Your Data Governance Gap is the Real AI Risk

Every hospitality operator presenting an AI strategy to their board this year has a slide about the technology. Almost none of them have a slide about data governance. That asymmetry is precisely why 74 to 88% of enterprise AI projects never make it from proof of concept to production.

Sol Rashidi was direct about this at MURTEC 2026. Data governance and AI security receive only 10 to 12% of time and funding in most AI initiatives, despite being the single most critical pillar for successful production deployment. The organizations that understand this and act on it before they scale are the ones whose AI investments survive the board’s ROI review eighteen months from now.

The POC-to-Production Gap Explained

The path from proof of concept to production is where enterprise AI investments go to die, and the cause is almost always the same. An organization runs a compelling POC in a controlled environment with clean, curated data. The results are impressive. The decision is made to scale. And then the deployment hits the full complexity of the organization’s actual data environment and stalls.

In hospitality, that data environment is genuinely complex. A full-service hotel brand operates across property management systems, central reservations platforms, loyalty databases, food and beverage point-of-sale systems, spa and activity booking tools, revenue management systems, and customer relationship management platforms. Each system was built at a different time, by a different vendor, with different data standards, and different integration architectures.

Guest data flows across all of them, and in most organizations, nobody has a complete picture of where that data lives, how it is being used, who has access to it, and whether that access is appropriate. An AI system deployed into that environment does not fix the fragmentation. It amplifies it, and the consequences are not just technical.

What is Actually at Stake

For hospitality providers, the data governance stakes are compounded by the nature of the data involved. Guest profiles contain behavioral patterns, preference histories, and spending data that represent genuine competitive intelligence. Payment information carries regulatory exposure under PCI DSS. Loyalty data is both a relationship asset and a liability if mishandled. Pricing strategy and competitive rate intelligence are proprietary business data that most organizations would not want surfaced in an unsanctioned AI interaction.

An AI system trained on improperly governed guest data is not just a technology risk. It is a brand risk and a legal liability. When a generative AI tool surfaces a guest’s previous complaint history in a context where it should not, or when an agentic pricing agent incorporates competitive intelligence gathered through channels that violate terms of service, the consequences extend well beyond the technology failure.

Rashidi’s foundational requirements for any production AI deployment are non-negotiable: automated, real-time Data Security Posture Management (DSPM) and Data Loss Prevention (DLP). Organizations must know how much data they have, where it is being used, whether that usage is sanctioned or unsanctioned, who has access, and who should not.

Most hospitality operators cannot answer all five of those questions today.

The Five Questions Every Operator Must Be Able to Answer

Rashidi’s data governance framework reduces to five operational questions. These are not aspirational governance principles. They are the minimum viable requirements for scaling any AI deployment beyond a controlled POC environment.

How much data do we have? This sounds straightforward. For most multi-property hospitality operators, it is not. Data created across ten years of PMS migrations, loyalty program iterations, and CRM platform changes lives in places that are no longer actively managed. The first step in data governance is a complete inventory.

Where is our data being used? This includes sanctioned uses in managed systems and unsanctioned uses by employees accessing data through consumer AI tools, personal devices, and third-party integrations that were never formally approved. Both categories are part of the data usage picture.

Is that usage sanctioned or unsanctioned? The emergence of consumer generative AI tools has created a shadow AI ecosystem inside most organizations. Employees processing guest data through publicly available AI tools without organizational policy governing that usage represent a real data governance gap, regardless of their intentions.

Who has access? Role-based access control in hospitality technology systems is frequently inconsistent. Staff who changed roles years ago often retain access credentials from their previous positions. Contractors and third-party vendors frequently have broader data access than their function requires.

Who should not have access? This is a different question from who has access, and it requires active governance rather than passive audit. The answer changes as staff turn over, as third-party relationships evolve, and as AI systems acquire the capability to access and combine data in ways that were not anticipated when access permissions were originally set.
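The last two questions can be checked mechanically once an access inventory exists. The sketch below is an added example, not part of Rashidi's presentation or any vendor tool: it compares what each account can reach today against a per-role baseline and flags the excess. The role names, system names, and accounts are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed baseline (assumption): the systems each role actually needs.
ROLE_BASELINE = {
    "front_desk": {"pms"},
    "revenue_manager": {"rms", "crs"},
    "loyalty_analyst": {"loyalty_db", "crm"},
    "pos_vendor": {"fnb_pos"},
}

@dataclass(frozen=True)
class Grant:
    user: str
    role: str             # current role
    prior_roles: tuple    # roles held earlier, oldest first
    systems: frozenset    # systems the account can reach today

def review_access(grants, baseline=ROLE_BASELINE):
    """Return (user, system, reason) for every grant beyond the role baseline."""
    findings = []
    for g in grants:
        needed = baseline.get(g.role)
        if needed is None:
            # No baseline means nobody decided what this role should see.
            findings.append((g.user, "*", "role has no baseline; review manually"))
            continue
        for system in sorted(g.systems - needed):
            # Explain the excess where a previous role accounts for it.
            inherited = [r for r in g.prior_roles if system in baseline.get(r, set())]
            reason = (f"left over from prior role {inherited[-1]}" if inherited
                      else f"beyond what {g.role} requires")
            findings.append((g.user, system, reason))
    return findings

# Constructed sample inventory: a promoted employee, a vendor, a clean account.
SAMPLE_GRANTS = [
    Grant("a.ng", "revenue_manager", ("front_desk",),
          frozenset({"rms", "crs", "pms"})),
    Grant("vendor-pos-01", "pos_vendor", (),
          frozenset({"fnb_pos", "loyalty_db"})),
    Grant("m.ortiz", "front_desk", (), frozenset({"pms"})),
]

if __name__ == "__main__":
    for finding in review_access(SAMPLE_GRANTS):
        print(finding)
```

Running the review on a schedule, rather than once, is what turns the passive audit into the active governance the fifth question asks for.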

DSPM and DLP: The Non-Negotiable Foundation

Rashidi specified two technical capabilities as non-negotiable prerequisites for production AI deployment: Data Security Posture Management and Data Loss Prevention.

DSPM provides continuous, automated visibility into where sensitive data lives, how it is being used, and whether its current security posture matches the organization’s policies. For a hospitality operator scaling AI across a multi-property environment, DSPM replaces the manual data audit process that is too slow and too incomplete to keep pace with AI-driven data access.

DLP prevents sensitive data from leaving the organization’s controlled environment through unsanctioned channels. In the context of generative AI, this means preventing guest PII, pricing strategy, and competitive intelligence from being incorporated into public AI model training through employee prompting behavior.
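To make the prompt-level control concrete, here is an added example (not from the presentation and not any DLP product's code) of an outbound gate that inspects a prompt before it reaches an external AI tool. It assumes two detectors only, payment card numbers confirmed with a Luhn check and email addresses; the function names and the sample prompt are constructed.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def inspect_prompt(text: str):
    """Return (kind, matched_text) for each sensitive value found."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # confirmation numbers etc. fail here
            findings.append(("payment_card", m.group()))
    findings += [("email", m.group()) for m in EMAIL.finditer(text)]
    return findings

def gate_prompt(text: str):
    """Redact findings and return (text_safe_to_send, findings_for_audit_log)."""
    findings = inspect_prompt(text)
    for kind, value in findings:
        text = text.replace(value, f"[REDACTED:{kind}]")
    return text, findings

# Constructed prompt: test card number, example.com address, booking reference.
SAMPLE_PROMPT = (
    "Draft an apology to jane.doe@example.com; her card 4111 1111 1111 1111 "
    "was charged twice. Confirmation 1234 5678 9012 3456."
)

if __name__ == "__main__":
    safe, found = gate_prompt(SAMPLE_PROMPT)
    print(safe)
    print(found)
```

The Luhn step is what keeps the gate usable: the 16-digit confirmation number passes through untouched while the card number is redacted.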

Together, DSPM and DLP form the governance infrastructure that makes the difference between an AI deployment that scales successfully and one that stalls at POC because the organization’s legal and security teams cannot approve production rollout without them.

The Governance Investment Case

Data governance is not the exciting part of an AI strategy presentation. It does not generate the enthusiasm that agentic booking agents and AI-powered revenue management do. But it is the investment that determines whether those capabilities ever make it to production.

The math is straightforward. An organization that invests 10 to 12% of its AI budget in data governance, the current industry average Rashidi cited, is under-investing by a significant margin in the capability that determines whether the other 88 to 90% of the investment produces a return.

The organizations that will win the AI era in hospitality are not the ones with the most advanced AI tools. They are the ones whose data infrastructure is mature enough to support those tools in production. Governance is not a cost of doing AI. It is the foundation on which every other AI investment either stands or collapses.

The Bottom Line

The POC looked great. The production deployment stalled. In almost every case, the reason is data governance, and in almost every case, the organization knew the governance was insufficient before it started.

Rashidi’s message at MURTEC 2026 was not that governance is complicated. It was that governance is skipped because it is unglamorous, and the skipping is what kills the deployment.

Implement automated, real-time DSPM and DLP before you scale. Know your data: where it lives, who accesses it, and whether that access is sanctioned. Answer the five questions. Then build the AI strategy on top of a foundation that will actually support it.

Up Next in the Series:

This was Post 5. Post 6 examines the four human capabilities Sol Rashidi identified at MURTEC 2026 that AI cannot replicate, and why hospitality’s entire competitive differentiation is built on three of them.


IHL Group covers retail and hospitality technology markets globally. For more information on our research, visit https://www.ihlservices.com. Sol Rashidi keynoted MURTEC 2026 in Las Vegas. All data and frameworks cited in this post are attributed directly to her presentation.