In 2026, the biggest cybersecurity threat to businesses is not always a hacker exploiting a technical vulnerability. It is an organisation that has lost track of who (or what) has access in the first place.

As companies accelerate cloud migration, automate workflows and deploy AI agents across operations, non-human identities (NHIs) such as APIs, service accounts, machine workloads and autonomous agents are now outnumbering employees in many digital environments. That shift is quietly rewriting the rules of cybersecurity practices.

“In environments dominated by non-human access, identity security shifts from managing user accounts to governing access based on purpose, behaviour and lifecycle,” said Darren Guccione, CEO and co-founder of Keeper Security, in an email interview with e27.

Instead of focusing solely on employee credentials, businesses now have to secure a growing population of machine identities that authenticate continuously, operate silently, and often remain active long after they are needed.

Traditional identity and access management (IAM) systems were designed for humans: people who log in, reset passwords and eventually leave the organisation. But NHIs behave differently, and many are created automatically.

According to Guccione, most organisations lose visibility at the point of creation. He explained that NHIs are frequently spun up through CI/CD pipelines, cloud orchestration platforms, SaaS integrations, and AI agents — often without passing through central IAM frameworks.

This means security teams may not even know how many service accounts or API keys exist, who owns them, or what level of privilege they hold. That blind spot becomes a direct entry point for attackers.

Also Read: SBI bets on Singapore to build Asia’s digital asset corridor

The hidden risk: NHIs do not get offboarded

Another major weakness in cybersecurity practices is that machine identities rarely go through proper lifecycle management.

“Unlike employees, NHIs are not typically offboarded,” Guccione said. Tokens, service accounts and API keys often persist even after a project ends, infrastructure changes or a tool is retired. This creates, he says, “a growing population of orphaned but still-privileged identities,” particularly in APAC enterprises undergoing rapid cloud migration.

From a cyber risk perspective, these orphaned identities are dangerous because attackers do not need to break in. They simply need to find the credentials that were never revoked. This means, in 2026, the most damaging breaches may not trigger obvious red flags. Guccione noted that the stealthiest NHI-related threats are those that “abuse legitimate access rather than exploiting vulnerabilities.”

One example is attackers hijacking CI/CD service accounts to tamper with build pipelines or inject malicious dependencies. Since these actions resemble routine development activity, they often bypass security alerts. Another tactic involves over-privileged cloud service accounts being used for slow, deliberate lateral movement.

“Attackers deliberately minimise observable indicators,” Guccione said, adding that they often access metadata services, storage or control planes gradually over weeks or months.

Because authentication succeeds legitimately, many cybersecurity tools fail to detect the intrusion. And long-lived API keys remain a major problem, particularly in SaaS-heavy environments common across APAC. Once compromised, they act as “durable backdoors.”

Also Read: In Southeast Asia, cybersecurity is booming but funding is not

Best cybersecurity practices to adopt in 2026

To protect against these evolving risks, organisations must modernise cybersecurity practices with a strong identity-first foundation. Guccione outlined three capabilities that matter most.

First is continuous discovery and classification of NHIs across cloud, DevOps, and SaaS environments. This should be supported by enterprise-grade identity governance and Privileged Access Management (PAM) to ensure a complete inventory of service accounts, machine credentials, and API keys, with clear ownership.

Second is behavioural monitoring. “Traditional access reviews show who has access, rather than how that access is explicitly used,” he said. Businesses need identity-centric analytics that establish a baseline of normal machine activity, enabling detection of unusual access paths, abnormal data transfers, or suspicious privilege escalation.

Third is automated enforcement. Modern secrets management and privileged access platforms automatically rotate credentials, reduce privileges, or revoke access once risk thresholds are crossed. In cloud-native environments, this can include isolating workloads or invalidating credentials in real time.

In short: detection and response must move at machine speed.

Across APAC, Guccione sees a major divide between regulated industries and fast-scaling sectors. However, he stressed that the gap is not awareness; it is execution.

Finance, telecoms, and critical infrastructure players generally have governance frameworks in place, but these are often “human-centric and slow to adapt” to cloud-native and AI-driven environments.

Also Read: In Southeast Asia, cybersecurity is booming but funding is not

Meanwhile, fast-scaling industries such as SaaS, e-commerce, and logistics excel in automation but often lack formal identity governance. Speed-to-market pressures lead to excessive privileges, shared credentials, and weak lifecycle controls.

