Shannon Noonan: How to Develop Governance for Data Management and User Access

More often than not, data governance erodes quietly as organizations fail to see their data end to end. Information is created in one system, transformed in another, exported into reports, and shared across teams that assume someone else is tracking the full picture. When no one has clear end-to-end visibility, sensitive data can be overexposed, regulatory obligations can be triggered unintentionally, and small permission gaps can compound into audit findings, fines, or reputational damage.

Shannon Noonan, CEO and Founder of HiNoon Consulting, says that governance for data management and user access must be designed as a lifecycle. “The journey is never a straight line,” she says. “The journey is usually undoing bad habits to rebuild good habits around data management and user access.”

With more than 15 years of experience building governance, risk, and compliance programs for enterprises navigating privacy, audit, and security demands, her work sits at the intersection of internal controls and modern data realities: sprawling systems, distributed ownership, and a fast-growing reliance on automation. She is also a board member and author, and serves as the U.S. Global Ambassador for the Global Council for Responsible AI. That vantage point informs her view that weak governance is a measurable business risk, capable of triggering regulatory exposure, operational disruption, and loss of stakeholder trust when access and data controls fall out of alignment.

Governance Starts With Seeing the Whole System

Data management and user access are often treated as adjacent problems. Noonan argues they break down for different reasons. Data management is usually stewarded by a primary team that sets standards for how data is stored, labeled, and used. Access management, by contrast, tends to be fragmented across operating systems, databases, and applications, each owned by different administrators with different priorities.

That split creates a predictable governance gap. “Data management is managed by one team and then user access is managed by multiple teams,” Noonan says. The data may be “owned” by a function, but the pathways into it are controlled in several places. In practice, that means organizations can be meticulous about storing sensitive data correctly, while still exposing it through an overlooked report, a legacy permission, or an integration built for speed.

Noonan starts with what she calls a practical form of e-discovery: identify what exists, where it lives, and how it moves. “You have to do some form of e-discovery, identify what is there, and then walk through the process,” she says. The goal is to answer basic questions that many teams assume have already been settled: What type of data do you have? Where does it go? What happens to it along the way?

Mapping Data Flows Before You Talk About Security

Many organizations try to “secure” a system before they can describe it. Noonan flips that sequence. Controls only work when they are anchored in a clear map of the data lifecycle. “You have to know what you have,” she says. “You have to know who has access to it. And then you’ve got to figure out if you secured it properly.”

That sequence matters because most access issues aren’t intentional; they happen when teams make decisions without full visibility into how permissions intersect across systems. A team grants permissions because someone needs to do a job, not realizing those permissions combine with other permissions elsewhere to create an exposure. Governance, then, becomes the discipline of connecting what feel like reasonable local decisions into a coherent enterprise model.

Noonan’s first step is comprehensive mapping. “Map out the data. What data do you have in the environment? Then classify the data, and map it all the way through to the end,” she says. Crucially, a map that ends at a database or a dashboard isn’t a map. It has to include extracts, transformations, translations, and reports, and it has to show where data is copied, joined, or re-identified.

Access Breaks When Ownership Is Fragmented

The largest barrier Noonan sees is structural. “Everyone owns a different piece of the pie,” she says. “No one owns it from A to Z.” That reality is most common in mature organizations where systems have been built over years, sometimes decades, and layered with new processes as regulations or business models change. Each function protects its own perimeter, but the seams between teams create the real risk.

“You’re making sure you’ve got segregation of duties in place so that individuals can’t manipulate the data inappropriately or fraud can occur,” Noonan says. But if one team approves access to a system and another team approves access to an adjacent process, the combined rights may allow actions that neither team anticipated.

This is why governance can’t be a document that lives in one department. It has to be an operating rhythm that forces cross-functional visibility: shared terminology for data classifications, consistent approval criteria, and a method for reconciling what a permission means across platforms.
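The cross-team exposure Noonan describes can be made visible by merging each system's grants into one per-user view and checking that view against segregation-of-duties rules. The following is an added illustration, not code from the article or from HiNoon Consulting; every system, user, entitlement and rule in it is a constructed placeholder.

```python
# Added example, not from the article: merge entitlements that different
# administrators grant in their own systems into one per-user view, then flag
# combinations that break a segregation-of-duties rule. All users, systems
# and rules are constructed sample data.

# Each system's owner grants access independently (constructed).
GRANTS = {
    "erp": {"alice": {"create_vendor"}, "bob": {"approve_payment"}},
    "payments": {"alice": {"approve_payment"}, "carol": {"view_invoice"}},
    "hr": {"bob": {"edit_payroll"}, "dave": {"approve_payroll"}},
}

# Entitlements that must never be held together, whichever system grants them.
SOD_RULES = [
    ({"create_vendor", "approve_payment"}, "create a vendor and pay it"),
    ({"edit_payroll", "approve_payroll"}, "edit and approve payroll"),
]


def effective_entitlements(grants):
    """Return user -> {(system, entitlement)} across every system."""
    merged = {}
    for system, users in grants.items():
        for user, ents in users.items():
            merged.setdefault(user, set()).update((system, e) for e in ents)
    return merged


def sod_conflicts(grants, rules):
    """Return (user, reason, [(system, entitlement), ...]) for each broken rule.

    A conflict only appears in the merged view: no single system's owner
    sees both halves of the toxic combination.
    """
    findings = []
    for user, held in effective_entitlements(grants).items():
        names = {e for _, e in held}
        for required, reason in rules:
            if required <= names:
                detail = sorted((s, e) for s, e in held if e in required)
                findings.append((user, reason, detail))
    return findings


if __name__ == "__main__":
    for user, reason, detail in sod_conflicts(GRANTS, SOD_RULES):
        print(f"{user}: {reason} via {detail}")
```

Run against any single system on its own, the check reports nothing; the finding exists only once the views are joined, which is the point of a shared approval model.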

A HIPAA Lesson in How Data Becomes Re-Identifiable

A case from Noonan’s work illustrates how quickly good intentions can unravel. Take, for example, the Health Insurance Portability and Accountability Act (HIPAA) of 1996. A client operating under HIPAA requirements separated research and development from production. Scientists were given anonymized data so they wouldn’t handle regulated information directly. “They like to anonymize the data so that the scientists that were doing research and development didn’t really technically have HIPAA data,” Noonan says.

The segmentation itself was sound. The failure came from an exception built for convenience. Scientists had access to run reports that contained a generic identifier linking the anonymized environment back to production. “That report had all of the HIPAA data that took away the anonymization, because there was one generic ID that connected the two,” Noonan says. If someone could combine the datasets, the record became identifiable again, and the environment’s risk profile changed.

“They had never gone through and identified where the data was going and how it was being processed all the way to the end,” she says. The result forced a governance decision: revoke access or elevate the entire environment to HIPAA-grade controls and classification.
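The mapping step from the earlier section and the linking-ID failure in this case can be checked together: record each dataset's columns and direct identifiers, record who can read it, and look for a reader who can reach an anonymized dataset and a second dataset that shares a join key with it. This is an added illustration, not the client's system or any code from the article; the dataset names, columns and access grants are constructed.

```python
# Added example, not from the article: a small data-flow map where each dataset
# lists its columns and its direct identifiers, plus who may read it. The check
# finds a reader who can reach an anonymized dataset and a second dataset that
# shares a linking column with it, as in the report described above. All
# dataset names, columns and access grants are constructed.

DATASETS = {
    "prod.patients": {"columns": {"generic_id", "name", "dob", "diagnosis"},
                      "direct_identifiers": {"name", "dob"}},
    # research copy stripped of direct identifiers, but generic_id survives
    "research.cohort": {"columns": {"generic_id", "diagnosis", "lab_value"},
                        "direct_identifiers": set()},
    # convenience report built from production; also carries generic_id
    "reports.site_summary": {"columns": {"generic_id", "name", "site"},
                             "direct_identifiers": {"name"}},
}

# Scientists were meant to see only the cohort but were also given the report.
ACCESS = {
    "scientist": {"research.cohort", "reports.site_summary"},
    "clinician": {"prod.patients"},
}

def linking_keys(datasets, a, b):
    """Columns shared by a and b that are not direct identifiers themselves."""
    shared = datasets[a]["columns"] & datasets[b]["columns"]
    return shared - datasets[a]["direct_identifiers"] - datasets[b]["direct_identifiers"]

def reidentification_risks(access, datasets=DATASETS):
    """Return sorted (reader, anonymized, identifying, [keys]) for every reader
    who can join an anonymized dataset back to one with direct identifiers."""
    risks = []
    for reader, readable in access.items():
        anon = [d for d in readable if not datasets[d]["direct_identifiers"]]
        ident = [d for d in readable if datasets[d]["direct_identifiers"]]
        for a in anon:
            for b in ident:
                keys = linking_keys(datasets, a, b)
                if keys:
                    risks.append((reader, a, b, sorted(keys)))
    return sorted(risks)

def rejoin(anon_rows, ident_rows, key):
    """Demonstrate the effect: the anonymized row gets its name back."""
    lookup = {r[key]: r for r in ident_rows}
    return [{**r, **lookup[r[key]]} for r in anon_rows if r[key] in lookup]
```

Dropping the report from the scientists' grants, or removing generic_id from it, clears the finding; keeping both means the research environment inherits the report's classification, which is the decision the client faced.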

AI Will Make Governance Faster and Riskier

Over the next three to five years, Noonan expects automation to make mapping easier, but she also sees a new governance problem emerging: centralization.

AI tools can scan environments, track lineage, and surface access anomalies. Yet many models require data to be pooled into a centralized repository such as a data lake. “You’re going to have to take the data out of an environment, put it in a centralized area such as a data lake or an AI tool,” Noonan says.

Centralization boosts efficiency, but it can quietly expand who can see what. Noonan describes client scenarios where HR data moved into AI systems, enabling broader query access than intended. “We’re seeing trends of HR data going into these systems and people have the ability to go and research people’s payroll because it’s in there, and they didn’t realize that everybody could access it,” she says.

Governance, then, becomes less about whether a dataset is segregated in a legacy system and more about whether the AI-enabled environment preserves that separation with controls that match the sensitivity. “Once you put it in that centralized element, more people have access to it,” Noonan says. “Is that what you want to happen?”

Build Governance Early

Noonan often uses medical data examples because they’re relatable, but she stresses the principles apply everywhere. “This applies to every environment, right? Every process and control.” The real dividing line is whether governance is foundational or retrofitted. Many companies, she notes, have been “adding on and adding on and adding on” for decades, which makes governance feel like a repair project. For an early-stage company, the opportunity is different.

“It should be built into the process from the start, not trying to figure out how to do it at the end,” Noonan says. The alternative is a familiar cycle: permissions accumulate, data spreads, teams operate in silos, and governance becomes urgent only after an audit finding or a breach. Data governance and user access management aren’t separate initiatives. They’re two sides of a single promise: that an organization knows what it has, knows who can touch it, and can prove those decisions make sense.

Follow Shannon Noonan on LinkedIn or visit her website.
