
Most firms overestimate AI governance as privacy risks surge
Kiteworks has released its AI Data Security and Compliance Risk Survey, highlighting gaps between AI adoption and governance maturity in the Asia-Pacific (APAC) region and globally.
The survey, based on responses from 461 cybersecurity, IT, risk management, and compliance professionals, reveals that only 17% of organisations have implemented technical controls that block access to public AI tools alongside data loss prevention (DLP) scanning. Despite this, 26% of respondents state that over 30% of the data employees input into public AI tools is private, and 27% confirm this figure specifically for the APAC region.
These findings appear against a backdrop of rising incidents; Stanford's 2025 AI Index Report recorded a 56.4% year-on-year increase in AI privacy incidents, totalling 233 last year. According to the Kiteworks survey, only 40% of organisations restrict AI tool usage via training and audits, 20% rely solely on warnings without monitoring, and 13% lack any specific policies, leaving many exposed to data privacy risks.
A disconnect between adoption and controls
"Our research reveals a fundamental disconnect between AI adoption and security implementation," said Tim Freestone, Chief Strategy Officer at Kiteworks. "When only 17% have technical blocking controls with DLP scanning, we're witnessing systemic governance failure. The fact that Google reports 44% of zero-day attacks target data exchange systems undermines the very systems organisations rely on for protection."
The survey indicates a persistent overconfidence among organisations regarding their AI governance maturity. While 40% of respondents say they have fully implemented an AI governance framework, Gartner's data shows only 12% of organisations possess dedicated AI governance structures, with 55% lacking any frameworks.
Deloitte's research further highlights this gap, showing just 9% achieve 'Ready' level governance maturity despite 23% considering themselves 'highly prepared'. This discrepancy is compounded by industry data indicating that 86% lack visibility into AI data flows.
EY's recent study suggests that technology companies continue to deploy AI at a rapid pace, with 48% already using AI agents and 92% planning increased investment (a 10% rise since March 2024). These companies face 'tremendous pressure' to justify returns, which raises the incentive to adopt AI quickly at the expense of security.
"The gap between self-reported capabilities and measured maturity represents a dangerous form of organisational blindness," explained Freestone. "When organisations claiming governance discover their tracking reveals significantly more risks than anticipated according to Deloitte, and when 91% have only basic or in-progress AI governance capabilities, this overconfidence multiplies risk exposure precisely when threats are escalating."
Legal sector and policy awareness
According to survey data, the legal sector exhibits heightened concern about data leakage, with 31% of legal professionals identifying it as a top risk. However, implementation lags are evident, with 15% lacking policies or controls for public AI use and 19% relying on unmonitored warnings. Only 23% of organisations overall have comprehensive privacy controls and regular audits before deploying AI systems.
Within legal firms, 15% had no formal privacy controls but prioritised rapid AI uptake – an improvement over the 23% average across sectors, but still significant in a sector where risk mitigation is fundamental. Thomson Reuters figures support this, reporting that just 41% of law firms have AI-related policies, despite 95% foreseeing AI as central within five years.
Security controls and data exposure in APAC
APAC organisations closely mirror global patterns, with 40% relying on employee training and audits, 17% utilising technical controls with DLP scanning, and 20% issuing warnings with no enforcement. Meanwhile, 11% provide only guidelines, and 12% have no policy in place. This means that 83% lack automated controls, despite the APAC region's position at the forefront of the global AI market.
The exposure of private data follows global trends: 27% report that more than 30% of AI-ingested data is private, 24% report a 6–15% exposure rate, and 15% are unaware of their exposure levels. A slight improvement in visibility is indicated, which may reflect regional technical expertise.
For AI governance, 40% of APAC respondents claim thorough implementation, 41% say partial implementation, while 9% have no plans, and 3% are planning to implement controls.
Regulatory complexity and cross-border risks
APAC's position involves navigating a complex landscape of national regulations, including China's Personal Information Protection Law, Singapore's PDPA, Japan's APPI, Australia's Privacy Act reforms, India's draft Digital Personal Data Protection Act, and South Korea's PIPA. The survey highlights that a 60% visibility gap in AI data flows in the region is particularly challenging, given the region's diversity, which limits the ability to comply with data localisation, cross-border data transfer rules, and consent requirements.
Weak controls in APAC expose organisations to difficulties in monitoring compliance with China's data localisation regulations, managing Singapore-Australia digital agreements, and knowing how AI tools route data through restricted jurisdictions.
Organisational strategies and gaps
Regarding privacy investment, 34% of organisations employ balanced approaches that involve data minimisation and the selective use of privacy-enhancing technologies. Some 23% have comprehensive controls and audits, while 10% maintain basic policies but focus on AI innovation, and another 10% address privacy only when required by law. Meanwhile, 23% have no formal privacy controls while prioritising rapid AI adoption.
Kiteworks recommends that businesses recognise the overestimation of their governance maturity, deploy automated and verifiable controls for compliance, and prepare for increasing regulatory scrutiny by quantifying and addressing any exposure gaps.
"The data reveals organisations significantly overestimate their AI governance maturity," concluded Freestone. "With incidents surging, zero-day attacks targeting the security infrastructure itself, and the vast majority lacking real visibility or control, the window for implementing meaningful protections is rapidly closing."
Techday NZ
15 hours ago
