ANZ firms shift to cyber resilience as AI risk grows

Organisations across Australia and New Zealand are moving away from traditional cyber defence models towards resilience-focused operating strategies, as artificial intelligence reshapes enterprise risk.

Findings from the State of Data Resilience 2026 study show a marked shift in how businesses prepare for cyber incidents. Enterprises now prioritise the ability to maintain operations during an attack rather than relying solely on prevention.

The research draws on responses from more than 400 IT and security leaders across the region. It reflects a broader transition from backup and data protection frameworks to full cyber resilience models, where recovery capability sits at the centre of strategy.

Data surge

Data growth has accelerated sharply, with annual expansion reaching 31 percent across ANZ organisations. This increase reverses earlier slowing trends and is linked to AI-generated content, expanded telemetry, and digital transformation programmes.

Hybrid and multi-cloud environments now dominate enterprise infrastructure. Around 67 percent of organisations operate across multiple platforms, which introduces operational complexity and coordination challenges.

Teams face difficulty managing cross-cloud incident response. Nearly half of Australian organisations identify inconsistent skill sets across teams as a key barrier to resilience.

This environment creates a fragmented data landscape, often described as "shadow data", where information exists outside formal governance structures. Visibility into data location and classification remains incomplete in many organisations.

AI adoption

AI investment is rising rapidly across the region. Around 95 percent of organisations plan to increase spending in this area, with more than 30 percent already deploying or testing agent-based systems.

These systems extend beyond support functions into core operations. Financial institutions now use AI to make real-time decisions on transactions and fraud detection, which changes the role of technology in business processes.

"The real shift is that these agents are not just useful in determining something. They are making decisions. It is moving from assistance into decision-making," said Gareth Russell, Chief Technology Officer, Field, APAC, Commvault.

"Once upon a time, your workforce was 100% human. Now, your workforce may get to the point where you have eight to 10 agentic agents for each human. How do you harness that scale? What do you do with it? How do you make sure you have the right guardrails?" said Russell.

Organisations are integrating AI into operations at a pace comparable to the rapid adoption of collaboration tools during pandemic lockdowns. This shift increases reliance on automated systems and expands the attack surface.

Control gap

Governance structures are struggling to keep pace with AI deployment. While many organisations have introduced policies, fewer conduct detailed risk assessments before implementation.

Only about one-third of organisations assess AI risks prior to deployment. Around 36 percent have resilience strategies for AI agents, despite their growing role in operations.

This gap between governance intent and operational control creates exposure. AI-driven systems can introduce new vulnerabilities if monitoring, identity management, and access controls are incomplete.

Non-human identities represent a key blind spot. While most organisations have plans for managing human access during incidents, far fewer account for AI agents within resilience frameworks.

Recovery reality

Expectations around recovery times differ significantly from operational reality. More than 80 percent of business leaders expect systems to be restored within five days after a cyber incident.

Actual recovery times average 28 days across Australia and New Zealand. This reflects a gap between executive assumptions and technical capability.

The delay places pressure on organisations to maintain operations during extended disruption. Around 30 percent of organisations have paid ransomware demands to accelerate recovery, though outcomes remain inconsistent.

The findings indicate that paying attackers does not guarantee restoration of data or services, with many organisations reporting further extortion attempts after payment.

Minimum model

Enterprises are adopting a "minimum viable company" approach to address these risks. This model focuses on identifying critical systems and data required to sustain core operations during an incident.

"There is an enormous amount of pressure on an enterprise or government agency when a ransomware or cyber event takes place. The first thing they need to do is understand what resilience actually looks like in an AI-driven world," said Martin Creighan, Vice President, Asia Pacific, Commvault.

"To do that, they need to adopt a minimum viability approach. What we mean by minimum viability is whether the organisation has identified the critical data and critical applications it needs to continue operating," said Creighan.

This approach requires organisations to define essential services, secure access to key data, and ensure rapid recovery pathways are in place.

Operational focus

Cyber resilience now centres on three areas: identity management, data security, and recoverability. These elements form the foundation for maintaining operations during disruption.

AI introduces additional complexity across all three. Agents must be identified, monitored, and integrated into existing identity frameworks. Data must be secured across distributed environments, while recovery systems must account for automated workflows.

Enterprises are also expanding regulatory compliance efforts, driven by evolving standards across sectors such as finance and critical infrastructure.

The study shows that resilience is becoming embedded in daily operations rather than treated as a contingency measure. Organisations are focusing on maintaining service continuity as data volumes grow and AI systems take on operational roles.