You Can’t Have Safe AI Without Modern Data Management

“Turn Claude on by Monday”: Why AI Is Forcing a Rethink of Information Classification

On a recent Friday afternoon, a pharma company’s board sent a directive to their CIO: “We need to start using Claude. Another company in our portfolio is getting incredible value from it. Turn it on.”

By Monday, the CIO was expected to figure out how Claude worked, enable it, and show early progress. No governance, no policy updates, no enablement plan. Just: make AI happen.

If you work in security or IT, you can probably feel the pit in that person’s stomach.

This is how AI adoption is happening in a lot of organizations today: fast, reactive, and driven by top-down pressure.

And it exposes a problem many leaders have quietly lived with for years: we don’t have a simple, shared way to talk about the sensitivity of our data.

Without that, you cannot have a meaningful conversation about what is safe—or unsafe—to put into AI.

Why information classification “failed” last time

In this particular pharma company, information classification had a history.

A previous CIO tried to roll out an InfoClass program about a decade ago. It was painful and bureaucratic, with too many labels, too much theory, and not enough visible value. The verdict at the time: “This doesn’t help us. Shut it down.”

That opinion stuck. For years, the organization deprioritized information classification. It was treated as a failed experiment and, at best, a low-value compliance exercise.

But that decision had real consequences:

  • Their Data Loss Prevention (DLP) program was stopped in its tracks because “sensitive” and “not sensitive” were never defined in business terms.
  • Insider threat monitoring lacked a clear way to distinguish everyday activity from high-risk handling of critical intellectual property (IP) or regulated data.
  • Data handling guidance was generic and vague (e.g., “be careful with customer and research data”) instead of being grounded in specific, shared definitions.
 

AI changed the question, not just the tooling

When the board decided AI needed to be “turned on,” the guidance to employees was supposed to be simple:

“You can put X types of data into Claude, but not Y types of data.”

That’s a reasonable goal. It’s how leaders think about risk: define the allowed and the prohibited, then educate the workforce.

But this organization had no common language to define X and Y. No practical classification scheme. No agreed-upon levels of sensitivity that mapped to real data examples in R&D, clinical, finance, or legal.

So what options did they have?

  • Leave it to intuition: “Use common sense; don’t paste anything too sensitive.”
  • Assume the tech provider has it handled: “The AI vendor’s security is great, so we’re fine.”
  • Or go full speed ahead, hoping nothing catastrophic leaks: “The IP and customer data might flow, but the value is worth it.”

None of those options is a strategy. They’re just different flavors of risk-by-accident.

This is where information classification suddenly has newfound value. Not as a dusty compliance policy, but as the shared language that lets you operationalize AI safely.

Reimagining information classification for the AI era

The good news is that “information classification” does not have to mean a clunky, hierarchical, ex-government model with 10 labels, obscure codes, and TPS cover sheets (IYKYK) attached to everything.

That’s the version many leaders remember and, rightly, rejected.

A modern, AI-aware information classification program looks very different:

  • Simple labels, not a taxonomy contest: Think “Low / Medium / High” or “Public / Internal / Confidential / Restricted.” A small number of levels that people can actually remember and use.
  • Clear, departmental examples, not just policy language: Each department gets clear, tailored examples:
    • Finance: what sensitivity level is board reporting? What level are vendor contracts? What level is internal cost data?
    • R&D: what level is pre-clinical research? What about clinical trial data and lab notebooks?
    • HR: what sensitivity levels are performance reviews, salary data, DEI reporting?
  • Job aids and OCM, not magic from a tool: You support people with quick-reference guides, workflows in the tools they already use, and ongoing reminders. You don’t expect a single launch training or a new label in Office to change behavior.
  • Integrated with the controls that matter: Labels drive very real changes: DLP rules, sharing restrictions, access reviews, and—critically—what data can flow into AI systems and under what conditions.

When you design classification this way, it stops being a checkbox and becomes a backbone for how data moves through your environment.
 
