New Zealand Organisations Accelerate AI Adoption Amid Growing Resilience And Governance Gaps

New Zealand organisations are rapidly embedding AI into cybersecurity, IT operations, and core business functions, but many still lack the governance, visibility, and resilience capabilities needed to manage the risks associated with increasingly autonomous AI systems.

That is according to Commvault’s latest State of Data Resilience – Australia & New Zealand report, which found that AI adoption across New Zealand is accelerating sharply throughout 2026. More than 30 percent of organisations are already trialling or deploying agentic AI across IT, cybersecurity, and business operations, while nearly all organisations surveyed expect AI investment to increase this year.

At the same time, New Zealand organisations are grappling with rapidly growing data environments, increasing regulatory expectations, and more fragmented hybrid and multi-cloud infrastructures.

The report found that data growth across New Zealand has climbed to around 30 percent year-on-year, driven by AI-generated content, richer telemetry, and broader digital transformation initiatives. Multi-cloud infrastructure now represents the dominant environment for 47 percent of organisations, compared to 39 percent last year.

While AI is increasingly viewed as essential to improving cyber resilience, many organisations remain uncertain about how effectively they can govern and control these systems once deployed.

Only 28 percent of New Zealand organisations said they had conducted a thorough audit of the security and governance implications of AI systems before deployment. Confidence in AI oversight also remains limited. Just 37 percent of respondents said they were “very confident” they could identify when AI systems had breached governance or compliance requirements, while only 39 percent felt highly confident identifying compromised AI data access guardrails.

The report suggests many businesses are prioritising AI deployment speed over operational readiness.

According to the findings, explainability and transparency of AI systems are now among the highest priorities for New Zealand organisations evaluating AI-powered cybersecurity and resilience solutions, alongside compliance with regulatory and reporting requirements.

Martin Creighan, Vice President, APAC at Commvault, said trust in AI systems will increasingly depend on the resilience and governance frameworks supporting them.

“AI is now central to how organisations operate but its value depends on the integrity of data behind it,” he said. “That data must be understood, validated, and free of sensitive information.”

The research also highlights growing concerns around non-human identities and agentic AI.

While 66 percent of New Zealand organisations have incorporated human identity management into cyber resilience strategies, only 36 percent say they have extended those strategies to non-human AI agents.

As AI agents increasingly interact autonomously across systems, applications, and datasets, many organisations are struggling to adapt existing identity and governance frameworks.

Among the top challenges identified by New Zealand respondents were integration difficulties between legacy identity systems and modern AI workflows, managing the lifecycle of machine identities and credentials, and monitoring AI activity across distributed environments.

The report found that 73 percent of New Zealand organisations believe agentic AI is already creating medium or high levels of additional complexity for identity management and resilience operations.

At the same time, ransomware and recovery pressures continue to intensify.

Around 32 percent of New Zealand organisations reported being targeted by ransomware in the past 12 months, while 30 percent admitted paying a ransom demand following an attack. However, more than one third of those organisations said the payment ultimately failed to resolve the issue, either because attackers did not release the data or because they were attacked again shortly afterwards.

The findings reinforce a broader shift away from traditional prevention-focused cybersecurity models toward operational resilience.

Commvault’s research found that business leaders increasingly expect operations to resume within days following a breach, despite the average recovery time remaining far longer in complex hybrid environments.

As a result, organisations are increasingly focusing on defining “minimum viable company” strategies — identifying the minimum systems and operations required to continue serving customers during a cyber incident.

According to the report, 63 percent of New Zealand organisations have now defined minimum viable business requirements, though fewer have fully mapped those requirements to underlying technology operations.

Gareth Russell, Field CTO, Security, APAC at Commvault, said resilience in AI-driven environments now extends far beyond traditional backup and recovery.

“Today, recovery isn’t just about restoring data, but bringing systems, configurations and dependencies back to a known good state,” he said.

The report concludes that as AI adoption accelerates across New Zealand enterprises, resilience, governance, and operational recovery capabilities will increasingly determine whether organisations can safely scale AI at enterprise level.

© Scoop Media