New Research Finds Application Sprawl Puts APAC Workforces at Credential Risk

Global research from Zoho and Tigon Advisory Corp. finds APAC's application sprawl outpacing credential governance, with SMBs carrying the greatest exposure.

Zoho Corporation released the State of Workforce Password Security 2026, a global research study covering 3,322 verified respondents across nine regions, six industries, and twelve roles. The report, conducted by Tigon Advisory Corp. on behalf of Zoho Vault, finds a growing disconnect between how organizations perceive credential risk and how they have acted on it. In APAC, 64% of surveyed businesses run more than 15 applications, with integrated credential governance emerging as the region's most critical unmet need.

Timed to coincide with World Password Day, the report arrives at what the authors describe as a critical inflection point. Across the global sample, one in three businesses reported a confirmed cyberattack in the past year, and a further 7% were unable to confirm whether they had been attacked at all. The APAC region is on par with the global figure on this metric.

"World Password Day was created to remind people that credentials are still the entry point to the modern business. What this research shows is that the entry points have multiplied: the average APAC employee now logs into more than fifteen business applications, and most organizations cannot fully account for who has access to what across them," says Chandramouli Dorai, Chief Evangelist of Cyber Solutions at Zoho. "The issue is not under-investment, but investment without architectural coherence, leaving businesses with a significant gap between intent for security and actual results." APAC is the region with the second highest application sprawl, with 64% of businesses surveyed using more than 15 applications, 5 points above the global average.

The State of Security in APAC

There is a consistent theme across APAC respondent data: high awareness, high spending intent, and persistent visibility gaps. Among APAC respondents:

• 32% experienced a confirmed cyberattack in the past year.

• 73% lack complete identity visibility across their workforce, including orphaned accounts and undocumented access, one point lower than the global average.

• 74% plan to increase security spending in 2026 — two points above the global average.

• 64% of employees use 15 or more business applications, five points above the global average and the second highest application-sprawl rate of any region globally.

• 66% have not deployed a Zero Trust strategy, with most non-adopters expecting to implement within one to three years, this is on par with global average.

The AI Belief-to-Deployment Gap

The survey also measured business sentiment on AI's role in security strategy. Confidence is high, with 91% of APAC respondents believing AI can strengthen their security posture, yet only 8% of businesses globally are ready to adopt AI-powered security today. This belief-to-deployment gap is significant. Among desired AI security features, 68% of respondents prioritized anomaly and threat detection, compared to 47% who selected risk-based access controls.

The report identifies legacy infrastructure (cited by 52% of global respondents) and migration complexity (48%) as the primary blockers. Cost ranks third at 41%, reinforcing a recurring theme across the data: the constraint on security maturity is not budget but architecture.

"The organizations that will navigate the next five years most effectively are those investing in architectural simplicity, building governance models that scale with identity growth, and adopting AI-enabled orchestration to reduce friction,", says Helen Yu, Founder and CEO of Tigon Advisory Corp. "Budget is not the primary constraint on security maturity; architecture, talent, and visibility infrastructure are. The data in this report is a call to sequence correctly: fix foundations before chasing advanced capabilities."

The Application Sprawl Problem

The report frames credential risk as a function of attack-surface growth, and nowhere is that surface expanding faster than in APAC. The region's mobile-first, multi-cloud work culture means the average employee now accesses more than 15 business applications daily across on-site, hybrid, and remote settings. Credential management, in this context, is not a remote-work problem. It is a structural one.

Yet fewer than one in four organizations globally have deployed a dedicated password manager. The gap is most acute among SMBs, which dominate APAC's commercial fabric. More than half of respondents in organizations under 250 employees report no dedicated security team, with credential security left to shared spreadsheets, manual hygiene, and informal policies, what the report calls "the SMB credential blind spot." In a region where SMB-led growth is central to several national economies, this represents a systemic and largely unaddressed vulnerability.

What the Data Recommends

The report concludes with six imperatives for 2026, prioritized by deployment urgency: deploy a centralized password manager, close the identity visibility gap, pair password management with multi-factor authentication, build a Zero Trust roadmap, treat integration as a security requirement, and pilot AI-powered credential security within the next twelve months.

"Legacy infrastructure remains the primary blocker between any effective use of AI, including deploying AI for security," says Mani Vembu, CEO of Zoho. "Our future-ready stack is built around the premise that placing identity, access, and applications on the same architectural foundation provides fewer opportunities for vulnerabilities, higher identity visibility, and conveniently, an easier method of adding AI to assist in threat detection. As AI's sophistication in exploiting security weaknesses rapidly improves, migrating to a secure, AI-ready platform is only becoming more urgent."

Methodology

The State of Workforce Password Security 2026 was conducted by Tigon Advisory Corp. and sponsored by Zoho Corporation. The study is based on 3,322 verified responses across nine regions (United States, Canada, United Kingdom, European Union, India, Middle East and Africa, Australia and New Zealand, APAC, Japan, and China), six industries, and twelve workforce roles. Data was collected in early 2026. The full report, including all regional snapshots and methodology notes, is available at https://www.zoho.com/vault/state-of-workforce-password-security-report.html