The Hidden Risk Layer in Modern Marketing

How marketing quietly became one of the most exposed functions in the business If you look at marketing today, it doesn’t look risky.

It looks productive. Faster. More automated than ever. Campaigns are built with AI. Content is generated in minutes. Customer data flows across tools, platforms, and teams. From the outside, this feels like progress. But underneath it, something else is happening. Marketing has quietly become one of the most data-intensive and system-connected functions in the company and with that, one of the most exposed. Not because marketers are careless. But because the way we work has changed faster than the way we think about responsibility. We paste data into AI tools. We connect multiple platforms through integrations. We reuse insights across teams and channels. We rely on third-party tools we don’t fully audit.

And rarely stop to ask: Where does this data go? Who has access to it? And who is actually responsible for it?

That’s the layer I would like to talk about with Lubova Vaivode, Cybersecurity Leader, Women4Cyber Latvia member. So I asked:

Where do you see marketers creating risk without realizing it?

Lubova: Marketing operates with information of great value to the company - strategic data, market insights, and customer surveys. Marketing is expected to be creative and experimental, so this information (including financial indicators, personal data, and some pre-release plans) has a chance to land on some innovative, however risky and unverified tools. Another vector is external information. Marketing specialists need insights into their competitors' businesses, market trends, and facts. By browsing the internet, clicking links, and downloading this and that, there is a very high chance of introducing malware to the company device. Recent breaches at some reputable companies via the simplest phishing links just confirm that.

What makes this challenging is that the risk doesn’t feel like risk. It looks like normal work. A marketer uploads data into an AI tool to analyze segments. A campaign brief includes sensitive company or product information in a prompt. A team connects CRM, ad platforms, and enrichment tools without clear data boundaries. Content is generated using internal insights that were never meant to leave the company. None of these actions feel critical in isolation. But together, they create something else. A system where data moves faster than governance. And where marketing decisions increasingly rely on tools that operate outside traditional control structures. This is where the gap appears. Marketing is optimizing for speed, output, and performance. But risk is accumulating in data exposure, unclear ownership, and the absence of internal policies. And most teams don’t see it, because nothing has broken yet. That raises another important question:

What would surprise most marketing teams about how they handle data?

Lubova: Usually, marketing teams evaluate the performance of their tools, not the security part. A few of us have ever read Terms & Conditions of the tools we use: what is the retention period of information that was uploaded to the tool, can we really delete our data from that external tool, how much of your information would be shared with the third-party’s subprocessors, and is your data used for model training purposes? Integrations are another pain point. Wide access to data, lack of role-based permissions for your team (Admin as core role for every team member) - that is a recipe for a potential disaster. And at the end, shadow IT tools. Trials, free personal accounts - because it is faster and there are no extra expenses. Risks are waiting for you there - many tools are prohibiting free and trial usage for commercial purposes.

So, add licence terms breach to the previously mentioned risks. One of the most interesting tensions in this shift is ownership. Ask a simple question internally: who is responsible for AI usage in marketing? The answers are usually fragmented. IT handles tools. Legal handles compliance. Marketing handles execution. But AI doesn’t sit neatly in any of those categories. It touches data, tools, usage, and decisions at the same time. Which creates a gap. Everyone is involved. But no one fully owns it. And in practice, that means responsibility often falls to the person using the tool, usually a marketer under pressure to deliver faster results. So the real question becomes:

Who should actually own responsibility for AI usage in companies?

Lubova: There is no silver bullet for this question, as AI tooling brings a whole spectrum of risks to the company. The shared responsibility matrix would fit best here. The IT takes care of the technical setup and security configurations, the Legal validates ownership rights for the created content, while the data privacy officer ensures personal data is handled safely. The last piece of the puzzle to this concept is a user who trusts their critical thinking and awareness while collaborating with AI tooling. Right now, many teams operate under a simple assumption: if the tool is widely used, it must be safe. But adoption is not the same as control. And convenience is not the same as compliance. The real risk is not in using AI. It’s in using it without clear boundaries. Without defined data policies. Without approved tools and workflows. Without clarity on what can and cannot be shared. This is where most companies are today. Advanced in usage. Early in governance. Which leads to one of the biggest misconceptions:

What’s the biggest misconception marketers have about “safe” AI usage?

Lubova: As you mentioned, Kristine, well-known and popular is not equal to being secure. When teams are selecting tools, they briefly check the Trust Centre (a page for implemented security controls). If they find security promises and certifications, they just go with that tool, while the appropriate security level for your data is ensured only at the highest paid tier, like Enterprise. Another thing that is worth understanding: disabled model training does not result in zero retention. While your data is not being used to train the model (however, there is no mechanism to fully verify that), it may still be kept within a third-party account unless manually deleted. One of the most popular chatbots keeps user data until the user goes and deletes all their chats. And the final argument, personal data. A golden rule is to keep personal data off any AI tool, even if they are business subscriptions. Instead, an anonymization technique must be used, so personal data is removed from the input to avoid exposure. If someone from cybersecurity or governance joined your company tomorrow, marketing would likely be one of the first places they look. Not because it’s the weakest function. But because it’s highly connected, fast-moving, tool-heavy, and often less structured than finance or IT when it comes to control. Which makes it a natural entry point for risk. So I asked one final question:

If you joined a company tomorrow, what would you audit first in marketing?

Lubova: Information security is generally powered by risk assessments. Every risk assessment starts with an asset inventory, so I would follow the same approach. The initial understanding of tools in use, followed by a user access and configuration review. The parallel step - awareness training for marketing, specifically, explaining the attack trends and how to carry out a sanity check for a weird email or a new tool you read about on Reddit. A well-educated marketing team that is aware of the risks they face is a true gem to have at any company. Marketing is also changing in responsibility. It is increasingly a data handler, a system integrator, and a decision influencer. And that comes with a different expectation. Not just to perform, but to operate responsibly. The companies that will move ahead are not the ones using the most tools. They are the ones that define clear boundaries. What data can be used and where. Which tools are approved and why. Who owns decisions and accountability. Because in a world where buyers value trust more than ever, how you handle data and technology becomes part of your brand. Not always visible. But decisive over time.