Five enterprises. One independent study. The numbers that make the business case for AI data readiness.
The hardest conversation in enterprise security is not about which threats are real. It is about what governing data is actually worth. Most security leaders know their data estate is undertreated. They know AI is reaching sensitive data that was never classified, that compliance scope creep is consuming analyst time, and that the tools they have were not built for the scale and speed the current environment demands. What they often lack is a number they can put in front of a CFO or a board.
Forrester Consulting, commissioned by Sentra, conducted a Total Economic Impact study published in June 2026. Forrester interviewed five security decision-makers at enterprises across financial services, fintech, transportation, and healthcare, then built a composite organization model to quantify the three-year financial impact of continuous AI data readiness. The composite is a US-based B2C fintech enterprise with four billion dollars in annual revenue, 3,500 employees, a 100-petabyte data footprint, and a hybrid multicloud architecture operating in a highly regulated environment with significant PII, PHI, and PCI exposure.

Source: The Total Economic Impact of Sentra, Forrester Consulting, June 2026. Based on a composite organization. Results are not a guarantee.
This post breaks down what drove those numbers and what they tell us about the real cost of not having continuous AI data readiness in place.
The problem the five interviewees shared
Before adopting Sentra, the five organizations described variations of the same situation. They relied on manual tagging, tribal knowledge, ad hoc scripts, and point-in-time audits to understand where their data was and what it contained. That approach worked well enough when data volumes were manageable and AI was not actively reaching into their data stores. By the time they were interviewed for this study, neither of those conditions still applied.
One pattern that stood out across interviews was the specific pain of test and nonproduction environments. Organizations in regulated industries are required to keep production data out of development, test, and QA environments. Without automated discovery, none of the interviewees had reliable visibility into whether production data had drifted into those environments. As a result, compliance teams were treating large numbers of lower environments as in scope for audits, adding review burden for systems that often posed no real risk once examined.
The senior manager of security at a fintech organization described why they had discontinued their prior solution before even finishing the contract: high false positive rates, low-fidelity findings, and misclassifications that required manual rework rather than reducing it. The tools the market offered before continuous, automated classification either could not scale to the data volumes involved or produced findings too noisy to act on.
The FVP of security architecture at a financial services organization described the periodic access review process before Sentra as "a huge nightmare," noting that gaps in visibility meant their teams could never be confident the review was actually complete.
Finding one: AI governance effort dropped by 90 percent

The first and largest benefit in the study was the reduction in manual production data and AI governance effort. Before Sentra, the composite organization's data and AI governance function consisted of five FTEs split across data management and AI use case review. Those teams spent their time on manual tagging, cross-team coordination, and validating data assets that engineers had tagged themselves, a process the CISO at a transportation company described as relying on "our own internal data tagging and data authorization platform that was manually attested to by engineers."
After implementing continuous automated discovery and classification, the composite reduced the number of systems requiring active human governance by 90 percent. Cross-team coordination decreased as security teams could access data asset information directly through Sentra rather than requesting it from data engineering. Manual review cycles gave way to automated monitoring.
The impact on AI governance specifically was equally significant. The CISO at a financial services organization explained that Sentra changed how their team approached AI use case approvals: "Instead of me trying to be the clearing house for every single AI solution, very much like a DLP, Sentra helps me stay focused surgically on the higher-risk AI use cases." Rather than reviewing every AI deployment with the same level of scrutiny, the team could now distinguish between lower-risk AI assistants and higher-risk agentic AI deployments based on the sensitivity of the data those systems could actually reach.
The senior manager of security at a fintech organization put the labor savings in concrete terms: "From a data governance perspective, the impact has been significant, about 2.5 FTEs saved annually. Previously, our analysts manually classified and labeled thousands of data stores across our storage technologies. That's all been automated through Sentra's API."
The three-year present value of this benefit, risk-adjusted at 15 percent by Forrester, was $1.5 million.
Finding two: Compliance scope in nonproduction environments shrunk from 100 systems to 10

The second benefit addressed the audit scope problem directly. The composite reduced the number of systems requiring compliance oversight in test and nonproduction environments from approximately 100 to 10, a 90 percent reduction, by identifying and removing or masking production data in those environments.
The CISO at a financial services organization described the before state clearly: "We had to extend our compliance operations into testing environments. With Sentra, we were able to identify the number of systems with customer data in them and eliminate 90 percent of that footprint."
Once production data was identified and remediated in lower environments, those systems fell out of scope for audits and regulatory controls entirely. Validation cycles shortened, evidence gathering became less burdensome, and compliance teams could focus their effort on the environments that actually contained sensitive data rather than treating every system as a potential risk.
The three-year present value of this benefit, risk-adjusted at 15 percent, was $913,000.
Finding three: DLP coverage narrowed to the users who actually matter
The third quantified benefit came from the intersection of data classification and DLP targeting. Before Sentra, DLP programs were applied broadly across the full user population, because without data classification the security team had no way to know which users were likely to encounter genuinely sensitive data. That produced high alert volumes, significant analyst time spent reviewing low-risk events, and licensing costs proportional to total headcount rather than actual risk.
With Sentra providing visibility into which users had access to sensitive data, the CISO at a financial services organization reduced their DLP monitoring from the full employee base to approximately 400 users out of a company of 7,000: "We know these individuals could cause a serious privacy incident. Sentra allows us to pinpoint the right people to monitor."
The same CISO estimated the impact on analyst time directly: "If I didn't have Sentra, I would need at least $200,000 of additional labor just to go through all the false positives. It would be one additional data security analyst."
The three-year present value of this benefit, risk-adjusted at 10 percent, was $526,000.
Finding four: Breach risk reduced by 65 percent

