Trust on the line: how the integrity question looks across sectors in Southeast Asia

At the same retreat, a different room worked through the trust agenda for AI. The conversation moved fast through familiar terrain. Integrity, security, hallucination, governance, RACI. The conceptual ground on these is now well-developed; the published frameworks have caught up. What the room added was not the framework. It was the cross-sector view. Leaders from banking, healthcare, manufacturing, infrastructure, and digital services were working through the integrity question side by side. Each sector arrived at a different version of the answer, and the value of the conversation was being able to see those differences against each other in real time.

The retreat's opening had set the frame: the decisions enterprise leaders are making in 2026 are trade-offs by nature. Trust is among the more expensive of those trade-offs, and the room's contribution was sharpening the question of what kind of trust is being paid for, by which sector, and against which alternative.

Three integrity questions, not one

The room separated three questions that look adjacent but require different controls and different owners.

The first is decision rights. Who decides what data is correct? In some sectors this is an entry-standardisation problem: deciding which version of customer or product data is the version of record. In healthcare, it is a clinical adjudication problem: deciding which clinical reading is correct when sources disagree. In manufacturing and infrastructure, it is a sensor-versus-ground-truth problem: deciding whether to trust the sensor reading or the physical inspection. The answers are sector-specific. The need for someone to be accountable for the answer is universal.

The second is provenance. How does an enterprise trust the data that drives an agent? The view expressed in the room was that an enterprise should not assume internal data is trustworthy by default. Trust is established through the way the data is processed, ideally with a third party providing attestation that the processing meets defined standards. Provenance, in this framing, becomes something the enterprise contracts for and can evidence, rather than something it asserts to itself.

The third is extraction without compromise. The principle here is that insight extracted at the cost of the trust that produced the data is a single use of trust capital that cannot be repeated. In a healthcare context, this manifests in the requirement for differential privacy and patient consent loops, because patient trust is the precondition for the data existing in the first place. The principle generalises across sectors. Any enterprise that uses customer or employee data to produce insight depends on the trust of those customers or employees being preserved as a condition of the data continuing to be available.

These three questions require three different controls. Standardisation, attestation, and privacy engineering are not the same investment. An enterprise that needs all three has to fund all three.

The steward function gap

A clear RACI across Legal, Audit, Compliance, and InfoSec was treated as a precondition by several leaders. It is necessary. It is also insufficient. Integrity, as a function, sits awkwardly across all four, and the room kept returning to the same gap.

Few enterprises have yet hired anyone specifically accountable for data integrity at the enterprise level. The situation, as it was put in the room, is one of stewards in name rather than stewards in budget: the role exists in the org chart or in policy documents but is not resourced as a real function with people, time, and authority.

The hypothesised consequence is that when integrity is not owned at the enterprise level, agents tend to inherit the integrity practices of whichever team last touched the data they use. This produces an integrity posture that varies team by team, which makes it difficult to give a consistent answer when a regulator, a customer, or an internal audit asks how data quality is managed across the enterprise.

Why sector divergence matters

The integrity needs differ enough by sector to capture them in their own terms.

Healthcare needs differential privacy and patient consent loops. Banking needs third-party provenance certification and audit trails that hold against regulators on more than one continent. Manufacturing needs sensor data quality moderation and, in some cases, physical-world ground truth before any model output is trusted. Infrastructure groups need operational technology and information technology data converging in real time, with quality requirements on both.

These are not variants of one framework. They are several frameworks, and an enterprise operating across more than one sector needs more than one. The cross-sector exchange was useful in two directions. For a CIO running a single-sector business, hearing the adjacent sectors' answers gave peripheral vision. The pressures inside one sector are clearer when set against the others. For a conglomerate CIO accountable for several arms at once, hearing each sector's answer in the same conversation is the operating reality of the group.

A related thread surfaced in the room: in enterprises with significant legacy systems, the legacy system itself is often the integrity bottleneck. Modernising legacy systems is a multi-year programme. Operating without modernising forces the enterprise to address integrity issues at the agent layer instead, which is more expensive because every agent has to compensate for limitations of the underlying system.

Principle or rules

A regulatory dispute ran through the second half of the conversation. One view argued for principle-based regulation: adaptable, capable of moving with the technology, but costly to operate because it requires the enterprise to build internal interpretation capability that translates principle into operational practice. The other argued for rules-based regulation: prescriptive, defensible against audit, but costly in speed because the rulebook lags the technology and the enterprise that operates only inside the rulebook moves slower than the underlying capability allows.

Both positions were articulated with conviction. ASEAN enterprises are likely to land in different places on this question, and conglomerates with diverse business lines may need to land in more than one place at once, inside their own governance, not only outside it. The choice is operational, not philosophical.

What This Means for ASEAN Enterprises

The starting point for governance is the structure of the enterprise, not a generic framework. A single-sector business needs one integrity protocol that holds across the business. A multi-sector group needs several, held coherently together. A framework chosen without reference to the structure tends to fail in at least one of the business lines that has to live with it.

An integrity steward, separate from InfoSec, is the function that converts integrity from policy text into operational practice. The steward's accountability covers what data is correct, where it came from, and what insight can be extracted without compromising trust. A policy without an owner is documentation; named accountability is the difference.

Third-party data provenance certification is best treated as a strategic procurement requirement rather than as a compliance checkbox. Trust established through attestation is one of the few integrity capabilities that transfers cleanly across sectors and across business lines.

Regulatory posture, principle-based or rules-based, is best decided deliberately, with the interpretation function resourced to translate the choice into operational practice. The cost of the choice is paid internally, not only externally, and conglomerates may have to fund interpretation capability for more than one regime at the same time.

Cross-sector forums are part of the integrity infrastructure, not adjacent to it. The integrity answers in healthcare, banking, manufacturing, and infrastructure are not interchangeable, but they sharpen each other when set against each other. Forums that bring senior leaders across sectors together are how the answers get pressure-tested before they are committed in procurement, in hiring, and in regulatory submission.

The retreat did not deliver an integrity framework, and that was not the purpose. It surfaced that the integrity question is hardest to answer where Southeast Asian enterprise actually lives: across sectors, across business lines, and across legacy systems that pre-date the agentic era. The frameworks the room had read were not wrong. They were sector-neutral, and the lived problem is sector-specific. The work that closes that gap is the work of hearing each other's answers and sharpening one's own.

A companion piece, Where autonomy belongs, looks at how Southeast Asian enterprises are deciding when and where to deploy AI agents at all. Where this piece asks how integrity should be governed, the companion asks who decides what an agent is allowed to do, and what an agent is actually worth once it is running.