InfoClass might not be a “sexy” cybersecurity program, but it has the potential to be a truly foundational one.

Connecting information classification to modern data management

It’s helpful to zoom out for a moment. Information classification is not the whole story. It’s one pillar of a broader, modern data management layer that your cybersecurity program desperately needs.

When you do this right, classification becomes the organizing principle that ties together:


  • Data discovery: Where does our “high” or “restricted” data actually live across cloud, SaaS, endpoints, and data stores?
  • Access governance: Who has access to those classes of data, and do they still need it?
  • DLP and insider risk: Which classes of data require monitoring, alerting, or blocking when exfiltration is attempted?
  • AI guardrails: Which classes of data are allowed in AI tools, under what scenarios, and with what logging and oversight?

 

In other words, modern information classification is the semantic layer that lets you say: “These data classes can participate in AI; these cannot; and here is how our controls enforce that.”

If your data management program hasn’t been updated in years, AI is the forcing function that will expose all the cracks. It’s no longer enough to know you have “sensitive data somewhere.” You need to be able to express that sensitivity in a way humans and machines can both act on.

What “modernization” actually looks like

So how do you move from a half-remembered, failed InfoClass initiative to something modern and AI-ready?

Here’s a pragmatic approach:

  1. Start with 3–4 levels, not 10: Design a simple scheme that makes sense to your organization. Co-create it with a cross-functional group (security, legal, privacy, data, plus 2–3 key business units). The goal is clarity, not perfection.
  2. Anchor it in real examples for each team: Build job aids that say, “In Finance, these are typical examples of Internal vs. Confidential vs. Restricted.” Do the same for R&D, HR, Sales, and so on. If people can see themselves and their work in the model, they will use it.
  3. Connect labels to specific control decisions: Decide what changes in your environment once something is classified:
    1. Should “Restricted” data ever leave your tenant?
    2. Should it be accessible from unmanaged devices?
    3. Can it be used in AI tools at all, or only in an internal, vetted environment?
      These decisions make classification feel real, because users see consequences and protections tied to the labels.
  4. Pilot, iterate, then scale: We’ve said it once, we’ll say it again... please don’t boil the ocean. Start with one or two departments that are both high-risk and motivated (e.g., R&D and Finance in a pharma organization). Run a pilot, measure friction and misclassification, adjust labels or guidance as needed, then expand.
  5. Treat it as ongoing change management, not a project: People change roles, new systems appear, AI capabilities evolve. Your classification program needs regular tune-ups, refreshed training, and updated job aids. The goal is not “set it and forget it” but “keep it usable and aligned with how we work now.”

You can’t have safe AI without modern data management

Boards and executives are right to push for AI. The upside is real: better insights, faster decisions, more efficient operations.

But when that pressure lands on a CIO or CISO with no modern data management foundation (no simple information classification, no clear picture of where sensitive data lives, no linkage to DLP or access controls), the organization is essentially flying blind.

You shouldn’t have to choose between innovation and protection. A modern information classification program, embedded in a broader data management strategy, is how you get both.

It gives you the language to answer the board’s next AI question with confidence:

“Yes, we can turn it on. And here’s exactly what data can go into it, what can’t, and how we’re going to make sure our people and our technology respect that line.”


 


About the author
Cody Rivers
Cody Rivers is a Consulting Director at Reveal Risk. Cody helps lead a consulting practice that specializes in creating and maturing cybersecurity programs that focus on risk reduction while aligning their work to client budget realities. Prior to joining Reveal Risk, Cody served as Chief Technology Officer (CTO) for a successful Midwest-based IT Managed Services Provider (MSP) with clients that spanned the US and Western Europe. While there, he built the cloud security practice that helped clients overcome technical obstacles on their path to security maturity and regulatory compliance. Cody’s experience spans 15+ years working with organizations ranging from local professional sports teams to Fortune 1000 companies in nearly all major industries. He’s worked within such frameworks as SOC, NIST, and SOX. In 2021, Cody was recognized as a CTO of the Year by the Indianapolis Business Journal.