By NHI Mgmt Group Editorial TeamPublished 2025-10-20Domain: Governance & RiskSource: Commvault

TL;DR: A survey of 1,218 organisations across eight Asian markets found 40% average data growth, 63% multi-cloud or hybrid adoption, and 73% of respondents saying AI increases breach risk, according to Commvault and Tech Research Asia. Recovery confidence, regulatory consistency, and AI governance are now the real resilience tests.


At a glance

What this is: This report finds that Asian organisations are expanding data, cloud, and AI usage faster than their recovery and governance capabilities can keep pace.

Why it matters: It matters because identity, access, and recovery controls increasingly need to account for sprawling data, machine-driven workloads, and AI-related exposure across operational environments.

By the numbers:

👉 Read Commvault's report on data readiness, AI risk, and recovery in Asia


Context

Asia’s data readiness problem is not just about storage volume. It is a governance problem shaped by faster data growth, broader cloud adoption, more AI use, and more fragmented regulatory obligations than many operating models were built to handle.

For identity teams, the important question is whether access, recovery, and audit controls still work when data is distributed across multi-cloud estates, AI tools are entering production faster than policy, and recovery expectations are diverging from actual restoration capability. That mismatch is now a programme risk, not a technology detail.


Key questions

Q: How should organisations govern AI tools that touch sensitive data?

A: Treat AI tools as governed data pathways, not as isolated applications. Define what data they may ingest, generate, store, and forward, then align those rules with access approvals, logging, retention, and recovery ownership. If the organisation cannot show where AI-connected data travels, it cannot credibly say it controls exposure.

Q: Why do multi-cloud environments make recovery harder?

A: Multi-cloud environments fragment backup, access, and restoration authority across different control planes. That means recovery depends on consistent identity and policy enforcement, not just on having copies of the data. When permissions, approvals, or ownership differ by platform, recovery time stretches and evidence becomes harder to prove.

Q: What do security teams get wrong about AI risk?

A: Teams often focus on model behaviour while underestimating the governance around data access, storage, and onward sharing. The bigger issue is whether AI tools have been placed inside a clear entitlement model. Without that, the organisation creates a new data channel before it creates the controls to supervise it.

Q: Who should own recovery readiness in a hybrid cloud programme?

A: Recovery readiness should be shared across infrastructure, IAM, security, and resilience owners, because restoration depends on access rights as much as on backups. The right question is not who owns the backup, but who can actually restore data, validate integrity, and prove the result under incident conditions.


Technical breakdown

Why multi-cloud data estates weaken recovery assumptions

When organisations spread data across hybrid and multi-cloud environments, recovery becomes a coordination problem rather than a storage problem. Access paths, backup dependencies, retention rules, and restoration permissions often sit in different control planes. That makes recovery planning dependent on consistent identity, privilege, and policy enforcement across domains. In practice, the more fragmented the estate, the easier it is for one weak link to disrupt restoration, delay forensic access, or leave protected data unrecoverable after an incident.

Practical implication: map recovery authority, not just backup location, across every cloud and platform in scope.

AI adoption changes the data protection boundary

Business AI introduces new pathways for data exposure because sensitive content can be copied into prompts, outputs, logs, and connected workflows. The risk is not only model misuse, but also governance drift around what data AI tools can access, where generated content is stored, and which identities can move that data onward. If policies do not explicitly cover AI-generated data and AI-connected access, the organisation can expand exposure faster than it expands oversight.

Practical implication: treat AI tools as data-handling systems with explicit access and retention controls, not as side utilities.

Regulatory conflict turns governance into a mapping exercise

When organisations face different data rules across geographies, the problem is rarely a lack of policy language. The real issue is translating competing obligations into control requirements that can be applied consistently to identities, workloads, and data locations. Without that translation layer, teams end up with overlapping or contradictory approval paths, uneven audit evidence, and control gaps that only appear during incidents or regulatory review.

Practical implication: create a control mapping that ties regulatory obligations to specific identity, data, and recovery processes.


Threat narrative

Attacker objective: The objective is to steal data, disrupt recovery, or force operational and financial pressure after an incident.

  1. Entry occurs when attackers exploit complex cloud and AI-connected environments to reach data, backup, or recovery systems through exposed identities or weak governance boundaries.
  2. Escalation follows when broad platform access, inconsistent policies, or poorly controlled AI-connected workflows let the attacker move from one data domain to another.
  3. Impact is data exfiltration, failed restoration, prolonged downtime, or ransom pressure that exposes the gap between expected recovery and actual capability.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Recovery confidence is now an identity and governance problem, not a backup problem. The report shows a wide gap between what leaders expect after an incident and what organisations can actually restore. That gap usually appears when access, ownership, and recovery permissions are not governed as tightly as the data itself. The implication is that resilience programmes must treat restoration authority as part of the identity model, not as a separate ops concern.

