Data Security Posture Management has become one of the fastest-growing categories in enterprise security. The market reached approximately $415 million in 2024 and is expanding at 37.4% annually. Gartner projects adoption will climb from under 1% of enterprises in 2022 to over 20% by 2026.

The growth makes sense. DSPM solves a genuine, painful problem: most organizations don't know where their sensitive data actually is. Shadow data in orphaned cloud storage, unclassified files in S3 buckets, customer PII in SaaS applications that IT never formally approved: DSPM finds it, classifies it, and tells you what's exposed.

That's real value. It's also where most DSPM tools stop.

The gap between discovering sensitive data and actually protecting it is the gap that generates breach notifications, regulatory fines, and audit failures. Understanding exactly where DSPM's authority ends and what the next layer requires is what separates organizations that have genuine data protection from those that have a very good map of their risks.

What Does DSPM Do?

DSPM is a visibility and posture tool. Its core capabilities:

Data discovery — Automatically finds sensitive data across cloud environments, SaaS platforms, databases, and unmanaged storage. This includes shadow data that IT didn't know existed: orphaned files, forgotten backups, misconfigured storage buckets, and data synced to unauthorized services.

Classification — Assigns sensitivity labels based on content type (PII, PHI, financial data, IP, CUI), regulatory category, and organizational policy. Modern DSPM tools combine pattern matching with ML-based context analysis to handle unstructured data like documents and emails, not just structured database records.

Risk assessment — Identifies misconfigurations (over-permissioned storage, publicly accessible buckets, excessive access rights) and models the "blast radius" of a potential compromise: how much data would be exposed if a specific credential were stolen.

Continuous monitoring — Alerts when data posture changes: new stores created, permissions modified, classification drift, and new shadow data appearing.

Compliance evidence — Generates audit trails showing where regulated data lives, what classification it holds, and what controls are documented.

The 2025 Gartner Market Guide for DSPM acknowledges both the category's rapid growth and its core limitations: operational complexity, vendor lock-in, and critically, lack of remediation. DSPM discovers and documents risk. Most platforms do not enforce protection.

The Leading DSPM Platforms

Cyera

Cloud-native, agentless DSPM using its "DataDNA" technology, combining pattern matching with IAM and network policy context to surface misconfigurations and shadow data. In 2025, Cyera added an Identity-Centric module that links data sensitivity to user behavioral patterns, modeling the data exposure path of a potential credential compromise. Named a representative vendor in the 2025 Gartner Market Guide.

What it does well: Multi-cloud discovery, shadow data identification, exposure path analysis. 

What it doesn't do: Encrypt files. Protect data after it's downloaded or shared externally.

Varonis

Extends decades of on-premises file-system monitoring expertise into cloud storage (AWS S3, Microsoft 365, Google Drive). Analyzes access patterns to flag excessive permissions and lateral movement paths. Rated #1 DSPM on Gartner Peer Insights 2025.

What it does well: Access analytics, insider threat detection, behavioral baselining across both on-premises and cloud. 

What it doesn't do: Apply encryption to files. Control what happens to data after a legitimate user downloads it.

Microsoft Purview DSPM

Native to the Microsoft 365 / Azure ecosystem. Provides unified discovery and classification across Microsoft 365, Azure, Fabric, and integrated third-party SaaS. In 2025, added an AI Observability module for visibility into Copilot interactions and a posture dashboard with guided remediation workflows.

What it does well: Deep Microsoft ecosystem integration, sensitivity label orchestration, Copilot data visibility. 

What it doesn't do: Protect files that leave the Microsoft environment. Enforce classification labels on unmanaged devices or external recipients.

Wiz

Market leader in CNAPP (Cloud-Native Application Protection Platform) with DSPM added as a capability. Deep multi-cloud visibility correlates infrastructure misconfiguration risk with sensitive data exposure.

What it does well: Infrastructure-to-data correlation, cloud security posture, multi-cloud coverage. 

What it doesn't do: Operate as a standalone data protection tool. Encrypt or access-control files at the document level.

