*Editor’s note: The views expressed in the following by Stephanie Liew are her “own professional perspective and do not represent those of my current or former employer.”
In 2026, Asia stands at the forefront of an AI revolution. Malaysia’s National AI Action Plan 2026–2030, backed by RM1.36 billion in Budget 2026 funding, signals bold ambition to become an AI-driven nation.
Across ASEAN, governments and enterprises are racing to deploy AI agents, automate processes, and harness vast datasets. Yet this progress rests on a fragile foundation: identity. As Stephanie Liew*, CISO for Asia Pacific, Middle East and Africa at British American Tobacco and creator of the ANCHOR framework for non-human identity governance, asserts in her recent analysis, “You cannot build an AI Nation without knowing who and what is accessing your data.”
For CISOs, CIOs and compliance heads across Asia, identity has become the new perimeter—the control plane and trust layer that determines whether AI ambitions deliver value or expose catastrophic risk.
Traditional network defences are obsolete in a borderless, hybrid, multi-cloud world. Attackers no longer breach firewalls; they compromise identities.
This narrative draws on Liew’s insights from her March 2026 CXO Outlook piece and extensive regional experience, along with verifiable industry data, to outline what matters most to Asian leaders this year.
Explosive growth of non-human identities
The scale of the challenge is stark. Machine identities—service accounts, API keys, OAuth tokens, bots and AI agents—now vastly outnumber humans.
CyberArk’s 2025 Identity Security Landscape Report, based on a survey of 2,600 security leaders across 20 countries, found machine identities outnumber humans by more than 80 to 1, with 42% holding sensitive or privileged access.
AI is the primary driver: the report names it the top creator of new identities with privileged access in 2025.
Independent scanning by Entro Labs paints an even grimmer picture. Their H1 2025 NHI & Secrets Risk Report revealed a real-world ratio of 144 to 1—a 44% increase year-on-year—with some sectors reaching 500 to 1.
The visibility gap is telling: the difference between what leaders think they see (80:1) and what actually exists (144:1) represents the blind spots attackers exploit first.

Liew, who has built cybersecurity programmes across 57 APMEA markets, warns that every AI model or agent spawns 15–20 distinct identities. A single customer service AI agent may require credentials across multiple systems. Multiply that by hundreds of agents, and the attack surface explodes.
“Every AI system that touches your data, APIs, or connected systems needs an identity,” she notes. “If you do not govern the identity, you do not govern the AI.” Many of these identities persist long after their purpose ends—nearly half are over a year old—creating perfect backdoors.
In Malaysia, NACSA recorded 4,626 cyber incidents in 2024 (a 43% rise) and a further 2,366 in the first half of 2025. Phishing accounted for 68% of fraud cases, while ransomware against businesses surged 42%. Identity is the common thread.
ANCHOR: Accountability to combat governance drift
Liew’s response is the ANCHOR framework—Assign, Narrow, Control, Hold, Observe, Retire—designed explicitly for non-human identities and now extended to AI governance. In her CXO Outlook article, she describes it as “an accountability system” that stops governance drift before it becomes a breach.
- Assign: Every non-human identity requires a named human owner. No exceptions.
- Narrow: Enforce least privilege ruthlessly; revoke excess permissions.
- Control: Automate credential rotation and expiry.
- Hold: Include machine identities in regular access reviews.
- Observe: Monitor behaviour 24/7 for anomalies.
- Retire: Delete identities when projects end—no “just in case”.
Liew urges CISOs: “Audit your non-human identities using ANCHOR. You will be surprised by what you find.” This practical approach aligns with regulatory demands, including Malaysia’s MY-AI standards platform launched in March 2026 and Bank Negara Malaysia’s RMiT guidelines.
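The six ANCHOR steps can be scripted as checks over an identity inventory. The following is an added example, not code from Liew or her article; the `NHI` record fields, the 90- and 180-day thresholds and the sample inventory are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
# Assumed policy thresholds (not from the article); tune to local policy.
MAX_CREDENTIAL_AGE_DAYS, MAX_REVIEW_AGE_DAYS = 90, 180

@dataclass
class NHI:
    name: str
    owner: str | None          # Assign: named human owner
    granted: set[str]          # permissions granted to the identity
    used: set[str]             # Narrow: permissions observed in use
    credential_issued: date    # Control: date of last rotation
    last_review: date | None   # Hold: last access review that covered it
    monitored: bool            # Observe: behaviour feeds detection
    project_active: bool       # Retire: purpose still exists

def anchor_findings(nhi: NHI, today: date) -> list[str]:
    """Return the ANCHOR steps this identity fails, in ANCHOR order."""
    excess = nhi.granted - nhi.used
    stale_review = (nhi.last_review is None or
                    (today - nhi.last_review).days > MAX_REVIEW_AGE_DAYS)
    checks = [
        (not nhi.owner, "Assign: no named human owner"),
        (bool(excess), f"Narrow: unused permissions {sorted(excess)}"),
        ((today - nhi.credential_issued).days > MAX_CREDENTIAL_AGE_DAYS,
         "Control: credential overdue for rotation"),
        (stale_review, "Hold: no recent access review"),
        (not nhi.monitored, "Observe: no behavioural monitoring"),
        (not nhi.project_active, "Retire: project ended, identity still exists"),
    ]
    return [msg for failed, msg in checks if failed]

def audit(inventory: list[NHI], today: date) -> dict[str, list[str]]:
    """Map identity name -> findings, keeping only identities that fail a step."""
    return {n.name: f for n in inventory if (f := anchor_findings(n, today))}

# Constructed sample inventory (names, owners and dates are illustrative).
INVENTORY = [
    NHI("svc-billing-api", "a.tan", {"db:read"}, {"db:read"},
        date(2026, 2, 1), date(2026, 1, 15), True, True),
    NHI("agent-support-bot", None, {"crm:read", "crm:write", "mail:send"},
        {"crm:read"}, date(2024, 11, 3), None, False, True),
    NHI("ci-deploy-poc", "r.lim", {"cloud:admin"}, set(),
        date(2025, 1, 20), date(2025, 2, 1), True, False),
]

if __name__ == "__main__":
    print(audit(INVENTORY, date(2026, 3, 31)))
```

In practice the inventory rows would be exported from the identity provider, cloud IAM and secrets manager rather than typed in, and the `used` set would come from access logs.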
AI agents, Zero Trust and the ASEAN reality
Southeast Asian CISOs surveyed for 2026 trends named identity as the new perimeter, alongside continuous threat monitoring and phishing-resistant MFA. Microsoft APAC echoes this: “Identity is the new perimeter—and phishing-resistant MFA can stop the vast majority of credential-based attacks.”
Yet deployment faces real hurdles. Liew highlights legacy systems in manufacturing, government, and banking that predate FIDO2 and passkeys; user resistance during passwordless transitions; cost barriers for the 97% of Malaysian businesses that are SMEs; and fragmented identity platforms that create “Zero Trust islands”.
Fortinet’s 2023 IDC survey (still relevant in 2026) found that 86% of Malaysian organisations are investing in or planning Zero Trust, yet execution lags.
The Maybank deepfake incident in April 2024—where scammers used AI-generated video and messages to impersonate executives and came close to extracting nearly US$1 million—underscores the human dimension. Even senior leaders can be deceived when AI raises the sophistication of social engineering.
Supply-chain resilience starts with third-party identities
Supply-chain attacks remain a silent killer. The 2025 incidents at Marks & Spencer (a 46-day online suspension) and Jaguar Land Rover (a six-week shutdown costing the UK economy an estimated £1.9 billion) illustrate the peril.
In Malaysia, the Cybersecurity Threat Report 2025 flags compromised SaaS, cloud services and third-party integrations as top risks. The average detection time hovers around 187 days.
Liew advocates three identity-led controls: live third-party governance platforms enforcing least privilege; just-in-time access provisioning; and continuous behavioural monitoring of vendor identities.
“You cannot control your supplier’s security posture,” she says, “but you absolutely control the identities they use to reach your systems.”
Take non-negotiables seriously
Gartner’s 2026 cybersecurity trends confirm the shift. IAM must adapt to secure and enable AI agents, with a risk-based strategy focusing investment on the highest gaps. Identity Threat Detection and Response (ITDR) is central: it provides real-time behavioural analytics, links signals across environments, and enables automated responses such as token revocation. Liew has seen ITDR reduce credential-attack detection from days to minutes.
Industry leaders emphasise that identity silos and the surge in machine identities are reshaping enterprise risk. An identity fabric—unifying on-premises, cloud, and hybrid identities under consistent policies—eliminates tool sprawl and enables Zero Trust. Forrester, which coined Zero Trust in 2009, continues to stress that identity is foundational: without it, perimeter defences fail.
Compliance under Malaysia’s Cyber Security Act 2024 and more
Malaysia’s Cyber Security Act 2024 mandates risk assessments and incident reporting within 6 hours for critical infrastructure.
Liew argues identity must move from implied to explicit: mandatory identity risk assessments in NCII reports, identity-aware incident templates, privileged access management (PAM) as baseline, third-party governance in contracts, and full non-human identity inventories using frameworks such as ANCHOR.
Singapore’s Cybersecurity Act amendments (effective October 2025) and Indonesia’s OJK AI governance rules show ASEAN maturing in parallel. Malaysia’s MyDigital ID momentum and 50% tax deduction for SME cyber training create tailwinds.
Liew sees opportunity:

“If you build an IAM programme that works across Malaysia’s maturity spectrum, you have a playbook that transfers to almost any market in ASEAN.”
A call to action for Asian leaders
Identity is no longer a back-office IT concern. It is the strategic enabler of AI governance, Zero Trust, supply chain resilience, and regulatory compliance. CISOs and CIOs must act in three phases: fix governance basics (inventory, ownership, reviews); deploy ITDR for real-time detection; then build an identity fabric for unified control.
Start today: run an ANCHOR audit on non-human identities, map your attack surface, and prioritise phishing-resistant MFA for privileged accounts. Government incentives—Malaysia’s Digital Accelerator Grant, MSME Digital Grant Madani and tax deductions—remove many cost barriers for SMEs.
As Liew concludes in both her interview and March 2026 article, the organisations that treat identity as a strategic priority will thrive in Asia’s AI-driven future. Those who treat it as a checkbox will become the next headline.
For CISOs, CIOs and compliance heads across the region, 2026 is the year to anchor identities—and secure the perimeter that matters most.
