In 2025, identity has become the new (security) perimeter, making identity security attacks a primary threat vector for organisations throughout the region. Threat actors are targeting user credentials and privileged access pathways, moving beyond traditional network-based assaults to exploit identities as the weakest link.
IDC's 2025 IAM landscape identifies AI agents, non-human identities (such as IoT), and the expansion of identity types (workforce, consumer, and B2B) as major forces reshaping security.
As Nigel Tan, director of sales engineering, Asia Pacific at Delinea, points out, threat actors are aggressively targeting user credentials and privilege access pathways, making identity security a primary concern for organisations across the region.
This shift is forcing a strategic rethink, with a pronounced focus on securing Privileged Access Management (PAM) as a critical control point. The rapid maturation of artificial intelligence (AI) is now fundamentally altering both the threat landscape and the defence strategies for Identity and Access Management (IAM).
Expanding attack surface: Non-human identities and privilege creep
A significant challenge that compounds IAM complexity is the proliferation of non-human identities. Tan highlights a startling statistic from Delinea's research: "There were up to, on average, 46 non-human identities for every human identity in an organisation."
These machine identities, which include service accounts, robotic process automation (RPA) bots, and API keys, are often poorly managed, with stale credentials presenting a massive attack vector.
This aligns with broader industry trends.
Gartner predicts that by 2026, 70% of identity-first security strategies will fail to control the surge in non-human identities, leading to a significant increase in privileged access-related breaches. This underscores the urgent need for organisations to extend their IAM disciplines to the non-human realm.
Furthermore, the perennial issue of "privilege creep"—where employees accumulate access rights over time that they no longer need—remains a critical vulnerability. Manual governance cycles are ill-equipped to handle this scale, creating a governance gap that AI is poised to fill.
AI redefining IAM
According to Tan, AI's role in IAM is twofold: securing the new wave of AI agents themselves and leveraging AI to bolster existing identity security. Delinea's own research indicates a strong appetite for this shift.
"A lot of executives are looking at this new disruptive technology called artificial intelligence... When it comes specifically to identity, there are two main parts: how AI changes their security landscape... [and] how they can use this to help with their identity security,” observes Tan.
Market forecasts support this. IDC states that by 2027, driven by the explosion of AI/ML workloads, 40% of G2000 organisations will run identity and access management (IAM) processes across domains to reduce operational costs and improve risk mitigation. AI is moving from a niche capability to a core component of modern IAM architectures.
Three emerging AI-driven IAM use cases in Asia-Pacific
Tan identifies three key areas where AI is making an impact in the APAC region:
- Managing access for Agentic AI: As autonomous AI agents are deployed to handle business workloads, they require access to sensitive systems and data. A primary concern is ensuring these agents are not "overprivileged." CISOs are now grappling with how to apply the principle of least privilege to non-human AI entities to prevent potential data breaches.
- AI-powered access governance: The traditional quarterly access review process is a hefty administrative burden. AI can analyse previous access history and usage patterns to right-size employee access automatically. This shifts governance from a periodic, manual process to a continuous, intelligent one.
- Real-time threat detection and intelligent authorisation: AI is augmenting threat detection by accelerating the analysis of login attempts and user behaviour. Tan refers to this as "intelligent authorisation," where access decisions are based on a myriad of contextual factors—such as user behaviour, time, and location—rather than static rules like geographic blocking.
The cybersecurity risks of an AI-powered IAM
While AI offers immense benefits, its adoption is not without risk. Tan highlights that as systems learn, organisations must work to eliminate false positives to build trust in the AI's output. Furthermore, the attackers are also weaponising AI.
A global survey by Delinea paper reveals that 47% of global firms reported that AI-generated phishing/deepfakes were their top concern, and 44% reported that AI-driven credential theft is one of their biggest concerns.
The rise of deepfakes for identity fraud poses a clear and present danger, as evidenced by a near-miss case in Singapore where attackers used a deepfaked video of a CEO to attempt a fraudulent transfer.
Surveys from security vendors warn that generative AI will indeed lower the barrier for entry for cybercrime, stating that "AI-powered deepfakes will feature in over 90% of successful digital trust-breaking attacks by 2026." This underscores the need for multi-factor authentication and user education, as emphasised by Tan.
The regulatory horizon for AI in IAM
Efforts are already underway in APAC to regulate AI. Tan points to Singapore's PDPC Model AI Governance Framework and Hong Kong's Ethical AI Framework as examples. "These regulations would be overarching," he says, focusing on transparency and accountability in AI decision-making.
This will directly impact how AI is used in IAM, requiring that access decisions are explainable and that robust audit trails are maintained, falling squarely within the wheelhouse of PAM.
The future of AI in Asia
Tan believes AI adoption will continue to grow in the region, with a strong focus on governance, threat detection, and a new frontier: auditing. "AI to help with being able to audit, to help with audit, because audit generates much information, many logs," he notes.
The ability of AI to summarise hours of session recordings into a concise executive summary, highlighting key points and potential red flags, will save significant time and resources for security teams, making compliance and oversight more efficient.
This is a trend recognised by industry leaders. Gartner highlights that "by 2025, 40% of identity and access management (IAM) buyers will consider advanced, AI-powered analytics a critical capability in their purchasing decisions," indicating that AI will soon become a standard expectation, not a luxury.
Click on the PodChats player to listen in detail to Tan's conversation with FutureCISO on how AI alters identity management strategies.
- Before we begin, could you please provide a 30-second elevator pitch about Delinea?
- How is AI Redefining Identity and Access Management?
- Please identify emerging AI-driven IAM use cases in Southeast Asia and Hong Kong.
- How do you see Agentic AI potentially changing Privileged Access Management (PAM)?
- We may have covered this in earlier questions: What are the cybersecurity risks of AI-enhanced IAM? Please cite the 2025 incidents on the same topic.
- Efforts are underway to develop regional regulations governing the use of AI. Can we expect something similar around AI in IAM?
- Can AI Enhance IAM for Hybrid Workforces?
- You mentioned earlier about identity access rights that have become dormant. What role would GenAI/Agentic AI play in identity lifecycle management?
- Deepfake cases are growing in Asia. How should CISOs prepare for AI-enabled identity fraud?
- What skills will security teams need for AI-driven IAM? How about end users?
- What is the future of AI in IAM for Southeast Asia and Hong Kong?
