Commvault maps Asia-Pacific shift to trusted AI autonomy
Commvault expects a shift in Asia-Pacific enterprise technology strategies over the next two years as organisations move from experimental artificial intelligence projects towards what it describes as "trusted autonomy", underpinned by resilience, sovereignty and verifiable recovery.
Martin Creighan, Vice President for Asia-Pacific at Commvault, outlined seven trends that he believes will shape how businesses in the region approach AI, security and data protection by 2026.
The company argues that resilience and sovereignty are no longer only technical considerations. It says they will sit at the core of leadership, trust and long-term competitiveness as AI systems gain more autonomy.
Agentic AI shift
Creighan said AI had moved beyond pilot projects into what analyst firm IDC refers to as an "Agentic Future", where humans and AI systems act with autonomy and intention. He pointed to conversational AI as the most visible change, with deployments in customer engagement, internal operations and cyber response.
He warned that such systems rely on the integrity of the underlying data. If that data is compromised, he said, bias and misinformation can follow. He predicted that AI integrity would become a central pillar of resilience by 2026, with organisations focusing on the ability to trace, verify and restore the truth in machine learning models after an incident.
Commvault expects conversational AI to start running resilience operations as well. It forecasts that staff will request protection tasks, policy checks and recovery validation across software-as-a-service, multi-cloud and hybrid environments through natural language rather than dashboards and scripts.
"In 2026, resilience will evolve from reactive protection to self-healing intelligence, and conversational AI will be the everyday interface that makes that intelligence accessible, trusted, and continuous," said Creighan.
Sovereignty as design
Creighan linked this AI evolution with rising regulatory focus on data sovereignty in Asia-Pacific. He cited frameworks in Singapore and Australia as examples of governments that are pushing data locality and privacy rules. Research from Forrester suggests that by 2026, half of enterprises will prioritise in-region infrastructure and policy-based data controls.
He said sovereignty was increasingly a matter of control and choice in a multi-cloud and multi-region environment. Enterprises want to decide whether data sits on-premise, in private cloud, through local hyperscaler regions or in global cloud locations, while keeping a clear view of applicable laws and recovery options without crossing borders.
Creighan said architectures were becoming sovereignty-aware by default. Encryption, access policies and compliance rules are shifting with the data across borders and providers. He argued that when sovereignty is built into design, regulatory compliance can become a source of competitive differentiation rather than a constraint.
"In 2026, this combination of sovereignty + freedom of choice will allow organisations to innovate confidently within trusted boundaries," said Creighan.
Identity as perimeter
As digital ecosystems expand, Commvault forecasts that identity will replace traditional infrastructure boundaries as the main perimeter of security. Each human or machine credential becomes a potential point of compromise in this view.
Creighan cited IDC predictions that by 2026 cyber-resilient organisations will merge identity, data and recovery policies into a single security fabric. He said this would shift recovery from a technical task to an issue of trust, as continuity is incomplete if identities remain corrupted after an attack.
He expects companies to focus on restoring verified user integrity as part of operational assurance. This is likely to become more important as AI systems communicate and transact directly with each other, with autonomous agents initiating actions and decisions.
"In this AI-centric world, a trusted identity becomes the first checkpoint of safety," said Creighan.
Data rooms and AI
Commvault predicts that many AI initiatives will stall not because of a lack of data but because enterprises cannot safely access and prepare existing data. Creighan said organisations would start to view historical backup data as a strategic intelligence asset rather than only insurance, provided they could activate it responsibly.
He expects an expansion of "sovereign, resilience-aware data rooms". These secure environments connect governed backup data with AI platforms and data lakes, and avoid ad-hoc extract, transform and load workflows. Controlled, self-service access and built-in classification, lineage and compliance checks are likely features.
"Data rooms will turn protected data into clean, compliant, AI-ready fuel," said Creighan. He said organisations that adopt this approach will gain faster and safer AI deployment and a competitive edge.
Quantum and cryptography
While AI dominates boardroom attention, Commvault also highlights quantum computing as a longer-term threat to current cryptography. Creighan referenced warnings that future quantum decryption could expose data that is considered secure today under algorithms such as RSA and ECC.
He said some enterprises had begun crypto-inventory audits, deployment of quantum-safe algorithms and redesign of backup and recovery systems with what he described as cryptographic agility. Quantum readiness, in his view, is less about timing predictions and more about ensuring that sovereignty, encryption and recovery approaches remain robust when quantum attacks materialise.
New resilience metrics
Creighan said current cyber resilience benchmarks such as Recovery Time Objective (RTO) and Recovery Point Objective (RPO) do not address the risk of reinfection. He argued that simply restoring data without assessing the state of backups might achieve established metrics but not guarantee a clean recovery.
He warned that if the original vulnerability is still present, organisations risk a cycle of repeat incidents and breaches, with resulting customer mistrust. He said companies need to analyse backups to ensure they are clean and trustworthy before restoration. That process can take weeks and consume significant resources.
Commvault is promoting a new metric called "Mean Time to Clean Recovery" (MTCR). It defines the average time required to restore the full stack of pre-defined critical business applications, foundational systems, infrastructure and associated clean, validated data after a cyber event.
"For senior executives, business leaders and boards, this understanding can provide an opportunity to reshape how cyber recovery is understood, managed and planned for," said Creighan. "Notably, it can challenge leaders to push their IT teams to move beyond 'restore speed' and start thinking in terms of data trust, system integrity, and clean recovery timelines."
Trusted autonomy
Creighan said governance, sovereignty and resilience were converging into a single demand from boards: evidence of trust. He said recovery metrics, audit trails and cleanroom validations were becoming central to accountability, especially in highly regulated sectors in Asia-Pacific.
IDC forecasts that by 2030, half of the region's digital value will come from organisations that scale AI responsibly. Creighan said that responsibility rests on three pillars: resilience across AI and data pipelines, sovereignty over data flows and quantum readiness for future threats.
"Together, these form the architecture of trusted autonomy - systems that can decide, recover, and collaborate without losing control of their integrity," said Creighan. He added that enterprises which embed sovereignty and resilience into design and prepare for quantum disruption will operate across borders without compromise and turn compliance into credibility.
"Because in the decade ahead, resilience will be more than protection - it will be the defining language of intelligent leadership," said Creighan.