Skip to main content
CybersecurityVulnerability Management

AI Adoption Exposes New Vulnerabilities in APAC Cybersecurity

Rows of computer servers and network equipment in a brightly-lit server room with neatly organized cables and wires.

"Visibility is a starting point; you cannot protect what you cannot see," said Andy Zollo, Senior Vice President, Application & Data Security (APJ) at Thales, summarizing the security dilemma that organisations across Asia Pacific face in 2026.

AI systems have become an 'insider' risk

Zollo tells iTNews Asia that the defining change this year is who, or what, now counts as the insider threat: AI systems. According to Thales' 2026 Data Threat Report, seven out of 10 organisations across Asia Pacific identify AI as their top data security risk. Those systems no longer sit purely as tools for humans; they "authenticate, they access data, and they make decisions with a speed and scale that no human team can match," Zollo said. The report argues organisations have often granted AI access to enterprise data with far fewer controls than those applied to human users — a structural vulnerability at the heart of current CISO concerns.

Data visibility and classification as the first line of defense

Only a third of organisations in the region know where all their data resides, the report finds — an especially acute problem when AI agents continually ingest and act on distributed data. Zollo recommends a "data-first AI security strategy": classify data before AI systems touch it, define access policies for those systems, and ensure encryption and key management extend into the environments where AI operates. When organisations skip classification and policy work, Zollo warns, "the AI will effectively answer" questions about access and retention through its behaviour, potentially exposing sensitive information or creating compliance risks.

Identity infrastructure, credential theft, and sprawling SaaS estates

Identity infrastructure is now the primary attack surface in APAC, the interview reports. Seven of 10 organisations cite credential theft as the leading attack technique against their cloud infrastructure. Compounding the problem, organisations manage an average of 89 SaaS applications — each integration point an entry path. Zollo stresses that least-privileged access must be applied to AI systems as rigorously as it is to human users, and that multi-factor authentication and identity governance are critical parts of the response.

Encryption gaps and uneven investment in AI security

Encryption is not yet universal: the report found nearly half of sensitive cloud data in Asia Pacific remains unencrypted. At the same time, only about a third of organisations have dedicated budgets for AI security, leaving many to try to retrofit AI risk controls into legacy security programs. Zollo notes that Singapore and Hong Kong are ahead of the APAC average on dedicated AI security budgets, which suggests pockets of greater awareness but uneven translation into action across the region.

Monitoring tools, tool sprawl, and the governance gap

Monitoring tools are necessary but insufficient, Zollo argues. Three quarters of APAC organisations surveyed run five or more data protection and monitoring tools simultaneously, yet only about a third say they have high confidence in their understanding of the tools they already have. That tool sprawl can create coverage gaps and operational burden. Equally important, when alerts and logs do not have clear escalation paths to leadership, detection-level improvements do not translate into better decisions at the top. The remedy Zollo prescribes is not more layers of monitoring, but consolidated tooling combined with clear data governance frameworks.

What this means for technologists, procurement leaders, and smaller enterprises

  • Technologists and security teams: Prioritise data classification, identity governance, and encryption for cloud and SaaS environments before expanding AI access — these are the "highest-impact fundamentals" Zollo highlights.
  • Procurement and enterprise leaders: Demand SaaS and cloud providers that support strong encryption and key management options rather than forcing the organisation to build that capability internally.
  • Smaller enterprises: Focus on proportionate measures — know where sensitive data lives, apply multi-factor authentication consistently, and choose providers with built-in encryption — because resources to build bespoke AI-aware infrastructure may be limited.

Agentic AI raises the stakes further, Zollo warns: AI agents that operate continuously and adapt in real time make attacks "faster and harder to interrupt." His prescription is practical and specific: start with clear data visibility, enforce identity controls and least-privilege access for AI systems, and treat encryption as baseline hygiene. Put another way, the path to secure AI adoption in APAC is not just more tooling; it is the hard work of data governance and identity controls done before AI is granted broad access. For organisations that move quickly on those basics, strong governance will accelerate AI use; for those that delay, the report suggests, incidents will force the conversation on far less favourable terms.

Original story: iTNews Asia — A data-first AI strategy is critical to managing security threats in 2026