Key takeaways
Absolute uptime is an outdated goal because cloud outages are now inevitable, meaning success in 2026 and beyond requires shifting focus toward minimizing the operational blast radius and managing impact during infrastructure failures.
API attacks, driven by automated bots and agentic AI systems, have surged by more than 30% year over year, which makes continuous lifecycle governance and deep visibility critical for modern enterprises.
Autonomous AI agents and service accounts now outnumber human users to create machine identity sprawl, creating one of the fastest-growing cloud security visibility gaps across the Asia-Pacific (APAC) region.
Modern infrastructure architecture demands multicloud portability and distributed cloud environments to effectively balance security resilience with regional data sovereignty and compliance rules.
The technology landscape is no longer changing incrementally — it is shifting structurally. APIs have become the backbone of digital systems, AI is redefining how applications behave in real time, and repeated cloud disruptions are forcing leaders to confront a hard truth: Availability alone is no longer enough.
In the webinar Beyond Outages: AI, API Security, and Resilience Strategies for 2026, senior technology and security leaders — Dr. Kevin Tham (CISO, RDC.AI), Jay Jenkins (Cloud Chief Technology Officer, Akamai), and Reuben Koh (Director, Security Technology and Strategy, Akamai) — converged on a shared view.
Their consensus? The organizations that will succeed in 2026 will not be those that deploy more tools, but those that rethink architecture, resilience, governance, and risk in an AI-first world.
From uptime metrics to impact-driven resilience
For years, resilience was synonymous with uptime — four nines, five nines, and systems designed to never fail. Reality has caught up; outages will happen, across every provider and every platform.
What has changed is the blast radius. Our State of the Internet (SOTI) Security research shows that application-layer attacks and disruptions in APAC have grown steadily year over year, increasing the likelihood that outages now coincide with active security threats rather than isolated technical failures.
As a result, the definition of resilience is shifting from preventing failure to managing impact. Leaders are asking tougher questions:
What fails first?
Which business functions are affected?
Which security controls disappear when infrastructure degrades?
How quickly can systems recover without introducing new risk?
When security controls live inside the same infrastructure that they protect, availability risk becomes security risk. Designing for resilience in 2026 means planning for controlled failure, not perfect uptime.
Cloud architecture is being rewritten
The last decade of cloud adoption prioritized speed. “Lift and shift” worked well for a while, until scale, cost pressure, and outages exposed its limits.
Architecture is now being reshaped by portability, distribution, and sovereignty. Gartner forecasts that by 2026, more than 75% of enterprises will deliberately run workloads across hybrid or multicloud environments because of resilience, regulatory pressure, and geopolitical considerations rather than cost alone.
AI accelerates this shift as inference workloads increasingly need to run closer to users, devices, and data sources to meet latency, performance, and data-residency requirements. What was once a centralized model is becoming inherently distributed.
Where workloads run, who controls them, and how data moves across regions are now strategic decisions that allow for increased flexibility, but also significantly increase security complexity.
APIs: The invisible risk multiplier
APIs are the nervous system of modern enterprises, powering applications, integrations, and AI workflows. Yet many organizations still lack clear visibility into how many APIs they expose, what data flows through them, or who owns them.
According to our SOTI: Apps, APIs, and DDoS 2026 report API attacks grew more than 30% year over year, with APAC identified as one of the fastest-growing regions for API abuse.
AI magnifies this risk. Agentic systems depend on APIs to take real-world actions –- moving money, accessing records, triggering workflows, and controlling services. When APIs are exposed or misused, the impact extends far beyond data leaks to unauthorized actions and operational disruption.
Looking farther past 2026, API security will be less about adding gateways and more about governance, lifecycle ownership, and continuous visibility.
Attackers are accelerating faster than defenders
AI is transforming attackers just as much as defenders. Automation and bots now dominate malicious traffic patterns, allowing adversaries to scale reconnaissance and exploitation at machine speed.
We’ve observed that automated attacks and bot-driven abuse now account for a significant share of malicious application traffic that is compressing attack timelines and shrinking defender response windows.
This evolution exposes the limits of static rules and perimeter-only defenses. Risks such as workflow manipulation, API abuse, and AI-driven reconnaissance demand security models built around visibility, behavior, and intent, not just static rules.
Identity in a world of machines and agents
As AI agents proliferate, machine identities are rapidly outnumbering human users. Service accounts, workloads, APIs, and autonomous agents now form the majority of active identities in many environments. As we move from a human-centric web to an agentic web, the volume of machine-to-machine API calls will require real-time intelligence and adaptive AI to distinguish legitimate agent behavior from malicious automation.
Forrester highlights that machine identity sprawl is now one of the fastest-growing security visibility gaps, particularly in cloud- and API-driven architectures that are common across APAC.
Securing identities in 2026 means understanding not just who has access, but why actions are taken — and whether behavior aligns with intended outcomes. Identity security is evolving from access control to behavioral assurance.
Leadership mindset: Enable, don’t block
Blocking AI use within the enterprise will be increasingly unrealistic. Adoption is already widespread, often outside formal approval channels.
The more effective strategy is enablement with governance: approved tools, clear guardrails, education, and visibility into use. You should treat AI as a productivity layer that’s integrated into existing risk frameworks, not as a parallel, unmanaged system.
Leaders should no longer be asking “Are we secure?” but “Are we resilient enough? How?” and “Can we scale our governance across AI use?”
The new security and resilience blueprint
As you prepare for the rest of 2026, several principles stand out:
Resilience must account for both availability and security.
Architecture must balance distribution, portability, and sovereignty.
API visibility and governance are foundational.
AI security must extend beyond prompts to workflows, identities, and intent.
Core fundamentals like access control, patching, multi-factor authentication (MFA), and user training will matter more than ever before.
Looking ahead
The convergence of AI, APIs, and distributed cloud is reshaping how digital enterprises operate and how they might fail. The organizations that thrive in 2026 and beyond will be those that redesign for impact, gain visibility before control, and enable innovation with well-defined governance rather than increase restrictions because of fear.
In an AI-driven world, resilience will no longer be just a compliance checkbox. It will be a strategic capability that will allow you to adapt and thrive in the new normal.
Tags