The fourth benefit was a risk-based calculation rather than a direct labor savings. The composite organization modeled a 65 percent reduction in the likelihood of breach-related costs resulting from Sentra's continuous monitoring and proactive remediation capabilities. Before Sentra, overprovisioned access and fragmented visibility created an expanded attack surface that the team had limited ability to monitor consistently.
The CISO at a financial services organization, describing their experience with Sentra relative to their prior career in defense and intelligence, said: "By far the best experience I had classifying and protecting data and being able to really feel comfortable that I got everything."
Interviewees also noted improved cybersecurity insurance outcomes following Sentra's deployment, reflecting external validation of a stronger security posture.
The three-year present value of this benefit, risk-adjusted at 20 percent, was $806,000.
Finding five: Cloud infrastructure costs dropped through shadow data elimination
The fifth benefit was one that often surprises security leaders when they first encounter it: the relationship between data governance and cloud spend. Before Sentra, organizations had no reliable inventory of which data assets were still needed and which were orphaned. Databases created for development, testing, or analytics projects were not decommissioned when those projects ended. Duplicate datasets persisted across environments. Snapshots accumulated without review.
The CISO at a financial services organization was specific: "We eliminated 110 databases, and each of those costs roughly $10,000. I'd say we reduced about $1.1 million in cloud spend by eliminating orphaned assets."
The composite modeled this at 1.5 percent of total cloud infrastructure costs, yielding a three-year present value of $839,000.
What the total numbers look like
Across five quantified benefit categories, the composite organization realized $4.6 million in three-year present value benefits against $1.0 million in total costs, including software licensing, compute infrastructure, and internal implementation effort. The net present value was $3.6 million and the return on investment was 351 percent. Payback on the initial investment occurred in under six months.
The cost structure is worth noting separately. The composite's annual Sentra license cost was $200,000, with an additional $40,000 in compute costs to support in-environment scanning, a total of $240,000 per year before risk adjustment. Implementation was completed by a small internal team over a short period. The CISO at a transportation company described the experience: "We were highly concerned with the annualized cloud compute run rate of this and that number ended up being wildly inconsequential with Sentra." Ongoing operational overhead required only a limited portion of an FTE's time after deployment.

The AI data readiness angle the numbers are actually describing
The five benefits in the Forrester study are presented as distinct financial categories, but they describe a single underlying capability: knowing what your sensitive data is, where it lives, and what can reach it, on a continuous basis rather than through periodic manual effort.
The 90 percent reduction in AI governance effort is what happens when classification is automated and current, so AI use case reviews can focus on actual risk rather than reviewing every AI system at the same level. The compliance scope reduction is what happens when you can tell a regulator exactly which systems contain production data and which do not, rather than treating everything as potentially in scope. The DLP narrowing is what happens when data classification tells you which users are genuinely high risk rather than applying broad controls to everyone. The breach risk reduction is what happens when your security team can see what AI, applications, and service accounts can actually reach, rather than managing a partially visible attack surface. The cloud savings are what happens when you can confidently identify and decommission data that serves no current purpose rather than letting it accumulate indefinitely.
These are all expressions of the same question that Sentra's AI data readiness platform is built to answer continuously: what sensitive data exists, where is it, and who or what can reach it.
Key takeaways
- Forrester found 351 percent ROI and $3.6 million NPV over three years for a composite 100-petabyte fintech enterprise, with payback in under six months.
- The largest benefit was a 90 percent reduction in manual production data and AI governance effort, worth $1.5 million over three years.
- Compliance scope in nonproduction environments dropped from 100 systems to 10, generating $913,000 in three-year savings.
- DLP monitoring narrowed from broad population coverage to targeted high-risk users, saving the equivalent of one analyst FTE and $526,000 over three years.
- Breach risk reduced by 65 percent through continuous monitoring and proactive remediation, worth $806,000 in avoided costs.
- Shadow data elimination reduced cloud infrastructure costs by 1.5 percent annually, generating $839,000 over three years.
- The financial model does not include unquantified benefits such as improved cross-team collaboration, AI readiness and governed adoption, or the strategic value of a continuously updated data inventory.
The Forrester study provides the board-ready business case that most AI data readiness conversations have been missing. The question is not whether continuous data governance is worth investing in. The numbers answer that. The question is how much exposure accumulates in the time between when the question is first raised and when the investment is made.
Download the full Forrester TEI study for the complete methodology, model assumptions, and financial summary tables.
Read the AI Data Readiness guide for the foundational context on what AI data readiness means and what it requires.
Request a demo to see what a continuous data readiness assessment looks like across your own environment.
This study was commissioned by Sentra and conducted by Forrester Consulting, June 2026. Results are based on a composite organization and are not a guarantee of results for any individual organization. Total Economic Impact and TEI are trademarks of Forrester Research, Inc.
