• Skip to primary navigation
  • Skip to main content
The Data Lab

The Data Lab

Pruple button with the word menu
  • About Us
        • About Us

           
          Visit our About Us page

        • Careers
        • Our Team
        • Impact
        • Contact us
  • Business
        • For Business

           

          Visit our Business Support page

        • Access data and AI talent
        • Funding and Business Support
        • Partnerships
        • AI Adoption Support
  • The Data Lab Academy
        • The Data Lab Academy

           

          Visit the Data Lab Academy page

        • Professional Development
        • Masters Scholarship Programme
  • Universities and Colleges
        • For Universities and Colleges

           

          Visit our Universities and Colleges page

        • Funding and Support
        • Collaborate and Innovate
        • Academic Projects
  • Community
        • Community

           

          Visit our Community page

        • News
        • Online Community
        • Data Visualisation Competition
        • Case Studies
        • DataFest

Security that doesn’t get bypassed: designing controls data teams will actually use

Guest Blogs, Partnerships 08/07/2026

photo of Hannah, blog Author

We’re delighted to hand the mic over to Hannah Nairn, Head of Information Security at Elementz, for our latest guest blog. Elementz is a Bronze Partner of The Data Lab, and Hannah brings her expertise in information security to explore the challenges organisations face as data teams adopt new technologies and ways of working. In this blog, Hannah looks at why security controls are often bypassed and how organisations can design approaches that support both security and innovation. She shares practical insights on building controls around real-world workflows — making secure ways of working easier, more effective and more sustainable.

It usually starts with a “just this once”.

A dataset gets copied locally because access is slow.
A credential is shared because someone is blocked.
A check is skipped because the pipeline needs to run now.

More recently, it looks like this:

A prompt pasted into a copilot “just to see”.
Real data used to test an AI tool because synthetic data is not quite right.
A new integration switched on mid-project without much thought about what it can access.

Nothing dramatic. Nothing malicious. Just small decisions to keep things moving.

Then it happens again. And again. Eventually, the workaround becomes the process.

This is how security controls quietly lose.

The bypass problem

Data teams work fast. Models are trained, tested, retrained. Pipelines evolve constantly. New tools appear halfway through delivery and quickly become essential.

AI has accelerated all of this.

Work is no longer contained within neat boundaries. Data flows into copilots, plugins, APIs, and external models that may store or learn from what they are given.

In that world, anything that slows progress becomes friction. And friction invites creativity.

You have probably seen it:

  • Sensitive data pulled into local notebooks to move faster
  • Checks skipped because delivery is already late
  • AI tools plugged in without knowing what data they retain
  • Prompts or outputs copied into external tools for convenience
  • Model outputs reused because they “look right”
  • Exceptions approved quickly and never revisited

Individually, these decisions feel harmless. Collectively, they reshape how work really happens.

Why controls get ignored

Most controls are built with good intent. They just do not match reality.

They interrupt flow

If a control appears mid-workflow, it feels like a blocker. Nobody experimenting with a model or prompt wants to stop and second guess every step. That pause is where workarounds begin.

They rely on perfect decisions

Controls often assume people will slow down and think carefully. In reality, work is fast. People reuse patterns, copy what worked before, and rely on habit. Under pressure, habit wins.

They are too one size fits all

Not all data or AI use is equal. A copilot for code is not the same as analysing sensitive customer data. When controls ignore that, they feel irrelevant and get ignored.

They lag behind behaviour

Teams adopt tools before guidance exists. By the time policies arrive, habits are already formed. Security ends up reacting instead of shaping.

They add effort without value

If something feels like extra work with no clear benefit, people will skip it. Especially when guidance is vague or overly restrictive.

Designing controls people will actually use

If controls are being bypassed, stricter enforcement is not the answer. Better design is.

The question is not “is this secure?”, it’s “will this still be followed when things get busy?”

Start with the workflow

Map how work actually happens. Where does data enter, move, and leave? Where do AI tools appear? What gets pasted into prompts?

Controls should sit inside these steps, not outside them.

