Securing AI in Indonesia: Inside the Enterprise Cybersecurity Response

NetworkingIndonesiaData & AICybersecurity
Written By Aizat Sultan

TLDR:

  • AI adoption across ASEAN enterprises is accelerating faster than governance frameworks can adapt.

  • Indonesia’s Personal Data Protection Law (PDP) sharpens accountability even as AI-specific regulation remains limited.

  • The structural risk in AI in Indonesia is fragmentation of tools, oversight and responsibility 

  • Identity and machine-level monitoring are becoming central control surfaces for AI enterprise security. 

  • Digital trust must scale at the same speed as AI deployment.

Cyber risk in Indonesia is no longer peripheral. It is operational, persistent, and increasingly tied to AI risk across enterprise systems. AIBP’s 2025 Cyber Resilience in ASEAN 52 percent of organisations plan to increase cybersecurity in Indonesia and across the region, with budgets set to rise in the next 12 months, reflecting heightened executive attention to resilience. At the same time, persistent exposure across cloud environments, identity management and monitoring discipline continues to shape enterprise risk profiles.

These dynamics were examined during a luncheon in Jakarta, supported by Zscaler and held as part of the AIBP Executive Briefing 2025 to 2026 Insights, AI and Data, and Cyber Resilience, where it was clear that AI in Indonesia is embedded in daily enterprise workflows and governance models must adapt at pace.

The issue is whether AI can scale without increasing operational or compliance risk. Security design and identity governance will determine the outcome.

Machine Speed Risk: How AI in Indonesia Is Reshaping Cyber Threats 

AI in Indonesia is altering operating velocity across enterprises. It increases productivity, but it also compresses detection windows and expands attack surfaces, a growing AI risk for enterprise environments. Defensive models designed for slower environments are under pressure as AI for security has not yet caught up with the pace of automation embedded across enterprise systems 

Brad Lee, Managing Director ASEAN Region, Zscaler, captured this shift directly: “we are not fighting with a human being. We're fighting with the machine.”

Enterprises are observing similar pressure internally. Isa Falaq Albashar, Dept Head SOC, Bank Negara Indonesia, reflected on how defensive assumptions must evolve: “We should also consider the possibility of a breach. Once we have established our parameters, configured the firewalls, and updated our signatures, we must ensure that attackers can be detected if they manage to penetrate our system. So we need to create rules to detect any anomalies in our system.

Acceleration reshapes exposure. Security controls must therefore operate continuously rather than reactively.

From Policy to Architecture: Governing Cybersecurity in Indonesia

As AI moves from pilot environments into production systems, AI governance is shifting from advisory policy to enforced architecture. Visibility is foundational, but structure determines consistency.

Felix Lam, Head of Solution Engineering (ASEAN), Zscaler, emphasised the starting point: “Everyone agrees that the first step is to have visibility, because you can't see, you can't control what you cannot see.”

Enterprises are pairing visibility with structural containment. Danny Natalies, Head of Corporate Information Technology and System, Kalbe Farma, described IT governance in Indonesia as a business risk discipline rather than a standalone compliance function.  Operating across e commerce, telemedicine and laboratory services, the organisation treats employee data with the same safeguards as customer data and consolidates data governance within a single entity to contain exposure across business lines.

At the implementation layer, Reza Setiadi, Head of SRE, DANA, explained how this translates into system control: “We ensure every AI tool, or every productivity AI tool that we are using, is enterprise-ready. What we mean by enterprise is that we need to ensure that every prompt, every response or result generated by the AI, is never stored by the provider… we govern all the models… So we call it the AI gateway.”

Embedding AI governance framework into architecture reduces reliance on post deployment oversight and strengthens auditability under PDP law Indonesia obligations.

Regulatory Ambiguity, Enterprise Responsibility

Indonesia's PDP establishes accountability for personal data management, forming a key pillar of cybersecurity in Indonesia. However, AI specific governance standards and personal data protection frameworks remain less defined. Enterprises are therefore building internal AI risk management frameworks while regulation evolves.

Mohamad Diaz Permana, AI Governance Team Leader, Bank Rakyat Indonesia, described how institutions look beyond domestic regulation when shaping standards: “The common issue in banking is that we don’t have any regulation specific to AI, so we tend to look externally for guidance. We get references from other countries … basically how we can develop AI in a way that is safe, fair and responsible, and how we can use AI tools like Copilot and GPT, but in a safe and secure way.”

Governance, in this context, becomes an internal operating discipline rather than a compliance afterthought.

Identity as the New Control Surface: Zero Trust Security in Enterprise AI

As AI integrates deeper into enterprise environments, identity becomes central to control, both human and machine.

Srinivas Kannan, Business Value Consulting, Zscaler, articulated the zero trust security architectural principle: “We want to move towards what we call as zero trust, which means any interaction, anything and everything to do with users and the data, you do not have any trust towards it, and you have to verify every aspect of it.”

Enterprises are observing how AI threat focus extends beyond user credentials.  Raditio Ghifiardi, Vice President Head of IT Security Strategy and Architecture, Indosat Ooredoo Hutchison, noted the growing risk surface: “The threat actors try to focus on identity. They try to go to the machines that we are less concerned about. We are concerned about user access. But they also try to attack machine identities. Then the service accounts, because service accounts have less attention. So first, we must monitor, and then we can control it.”

Monitoring through zero trust network access therefore extends to service accounts, machine credentials and automated processes that historically received less scrutiny.

Governance as Operating Discipline

Embedding governance at the start of development reduces downstream risk and strengthens operational stability.

Mohammad Ramadlan, AVP Security Architecture Manager at Superbank, described how this discipline is institutionalised: “We align with governance first. We set everything up from a governance perspective, including defining red lines. We also refer to the circular issued by OJK, and then we build our standards for AI accordingly.”

Where AI governance is architectural, enforced and identity driven across SOC AI functions, resilience improves.

Digital trust, in this environment, is the outcome of design decisions.

What This Means for AI in Indonesia and ASEAN Enterprises

Senior leaders should prioritise five structural decisions:

  • Centralise AI enterprise model access rather than allowing distributed experimentation. 

  • Embed PDP accountability directly into AI workflows and data governance.

  • Integrate AI risk management into development pipelines before deployment. 

  • Shift from perimeter based security to zero trust security and anomaly based monitoring. 

  • Consolidate governance across subsidiaries to reduce structural fragmentation.

These are architectural decisions, not incremental controls.

Do you have an interesting cybersecurity project that utilizes innovative digital tools or technologies? We want to hear about it! Nominate your project for our upcoming awards here.

About ASEAN Innovation Business Platform (AIBP)

Since its inception in 2012, ASEAN Innovation Business Platform (AIBP) is an initiative focused on enabling innovation and strategic partnerships across public and private organisations in Southeast Asia. Through curated engagement activities, AIBP supports the growth of regional government agencies, enterprises and solution providers in navigating key themes such as innovation, digital transformation, and sustainability.


Learn more at www.aibp.sg 

Aizat Sultan
Previous

Digital Transformation Indonesia: Sustainability, Trust, and Talent
Next

AI Is Scaling Faster Than It Can Be Secured: Cybersecurity Indonesia's Enterprises Are Fixing First