By NHI Mgmt Group Editorial TeamPublished 2025-10-12Domain: Governance & RiskSource: Commvault

TL;DR: Business-focused AI solutions are already in use at 73% of organisations, while 68% believe AI increases breach likelihood and 70% have received a ransomware demand, according to Commvault’s commissioned ANZ survey of 408 organisations. The pattern shows that governance, audit, and recovery discipline are lagging the pace of adoption and risk, while recovery expectations remain far ahead of operational reality.


At a glance

What this is: This Commvault-commissioned ANZ report says data sprawl, AI adoption, and recovery gaps are converging into a tougher resilience problem for regional organisations.

Why it matters: For IAM, IGA, PAM, and broader security teams, the report matters because identity, access, and recovery controls increasingly have to operate across hybrid estates, AI workflows, and cross-border regulatory pressure.

By the numbers:

👉 Read Commvault's full State of Data Readiness in ANZ report


Context

The primary issue in this ANZ report is not data growth alone, but the mismatch between expanding hybrid estates, rising AI usage, and the controls organisations say they actually have in place. When data moves across multi-cloud and hybrid environments, recovery, governance, and policy enforcement become harder to coordinate, especially when the business expects fast restoration after an incident.

The AI section sharpens that gap further. Organisations are adopting business-focused AI, but many have not completed the security audits or policy work needed to govern the data those systems create and consume. That makes the report relevant to identity practitioners because access scope, workload trust, and data recovery all depend on whether the underlying control model still matches how the environment now operates.

For ANZ security teams, this is a readiness problem that spans resilience, regulatory pressure, and operational trust. The typical posture described here is one where adoption is ahead of assurance, which is now a familiar pattern across cloud, data, and identity programmes.


Key questions

Q: How should organisations close the gap between recovery targets and actual restoration time?

A: They should test recovery as an identity, data, and service sequencing problem, not a simple infrastructure restart. That means verifying privileged access restoration, data copy availability, and application trust in the same exercise. If those dependencies are not rehearsed together, published recovery targets will stay aspirational rather than operational.

Q: Why does AI adoption create new data governance risk in hybrid environments?

A: AI tools can generate, transform, and redistribute information faster than static policy models assume. In hybrid estates, that matters because data locality, access control, and retention rules differ by platform and jurisdiction. Without pre-deployment review, organisations can approve systems whose data handling behaviour they do not fully understand.

Q: What do security teams get wrong about ransomware readiness?

A: They often focus on backup presence instead of recovery coherence. A usable recovery posture requires access revalidation, dependency ordering, and clean data copies that can be trusted after the event. If those pieces are not tested together, the organisation may have backups but still be unable to restore operations within the expected window.

Q: Who is accountable when AI policies and data resilience controls conflict?

A: Accountability usually sits across identity governance, data governance, and platform ownership, which is why it breaks down when these teams work from separate assumptions. If one team approves access while another controls retention or jurisdictional placement, the organisation needs a shared decision model before an incident forces the issue.


Technical breakdown

Hybrid cloud sprawl and the limits of recovery assumptions

Hybrid and multi-cloud data estates create more copies, more control planes, and more failure points than single-environment designs. In practice, this means recovery is no longer just a backup issue. It depends on whether access, data locality, and change coordination are aligned across environments. When 62% of organisations already operate in blended environments and that share is projected to rise, recovery planning has to account for identity paths, data movement, and policy drift at the same time.

Practical implication: map recovery dependencies across every environment where identity or data is replicated, not just where the primary workload runs.

AI governance gaps in data protection and access control

AI introduces a separate governance layer because the system can create, transform, and expose information in ways that older data policies did not anticipate. A policy deficit is not just a compliance issue. It often means the organisation has no clear answer to who can access prompts, outputs, training data, or embedded sensitive content. If security audits are not performed before deployment, the organisation inherits unknown data handling behaviour at production speed.

Practical implication: require pre-deployment review of AI data flows, access paths, and retention rules before approving production use.

Recovery time objectives that do not match operational reality

The report shows a large gap between executive expectations and restoration capability. That gap usually reflects incomplete assumptions about dependency order, privilege restoration, and service revalidation after a cyber incident. Recovery is not simply bringing systems back online. It is proving that identities, access rights, data copies, and application trust have all been restored into a coherent state.

Practical implication: test incident recovery with identity, access, and data-restoration sequencing, not just application uptime.


Threat narrative

Attacker objective: The objective is to disrupt operations, expose sensitive data, or pressure the organisation into paying through a recovery gap it cannot close quickly.

  1. Entry occurs through the combination of expanded hybrid exposure, AI adoption, and weak pre-deployment assurance, which increases the number of ways sensitive data can be reached or mishandled.
  2. Escalation follows when recovery, access, and policy controls do not line up across environments, allowing a breach or ransomware event to spread operational disruption faster than teams can contain it.
  3. Impact is measured in delayed restoration, policy failure, and business interruption, especially where leaders expect rapid recovery that the operational model cannot deliver.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Data readiness is now an identity and recovery problem, not just a storage problem. The report describes hybrid estates, AI adoption, and regulatory pressure moving at the same time, which means access control, workload trust, and restoration sequencing now sit in the same operational conversation. That is why identity teams should treat data readiness as part of the control plane, not as a downstream infrastructure concern. Practitioners need one view of who or what can reach data, where that data resides, and how quickly trust can be rebuilt after disruption.

