Why CISOs in Southeast Asia Need Zero Trust as Their AI Control Plane – AI Agents, Data Frontiers and Supply Chains

At Zenith Live 2026, held on 16-17 June in Vienna, Zscaler homed in on what Southeast Asian CIOs and CISOs are already hearing: AI agents are rapidly turning into digital workers within their organizations, while regulators are tightening data residency laws and supply-chain attacks are approaching core business operations.

Zscaler’s solution is to extend its Zero Trust Exchange platform and SASE platform beyond users and workloads to AI agents, unmanaged devices, multi-cloud workloads, and B2B partners, effectively positioning zero trust as the control plane for secure AI adoption in highly connected, highly regulated markets like Southeast Asia.

In my opinion, three steps stand out for Southeast Asian organizations in the AI layer:
1. An AI Vendor with an agent registry that controls how AI agents talk to data, applications, and other agents, inspects information and responses, and enforces least-privileged access in real time. In my opinion, this is important for sectors facing strict data management regulations in many jurisdictions.
2. Endpoint AI Security that exposes malicious on-premise AI tools, browser extensions, and plugins that proliferate on endpoints across distributed workforces and general contractor ecosystems in Southeast Asia.
3. AI access graph and AI Protect that maps AI assets, model usage, and data flows across SaaS, public cloud, and on-prem, supported by red-teaming integration, rapid scaling, and monitoring tools for over 250 GenAI applications.

Equally important in the Southeast Asian region is how Zscaler handles cross-border royalty communications. The company’s Zero Trust B2B Exchange replaces site-to-site VPNs and MPLS links with policy-controlled application access, so partners, outsiders, and regional subsidiaries can all reside on the same network. This is similar to how data and workflows move between markets. In parallel, its cloud is designed for a robust environment for logs and operations, with regional data centers and no external “kill switches”, a design clearly influenced by the European GDPR and local demands that now echo in Southeast Asian data regimes.

Bottom line, customer stories from AkzoNobel and Siemens Healthineers show what this looks like when implemented carefully – “dark” branches that cannot be discovered online, B2B connections based on zero-trust, and a clear strategy to guide the adoption of AI instead of preventing it.

For CISOs in Southeast Asia, here is a practical message:
1. Build a live inventory of AI applications and data flows overstepping the bounds before regulators and auditors force the issue.
2. Hide your infrastructure behind zero trust, so that neither partners nor AI agents can turn a single lapse in preparedness into a regional incident.
3. Treat zero trust as your own working model for AI, not a side project, because every new AI agent you install is now part of your workforce, your compliance posture, and your attack surface.

My Top 3 Recommendations for Southeast Asian CISOs in the AI Era
1. Reframe the Threat Model with Agents, Not Just Users
a. Revise threat models and control frameworks to clearly include AI agents as an identity: what they can access, what actions they can take, and how they are monitored.
b. Segregate agents by criticality and blast radius in the same way you privilege people’s accounts and critical applications.

2. Cut Out Lateral Movement Before You Rush All Danger
a. Consider that you will never put everything together; focus first on de-availability and consistent movement across branches, industries, and multi-cloud operations.
b. Use zero partitioning so that a vulnerable agent, endpoint, or partner connection can only see and affect what the policy explicitly allows.

3. Use AI Guardrails and Proof Controllers
a. Use AI-aware controls: AI Broker, monitoring lines for GenAI applications, data line with access graphs, and endpoint visibility in AI tools.
b. Make sure you can produce evidence, such as logs, policies, and genealogies, showing how AI access is controlled to boundaries, partners, and controlled data sets.
