Half of Organizations to Adopt Zero-Trust Data Policies by 2028: Gartner

By 2028, 50% of organizations will adopt a “zero-trust” approach to data governance as the amount of AI-generated data continues to rise, said Gartner.

In simpler terms, the research and advisory firm said by 2028, half of all companies will no longer be able to assume that data is reliable or created by humans, as AI-generated content becomes widespread and increasingly difficult to distinguish from human-produced information.

Instead, they'll verify and authenticate everything first, like for example similar to how banks verify customer identity before transactions, or how airport security checks everything before letting you through.

“Organizations can no longer implicitly trust data or assume it was human generated,” said Wan Fui Chan, managing vice president at Gartner. She said a zero-trust posture, which focuses on verifying and authenticating data before it is used, will be needed to protect business and financial outcomes as AI-generated data becomes more common across industries.

Gartner said large language models (LLMs) are typically trained on data collected from the web and other sources such as books, code repositories, and research papers. Many of these sources already include AI-generated content. If current trends continue, the firm expects that most data used to train future models will contain material produced by earlier AI systems.

For example, AI systems like ChatGPT learn by reading massive amounts of text from the internet, books, and research papers. But increasingly, that training material includes content written by other AI systems. It's AI learning from AI.

This, could increase the risk of what it calls “model collapse,” where AI systems become less accurate or reliable over time because they are trained on their own outputs rather than on verified, real-world data.

Despite these concerns, companies aren't slowing down. According to the 2026 Gartner CIO and Technology Executive Survey, 84% of respondents said their organizations plan to increase spending on generative AI in 2026.

As enterprises expand their use of AI tools, the volume of AI-generated data stored and reused inside organizations is expected to rise sharply. Gartner said this makes it harder for companies to track the origin and reliability of their data.

Regulation And Data Control

Regulatory pressure is another factor pushing organizations toward stricter data controls. Chan said rules requiring companies to verify whether data is AI-generated or human-created are likely to increase in certain regions. However, she added that these requirements will vary by geography. Some governments may introduce stricter controls on AI-generated content, while others may take a more flexible approach.

“In this evolving regulatory environment, all organizations will need the ability to identify and tag AI-generated data,” Chan said. She added that success will depend on having the right tools and a workforce skilled in information and knowledge management, along with metadata management systems that support data cataloging and governance.

Metadata Management and Actions Recommended

Gartner said active metadata management will become an important capability for enterprises. This allows organizations to analyze their data assets, generate alerts when data becomes outdated, and automate decisions based on data quality.

To manage the risks associated with unverified AI-generated data, Gartner recommended several steps. These include appointing leaders responsible for AI governance and compliance, encouraging collaboration between cybersecurity and data teams, and updating existing data governance and security policies to address risks specific to AI-generated content. The firm also advised organizations to adopt active metadata practices so that data requiring review or recertification can be identified quickly.

Gartner said these measures will be necessary as organizations rely more heavily on AI-driven systems and data-driven decision-making. Without stronger controls, the firm warned, businesses risk using inaccurate or unverified data, which could affect both operational performance and regulatory compliance.