Organizations across various markets including automotive, energy, finance and retail say the rapid pace of AI-driven transformation is now their biggest security challenge, according to a report from Thales.
Based on a study conducted by S&P Global 451 Research, 71% of organizations in the Asia-Pacific (APAC) region cite AI as their top data security risk. The concern is not only about malicious AI, but about the access it is being granted as it shifts from a tool to a trusted insider.
As enterprises embed AI into workflows, analytics, customer service, and development pipelines, these systems are being granted broad, automated access to enterprise data, often with fewer controls than those applied to human users in a corporate environment.
“Insider risk is no longer just about people. It is also about automated systems that have been trusted too quickly,” said Sebastien Cano, SVP of cybersecurity products at Thales.
“When identity governance, access policies, or encryption are weak, AI can amplify those weaknesses across corporate environments far faster than any human ever could,” said Cano.
Andy Zollo, Thales SVP for application and data security in APJ, saidthe real challenge for APAC leaders isn’t just adopting AI, but it’s about gaining visibility into where data lives and how identities are being used.”
The report reveals a troubling disconnect between AI adoption and data control. Only 35% of organizations in APAC know where all their data resides, regardless of criticality, and just 40% can fully classify it.
Meanwhile, nearly half (47%) of sensitive cloud data remains unencrypted. Data visibility is notably lower in Singapore (28%), New Zealand (29%) and South Korea (29%), where fewer organizations have complete knowledge of where their data is stored.
As AI systems ingest and act on data across cloud and SaaS environments, limited visibility makes enforcing least-privileged access increasingly difficult, that is granting only the strictly necessary access rights. This increases the extent of exposure if credentials are compromised.
Identity infrastructure in APAC is now the primary attack surface, mirroring global trends. Nearly 70% of organizations cite credential theft as the leading attack technique against cloud management infrastructure, exceeding the global average of 67%.
Hong Kong stands out as an exception, with a comparatively lower incidence of credential theft (44%). Instead, organizations there point to vulnerabilities stemming from third parties, including external code and APIs (67%), highlighting a different but equally pressing cloud risk profile.
At the same time, 42% of APAC respondents rank secrets management among their top application security challenges, underscoring the growing complexity of governing machine identities, API (application programming interface) keys, and tokens at scale.
AI is powering more convincing attacksincluding AI-enabled deepfakes and misinformation which can drive identity-based attacks.Credential theft is the leading attack technique against cloud management infrastructure (70%).
Like global trends, nearly 60% of companies in APAC have experienced deepfake-driven attacks, and 50% report reputational damage tied to AI-generated misinformation or impersonation campaigns. However, India (65%) stands out for its higher levels of deepfake exposure and reputational fallout (55%).
As AI introduces new risks, it also increases existing ones. Human error already contributes to 30% of breaches in the region, and with automation layered on top, small mistakes can scale faster and spread wider.
While organizations recognize the need to adapt, investment is not keeping pace with the rapid expansion of AI-driven access and automation. In APAC, 31% now dedicate specific budgets to AI security, with Singapore (41%) and Hong Kong (39%) leading the region on dedicated AI security budgets,
However, the majority (51%) still depend on traditional security programs built primarily for human users and perimeter-based controls. As machines increasingly authenticate, access, and act autonomously, many security strategies have yet to adjust to this shift in operating models.
“As AI becomes deeply embedded into enterprise operations, continuous data visibility and protection are no longer optional,” said Eric Hanselman, chief snalyst at S&P Global 451 Research. “Organizations must treat data security strategy as foundational to innovation, not separate from it.”