For fast-moving companies, Guccione said “good enough” cybersecurity practices start with basic hygiene: centralised secrets management, eliminating hard-coded credentials, and assigning ownership to all machine identities.

For regulated sectors, “good enough” must go beyond compliance reporting into continuous monitoring that can detect misuse, not just satisfy audits.

A 2026 cybersecurity playbook for business leaders

For APAC executives building their cybersecurity roadmap, Guccione recommended five key priorities, starting with assuming the role of autonomous attackers. He warned leaders to design controls for continuous, adaptive, and machine-driven threats.

Second, businesses must inventory all identities — humans, workloads, APIs, and AI agents — because unmanaged identities pose unmanaged risk.

Third, least privilege must be enforced by default, especially for non-human access, and should be both purpose-bound and time-bound.

Fourth, leaders must monitor behaviour, not just access.

Finally, organisations must automate containment because manual response will not scale.

Lastly, as cybersecurity practices become a board-level concern, metrics matter. Guccione advised directors to track indicators of risk reduction rather than surface-level activity.

These include the ratio of managed to unmanaged NHIs, the percentage of machine identities using short-lived credentials, time-to-revoke compromised access and the number of high-privilege identities without clear ownership.

In 2026, identity security is no longer an IT checkbox. It is the foundation of digital trust — and a strategic layer that determines whether automation accelerates business growth or accelerates business risk.

—

The lead image of this article was generated by AI.

The post Rethinking cybersecurity practices as Non-Human Identities (NHIs) surge appeared first on e27.

Southeast Asia’s digital economy is expanding at breakneck speed. From instant payments and superapps to cross-border e-commerce and digital identity, the region has leapfrogged legacy systems and embraced mobile-first innovation. Yet as digital adoption deepens, so too does exposure. Cyber threats are no longer a distant enterprise concern; they are embedded in everyday growth.

Across the region, a new generation of cybersecurity startups is rising to meet this moment. They are not merely selling tools but building the trust infrastructure that underpins fintech, Web3, smart buildings, telecom networks and cloud-native startups. From AI-driven threat detection and zero-trust architecture to digital identity verification and post-quantum cryptography, these companies are shaping how Southeast Asia secures its digital future.

Also Read: From fraud fighters to zero-trust builders: SEA’s cyber stars

This list spotlights 25 cybersecurity players strengthening the region’s resilience, protecting its data, platforms and increasingly, its economic ambitions.

1. Sixscape

2. Keychain

3. GuardRails

4. Sesame Lab

5. CyRadar

6. SendForensics

7. Appknox

8. SMPT

9. Ground Labs

10. Hackuity

11. Red Alpha Cybersecurity

12. Protos Labs

13. Eleos Labs

14. Aegis Technologies

15. Cyberaas

16. Privacy Ninja

17. Block Armour

18. Primary Guard

19. Accredify

20. CredoLab

21. eSignGlobal

22. AnySecura

23. SecIron

24. V-Key

25. Privy

The post Cyber threats are rising: Here are 25 startups fighting back appeared first on e27.

Many experienced leaders step into startup boards thinking governance should look like the Fortune 500 model they know well – quarterly meetings, thick board decks, multiple committees, and structured approval processes.

But for Independent Directors, this is the fastest way to lose credibility, slow the company down, and unintentionally harm the founder’s ability to execute.

Because here’s the reality:

Startups operate on speed, uncertainty, and rapid iteration. Traditional governance operates on process, predictability, and quarterly rhythm.

When Independent Directors impose MNC-style governance on a startup, they create drag – not direction.

If you want to add real value as an Independent Director, you need a different playbook.

What an effective independent director in a startup really does

Embrace lean governance — don’t over-engineer it

Startups need just enough governance to stay disciplined — not enough to become bureaucratic.

As an ID:

• Resist the urge to introduce multiple committees.
• Keep the board small and decision-oriented.
• Encourage faster cycles, not ritualised quarterly meetings.

Your job is to protect agility, not import processes from large institutions.

Prioritise judgment over procedure

Founders don’t need an auditor. They need a sounding board.

Great IDs in startups:

• Ask sharp strategic questions
• Stress-test assumptions
• Anticipate risks that founders may not see
• Help them make high-conviction decisions faster

But they do it without slowing the company down.