Sentra

Cloud-native DSPM specialist. Strong out-of-the-box classifiers, agentless deployment, and attack path analysis that correlates vulnerability, permission, and data sensitivity to model exploitable breach routes.

What it does well: Speed-to-value, attack path correlation, cloud-first deployments. 

What it doesn't do: Provide file-level enforcement or post-download protection.

Normalyze, Securiti, BigID

All strong in specific areas: Normalyze for Snowflake-native environments, Securiti for privacy workflow automation (DSAR/CCPA), BigID for organizations that need DSPM plus automated governance. Each shares the same fundamental characteristic: discovery and classification are the primary outputs. File-level enforcement requires a separate layer.

The Gap: What DSPM Doesn't Cover

The clearest description of the DSPM gap comes from Kiteworks, whose platform addresses it directly: "DSPM tells you where data is, not what happens when it leaves." And more pointedly: "Without a governed data exchange layer, DSPM reports become liability documents."

The specific failure modes:

After a file is downloaded. A DSPM scan classifies a document as containing PII and flags that it's accessible to 200 users in a SharePoint library. An authorized user downloads it for a legitimate reason — a traveling employee, a contractor working offline. The DSPM has no further authority over that file. It's now on a device that may or may not be managed, with no encryption, no access controls, and no audit trail beyond the original download event.


After a file is shared externally. DSPM covers the data environments it has been configured to scan. When a classified document is emailed to outside counsel, shared via a collaboration tool not in scope, or forwarded to a supply chain partner, it leaves the DSPM's visibility entirely. The classification label may still be attached to the file. There is no enforcement mechanism traveling with it.

After AI ingestion. AI tools — from Microsoft Copilot to custom enterprise LLMs — ingest documents to generate answers and summaries. DSPM can identify that sensitive files are being accessed by AI systems. It cannot prevent those files from being processed by AI infrastructure operating outside your security perimeter, or control what happens to the content once the model has ingested it.

For unstructured data at scale. Many DSPM implementations struggle with the 70–90% of enterprise data that is unstructured — emails, documents, log files, engineering drawings, and PDFs. Classification rules designed for structured data patterns (SSNs, credit card formats, member IDs) miss context-dependent content in engineering specifications, legal memos, and technical drawings.


The Three-Layer Model Security Teams Are Building

The industry has arrived at a recognized architecture for complete data protection:

Layer 1 — DSPM: Discovers and classifies data at rest. Answers "what do we have, where is it, and is it exposed?" This is the map.

Layer 2 — DLP: Monitors and controls data in motion. Catches policy violations at defined boundaries — email, network, cloud uploads. This is the gate.

Layer 3 — File-level encryption: Protects the data itself, wherever it travels. Enforces access controls at the document level, independent of storage platform, device, or network. This is the lock.

The gap that generates the most breach exposure is between Layer 1 and Layer 3. DSPM tells you what to protect. File-level encryption ensures the protection travels with the data after DSPM has done its job.

This three-layer model is validated by the BigID/Kiteworks partnership (2025), which explicitly addresses this integration: BigID provides DSPM classification, and Kiteworks ingests those sensitivity labels and applies persistent protection when classified data is shared externally. The market is recognizing the gap and building bridges across it.

[Figure: DSPM protection loop and closing the unstructured data gap]

Where Theodosian Fits in the DSPM Stack

Theodosian is not a DSPM tool. It doesn't discover data, classify it, or build a risk inventory. What it does is enforce protection after DSPM has done that work.

When DSPM identifies a document as containing CUI, PHI, or regulated IP, that classification should trigger file-level encryption: protection that travels with the document regardless of where it goes next.

Per-file FIPS 140-3 validated encryption means each document carries its own cryptographic key and access policy. The policy applies to any device, in any environment, online or offline. If the file ends up somewhere it shouldn't — on an unmanaged laptop, forwarded to an unauthorized recipient, ingested by an AI tool — access is denied. The DSPM found the file and flagged the risk. The file-level layer ensures that risk doesn't materialize into an incident.

