A silent security failure is unfolding inside Hong Kong’s most sophisticated enterprises. As financial institutions, healthcare providers and tech firms race to deploy autonomous AI agents, new global research reveals that only 7% of organisations are truly AI-ready—leaving the remaining 93% exposed to undetectable data breaches, rogue AI behaviour and an inability to recover from machine-speed mistakes.
The Data and AI Trust Gap report from Veeam Software, unveiled at VeeamON London, warns that the security implications of low AI-ready maturity are not theoretical. For Hong Kong, where cross-border data flows with mainland China and stringent Privacy Commissioner rules collide, an ungoverned AI is a security incident waiting to happen.
Data security is slowing AI use across 95% of organisations
Globally, 95% of executives admit that data challenges have already impeded their AI progress. But the deeper security story is this: low AI-ready maturity means organisations cannot see what their AI systems are doing, cannot govern who—or what—accesses sensitive data, and cannot recover cleanly when an agentic AI goes rogue.
Among firms running AI today, only 22% could quickly identify which data an AI system used. Just 25% could trace what actions it took. And only 28% are confident they can detect AI systems operating outside approved parameters. In security terms, that is not a maturity gap; it is a blind spot across the entire attack surface.
APAC’s high adoption masks a fragile security posture
Across Asia-Pacific, the security picture is even more concerning. APAC’s adoption of agentic AI stands at 87%, nearly matching the global average of 88%. Yet full AI readiness—defined by robust data governance, security controls and recoverability—remains below 10%.
Worse, 98% of APAC organisations report that data challenges are slowing their AI, exceeding the already high global figure of 95%. This suggests that security and governance failures are not just persistent but more acute in APAC’s most advanced markets.
When autonomous AI agents operate without visibility, every API call, every database query and every cross-border data transfer becomes a potential exfiltration channel.
‘Shadow AI’ is a mainstream security risk
The report exposes a deeply unsettling reality: unauthorised AI use is now mainstream. Ninety-five per cent of global organisations report shadow AI—employees or teams deploying AI tools without approval—and 93% view it as a significant risk. Yet only 25% offer approved alternatives.
Most firms are trying to suppress demand rather than govern it, and 44% of executives say increased cyber risk is the top consequence.
For Hong Kong’s CISOs, this means AI agents are already operating outside security perimeters, ingesting sensitive customer data, financial records and regulated personal information—without audit trails, without access controls and without any ability to reverse the damage.
AI failures will look like a breach
Traditional security assumes that failures announce themselves as outages. With autonomous AI, failure is silent and data-level. A rogue agent can alter financial models, exfiltrate personal data or manipulate supply chain decisions—all at machine speed, outpacing human detection.
Only 40% of leaders are very confident they can isolate and precisely reverse an agentic AI failure. The remaining 60% lack that confidence.
In Hong Kong, where the HKMA’s generative AI guidance demands accountability and the Greater Bay Area cross-border data pilot requires meticulous trust, this lack of recoverability is not a technical shortfall. It is a regulatory and security breach waiting to be discovered.
Ownership of AI security cannot be shared away
The research shows that where ownership is clearly defined, security outcomes improve dramatically. Organisations where CISOs explicitly own AI agent risk are 24% more likely to detect rogue AI behaviour.

Conversely, those relying on shared ownership are 47% less likely to detect it. As Veeam’s CEO Anand Eswaran noted: “The question transitions from whether you can use AI, to whether you can ensure all your data is secure, governed, compliant and resilient.”
For Hong Kong and APAC, low AI-ready maturity is not an adoption problem. It is a security liability that regulators have already begun to penalise.