Also Read: The future of visual content in the startup ecosystem

Make yourself available — not just scheduled

Traditional boards meet four times a year. Startup boards often need input four times a month.

As an ID, responsiveness matters more than formality:

• Be available for rapid check-ins
• Support pivot discussions
• Help navigate investor tensions
• Step in quickly during crisis moments (cash, churn, product incidents)

Your speed becomes part of the company’s speed.

Focus on what truly needs board oversight

Startup boards should concentrate on:

• Cash burn and runway
• Fundraising
• Pivots and product-market fit
• Major hires and culture
• Strategic partnerships
• Regulatory exposures

Not on:

• Detailed operational approvals
• Committee-level reviews
• Heavy compliance cycles

Strong IDs keep founders focused on the strategic levers, not administrative distractions.

Also Read: The cold logic of the angel: Stop funding dreams, start funding plumbing

Support the founder, but don’t worship the founder

The best Independent Directors strike a balance between:

• Empowering the founder’s vision
• Providing challenge where needed
• Calling out blind spots
• Protecting the organisation from single-person dependency

You are there to provide judgment, stability, and stewardship — not to rubber-stamp decisions or enforce corporate-style control.

Bring startup empathy, not corporate ego

Many IDs come from large organisations where structure, hierarchy, and process are the norm.

But in startups:

• Decisions are messy
• Roles overlap
• People wear five hats
• Data is incomplete
• Speed often outruns structure

The ID who adds the most value is the one who adapts – not the one who insists the company adapt to them.

The bottom line for independent directors

If you want to be an effective, respected Independent Director in a startup, don’t be the person who tries to turn a fast-moving, resource-constrained company into a mini MNC.

Instead:

• Protect agility
• Provide strategic clarity
• Be available
• Focus on the fundamentals
• Enable — not obstruct — execution

Startup governance is a different sport. The rules, pace, and expectations are nothing like the Fortune 500.

Independent Directors who understand this become invaluable. Those who don’t quickly find themselves out of place.

This article was first published on The Boardroom Edge.

—

Editor’s note: e27 aims to foster thought leadership by publishing views from the community. Share your opinion by submitting an article, video, podcast, or infographic.

Enjoyed this read? Don’t miss out on the next insight. Join our WhatsApp channel for real-time drops.

Header image credit: Canva

The post The fastest way to fail as an independent director in a startup? Apply MNC governance to a high-velocity company appeared first on e27.

For too long, boards in Asia have treated workforce matters as operational issues or HR concerns, rather than strategic risks. The pandemic, the digital revolution, and rapid geopolitical and supply chain shifts have made one fact unmistakably clear: talent is enterprise risk. Boards that fail to govern human capital effectively may face operational disruptions, strategic misalignment, and reputational damage, the same way they would fail if financial controls or cybersecurity were neglected.

As an independent director, I see talent strategy emerging as a core board responsibility. Boards must evolve from oversight of high-level HR policies to active guardianship of workforce resilience, skills, and culture.

The talent risk imperative in Asia

Asia’s talent landscape is changing faster than most boards realise:

• Skills shortages in AI, data science, cybersecurity, ESG, and regulatory compliance are acute across Singapore, Hong Kong, India, and emerging ASEAN markets.
• Generational shifts are reshaping workforce expectations; younger employees prioritise purpose, flexibility, and social responsibility.
• Automation and AI adoption threaten to displace traditional roles while creating new, often highly specialised positions.
• Employee attrition and engagement have a direct financial impact; disengaged or overworked teams lead to lower productivity, higher replacement costs, and weakened innovation.

Yet, many boards still rely on episodic reports or annual HR presentations to assess talent risks, leaving leadership blind to future workforce gaps.

Why boards must treat talent like financial risk

Human capital is increasingly measurable, quantifiable, and linked directly to enterprise value.

Consider:

• Companies with high engagement levels outperform peers by up to 22 per cent in profitability.
• Talent shortages can delay digital initiatives, jeopardise compliance, and slow market expansion.
• Poor succession planning at the C-suite level often translates into stock price volatility and reputational exposure.

Boards are expected to exercise the same rigour over workforce strategy as they do over budgets, M&A decisions, or cybersecurity oversight. People are not just operational assets; they are strategic levers.

