New security weaknesses created as machine IDs outnumber humans

Companies are inadvertently creating a new identity-centric attack surface through the growing use of AI and cloud, according to a report from CyberArk.

Vanson Bourne conducted a study across private and public sector organizations of 500 employees and above, covering 2,600 cybersecurity decision makers.

Respondents were based in Brazil, Canada, Mexico, the United States, France, Germany, Italy, the Netherlands, Spain, the United Kingdom, the United Arab Emirates, Saudi Arabia, South Africa, Australia, India, Hong Kong, Israel, Japan, Singapore and Taiwan.

Machine identities are mostly unknown and uncontrolled within organisations, while the primary roadblocks to agentic AI adoption involve security concerns around external manipulation and sensitive access, signposting the emergence of a new and potent identity security challenge.

Driven primarily by cloud and AI, machine identities now vastly outnumber human identities within organisations, and close to 40% have sensitive or privileged access.

However, many enterprises leave both human and machine access to critical systems under-secured.

In the Asia-Pacific region, there are 82 machine identities for every human identity in organisations.

Human and machine identities – many of them with privileged access – are expected to double in 2025.

In 89% of APAC organisations, the definition of a “privileged user” applies solely to human identities despite 39% of machine identities having privileged or sensitive access.

Among APAC respondents, 82% faced successful identity-centric breaches due to phishing attacks in the past 12 months.

The anticipated top three drivers of 2025 cybersecurity spending among APAC organisations are: AI and large language models (LLMs) and tools adoption (59%); security operations – threat detection and response (48%); and adoption of zero-trust and identity security (39%).

Also, sanctioned and unsanctioned adoption of AI and LLMs is simultaneously transforming organisations while amplifying cybersecurity risks.

Concerns around the emergence of AI agents and their privileged access underscore the urgency for targeted identity security investment.

Among APAC firms, 69% lack identity security controls for AI.

AI is expected to drive the creation of the greatest number of new identities with privileged and sensitive access in 2025.

In APAC, 46% of respondents cannot secure shadow AI usage in their organisation.

AI agent adoption roadblocks include manipulation and sensitive access concerns.

Further, fragmented identity security programs and poor environmental visibility are diminishing resilience in the face of evolving cybersecurity threats. In addition, most organisations face increased privilege-related compliance pressure.

Among APAC security professionals, 76% agree that their organisations prioritise business efficiencies over robust cybersecurity.

In APAC, 88% of organisations are under increased pressure from insurers mandating enhanced privilege controls.

Clarence Hinton, chief strategy officer at CyberArk, said the race to embed AI into environments has inadvertently created a new set of identity security risks centred around the access of unmanaged and unsecured machine identities – and the privileged access of AI agents will represent an entirely new threat vector.

“To stay resilient, CISOs and security leaders must modernise their identity security strategies to contend with a new and expanding attack surface characterised by the proliferation of identities with privileged access and made worse by damaging identity silos,” said Hinton.

Lim Teck Wee, CyberArk area VP in ASEAN, said that as AI becomes more embedded in business operations, organisations need to adopt a proactive, identity-first approach to building cyber resilience and maintaining trust.