AI governance fails first at the data boundary, then at the control boundary. The report’s AI findings point to a familiar pattern: organisations adopt AI before they have fully defined what the tool may access, store, generate, or share. That creates a governance blind spot where AI becomes a new data pathway without a matching entitlement model. This is exactly where identity, data handling, and audit evidence need to converge.

Conflicting regulation is forcing control harmonisation across identities and workloads. When more than one jurisdiction applies, policy text alone is not enough. Teams need a consistent way to map requirements to access controls, retention rules, and recovery evidence across cloud estates and AI tools. The discipline is shifting from writing policy to proving control alignment, and practitioners should expect that pressure to keep rising.

Data readiness is becoming a proxy for non-human identity maturity. As data estates expand, the identities that move, store, transform, and recover that data become more numerous and more consequential. Service accounts, workload credentials, and AI-connected access paths now sit inside the same operational trust chain as human access. The practical conclusion is that data resilience cannot outpace identity governance; it can only reflect it.

Identity blast radius: the organisation now inherits risk through every connected workload and AI path. That blast radius expands when data growth, cloud sprawl, and weak approval discipline all coexist. The report suggests the field is moving toward more interdependent control models, where recovery, audit, and data governance can no longer be managed independently. Practitioners should plan for shared control ownership across IAM, security, and resilience teams.

From our research:

What this signals

Identity ownership will increasingly be measured by restoration outcomes. As data estates spread across hybrid and multi-cloud environments, resilience teams will need to prove that recovery permissions, not just backups, are usable under pressure. The organisations that can map those permissions cleanly will be better placed to survive incidents without improvising access during a crisis.

AI governance will be judged by data-path control, not policy volume. The report suggests many organisations already know AI adds risk, yet still deploy before completing security audits or defining data handling rules. That gap will push practitioners toward tighter entitlement mapping for AI-connected workflows, especially where human and non-human identities share the same data paths.

With 91% of former employee tokens remaining active after offboarding, according to The 2025 State of NHIs and Secrets in Cybersecurity, lifecycle discipline is becoming a resilience prerequisite rather than an admin task.


For practitioners

  • Reconcile recovery authority with identity ownership Document who can restore, decrypt, or rehydrate each critical dataset across cloud platforms, and verify that those permissions are reviewed alongside service account and workload access.
  • Inventory AI-connected data paths Track where business AI tools ingest, generate, store, and forward sensitive data, including logs and downstream workflow systems, so access boundaries reflect actual data movement.
  • Map regulatory obligations to specific controls Translate cross-border requirements into concrete rules for access, retention, evidence, and recovery, then assign each control to an accountable owner.
  • Test restoration under access constraints Run recovery exercises that include least-privilege restrictions, privileged account unavailability, and delayed approvals so the team sees whether recovery still works under realistic governance conditions.
  • Separate confidence from capability metrics Report both expected and actual recovery times, plus successful restoration rates, so leadership can see whether resilience claims match operational reality.

Key takeaways

  • Asia’s data, cloud, and AI growth is outrunning the governance models meant to protect and recover it.
  • The scale of the problem is already visible in recovery gaps, regulatory conflict, and weak AI due diligence.
  • Identity-led control mapping is the practical way to connect resilience promises to operational reality.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0RC.RP-1Recovery planning and execution are central to the report's resilience gap.
NIST SP 800-53 Rev 5CP-10CP-10 covers system recovery and fits the report's restoration concerns.
NIST Zero Trust (SP 800-207)Multi-cloud and AI-connected access benefit from explicit trust boundaries.
GDPRArt.32Cross-border data handling and breach recovery touch security of processing obligations.

Align recovery testing to RC.RP-1 and validate that restoration works under real access constraints.


Key terms

  • Recovery authority: Recovery authority is the ability to restore data, systems, or services after an incident. In identity terms, it is the set of permissions, approvals, and ownership rules that determine who can execute restoration and prove it was completed correctly.
  • Data-path governance: Data-path governance is the control of how data moves, changes form, and is retained across applications, clouds, and AI tools. It matters because exposure often happens in transit between systems, not only where data is originally stored.
  • Identity blast radius: Identity blast radius is the amount of systems and data that can be reached if an identity is misused or compromised. The wider the blast radius, the more quickly a single access failure becomes a business-wide recovery and containment problem.

What's in the full report

Commvault's full report covers the operational detail this post intentionally leaves for the source:

  • Country-by-country survey breakdowns across Indonesia, Hong Kong, Korea, Malaysia, Philippines, Singapore, Thailand, and Vietnam
  • Detailed recovery benchmarks showing where organisations think they stand versus how long restoration actually takes
  • Comparative findings on breach experience, ransom payment behaviour, and AI risk perception
  • The underlying survey methodology and respondent profile behind the 1,218-company dataset

👉 The full Commvault report includes country-level findings, recovery benchmarks, and survey methodology.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity, security, or governance programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org