Asian enterprises push into agentic AI as recovery planning lags, Commvault study finds
Commvault research finds Asian firms are increasing AI investment while identity resilience, governance and recovery planning lag behind.
Organisations across Asia are increasing AI investment and deploying agentic AI, but many have yet to update their cyber resilience, governance and recovery planning for more autonomous systems, according to new research commissioned by Commvault and conducted by Omdia.
The State of Data Resilience Asia 2026 report surveyed 1,234 organisations across Singapore, Indonesia, Hong Kong, Korea, Malaysia, Thailand, Vietnam and the Philippines. It found that nearly all organisations in Asia plan to increase AI investment in 2026, while more than one third are already trialling or deploying agentic AI across IT, cybersecurity and business operations.
Indonesia, Thailand and Hong Kong were identified as regional leaders in agentic AI adoption, with organisations using AI across cybersecurity, data protection and business operations. The report also cited a projection that Asia Pacific AI spending will reach US$175 billion by 2028.
Non-human identities create a new resilience gap
The report points to a gap between how quickly organisations are adding AI-driven systems and how slowly resilience planning is adapting. As companies deploy more AI agents, machine accounts, applications, APIs and automated workflows, more non-human identities are gaining access to critical systems.
Machine identities now outnumber human identities globally by as much as 82 to 1, according to the report. Yet most cyber resilience strategies remain focused on human users.
Across the organisations surveyed, 73% have included human identities in cyber resilience planning, but only 34% have done the same for non-human identities. The gap is wider in Korea, Hong Kong and Malaysia, where the figures are 22%, 23% and 28%, respectively.
This creates an operational problem for enterprises adopting agentic AI. If autonomous systems can access data, applications and workflows, resilience planning has to account for how those systems are secured, monitored and recovered when something goes wrong.
AI governance is still uneven
The research also found that AI governance is not keeping pace with deployment. Only 42% of organisations conducted comprehensive security, governance and compliance reviews before deploying AI, leaving fewer than half confident that they can detect compromised or non-compliant AI systems.
That weakness becomes more serious as AI moves into IT, cybersecurity and business operations. In these environments, a compromised or poorly governed AI system may affect access control, incident response, data protection or operational workflows.
“Asia’s AI ambition is undeniable,” said Martin Creighan, Vice President, Asia Pacific, Commvault. “But as autonomous systems become part of how organisations operate, resilience can no longer sit on the sidelines. Organisations need a new posture entirely, one where recovery isn’t a backup plan, but how the modern business runs.”
The report found that 78% of organisations said agentic AI is increasing the complexity of identity management and resilience operations. For security and IT leaders, that makes AI adoption a recovery and continuity issue as much as a deployment or productivity decision.
Recovery expectations remain far from reality
The study also shows that many organisations are overestimating how quickly they can recover from a cyber incident.
For the third consecutive year, Commvault’s research found a gap between expected and actual recovery times across Asia. Business leaders expect operations to resume within five days of a cyber incident, but the average recovery time remains 28 days.
Only 23% of organisations said they were able to maintain operations without disruption during an incident. Most were forced to operate in a degraded or limited state.
“AI is collapsing the gap between exposure and impact,” commented Gareth Russell, Field CTO, Security, Asia Pacific, Commvault. “When attack surfaces can be mapped overnight and vulnerabilities emerge faster than organisations can respond, the question isn’t whether organisations get hit. It’s whether they can continue operating when they do.”
The survey was conducted by TRA, now part of Omdia, and covered CIOs, CISOs, IT leaders, IT decision makers and direct reports across the eight Asian markets.





