The ability to identify what sensitive data is for your organization, gain visibility into where it is located, and tag it to inform controls for data access, data use, and the data’s lifecycle underpins your efforts to protect that data. Sensitive data discovery and classification is foundational for Zero Trust data security, privacy, and AI governance.

The landscape of technologies available with this capability spans from standalone offerings to parts of a broader extensible platform, such as a data security platform, privacy management software, and technologies for data management and governance. The evaluation for The Forrester Wave™: Sensitive Data Discovery And Classification Solutions, Q2 2026 focuses on data security use cases from standalone offerings and surfaces key considerations for informing a purchase decision such as:

    • Accuracy, performance, and scaling claims alone don’t tell the whole story. It’s common to see accuracy rates in the 95%-plus range. Offerings are designed for performance and scalability such as via distributed scanning approaches and differential scans, and use of microservices and autoscaling.

What to do: Probe into how the offering can achieve a high accuracy rate for your data types and data environments. For example, what level of pre-tuning may be involved as a part of configuration, or tuning to improve accuracy after deployment? Techniques for automated classification matter, as well as approaches for enrichment for classification, such as the offering’s ability to incorporate additional context like data lineage, permissions, metadata attributes, and more. Test the automated classification techniques through a proof of concept, and map out what enrichment is important now and in the near future to compare solutions. Look at pricing models. With many offerings priced by data volume, you may face a tradeoff between compute and cost based on your data environment and requirements.

    • Data source coverage is less of a worry with modern solutions. Expect coverage across common cloud and on-premises data sources, including support for mainframe environments such as Db2. While use of connectors to data sources is still the most common approach, some offerings utilize in-motion scanning to identify data within real-time data flows too.

What to do: Dig deeper into how you actually connect data sources, what is supported out of the box, and what the path forward is for delivering custom or unsupported connectors. It could be through an approach like the use of REST APIs, but it may also require professional services.

    • Alignment with data and business stakeholders drives more outcomes. Zero Trust data security and AI governance and security are areas where security teams require cross-functional alignment to fully understand the organization’s data and how it needs to be used.

What to do: Look further into native integrations, data risk visibility, and reporting capabilities to see how an offering can enable different outcomes. For example, some offerings have bidirectional integrations with data catalogs like Collibra and Alatian to help improve security’s understanding of data purpose and other data attributes captured within the catalog, as well as highlight use cases and benefits for additional enterprise stakeholders beyond security teams.

How To Use The Forrester Wave™

In The Forrester Wave™: Sensitive Data Discovery And Classification Solutions, Q2 2026, I evaluated the vendors that matter most with standalone solutions that primarily focus on data security use cases. Each vendor brings a different perspective on the outcomes it enables, from AI governance and data minimization to compliance and Zero Trust enforcement. This Wave evaluates their current offering across 15 different criteria, and strategy across 7 different criteria.

Forrester clients can access the interactive Wave experience to filter, compare, and surface which vendors are best suited based on the criteria that matter to them for vendors evaluated in this Wave. They can also leverage the current offering evaluation criteria within this Wave as they assess other solutions not in this Wave that have sensitive data discovery and classification capabilities. Or schedule a guidance session with me to discuss your requirements, and we can dig deeper into learnings from this evaluation.