If people have to leave their workflow to be secure, they often will not.

Make the secure path the easiest path

People do not choose the most secure option. They choose the easiest one.

So make it easy:

  • Provide ready to use secure environments
  • Offer approved AI tools with clear boundaries
  • Make safe or anonymised data easy to access
  • Preconfigure tools to prevent accidental exposure
  • Automate access instead of relying on manual approvals

Security cannot be something teams are expected to bolt on later.

Reduce decision fatigue

Every extra decision increases the chance of a shortcut.

Do not ask people to constantly judge what is safe. Decide that upfront.

  • Use data classification rules
  • Separate sensitive and non-sensitive environments
  • Apply role-based access to AI capabilities
  • Block risky actions automatically where possible

Good controls remove decisions. They do not add more.

Design for speed, not perfection

Trying to lock everything down slows work. That is when people go around you.

Instead, match controls to risk:

  • Faster access for low-risk work
  • Stronger controls for sensitive data
  • Monitor usage instead of blocking everything
  • Log prompts and outputs in higher-risk environments

This lets teams move quickly without creating obvious gaps.

Make feedback useful

When something is blocked, how you respond matters.

“Access denied” is frustrating. “Prompt blocked because it contains sensitive data. Use this instead” is helpful.

Clear feedback helps people adjust without breaking flow.

Treat workarounds as signals

If people keep bypassing something, that is useful information.

Maybe access is too slow. Maybe the approved tools are not good enough. Maybe the guidance arrived too late.

Fix the experience, not the people.

Security is a team sport

Security is not owned by one team.

Security teams design controls.
Data teams decide how work actually gets done.
Leadership decides what gets prioritised.

If leadership pushes only for speed, teams will optimise for speed.
If there is no time for safer approaches, workarounds become inevitable.

Good security happens when these pieces align.

That means:

  • Leadership backing secure ways of working
  • Teams given time to build safer patterns
  • Security working alongside teams, not after them
  • Shared ownership of risk

When security becomes part of how work gets done, behaviour starts to shift.

Measuring what actually matters

Many organisations still measure success through compliance. Policies written. Training completed. Boxes ticked.

That does not tell you what happens under pressure.

Better questions are:

  • Are teams using approved AI tools or finding their own?
  • Where is data actually being exported?
  • How often are exceptions revisited?
  • Do teams have realistic safe alternatives?
  • What do workflows look like when deadlines hit?

The real test is simple.

What happens when someone needs to move fast?

If the control gets skipped, it is not working. No matter how good it looks on paper.

Final thought

Security in data and AI is not just technical. It is human.

People will always optimise for progress. Deadlines and curiosity will win.

Do not fight that. Design for it.

Build controls that fit naturally into workflows. Give teams the tools and time to do things properly. Align expectations with secure ways of working.

Make the secure option the easy option. Make it something everyone owns.

That is when security stops being something people work around.

It becomes something that just happens.

Cybersecurity Month at The Data Lab Community

In July, we’re shining a spotlight on cybersecurity.

Here’s what we’ve got lined up:

  • You’re Easier to Hack Than You Think – 21 July 12:30 – 13:30 BST [Online]
  • Inside an Incident: Lessons from the Front Line of Cyber Response – 23 July 12:30 – 13:30 BST [Online]
  • Security in AI-enabled Organisations: Why Culture, Controls and Common Sense Still Matter – 29 July 17:30 – 19:30 BST [Edinburgh and Online]
  • Guardrails and Governance for Secure AI Exploration and Automation – 30 July 13:00 – 13:50 BST [Online]

Innovate • Support • Grow • Respect

Get in touch

t: +44 (0) 131 651 4905

info@thedatalab.com

Follow us on social

  • Bluesky
  • YouTube
  • Instagram
  • LinkedIn
  • TikTok

The Data Lab is part of the University of Edinburgh, a charitable body registered in Scotland with registration number SC005336.

  • Contact us
  • Partnerships
  • Website Accessibility
  • Privacy Policy
  • Terms & Conditions

© 2026 The Data Lab