Most organisations know they shouldn’t be using raw production data in testing anymore, so they’ve taken steps to mask sensitive data, anonymise records and generate synthetic datasets. That feels like progress.
But in many cases, it creates a new, less visible problem. The data is safer, but it no longer behaves like the real systems it’s meant to represent. As a result, testing starts to lose its reliability. In many cases, defects then go undetected and AI models get validated against unrealistic scenarios.
Everything looks fine on paper. But when those systems are exposed to real-world conditions, the gaps start to show. You’re still testing your systems, just not as they actually work.
NIS2 is raising expectations around resilience, risk management and the ability to demonstrate that systems and controls really work in practice. And that scrutiny doesn’t stop at production. It extends across the full lifecycle of your systems.
At the same time, the growing use of AI is increasing dependency on large volumes of realistic data, as well as continuous testing and validation to ensure models behave as expected.
That creates pressure in both directions. Organisations can no longer expose sensitive data in lower environments, but they also can’t afford to reduce realism without weakening assurance.
If your test data isn’t representative of how your systems really behave, then neither is the evidence you rely on to prove they are secure and resilient.
The hidden issue: broken data relationships
Here’s where most organisations fall short. In the process of masking or generating data, they often break the relationships that make systems behave correctly – how customers link to their orders, how payments tie back to accounts and how processes connect across systems.
This is often referred to as referential integrity – the idea that those relationships remain intact.
For example, imagine you have customer data and order data. Each order should link back to a valid customer. If that link is broken – for instance, an order exists but no longer points to a real customer – the data might still look complete, but the relationship is no longer valid.
That’s where problems start. Systems can’t find the data they expect, tests return misleading results, and environments stop reflecting real-world behaviour.
If your data doesn’t reflect how things connect in the real world, your testing becomes unreliable.
That’s why leading teams focus on more than just “safe data”. They focus on data that still behaves like production, preserving the relationships, dependencies and flows that real systems depend on.
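The customer-and-order case above, as an added example that is not part of the original article: it masks customer IDs two ways and lists the orders left without a valid customer. The table names, sample rows and the keyed-HMAC masking function are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed sample data: every order points at an existing customer.
CUSTOMERS = [("C001", "Ana Ruiz"), ("C002", "Ben Okoro"), ("C003", "Chloe Tan")]
ORDERS = [("O1", "C001"), ("O2", "C001"), ("O3", "C003"), ("O4", "C002")]


def random_token(_value: str) -> str:
    """Per-table random masking: a fresh token on every call, so links are lost."""
    return secrets.token_hex(8)


def keyed_pseudonym(key: bytes):
    """Deterministic masking (assumed approach): same input, same token."""
    def mask(value: str) -> str:
        return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]
    return mask


def build_masked_db(mask_id) -> sqlite3.Connection:
    """Load the sample data into SQLite with customer IDs and names masked."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id TEXT PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE orders (id TEXT PRIMARY KEY, customer_id TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [(mask_id(cid), "REDACTED") for cid, _ in CUSTOMERS])
    db.executemany("INSERT INTO orders VALUES (?, ?)",
                   [(oid, mask_id(cid)) for oid, cid in ORDERS])
    return db


def orphaned_orders(db: sqlite3.Connection) -> list:
    """Orders whose customer_id no longer matches any customer row."""
    rows = db.execute(
        "SELECT o.id FROM orders o LEFT JOIN customers c "
        "ON o.customer_id = c.id WHERE c.id IS NULL ORDER BY o.id")
    return [r[0] for r in rows]


if __name__ == "__main__":
    print("random masking orphans:", orphaned_orders(build_masked_db(random_token)))
    key = secrets.token_bytes(32)  # masking key, kept outside the test environment
    print("keyed masking orphans:", orphaned_orders(build_masked_db(keyed_pseudonym(key))))
```

Both masked databases contain no original customer ID, but only the keyed version still lets every order resolve to a customer.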
False confidence in releases: Systems appear ready – until they aren’t
Unreliable AI outcomes: Models trained or tested on unrealistic inputs lose accuracy
Missed system-level failures: Cross-system issues never show up in test
Weak compliance position: Harder to demonstrate that controls and validation actually work
And that’s exactly where scrutiny will increase.
Leading organisations are moving beyond data protection as a one-off activity and treating test data as part of their overall control environment. The focus is shifting toward data that is not only privacy-safe, but also representative of how systems behave in the real world. That means ensuring sensitive information is never exposed outside production, while still preserving realistic patterns, dependencies, and relationships across datasets.
At the same time, organisations are investing in making test data available on demand rather than relying on slow, manual preparation processes. This allows teams to test more frequently, validate AI models more effectively and respond faster to change. Just as importantly, these approaches are designed to be repeatable and auditable, making it easier to demonstrate that controls are applied consistently and that systems have been properly validated.
The result is stronger, more reliable testing, better confidence in AI outcomes, and a clearer path to meeting the expectations set out by regulations like NIS2.
You don’t just need safer data.
Because under NIS2, resilience must be demonstrated, controls must be evidenced and assurance must stand up to scrutiny.
And that only works if your data does.
I’ll be presenting on a Resillion webinar on 30 June 2026 with Finn Lawford Mee from Synthesized, where we’ll explore how test data automation can help organisations reduce production data risk, preserve realism and strengthen assurance for AI and NIS2.