Also Read: How to win the war for top talent in emerging Asia

A board framework for human capital oversight

Boards must build structured oversight into their governance process. Key elements include:

• Human capital metrics and dashboards

Boards should track:

• Talent pipeline health and succession readiness
• Employee engagement and retention metrics
• Skills gaps relative to future strategy
• Diversity, equity, and inclusion indicators
• Culture and misconduct metrics

These dashboards should be updated regularly and linked to strategic KPIs.

• CEO and executive accountability

Talent strategy should be linked to performance evaluations and executive compensation. This ensures leadership prioritises workforce resilience alongside financial performance.

• Scenario planning for workforce disruption

Boards should stress-test talent risks against:

• Rapid automation or AI adoption
• Regulatory changes
• Geopolitical shifts affecting labour mobility
• Competitive poaching or market volatility

• Culture oversight

Culture is no longer intangible. Boards should actively monitor alignment between organisational values, employee experience, and strategic priorities.

Integrating talent strategy into board conversations

Board discussions must evolve beyond HR presentations:

• Quarterly talent reviews: Not just “are we hiring enough?” but “do we have the skills we need for tomorrow?”
• Leadership pipeline checks: Which executives are ready to step up if disruption strikes?
• Skills heatmaps: Identify gaps in AI, data, cybersecurity, ESG, and emerging markets expertise.
• Retention and engagement assessment: High attrition signals potential operational and reputational risks.

A forward-looking board does not wait for crises to appear — it anticipates them.

Also Read: How to win the war for top talent in emerging Asia

Future-proofing boards and companies

The companies that thrive in the next decade will have boards that:

• View workforce as a strategic asset, not a cost centre
• Embed human capital into risk management frameworks
• Align CEO and executive incentives with talent outcomes
• Adopt metrics-driven, data-informed approaches to workforce planning
• Maintain agility to respond to automation, digital transformation, and demographic shifts

Boards that treat people as strategic risk will safeguard long-term enterprise value. Those who don’t risk stagnation, disruption, and lost competitive advantage.

The independent director’s mandate

For aspiring independent directors, expertise in talent strategy and workforce oversight is increasingly essential. Boards want directors who can:

• Ask the right questions about skills, pipeline, and culture
• Evaluate CEO and executive accountability for human capital outcomes
• Anticipate workforce trends that affect strategy, risk, and resilience
• Ensure the board actively participates in succession and capability planning

Boards that embrace this mindset will be prepared not just for financial performance, but for organisational resilience in a world where human capital is the most critical asset.

This article was first published on The Boardroom Edge.

—

The post Talent strategy and workforce oversight: Why boards must treat people risk like financial risk appeared first on e27.

In the current era of rapid technological evolution, the “Intelligent Enterprise” is no longer a visionary concept but a baseline requirement for global competitiveness. Central to this transformation is the deployment of the AI Agent—autonomous entities capable of orchestrating complex business processes across disparate systems. However, as organizations rush to integrate these capabilities, a significant strategic error is emerging: the attempt to tether agentic AI to legacy productivity frameworks via MS Office plugins. From a systems architecture perspective, a truly scalable AI Agent strategy must prioritize data gravity and process integrity over the superficial convenience of a sidebar in MS Word or MS Excel. To achieve sustainable digital transformation, leadership must look beyond the desktop and toward a unified, cloud-native intelligence layer.

The fragmented ecosystem: Navigating the versioning trap of MS Office

For decades, the developer community has recognized a fundamental truth: developing and maintaining MS Office plugins is an exercise in managing chaos. Unlike modern, unified cloud platforms, the Office 365 ecosystem remains plagued by extreme fragmentation. While MS Copilot promises a glimpse into an integrated future, the reality on the ground is a patchwork of web-based, “New Outlook,” and legacy desktop installations. This “versioning hell” creates a fragile environment for AI Agent deployment. When business logic is embedded within a plugin, it becomes hostage to the local environment of the user. For an enterprise seeking to harmonize global operations, relying on a medium where a significant portion of the user base still operates on end-of-life legacy versions is not just a technical risk—it is a breach of operational excellence.

