Why is AI the top data security risk in Asia Pacific?

Thales' 2026 Data Threat Report finds that 71% of organizations in Asia Pacific now see AI as their top data security risk.

AI is quickly becoming one of the biggest security concerns for businesses in Asia Pacific. The Thales 2026 Data Threat Report, based on research by S&P Global 451 Research, shows that 71% of organizations in the region now see AI as their top data security risk. The concern goes beyond criminals using AI. It also focuses on how much access companies are giving these systems as they become part of daily operations.

Across sectors such as automotive, energy, finance, and retail, AI is now built into workflows, analytics, customer service, and development. As a result, many AI systems have broad and automated access to company data. In some cases, the controls around them are weaker than those applied to human employees.

Sebastien Cano, Senior Vice President of Cybersecurity Products at Thales, says insider risk is no longer just about people. It also involves automated systems that may have been trusted too quickly. When identity governance, access policies, or encryption are weak, he warns that AI can amplify those weaknesses across corporate systems far faster than any human could.

Gaps in data visibility

The speed of adoption is adding pressure. Andy Zollo, Senior Vice President for Application & Data Security (APJ) at Thales, says organizations across Asia Pacific are embedding AI into operations at a rapid pace. While that momentum can drive growth, he notes that protection is not keeping up. Credential theft and human error still sit at the center of most breaches.

For leaders in 2026, he argues, the challenge is not just adopting AI, but gaining clear visibility into where data lives and how identities are being used. As he puts it, you cannot secure what you cannot see, and in an AI-driven environment, that lack of visibility is a risk businesses cannot afford.

The report highlights a gap between AI expansion and basic data control. Only 35% of organizations in Asia Pacific say they know where all their data is stored. Just 40% can fully classify it. At the same time, 47% of sensitive cloud data remains unencrypted. Visibility is even lower in Singapore, New Zealand, and South Korea, where fewer than three in ten organizations report complete awareness of their data locations.

This lack of clarity makes it harder to enforce least-privilege access, meaning users and systems receive only the access they truly need. If credentials are stolen, overly broad permissions can widen the damage.

Identity systems have become a prime target. Nearly 70% of organizations in the region cite credential theft as the main attack method against cloud management infrastructure, slightly higher than the global average. Hong Kong shows a different pattern. There, fewer organizations report credential theft, while 67% point to weaknesses linked to third parties, including external code and APIs.

Managing machine identities is also becoming more complex. Forty-two percent of respondents rank secrets management among their top application security challenges, reflecting the difficulty of controlling API keys, tokens, and other machine credentials at scale.

AI is strengthening attack tactics

Attackers are also adopting AI. Close to 60% of companies in Asia Pacific report facing deepfake-driven attacks. Half say they have suffered reputational harm tied to AI-generated misinformation or impersonation campaigns. India reports higher exposure, with 65% experiencing deepfake attacks and 55% reporting reputational damage.

Human error continues to play a major role, contributing to 30% of breaches in the region. With automation layered on top, small mistakes can spread faster and affect more systems.

Some organizations are adjusting their budgets. Around 31% in Asia Pacific now set aside dedicated funding for AI security, with Singapore and Hong Kong reporting higher levels of targeted spending. Yet 51% still depend largely on traditional security programs designed for human users and perimeter defenses, even as machines take on more active roles.

Eric Hanselman, Chief Analyst at S&P Global 451 Research, says that as AI becomes deeply embedded in enterprise operations, continuous data visibility and protection are no longer optional. In his view, companies must treat data security strategy as foundational to innovation, not something separate from it.

AI is not replacing older threats. It is accelerating them by increasing their speed and scale. As machines gain more autonomy and broader access to data, companies may need to rethink identity controls, encryption, and visibility as core systems rather than secondary safeguards. Organizations that build stronger governance into their AI strategies are more likely to reduce the risk of turning automated systems into their newest insider threat.