How can governments in Asia evolve regulatory frameworks and sandbox models to keep pace with AI-driven risks?

Romanus: Governments across Asia are under pressure to ensure that regulatory frameworks and sandbox models keep pace with the speed and scale of AI-driven risks. The challenge begins with a fundamental mismatch: While digital transformation is accelerating rapidly, much of the underlying infrastructure was not designed to support this level of dynamism or complexity.

This is not unique to Asia; it is a global issue. However, it is particularly pronounced in fast-growing digital economies where adoption often outpaces governance.

To address this, regulatory approaches need to move away from static, compliance-driven models and towards more adaptive, iterative frameworks. In many cases, existing infrastructure and controls are no longer sufficient to defend against modern attack patterns. Threat actors are continuously evolving their tactics, techniques, and procedures and increasingly leveraging AI to automate, scale, and personalize attacks. As a result, governments must ensure that regulatory expectations encourage continuous improvement of security postures rather than periodic check-ins.

This is where sandbox environments become especially valuable. Properly designed sandboxes enable organizations to test new technologies, including AI systems, in controlled settings without exposing production environments to unnecessary risks.

However, many current sandbox models are too limited in scope or lack the sophistication needed to simulate real-world threats. To remain effective, these environments must be upgraded to reflect current attack methods, including AI-driven threat scenarios. This means enabling organizations to test technologies not just for functionality but for resilience under adversarial conditions.

Regulators can play a key role by embedding these expectations into policy. For example, encouraging or even mandating adversarial testing within sandbox environments can help organizations better understand how their systems behave under attack before they are deployed at scale. Additionally, frameworks should support faster feedback loops, enabling insights gained from sandbox testing to inform iterative regulatory updates.

Ultimately, evolving regulatory frameworks in the age of AI is not just about setting rules but about enabling a continuous cycle of testing, learning, and adaptation. By encouraging or requiring organizations to develop stronger sandbox capabilities and to align them with emerging threat landscapes, governments can help organizations innovate more safely while maintaining a strong defense against increasingly sophisticated cyber risks.

How should cross border digital connectivity be strengthened without compromising identity and data security, interoperability and trust?

Romanus: Strengthening cross-border digital connectivity without compromising identity security, data security, and trust starts with recognizing that no single organization or country can operate in isolation. Cyberthreats do not respect borders, and neither can responses. One of the most effective ways to bridge this gap is through structured, trusted sharing of threat intelligence across jurisdictions.

Today, many organizations already collaborate by sharing critical threat intelligence based on mutual agreements, helping stop attacks before they escalate. This kind of cooperation reduces the duplication of effort and ensures that once a threat actor’s tactics are identified in one environment, others can prepare for and defend against them. Without such coordination, organizations risk working in silos, responding to the same threats independently and far less efficiently.

At a broader level, international law enforcement bodies such as INTERPOL and Europol play a crucial role in facilitating cross-border information exchanges to disrupt criminal activity. Their models offer a useful parallel for cybersecurity. By enabling timely, secure sharing of intelligence across countries, they help build a more unified defense against threats that would otherwise exploit jurisdictional gaps.

In cybersecurity specifically, this intelligence sharing often involves reporting indicators of compromise such as malicious files, applications, or behaviors associated with known attack campaigns. Feeding this information into national or regional platforms enables other organizations to detect and respond to threats earlier, strengthening collective resilience. However, for this to work effectively, it must be underpinned by strong governance frameworks that ensure data is shared responsibly, with clear safeguards around privacy, identity protection, and data sovereignty.

Trust is the foundation here. Governments and organizations must establish common standards for how data is classified, shared, and protected. Interoperability also becomes critical because systems and platforms across borders need to be able to speak the same language so that intelligence can be acted upon quickly and accurately.

Ultimately, strengthening cross-border digital connectivity is not about choosing between openness and security. It is about enabling secure collaboration at scale. By institutionalizing trusted intelligence sharing mechanisms and aligning on standards, countries can enhance connectivity while safeguarding identities, protecting sensitive data, and maintaining public trust.

What does a secure-by-design approach look like for governments navigating AI data sovereignty and cyber security?

Romanus: A secure-by-design approach for governments navigating AI, data sovereignty, and cybersecurity starts with a fundamental mindset shift: Access should not be assumed or inherited; it should be continuously verified and tightly controlled. This is where the principle of Zero Trust becomes central.

Traditionally, government systems often relied on broad, role-based access models where network administrators or privileged users were granted extensive, persistent permissions. While this made operations efficient, it also introduced significant risks. If those credentials were compromised, attackers could gain deep, often unchecked access to critical systems and sensitive data.

A secure-by-design model moves away from this by embedding the principle of least privilege into every layer of the system. Instead of standing access, governments are increasingly adopting just-in-time access models. This means elevated permissions are granted only when needed, only for a specific task, and only for a limited period of time, after which they are automatically revoked. This drastically reduces the window of opportunity for misuse or compromise.

Importantly, this approach is not limited to human users. Applications and services, particularly those powered by AI, can also be assigned time-bound, context-aware permissions. Rather than granting permanent access to datasets or systems, governments should dynamically allocate permissions based on the task at hand. This is especially critical in the context of data sovereignty, where governments must ensure that sensitive data is accessed, processed, and stored in accordance with national regulations.

Visibility is another cornerstone of a secure-by-design approach. Governments need continuous insight into who or what is accessing their systems, under what conditions, and for what purpose. With this level of visibility, it becomes possible to enforce granular policies, detect anomalies early, and respond quickly to potential threats.

Ultimately, a secure-by-design approach is about building security into the architecture from the outset rather than layering it on after the fact.

By combining strong visibility with principles like Zero Trust and just-in-time access, governments can create resilient systems that not only protect sensitive data and identities but also support the safe, responsible deployment of AI at scale.