Also read: Why traditional SEO is dying in Singapore — and how AISEO pioneers are winning the next Blue Ocean

The tender paradox: Why rigid requirements drive out competence

A disturbing trend has emerged in the procurement phase of AI transformation: the “Universal Support” mandate. We frequently observe layman buyers issuing tender invitations that require vendors to guarantee plugin compatibility across every iteration of MS Office and Office 365 currently in use. This requirement acts as a filter for quality, but in reverse. A competent, high-maturity vendor understands the exponential cost and technical impossibility of maintaining stable AI Agent behavior across decades-old COM or VSTO architectures and modern JavaScript APIs. Consequently, the most capable partners often withdraw from the bidding process. This leaves the enterprise to choose between less experienced vendors who overpromise in the initial contract, unknowingly setting the stage for a systemic failure in software assurance and lifecycle management.

The economic friction of plugin maintenance and software assurance

The disconnect between a buyer’s expected maintenance cost and a vendor’s actual developer overhead is the primary reason MS Office plugins are typically abandoned within 24 months. The labor-intensive nature of debugging an AI Agent that fails only in a specific build of MS Excel 2019, for instance, far outweighs the typical “Software Assurance” fee structured in a standard SLA. As Microsoft pushes frequent updates to MS Copilot and its core SaaS offerings, the underlying hooks for third-party plugins often break without warning. For the vendor, the cost of continuous refactoring becomes a margin-killing endeavor; for the enterprise, the result is a “broken” AI experience that erodes user trust and stalls the broader digital roadmap.

Also read: AI agents and ERP: Why Singapore businesses must act now

Data silos and the lack of cross-functional context

Beyond the technical fragility of plugins, using MS Office as the primary base for an AI Agent strategy fails because it prioritizes “document-centric” data over “process-centric” data. A document in MS Word or a sheet in MS Excel is often a static output of a much larger business process that lives in your ERP or CRM. When an AI Agent is confined to a plugin, it lacks the deep, transactional context required to make high-value decisions. To move from simple automation to true agency, the AI must reside where the business logic lives—at the core of the enterprise data stack—not at the peripheral edge where information is merely formatted for presentation.

Security, governance, and the shadow AI risk

Security and compliance are the cornerstones of the state-of-art enterprise management system philosophy. Deploying AI through Office 365 plugins introduces a fragmented security perimeter. Each plugin represents a potential endpoint for data exfiltration and a complex challenge for Identity and Access Management (IAM). Managing the permissions of an AI Agent across thousands of individual desktop installations is an administrative nightmare that invites “Shadow AI” into the organization. A centralized AI strategy allows for a single point of governance, ensuring that data privacy and ethical AI guardrails are applied consistently across all business functions, rather than being managed on a per-plugin, per-user basis.

Performance bottlenecks and scalability constraints

Finally, the desktop environment is fundamentally unsuited for the heavy lifting required by modern AI Agent architectures. Plugins share resources with the host application; a complex reasoning task initiated in a plugin can lead to latency, application crashes, and a degraded user experience in MS Outlook or Excel. More importantly, this architecture does not scale. An enterprise-grade AI strategy requires a decoupled, microservices-based approach where the AI’s compute requirements are independent of the user’s local hardware or the stability of a specific office suite. Scale is achieved through cloud-native orchestration, not through adding more overhead to a word processor.

Also read: Why Singapore manufacturers must embrace MES for the future

Conclusion: Strategic alignment for the future-ready enterprise

To lead in the digital economy, organizations must stop viewing the AI Agent as a “feature” of their productivity software and start viewing it as a core component of their enterprise architecture. While MS Copilot provides valuable individual productivity gains, it is not a substitute for a robust, vendor-agnostic AI strategy. By avoiding the pitfalls of MS Office plugins—the versioning traps, the procurement fallacies, and the maintenance deficits—leadership can build a foundation that is resilient, secure, and truly intelligent. The path forward lies in centralizing intelligence at the heart of business processes, ensuring that your AI strategy drives value today and scales for the innovations of tomorrow.

Why we write this article

PRbyAI aims to share updated market news using our team’s tech knowledge, helping B2B customers make informed decisions.

—

Want updates like this delivered directly? Join our WhatsApp channel and stay in the loop.

This article was shared with us by PRbyAI

We can share your story at e27 too! Engage the Southeast Asian tech ecosystem by bringing your story to the world. You can reach out to us here to get started.

Featured Image Credit: Canva Images

About PRbyAI

PRbyAI is a tech-driven Martech startup leveraging cutting-edge AISEO to help customers generate leads and tap into new markets.

The post The architect’s mandate: Building a resilient foundation for the intelligent enterprise appeared first on e27.