance (CSA), reveals a widening gap between perceived and actual security posture across enterprise data environments. The survey polled 210 IT and security professionals in November 2025.

More than half (56%) of respondents reported only partial visibility into where their unstructured data is stored. A further 10% were unsure of their actual coverage.

Unstructured data - encompassing documents, emails, chat logs, images, and financial records - accounts for approximately 33% of enterprise data, with semi-structured data comprising an additional 21%. Nearly a third (29%) of organisations reported that unstructured data accounted for more than half of their annual data growth.

“The explosive growth of unstructured data - estimated by Gartner to account for between 70% and 90% of enterprise data - has become a defining characteristic of modern organisations,” said Hillary Baron, AVP of Research, Cloud Security Alliance.

“What is clear from this study is that as unstructured data continues to expand and spread across environments, many organisations are struggling to keep pace with the visibility, governance, and protections needed to manage it securely.”

Tool Sprawl Undermines Governance

Despite listing security (74%), governance (57%), privacy (54%), and compliance (50%) as their top concerns, organisations are failing to execute foundational controls.

Nearly one-third (32%) of organisations use 11 or more tools to manage unstructured data. Of those, 12% rely on at least 21 tools. Data encryption (62%), cloud security (60%), application security (59%), and identity and access management (56%) are among the most widely deployed.

Forty-seven percent of respondents identified AI-driven threats as the top risk to unstructured data. At the same time, 40% said they plan to rely on AI as a core security capability - for threat detection, classification, and workflow automation.

Only 9% of organisations reported realtime scanning capabilities. Twenty-three percent cannot scan at all - a finding that raises concerns about AI amplifying existing security blind spots rather than closing them.

The survey and report were conducted online in November 2025.

The full report is available for download here.