AI's Double-Edged Sword: Governance Imperatives for ASEAN Enterprises

Southeast Asia is rapidly embracing Artificial Intelligence, with the promise of significant returns on investment. The Philippines, for instance, anticipates a US$92 million AI productivity dividend by 2030, driven by a 50% year-on-year growth in AI activity. However, this accelerated adoption presents a critical tension: the pace of innovation is far outstripping the maturity of governance and cybersecurity frameworks. For CIOs, CTOs, COOs, and CDOs across the region, the challenge is no longer merely deploying AI, but ensuring its secure and compliant integration to truly realise value without incurring prohibitive risks.

Source: DTI

Shadow AI and Data Leakage

The enthusiasm for AI often leads to decentralised adoption, creating a 'shadow AI' problem within enterprises. A recent AIBP survey of over 900 Southeast Asian enterprise leaders, including those in the Philippines, revealed that while 92% have deployed some form of AI, 65% of these initiatives remain stuck in proof-of-concept (POC) stages, primarily due to data security and data loss prevention (DLP) concerns. Worryingly, 89% of staff in the Philippines reportedly use unapproved IT tools, with a mere 23% recognising that inputting sensitive data, such as Know Your Customer (KYC) information, into public Large Language Models (LLMs) constitutes a violation of data privacy regulations.


This human element is a significant vulnerability; industry observations suggest that nearly 79% of PII leaks stem from employees inadvertently sharing private information with LLMs, rather than from external threat actors. This highlights a critical governance gap that exposes organisations to substantial legal and financial liabilities, with regulatory fines potentially reaching up to 3% of gross annual income in some ASEAN jurisdictions.

Read more in the 2025/26 AIBP Enterprise Innovation Market Overview here.

Legacy Security's Losing Battle

Traditional network security architectures, reliant on firewalls and VPNs, are proving inadequate against the sophisticated, AI-accelerated threats of today. These legacy systems often grant broad network access upon authentication, creating a fertile ground for lateral movement by malicious actors. What once took weeks or months for threat actors to map a network and identify critical assets can now be achieved in minutes, if not seconds. Security experts note that the mean time to a critical incident has plummeted to as little as 16 minutes.


This vulnerability is further compounded by the convergence of IT and Operational Technology (OT) environments. As critical infrastructure and manufacturing plants increasingly connect for monitoring and predictive maintenance, a breach in the IT layer can swiftly compromise OT systems, leading to severe operational disruptions, as evidenced by recent global incidents. The imperative is clear: security must evolve from a perimeter-based defence to a more granular, identity-centric model.

More insights are available in AIBP’s AI in Cyber Resilience Study here.

The Governance Imperative

Effective AI governance extends beyond mere compliance; it requires a proactive, visibility-first approach. As one industry leader aptly put it, "governance is not about control; it's about visibility. It starts with visibility because you can't govern what you can't see." This necessitates comprehensive AI/ML system registries, categorising tools (approved, exploratory, prohibited), and implementing varied access controls. For highly regulated sectors like banking, where governance maturity scores can be as low as 0.9 out of 3, embedding risk assessments into every project phase is crucial. Furthermore, AI agents themselves must be treated as 'users,' requiring their own identities and access policies. Legal and compliance functions, rather than acting as blockers, should serve as enablers, building "safer bridges" for innovation by ensuring clear accountability and human-in-the-loop checkpoints.

Rethinking Security Investment

The current landscape is characterised by significant 'tool sprawl,' with organisations often deploying an average of 47 different security tools. This complexity leads to inefficiencies, with up to 60% of operational teams' effort dedicated to managing these tools, rather than proactive threat hunting. This drives up IT costs, increases employee expenses due to the need for specialised skills for each tool, and yet, as Srinivas Kannan, Head of Value Consulting, APJ, Zscaler observed, “Organisations are spending a lot more money on security nowadays, but they are buying less security.” 




The solution lies in strategic investment: consolidating platforms, reducing reliance on outdated infrastructure-based security, and redirecting resources towards integrated, identity-centric solutions that offer a unified view and real-time protection.

What This Means for ASEAN Enterprises

Leaders may consider prioritising the establishment of comprehensive AI/ML registries and real-time monitoring systems to gain more proactive oversight of AI deployments and data flows. This shift suggests a move toward Zero Trust principles and identity-centric access management, where organisations can benefit from inspecting all traffic and ensuring access is granted based on the concept of "least privilege."

There is also an opportunity for organisations to address tool sprawl by exploring the consolidation of disparate security functions into integrated platforms. This approach often leads to more effective real-time data loss prevention and consistent protection for AI models. Alongside these technical enhancements, leaders may find value in cultivating a "human firewall" through ongoing employee education and clear internal policies, which helps naturally mitigate the risks of inadvertent data sharing.

As AI agents begin to play a more integral role in daily operations, enterprises could benefit from evolving their Identity and Access Management frameworks to recognise these agents as distinct digital entities. By assigning specific roles, granular permissions, and clear lines of accountability to autonomous agents, organisations are better positioned to manage the unique responsibilities that come with an expanding "digital labor" force.

Conclusion

The pursuit of AI-driven ROI in Southeast Asia is undeniable, but it must be tempered with a pragmatic approach to security and governance. The tension between rapid innovation and robust protection is the defining challenge for enterprise leaders. By moving beyond reactive measures and embracing proactive, identity-centric security strategies, ASEAN organisations can navigate the complexities of the AI era, unlock its full potential, and build resilient, future-ready digital foundations.

Join the Dialogue

Are you ready to transition from AI pilots to enterprise-wide decision authority? This writeup is based on discussions from the AIBP closed-door focus group workshops held on 15 April 2026. To join upcoming peer-learning sessions, visit https://www.aibp.sg/upcoming.



