Bonfy Blog

Why Security Teams Need to Understand Relationships, Not Just Data

Written by Gidi Cohen | 7/14/26 2:15 PM

TL;DR: Relationships Often Determine Risk More Than Data Alone

Traditional security focuses primarily on identifying sensitive information. However, AI-driven workflows demand an understanding of the relationships surrounding that data and its usage context. Today, many high-impact incidents occur because information reaches the wrong entity, regardless of the data's sensitivity.

Effective AI governance now requires evaluating those relationships alongside content; as AI integrates into enterprise workflows, understanding who is involved is as critical as understanding what.

The Data Isn't Always the Problem

Traditional enterprise data security focuses on identifying and protecting sensitive information, operating on the assumption that knowing the data's content is sufficient to determine protection needs. This logic served us well for decades.

However, the adoption of AI systems challenges this assumption. In many AI-driven scenarios, the data itself does not determine the risk. The same information may be appropriate in one interaction but a reportable incident in another—even when the content remains unchanged.

The critical factor is often the context rather than the content: specifically, the relationships between the people, entities, and business environment surrounding the information.

Most Security Controls Evaluate Information in Isolation

Modern data security programs are highly effective at identifying specific types of sensitive information—like PII, financial records, and intellectual property—in regulated industries. Current data loss prevention (DLP) tools excel at verifying what information is present, which worked well when data moved through predictable, monitored channels from known sources to known destinations.

However, these traditional tools struggle to answer vital questions, such as: Who owns this information? Who is authorized to receive it? Does this interaction make business sense?

As AI increasingly assembles, generates, and transforms information at scale and speed, these relationship-based questions are becoming significantly more important.

Many AI Incidents Are Really Relationship Failures

Consider common failures in AI-driven systems:

  • A customer service AI retrieves information for the wrong account.
  • An AI-generated summary references the wrong individual (e.g., a client or patient).
  • Information intended for one client appears in another's workflow.
  • A legitimate user receives information belonging to someone else.

In these scenarios, the system often functions exactly as designed—the data was accessible, the user was authenticated, and the output was generated without error. Yet, the outcome violates business expectations and contractual obligations. In regulated industries, these errors can trigger reporting requirements under frameworks like HIPAA, CCPA, GLBA, or GDPR.

Ultimately, these incidents are not failures of classification or permissions, but failures of relationship—specifically, a lack of awareness regarding the connection between the data and the people involved. As AI handles more complex, cross-functional workflows, these types of relationship failures are likely to increase.

The Growing Necessity of Relationship-Aware Governance

Because AI systems dynamically retrieve and generate information, evaluating the output's content is no longer enough. Effective governance must now account for the relationships surrounding that data. Organizations must ask critical questions about every AI interaction: Who created this information? Who does it refer to? Who is requesting it, and who will ultimately receive it?

Understanding these connections is essential for determining if an interaction is appropriate, regardless of whether the underlying data is sensitive.

This represents a fundamental shift in enterprise data security, especially in highly regulated industries. As AI systems take on more complex, autonomous work, safeguarding data requires a deeper focus on the specific business context and relationships that give that information its meaning.

Security Models Must Evolve Beyond Classification Alone

While identifying sensitive information remains a foundational requirement, classification alone cannot determine if complex AI interactions are appropriate.

Enterprise organizations must evolve their governance to account for business relationships between various entities, ensuring information reaches intended recipients within the correct business context.

As AI adoption deepens, understanding these relationships becomes just as critical as understanding the data itself.

Relationship-aware governance is a foundational concept in our research. Discover why entity relationships are becoming a critical dimension of AI-era data security in our whitepaper, When AI Becomes the User: Rethinking Data Control for Assistants, Agents, and Autonomous Workflows.