BeyondTrust focused on driving identity security for organizations in Asia

With 98% of cyberattacks last year involving an identity component, the need to treat identity management risks is imperative for organizations, says Morey J. Haber, Chief Security Advisor at BeyondTrust.

Agentic AI will become the ultimate attack vector in 2026 as rushed deployments and limited oversight could create new vulnerabilities. This was among the cybersecurity predictions revealed by BeyondTrust for 2026. The global identity security vendor also predicts that a growing number of individuals and organizations will opt out of AI usage altogether, citing privacy, ethics, and environmental concerns.

Known as the “AI Veganism” movement, this change could push companies toward greater transparency and “opt-out” options in AI-driven products and workflows. With privacy remaining the biggest concern in AI, BeyondTrust also believes governments will begin taxing or restricting digital services provided across borders, to create “digital tariffs” that drive regional innovation and alter global data flows.

However, as data continues to increase, businesses are leveraging both on-premises infrastructure and the cloud to run their AI workloads. This hybrid multi-cloud infrastructure is where Morey J. Haber, Chief Security Advisor at BeyondTrust believes challenges will come from.

According to Haber, while these are global predictions, the APAC region could pretty much be at the core of it. While there is still a lot big migrations to the cloud, both regionally and globally, Haber believes that organizations remain challenged in really understanding what identity risk looks like across that new hybrid multi-cloud infrastructure.

“A lot of the businesses that we're speaking to on this cloud journey are really trying to understand how to contain and control identity as they look to expand very rapidly? So, that is the identity risks associated with expanding into cloud and some of the misconfigurations they might have in those IDPs. Customers onboarding are also looking at agentic AI and the challenges around that and the risks around utilizing that. As such, a lot of these big digital transformation projects are driving a big need around privileged access and identity security,” said Haber.

Is sovereign AI the answer?

For Haber, sovereign AI is becoming increasingly a priority in the APAC region. This means that AI workloads are now kept on premises and are not connected to the cloud. But Haber feels this can be a challenge as well.

“The truth is, computational power doesn't exist yet, nor does the vast array of training data. So, while you can train sovereign AI on your own data sets, the results are always going to be limited to what you know and only you know. At the same time, if you're doing it solely on-premises, you'd be the first to know if an AI is not going to help you. So, that distinction has been quite interesting because the region does have a lot of on-premises technology,” explained Haber.

Haber believes technologies in the region will see faster adoption as companies will want to remain competitive. For Haber, sovereign AI is going to be something that is going to be coming a year or two later, with comparable AI technology in the cloud being available on-premises. This is because some organizations are not willing to go to the cloud, or they're not willing for it to leave their geopolitical borders.

“I think that's something that, as prediction, the vendors in the space will have to address. It doesn't negate the need for AI. In fact, it just helps grow it in a different form,” said Haber.

The APAC challenge

Breaking down the challenges in the region, Haber pointed out that it often varies from country to country. For example, in the Philippines, there is lots of rapid digital transformation with lots of hybrid on-prem infrastructure and the challenges are with stuff that sits on-prem today which requires lots of legacy care. On the other hand, in Singapore, the market is further along in terms of maturity.

“Therea are a few topics that we are talking about in particular. First is identity risk. A lot of businesses just don't know where that risk sits today and how to quantify it. So that tends to be CIO, CISO level, just getting a grasp on where to have the identity risk. Next is supply chain risk which is still a really big challenge across Asia, we see. There are lots of third parties being relied on to provide services and manage services and need access to on-premises infrastructure, resources in the cloud,” he explained.

Apart from that, Haber also highlighted the need for proliferation of cloud native applications whereby organizations struggle with controlling entitlements within those and getting closer to that side of things.

“Privileged Access Management (PAM), traditional privileged access management, everybody's kind of doing it in some form or another. Some have just done the very basic password manager type solutions. Some are a little bit more down the road in terms of maturity. But the bigger topics are now around that identity piece. We're seeing a lot of focus there,” he said.

For example, having visibility on identities. Are they behaving how they should be? Is a machine behaving like a human or a human behaving like a machine? Are there dormant accounts that have been turned on?

“That's what a modern vulnerability or risk management program looks like. That's what we're doing with new products. And the recommendations almost always are those privileged accounts that can be exploited based on these identities. Why aren't they secure? And we give a person or organization a way to basically mitigate that risk,” said Haber.

At the end of the day, this is a really big part of helping organizations understand the risks that are there.

“So, we've entered into a lot of conversations, and a customer might have a vision on what they want to do next and what the roadmap might be. But often we've missed some really key parts of their organization or misconfiguration in an IDP that should actually take precedent. So, we're able to help customers uncover some of these threats they didn't know existed before and allow them to sort of change their course and their direction to address high-risk items first,” he added.

Understanding identity security

According to Haber, 98% of attacks last year had an identity component to it. Hence, the need to treat identity and its management as a risk is imperative for organizations.

“When you think of IAM, you think of single sign-on, MFA, access management, PAM, everything. All of that is called identity fabric, everything that plumbs together. So, organizations need to think about the risks of all of their identity providers and how identity accounts are created to join, remove, or leave a process and what's the risks if they don't follow it strictly,” explained Haber.

For example, an employee that has changed roles five times still has access to payroll. Something as simple as this would normally be considered an IGA function, but it has an inherent risk because now an insider has access to things they shouldn't.

“Organizations need to treat identity as a potential risk and manage those risks. We can handle it from a privilege standpoint, and then that discovery and recommendation is based on runtime,” he added.

However, organizations can also be challenged to pick the right cybersecurity vendor to help them with this. Haber pointed out that there is often a confusion of IAM and PAM or access management.

“IAM is like a big house. Inside the house, you have single sign-on, you have MFA, you have IGA, you have PAM. What you need to do is find vendors who are your own technology. That basically brings those closest together. So, PAM actually has nine different disciplines underneath it. Single sign-on has multiple, including customer and employee. So if you were going to say, I'm going to have a different SSO for customers and employees, you're not helping yourself. You'd probably be best going off with something like Okta. So for all the buckets, you'd find the vendor that meets or something that you have and that integrates together with partnerships,” explained Haber.

Haber also pointed out that not all vendors play with Okta because they compete with Okta. Also, not all vendors work well with Microsoft if you're a pure Microsoft shop. So, Haber recommends organizations to find their alignment based on what they have and the vendors that have partnerships and integration. That would be the route to go.

“Now, there's only one or two vendors that cover all of IAM. They're like the RSAs of the world and the MACPs of the world. You're not getting best of breed anymore. You're getting that checkbox. So, you need to be aware that, yes, they may have this piece, but is it the best, strongest technology for you? And that's a risk that someone will have to sign off on,” he said.

The role of partners

Knowing which solution works best eventually goes down to working with the right partner. Haber highlighted that partners are key as they would ultimately be the ones that bring it all together.

“We can do our bit very well and we can recommend on these are the tools and technologies and workflows that go very well, but ultimately the partner is someone who's going to bring that all together. They'll know the integrations. They'll know the business workflows. They'll know any custom APIs. For example, everybody integrates with ServiceNow, but everybody integrates with different ways. You're allowed to launch a session directly from ServiceNow for our products. The others don't have that integration,” he said.

For Haber, as partners know the integration, organizations need to make the best workflow for the client.