AI governance fails first at the policy boundary. Only 29% of organisations have comprehensive policies for AI-generated data and content, which suggests the control framework is still catching up to the way AI systems create and reshape information. In identity terms, that creates unclear entitlement boundaries for humans, service accounts, and automated workflows that consume AI output. The practical conclusion is that AI governance cannot be separated from access governance once production use begins.

Recovery expectation drift: is the gap between what leaders expect and what operations can actually restore under breach conditions. When 80% of business leaders expect recovery in five days but restoration takes four weeks on average, the governance issue is not optimism. It is a planning model built on assumptions that no longer match blended, regulated, multi-environment operations. Practitioners should read that as a signal that recovery accountability must move closer to identity, data, and service ownership.

Regulatory fragmentation is forcing identity-led resilience decisions. More than a third of organisations face conflicting data regulations across geographies, while AI-specific compliance is already affecting 28% and is expected to reach 40% within a year. That combination pushes IAM, IGA, and data governance teams into shared decision-making about where data can live, who can access it, and how audit evidence will be produced. The field is moving toward policy enforcement that is geography-aware and identity-aware at the same time.

Experience is becoming the strongest governance differentiator. Breached organisations are 1.5 times more likely to review AI tools thoroughly and twice as likely to test mission-critical workloads in incident response. That is not a product lesson, it is a maturity lesson. Organisations learn resilience after failure unless they deliberately encode those lessons into identity review, data protection, and recovery exercises before the next event.

From our research:

What this signals

Recovery discipline is becoming a control-plane issue for identity programmes. When leaders expect restoration inside five days but operational reality extends to weeks, the gap lands on identity, access, and service ownership teams first. That is where privilege restoration, access recertification, and dependency ordering either shorten or extend recovery.

With 62% of organisations already operating in blended environments, the practical challenge is not cloud adoption itself but the coordination cost of enforcing policy across fragmented estates. Identity teams need to treat multi-cloud and hybrid recovery as a governance model, not just an infrastructure topology.

The next maturity step is to make AI governance and data resilience part of the same operating rhythm. That means pre-deployment review, access boundaries, and jurisdictional controls must be exercised before the incident, not after the breach.


For practitioners

  • Tie recovery planning to identity and access restoration Validate that privileged access, service accounts, and application trust are restored in the correct order after an incident, not just that systems boot successfully.
  • Audit AI data flows before production approval Review how prompts, outputs, training data, and retained content are stored, shared, and accessed, then require explicit security sign-off before live deployment.
  • Map regulatory obligations by geography and workload Document where data copies must exist, where they must not exist, and which access controls support each regulatory requirement across jurisdictions.
  • Test incident response against multi-cloud dependency chains Run recovery exercises that include data locality, identity revalidation, and cross-environment dependencies so the organisation can see where restoration time is actually lost.

Key takeaways

  • ANZ organisations are adopting AI and hybrid data models faster than they are building the governance needed to control them.
  • Recovery expectations are materially ahead of operational reality, which makes identity and data sequencing a core resilience issue.
  • Teams that want better cyber resilience need to unify access, data, and recovery governance instead of treating them as separate programmes.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0RC.RP-1Recovery planning and restoration timing are central to the report's resilience gap.
NIST SP 800-53 Rev 5CP-10Backup and recovery control families fit the report's restoration and readiness findings.
ISO/IEC 27001:2022A.5.30ICT readiness for business continuity matches the report's recovery and resilience theme.
GDPRArt.32The report's data governance and AI policy issues intersect with security of processing obligations.

Use CP-10 to validate backup recoverability and rehearse full restoration, not just data retention.


Key terms

  • Data readiness: Data readiness is the degree to which an organisation can protect, govern, restore, and use data reliably across normal operations and incident conditions. It combines resilience, policy enforcement, access control, and recovery sequencing, especially where data spans multiple cloud environments and regulated jurisdictions.
  • Recovery expectation gap: Recovery expectation gap is the distance between the time business leaders believe restoration should take and the time operations can actually deliver. It usually exposes missing dependency mapping, weak restoration testing, and identity or access steps that are not included in incident plans.
  • AI governance policy deficit: An AI governance policy deficit exists when organisations deploy AI systems without clear rules for data use, access, retention, or review. In practice, this leaves the organisation unable to control what the system reads, creates, stores, or exposes across human and machine workflows.
  • Blended data environment: A blended data environment is an operating model where data is spread across on-premises systems, private cloud, public cloud, or multiple cloud providers. That mix increases coordination complexity because identity, locality, compliance, and recovery controls must work consistently across separate platforms.

What's in the full report

Commvault's full report covers the operational detail this post intentionally leaves for the source:

  • The full ANZ survey breakdown by company count, industry context, and regional differences in readiness.
  • Detailed findings on ransomware payment behaviour, recovery time expectations, and the gap between leaders and IT teams.
  • The AI compliance section with the survey’s full policy and audit results, useful for deeper programme planning.
  • The regulatory discussion on cross-border data obligations and separate cloud copy requirements.

👉 Commvault's full report covers the regional survey data, AI compliance findings, and recovery expectation gap in detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org