Across Australia and New Zealand, organisations are racing to scale AI—yet the guardrails are arriving late. New research from Commvault’s State of Data Resilience – Australia and New Zealand, 6th Edition (2026) finds a widening gap between AI ambition and the governance needed to keep data trustworthy as AI agents become embedded in hybrid and multi-cloud operations.
The momentum is clear. Thirty-six per cent of respondents say they increased AI spend by more than 25% in 2026 compared with last year, while more than 30% are already trialling or deploying agentic AI across hybrid and multi cloud environments.
That acceleration is contributing to rapid data estate growth: data volumes are expanding by 30% compared to 2025. But as estates sprawl and fragmentation rises, oversight becomes harder—and risk control struggles to keep pace.
The study also suggests an uncomfortable reality: policies are strengthening faster than practice. Sixty-six per cent of respondents now have policies for AI-generated data and content, up from 29% last year.
However, adoption is moving ahead of process alignment, leaving many organisations without safeguards and due diligence that can enforce those policies when AI agents are actively operating.
The control gaps are especially stark. Fifty-eight per cent of respondents lack high confidence that AI systems remain secure when compromised or operating beyond defined guardrails.
Only one third have rigorously assessed security and governance risks before deploying AI. And just 36% have extended resilience planning to AI agents—meaning most agentic environments remain exposed at precisely the moment they become more dynamic, interconnected, and operationally critical.
Martin Creighan, vice president, APAC at Commvault, summarised the dilemma:
“AI is now central to how organisations operate but its value depends on the integrity of data behind it.”
The path forward, according to Commvault, is a lifecycle approach—starting with safely activating data for AI purposes to meet regulatory requirements, then extending through discovery, governance, protection, and recovery.
As Gareth Russell, field CTO, Security, APAC at Commvault, notes, recovery must go beyond backups: it must restore systems, configurations, and dependencies to a known good state to maintain control of AI at scale.