For organizations operating DSPM alongside Microsoft Purview, Varonis, or Wiz: Theodosian operates at the layer those tools don't reach. It's the enforcement mechanism that converts a DSPM classification report into operational protection.

Context-aware access controls mean the enforcement is dynamic, not static. Identity, device trust, location, and time all factor into whether a protected file can be opened. And Drop the Gate — Theodosian's anomaly-triggered access freeze — can revoke file access automatically when behavioral patterns suggest a compromise is underway.

Comparison: DSPM Platforms vs. File-Level Protection

| Capability | Cyera | Varonis | Microsoft Purview DSPM | Wiz | Theodosian |
| --- | --- | --- | --- | --- | --- |
| Data discovery, classification, risk posture assessment | ✅ Excellent | ✅ Excellent | ✅ M365/Azure native | ✅ Cloud-focused | Enforcement layer only (the step that turns a sensitivity label into actual protection) |
| File encryption | | | | | ✅ FIPS 140-3 per-file |
| Post-download protection | | | | | ✅ Travels with file |
| Unmanaged device coverage | | | | | ✅ Device-agnostic |
| Access revocation after sharing | | | | | ✅ Immediate, retroactive |
| AI ingestion control | Visibility only | Visibility only | Visibility only | Visibility only | ✅ File remains encrypted |

Turn Your Data Risk Map Into Operational Protection

Knowing where your sensitive unstructured data lives is only half the battle. If your security posture management software doesn't follow your files across the boundary, you aren't protecting data. Theodosian seamlessly ingests your classification labels and wraps your files in self-defending, FIPS 140-3 validated encryption that stays active wherever the file travels.


FAQs: What DSPM Misses

What is DSPM, and what does it do?

DSPM (Data Security Posture Management) automatically discovers sensitive data across cloud environments, SaaS platforms, and storage systems, then classifies it by type and sensitivity. It identifies misconfigurations and excessive access rights that create exposure risk, and provides continuous monitoring when data posture changes. DSPM answers "where is our sensitive data and is it exposed?", but it doesn't encrypt files, enforce access controls at the file level, or protect data after it leaves the governed environment.

What is the difference between DSPM and DLP?

DSPM focuses on data at rest, finding and classifying sensitive data that already exists across your environment. DLP (Data Loss Prevention) focuses on data in motion — monitoring and blocking unauthorized data transfers at defined boundaries like email, network egress points, and cloud uploads. Neither tool protects a file after it has been legitimately downloaded or shared externally. That protection requires file-level encryption that travels with the document.

Does DSPM satisfy CMMC encryption requirements?

No. CMMC Level 2 practice SC.3.177 requires FIPS 140-3 validated encryption on Controlled Unclassified Information. DSPM identifies where CUI exists and whether it is properly controlled, but does not itself apply encryption. To satisfy SC.3.177, the CUI files themselves must be encrypted with a FIPS-validated module — a requirement that falls to a file-level encryption tool, not a DSPM platform.

What does Gartner say about DSPM limitations?

The 2025 Gartner Market Guide for DSPM explicitly identifies "lack of remediation" as a core limitation of the category. DSPM platforms discover and document data risk, but most do not automatically enforce protection. Gartner also notes operational complexity and vendor lock-in as buyer concerns. The recognized industry response is to pair DSPM with downstream enforcement tools: DLP for data in motion, and file-level encryption for persistent protection at the document layer.

How does AI usage create DSPM gaps?

AI tools like Microsoft Copilot, enterprise LLMs, and agentic AI systems ingest documents to generate answers, summaries, and automated outputs. DSPM can identify that sensitive files are being accessed by AI infrastructure, but it cannot control what happens to that content once the AI model processes it — whether it's summarized in a response accessible to unauthorized users, cached in training data, or routed through infrastructure outside your governance boundary. File-level encryption ensures that even when AI processes a protected document, the underlying content cannot be accessed without satisfying the file's access policy.