TL;DR: Business-focused AI solutions are already in use at 73% of organisations, while 68% believe AI increases breach likelihood and 70% have received a ransomware demand, according to Commvault’s commissioned ANZ survey of 408 organisations. The pattern shows that governance, audit, and recovery discipline are lagging the pace of adoption and risk, while recovery expectations remain far ahead of operational reality.
NHIMG editorial — based on content published by Commvault: the fifth edition of the State of Data Readiness in ANZ report
By the numbers:
- The annual data growth rate in ANZ has marginally slowed from 28% last year to 27% this year.
- 20% admitted to paying it., anisations have received a ransomware demand, and of those, 20% admitted to paying it.
- Only 29% of companies have comprehensive policies in place to protect the data and content generated by AI solutions.
Questions worth separating out
Q: How should organisations close the gap between recovery targets and actual restoration time?
A: They should test recovery as an identity, data, and service sequencing problem, not a simple infrastructure restart.
Q: Why does AI adoption create new data governance risk in hybrid environments?
A: AI tools can generate, transform, and redistribute information faster than static policy models assume.
Q: What do security teams get wrong about ransomware readiness?
A: They often focus on backup presence instead of recovery coherence.
Practitioner guidance
- Tie recovery planning to identity and access restoration Validate that privileged access, service accounts, and application trust are restored in the correct order after an incident, not just that systems boot successfully.
- Audit AI data flows before production approval Review how prompts, outputs, training data, and retained content are stored, shared, and accessed, then require explicit security sign-off before live deployment.
- Map regulatory obligations by geography and workload Document where data copies must exist, where they must not exist, and which access controls support each regulatory requirement across jurisdictions.
What's in the full report
Commvault's full report covers the operational detail this post intentionally leaves for the source:
- The full ANZ survey breakdown by company count, industry context, and regional differences in readiness.
- Detailed findings on ransomware payment behaviour, recovery time expectations, and the gap between leaders and IT teams.
- The AI compliance section with the survey’s full policy and audit results, useful for deeper programme planning.
- The regulatory discussion on cross-border data obligations and separate cloud copy requirements.
👉 Read Commvault's full State of Data Readiness in ANZ report →
ANZ data readiness, AI risk, and recovery gaps: what should teams do?
Explore further
Data readiness is now an identity and recovery problem, not just a storage problem. The report describes hybrid estates, AI adoption, and regulatory pressure moving at the same time, which means access control, workload trust, and restoration sequencing now sit in the same operational conversation. That is why identity teams should treat data readiness as part of the control plane, not as a downstream infrastructure concern. Practitioners need one view of who or what can reach data, where that data resides, and how quickly trust can be rebuilt after disruption.
A few things that frame the scale:
- 54% of Australian and 63% of New Zealand businesses feeling unprepared, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- Another 62% of NHI tokens are exposed in the wild, being sent or stored over collaboration tools, tickets, pages, and code commits, according to The 2025 State of NHIs and Secrets in Cybersecurity.
A question worth separating out:
Q: Who is accountable when AI policies and data resilience controls conflict?
A: Accountability usually sits across identity governance, data governance, and platform ownership, which is why it breaks down when these teams work from separate assumptions. If one team approves access while another controls retention or jurisdictional placement, the organisation needs a shared decision model before an incident forces the issue.
👉 Read our full editorial: ANZ data readiness is lagging behind AI and recovery risk