Australian and New Zealand organisations are rethinking cyber resilience and information governance as multi-cloud and multi-SaaS sprawl expands the attack surface and AI agents introduce a new category of risk, AvePoint ANZ Managing Director Max McNamara told the Gartner IT Infrastructure, Operations & Cloud Strategies Conference 2026 in Sydney.

In a session titled “Cyber Resilience, Governance, and Information Lifecycle Management”, McNamara framed the discussion around four foundational questions: where critical data lives and whether it is protected; whether it could be restored if it became unavailable; whether organisations know where the risk sits across their systems; and what guardrails are in place to prevent and recover from incidents involving AI.

“The protection plane is becoming large,” McNamara said. “It’s not just Azure, AWS, M365. What about identity? Okta, Entra ID. What about your customer data, Salesforce, CRM? What about ServiceNow? How are you managing workflow data, application data?”

One large Australian aged care provider was the first local example McNamara cited. The provider had been protecting its Microsoft ecosystem, including Azure, M365, Power Platform, identities and Entra ID, through a mix of first- and third-party tools, which McNamara said was time consuming and difficult to maintain.

“They’ve been able to consolidate that into one view,” he said. “They have the ability now to create and maintain those background jobs and that information in one place.”

With the backup foundation in place, the provider is now turning its attention to other systems of record that have historically been overlooked. ServiceNow is next on the agenda, with McNamara noting it has evolved from a traditional ITSM platform into a repository for business-critical information. “That wouldn’t have even been a conversation if this wasn’t already in control.”

Across the Tasman, a large New Zealand construction business was cited as an example of the operational gains organisations can extract once they have a unified view of their protection estate.

McNamara said the organisation estimated that insights drawn from AvePoint’s “command centre” had saved around 2,000 hours, or roughly 83 days, that had previously been spent manually building reports to understand what was protected, what had exceptions, and what did not.

“A lot of that time was spent being reactive. Now it’s proactive,” McNamara said. The reclaimed effort has been redirected into resolving exceptions, reviewing scopes and building out containerisation.

Large enterprises cut restore times by 40 per cent

McNamara said two large-scale AvePoint enterprise customers had reduced the time required to identify and restore data by around 40 per cent compared with the legacy platforms they previously relied on.

He stressed that real-world restoration in most enterprises is rarely a full-environment rebuild.

“It’s going to be much more granular, a much more surgical toolkit to help them identify the data they’re looking for, whether that’s a user, a mailbox, a file, and be able to restore that back in place or out of place, depending on the requirement.”

McNamara also described an approach to priority-based recovery, which allows organisations to define which groups, teams or user types are restored first in the event of an incident.

“If there was to be an outage or incident, you probably want your executives, your C-suite, to have access to their data and information before maybe someone six or seven levels down in the organisation.”

He added that AvePoint had recently embedded Microsoft’s first-party Backup for 365 service inside its own platform to provide rapid restore within the native experience for certain workloads.

Organisations shrink the surface area

Shifting the conversation from reactive recovery to proactive information governance, McNamara highlighted examples from a consumer goods company and an Australian healthcare provider as organisations using information lifecycle management to reduce risk before incidents occur.

He pointed back to the Optus and Medibank breaches as cautionary examples.

“If you look at the underlying issue with something like Optus, it was they held too much data. If ultimately they didn’t hold as much data, the significance of that breach would be much smaller.”

At the consumer goods company, the focus is on archiving redundant content out of production. McNamara said this both reduces Microsoft cloud storage costs and ensures the data that remains in production is relevant rather than obsolete or trivial, shrinking the surface area available to attackers.

The healthcare provider, with more onerous compliance obligations, is rolling out retention and disposition rules so that content no longer required is removed from production and from backups as well.

“That’s two examples of organisations moving from reactive cyber resilience to a more proactive position, managing the data in the environment before it gets to an incident, to reduce the surface area and reduce the control plane we’re worried about,” McNamara said.

Shadow AI: the new resilience challenge

McNamara reserved his strongest concern for what he described as a shadow AI problem emerging as enterprises deploy more agents.

When an agent is spun up, he explained, it typically requires an enterprise application to access Microsoft Graph, email and SharePoint. When the agent is later retired or deleted, the enterprise application often remains in place with its permissions intact, with no clear ownership or monitoring.

“It’s still got the permissions. It’s still set up for the use case it was set up for. We don’t know who’s accessing it. We don’t know what risk there is. And ultimately, no one’s monitoring it. So we don’t even know if it’s a problem or not.”

He argued that AI agents should be governed with the same rigour as human users. Organisations need to know what agents exist, what data those agents can reach, who is accessing them, which of that data is sensitive, and what actions are being taken with it. The same questions, he noted, apply across Google, OpenAI and Anthropic’s Claude, not just Microsoft. “It’s becoming a challenge. It’s not just limited to one vendor.”