Trust at scale: How Southeast Asia is securing digital identities in the age of AI

The region’s rapid digital transformation is accelerating across sectors, but with this progress comes a new set of risks that many companies are still ill-equipped to handle. As governments champion initiatives such as Singapore’s Smart Nation programme and Malaysia’s MyDigital blueprint, enterprises are becoming increasingly reliant on cloud-native infrastructure, AI applications, and digital-first customer touchpoints. However, this digitisation has also made the region a prime target for identity-based cyber threats, particularly those powered by AI.

According to a report by IBM Security, the Asia Pacific region now accounts for over 31 percent of all cyberattacks globally, with financial services and manufacturing being the most frequently targeted sectors. In Southeast Asia specifically, the rise of AI-generated deepfakes, synthetic identity fraud, and autonomous bots is challenging conventional security systems and overwhelming legacy identity infrastructures. Companies are no longer just protecting accounts—they are defending trust.

---

---

The shift has led to growing interest in modern identity and access management (IAM) systems, especially those offering decentralised, passwordless, or biometric authentication models. Singapore’s Singpass, which now includes facial recognition for government and financial services, exemplifies this evolution. Meanwhile, the Philippines and Malaysia are deploying national digital ID programmes to build secure, user-centric digital ecosystems that aim to integrate fintech, healthcare, and e-government services.

For mid-sized companies, the adoption of advanced identity proofing tools remains inconsistent. Budget constraints, legacy systems, and fragmented regulatory frameworks have slowed down uptake, even though small businesses often face disproportionately severe consequences in the wake of a breach. That said, cloud-native platforms and policy-driven orchestration tools are emerging as viable solutions, enabling adaptive security models that respond in real time to risks like credential stuffing or deepfake impersonations.

As enterprises prepare for a future where AI attacks are faster and more convincing, digital identity will become the frontline defence. The real challenge for Southeast Asia’s tech ecosystem is not just building security infrastructure, but building trust at scale; something only verifiable identity systems can enable. To learn more, we spoke to Jasie Fon, Regional Vice President of Asia at Ping Identity, about the issue and what needs to be done.

Southeast Asia has seen a sharp rise in digital adoption, but that has also made it a prime target for AI-driven cybercrime. How are enterprises in this region currently positioned when it comes to identity infrastructure?

SEA countries are taking a well-planned approach towards wider digital adoption. As countries ramp up their digital transformation journey powered by AI, fraud risks are also escalating. The emergence of AI agents demands organisations to redraft their identity and access management (IAM) architecture to protect against non-human identities, and brings a heightened level of concern as the sheer scale and absence of downtime that come with the nature of agents make it increasingly difficult to manage. 

As many countries in the region are implementing national ID programs, secure digital identity capabilities are on the rise and have evolved from passwords to biometrics, a more intricate security marker. Singapore’s SingPass, launched in 2003, has progressively enhanced its digital features over the years and is currently a complex interplay of financial identity and access management. Countries like the Philippines (Philippines Digital National Identity Project) and Malaysia (MyDigital D Superapp) are also actively implementing and updating their digital ID systems with a varied approach. Biometric-enabled digital IDs are also increasingly used in digital wallets to authorise transactions in the aviation sector to help strengthen security while improving travel efficiency and experience. 

How realistic is it for mid-sized companies in Southeast Asia to adopt advanced AI-powered identity proofing tools, considering cost, regulatory gaps, and digital maturity levels?

A well-implemented Identity proofing system is a necessity in today’s complex digital world. And because bad actors understand the resource limitations of small or mid-sized companies, it’s even more of a necessity, as an incident can be more crippling with fewer resources that ensure resilience. While cost and manpower are realistic challenges, reliance on legacy systems and constant updates in new technology and regulatory frameworks also contribute to the slow and staggered adoption in the region. Supply chain risks can also cause a ripple effect with a significant impact on their partners. Nonetheless, with the right partnerships, it is still realistic for any size business to adopt identity proofing tools that cater to their specific maturity and risk appetite. 

What are some of the biggest misconceptions companies have when it comes to implementing decentralised identity systems or passwordless authentication in Southeast Asia’s highly varied tech environments?

SEA is a technologically diverse region, and digital maturity varies across countries, so it’s important to underline that going passwordless is not all or nothing, but rather a journey worth starting if you stand to keep up with the evolving threat landscape and customer demands. We often hear that passwordless is too complex or too expensive. Complexity is a misconception because although it comes with compliance restraints, it still shows up in legacy systems where users juggle countless passwords, have frequent reset requests and burden the help desk and adding frustration and friction. And while passwordless requires upfront investment, it adds such significant help desk efficiencies and customer experience improvements that it’s well worth it. And in a world where you can only trust what can be verified, decentralised identity through verifiable credentials is the solution. 

What role do policy-driven orchestration platforms play in enabling real-time decision-making and adaptive security responses in this new threat landscape, including deepfakes?

Policy-based access controls offer organisations a variety of advantages over more traditional access control methods, including flexibility, scalability, enhanced security, consistency and auditability. Because they are more adaptable and flexible, they offer more fine-grained control in an increasingly dynamic threat environment. Adaptive security responses using Continuous Adaptive Trust ensure users are repeatedly evaluated and reevaluated, avoiding fraudulent impersonations like deepfakes. 

From your perspective, which sectors in Southeast Asia are currently leading the charge in adopting identity-centric cybersecurity strategies, and what can others learn from their example?

Remote work and rapid cloud adoption have made identity an integral part of modern cybersecurity strategies in large enterprises. Financial, Retail, and healthcare have already implemented identity-based verification at different levels. These organisations are seeking identity solutions that are scalable and are looking for global solutions providers who can actively support these developments in the region. We foresee a lot of growth and customer interest in investing in new fraud and threat detection products.

Looking ahead, what key capabilities should Southeast Asian enterprises prioritise in 2025 and beyond to future-proof their digital identity strategies against emerging AI-powered threats and regulatory tightening?

The advancing threat landscape has proven that identity is under attack, and that trust can only come from what can be verified. Implementing identity verification techniques like liveness detection, selfie-matching, voice matching, and credential verification through biometrics enables individuals to securely and conveniently verify their identity during registration/onboarding, during account resets and password changes, or to perform higher-risk transactions. These capabilities offer an unbreakable chain of trust that will be essential to safeguard against bad actors.