The Era of Manual Data Classification is Officially Over
What NIST SP 1800-39 Means for Modern Data Security

NIST’s new draft practice guide on data classification, SP 1800-39, is an important signal for the industry. Published by the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST), it shows in practical terms how organizations can use automated tools to discover, identify, and label unstructured data. For security and data teams still formalizing their classification programs, that is a valuable step forward.
The guide reinforces three realities that security teams feel every day:
- You can’t protect what you can’t see.
- Manual discovery and classification processes do not scale across modern enterprise environments.
- Automated classification is increasingly essential for Zero Trust and AI readiness.
What NIST Actually Tested
The NCCoE build started with a synthetic dataset of 25,884 unstructured files derived from SyntheticMass, a source of realistic but fictional patient and population data. Synthetic data made sense for this kind of demonstration because it allowed the project to test classification workflows at scale without exposing real sensitive information. NIST also focused on unstructured data for a good reason: most enterprise data is unstructured, and it’s typically the hardest category to inventory, interpret, and govern consistently.
The dataset included both reactive and non-reactive files so the tools could distinguish sensitive from non-sensitive content. Across the corpus, NIST defined 12 target data types, including names, addresses, birthdates, patient IDs, passport numbers, and synthetic customer and billing numbers. In other words, the challenge was not just to find files, but to identify the specific sensitive elements inside them and apply labels based on a defined schema.
Each participating vendor configured its tool using its own classification schema and workflow. In the file-based demonstrations, the tools were deployed in isolated lab environments, pointed at known storage locations, and then used to scan the synthetic files, identify sensitive content from metadata and file contents, assign labels according to the configured schema, and generate reports for review. The specific schemas differed by product, but the overall pattern was consistent: discover, identify, label, report.
A Good First Step
Taken on its own terms, SP 1800-39 is a useful proof point that automated discovery and classification of unstructured data is feasible. It should be especially helpful to organizations that are still building their first formal classification program. But for larger enterprises with mature governance requirements and sprawling data estates, the next generation of demonstrations should go further and test these approaches under conditions that more closely resemble the real world.
For example, the approaches demonstrated in the draft are centered on schemas, configured policies, and deterministic identification methods. Those techniques are useful when organizations are classifying well-defined identifiers in environments that are already known and accessible. But at enterprise scale, data is rarely confined to neatly inventoried repositories with stable formats and clearly defined identifiers.
Large organizations often manage petabytes of unstructured data spread across hundreds or thousands of repositories. Much of it is dark, partially inventoried, or constantly moving between on-premises systems, SaaS platforms, and cloud services. In that environment, schema-heavy approaches become harder to sustain. As data volume, velocity, and variety grow, deterministic systems require continuous tuning to account for new identifiers, shifting business context, multilingual content, and evolving regulatory expectations.
Just as important, while SP 1800-39 shows that tools can scan a defined location and apply labels according to configured schemas, it does not publish metrics on precision, recall, or per-data-type performance. For enterprise buyers and practitioners, those are not academic details. They are the difference between a tool that looks good in a controlled demo and one that can be trusted in production.
The real test is whether a tool can achieve speed, scale, and precision in a complex enterprise environment. That’s why future NIST guidance should explicitly evaluate AI-native and LLM-based classification approaches alongside deterministic methods. Rules and patterns still matter for well-defined identifiers. But large enterprises also need classification engines that can understand semantic context, disambiguate sensitive business content, and recognize meaningful differences that cannot be captured reliably through patterns alone.
From a Controlled Demo to Enterprise Reality
At Cyera, we see this every day. Beyond the out-of-the-box classifiers that many organizations share, a substantial portion of enterprise-sensitive data often falls into learned classifications that are unique to a specific business, industry, or operating environment. Those are exactly the cases where contextual understanding matters most, because the sensitivity of the content depends less on a pattern match than on what the data actually means.
This is also why measurement matters. Because the NIST dataset includes both reactive and non-reactive files, future iterations of the project should be able to publish confusion matrices or comparable metrics that show precision and recall across data types and approaches. That would give practitioners a much clearer basis for evaluating which methods perform best, where they break down, and how much operational overhead they require.
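The measurement described above, as an added example (not code from NIST, the NCCoE build, or any vendor): a per-data-type confusion matrix with precision and recall for a deterministic classifier run over a labeled corpus of reactive and non-reactive files. The three regex rules, the six sample files, and their ground-truth labels are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed deterministic rules (assumed for illustration; not from SP 1800-39).
RULES = {
    "birthdate": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "passport_number": re.compile(r"\b[A-Z]\d{8}\b"),
    "patient_id": re.compile(r"\bPID-\d{6}\b"),
}

# Constructed corpus: (file text, ground-truth data types). Empty set = non-reactive.
CORPUS = [
    ("Patient PID-104233, born 1985-03-03.", {"patient_id", "birthdate"}),
    ("Passport X12345678 issued to the traveler.", {"passport_number"}),
    ("DOB: March 3, 1985. Record PID-220981.", {"birthdate", "patient_id"}),
    ("Invoice dated 2024-01-15 for part A98765432.", set()),
    ("Cafeteria menu for next week.", set()),
    ("Visit summary for PID-778120.", {"patient_id"}),
]

def classify(text):
    """Return the set of labels whose pattern matches the file text."""
    return {label for label, rx in RULES.items() if rx.search(text)}

def evaluate(corpus):
    """Per-data-type confusion counts (tp/fp/fn/tn) plus precision and recall."""
    counts = {label: Counter() for label in RULES}
    for text, truth in corpus:
        predicted = classify(text)
        for label in RULES:
            hit, real = label in predicted, label in truth
            # "tp"/"tn" when prediction agrees with ground truth, else "fp"/"fn".
            counts[label][("t" if hit == real else "f") + ("p" if hit else "n")] += 1
    report = {}
    for label, c in counts.items():
        flagged, actual = c["tp"] + c["fp"], c["tp"] + c["fn"]
        report[label] = {
            "tp": c["tp"], "fp": c["fp"], "fn": c["fn"], "tn": c["tn"],
            "precision": c["tp"] / flagged if flagged else None,
            "recall": c["tp"] / actual if actual else None,
        }
    return report

if __name__ == "__main__":
    for label, row in evaluate(CORPUS).items():
        print(label, row)
```

On this constructed corpus the date and passport patterns each flag the non-reactive invoice, and the date pattern misses a birthdate written in words, which is the kind of per-type breakdown a published evaluation would make visible.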
In its current form, NIST SP 1800-39 demonstrates that automated data discovery and classification can be operationalized through repeatable workflows. That’s a meaningful contribution, especially for organizations that still rely heavily on manual labeling and ad hoc processes. But the next generation of guidance should answer the harder question enterprise teams actually face: not whether a tool can classify data in a controlled lab, but whether it can discover and classify the right data across massive, fast-changing, partially unknown environments with measurable accuracy and manageable overhead. That is the standard modern data security programs need, and it is the standard future industry evaluations should meet.


