Most firms overestimate AI governance as privacy risks surge


Techday NZ, 7 days ago

Kiteworks has released its AI Data Security and Compliance Risk Survey, highlighting gaps between AI adoption and governance maturity in the Asia-Pacific (APAC) region and globally.
The survey, based on responses from 461 cybersecurity, IT, risk management, and compliance professionals, reveals that only 17% of organisations have implemented technical controls that block access to public AI tools alongside data loss prevention (DLP) scanning. Despite this, 26% of respondents state that over 30% of the data employees input into public AI tools is private, and 27% confirm this figure specifically for the APAC region.
These findings appear against a backdrop of rising incidents; Stanford's 2025 AI Index Report recorded a 56.4% year-on-year increase in AI privacy incidents, totalling 233 last year. According to the Kiteworks survey, only 40% of organisations restrict AI tool usage via training and audits, 20% rely solely on warnings without monitoring, and 13% lack any specific policies, leaving many exposed to data privacy risks.
A disconnect between adoption and controls
"Our research reveals a fundamental disconnect between AI adoption and security implementation," said Tim Freestone, Chief Strategy Officer at Kiteworks. "When only 17% have technical blocking controls with DLP scanning, we're witnessing systemic governance failure. The fact that Google reports 44% of zero-day attacks target data exchange systems undermines the very systems organisations rely on for protection."
The survey indicates a persistent overconfidence among organisations regarding their AI governance maturity. While 40% of respondents say they have fully implemented an AI governance framework, Gartner's data shows only 12% of organisations possess dedicated AI governance structures, with 55% lacking any frameworks.
Deloitte's research further highlights this gap, showing just 9% achieve 'Ready' level governance maturity despite 23% considering themselves 'highly prepared'. This discrepancy is compounded by industry data indicating that 86% lack visibility into AI data flows.
EY's recent study suggests that technology companies continue to deploy AI at a rapid pace, with 48% already using AI agents and 92% planning increased investment—a 10% rise since March 2024—with 'tremendous pressure' to justify returns, thereby elevating incentives to adopt AI quickly but at the expense of security. "The gap between self-reported capabilities and measured maturity represents a dangerous form of organisational blindness," explained Freestone. "When organisations claiming governance discover their tracking reveals significantly more risks than anticipated according to Deloitte, and when 91% have only basic or in-progress AI governance capabilities, this overconfidence multiplies risk exposure precisely when threats are escalating."
Legal sector and policy awareness
According to survey data, the legal sector exhibits heightened concern about data leakage, with 31% of legal professionals identifying it as a top risk. However, implementation lags are evident, with 15% lacking policies or controls for public AI use and 19% relying on unmonitored warnings. Only 23% of organisations overall have comprehensive privacy controls and regular audits before deploying AI systems.
Within legal firms, 15% had no formal privacy controls but prioritised rapid AI uptake – an improvement over the 23% average across sectors, but still significant in a sector where risk mitigation is fundamental. Thomson Reuters figures support this, reporting that just 41% of law firms have AI-related policies, despite 95% foreseeing AI as central within five years.
Security controls and data exposure in APAC
APAC organisations closely mirror global patterns, with 40% relying on employee training and audits, 17% utilising technical controls with DLP scanning, and 20% issuing warnings with no enforcement. Meanwhile, 11% provide only guidelines, and 12% have no policy in place. This means that 83% lack automated controls, despite the APAC region's position at the forefront of the global AI market.
The exposure of private data follows global trends: 27% report that more than 30% of AI-ingested data is private, 24% report a 6–15% exposure rate, and 15% are unaware of their exposure levels. A slight improvement in visibility is indicated, which may reflect regional technical expertise.
For AI governance, 40% of APAC respondents claim thorough implementation, 41% say partial implementation, while 9% have no plans, and 3% are planning to implement controls.
Regulatory complexity and cross-border risks
APAC's position involves navigating a complex landscape of national regulations, including China's Personal Information Protection Law, Singapore's PDPA, Japan's APPI, Australia's Privacy Act reforms, India's draft Digital Personal Data Protection Act, and South Korea's PIPA. The survey highlights that a 60% visibility gap in AI data flows in the region is particularly challenging, given the region's diversity, which limits the ability to comply with data localisation, cross-border data transfer rules, and consent requirements.
Weak controls in APAC expose organisations to difficulties in monitoring compliance with China's data localisation regulations, managing Singapore-Australia digital agreements, and knowing how AI tools route data through restricted jurisdictions.
Organisational strategies and gaps
Regarding privacy investment, 34% of organisations employ balanced approaches that involve data minimisation and the selective use of privacy-enhancing technologies. Some 23% have comprehensive controls and audits, while 10% maintain basic policies but focus on AI innovation, and another 10% address privacy only when required by law. Meanwhile, 23% have no formal privacy controls while prioritising rapid AI adoption.
Kiteworks recommends that businesses recognise the overestimation of their governance maturity, deploy automated and verifiable controls for compliance, and prepare for increasing regulatory scrutiny by quantifying and addressing any exposure gaps. "The data reveals organisations significantly overestimate their AI governance maturity," concluded Freestone. "With incidents surging, zero-day attacks targeting the security infrastructure itself, and the vast majority lacking real visibility or control, the window for implementing meaningful protections is rapidly closing."




