Is agentic AI challenging CISOs on identity security?

The rise of agentic AI marks a fundamental shift in how digital enterprises operate. These systems don’t wait for instructions; they initiate actions, extract intelligence from CRMs, open support tickets, orchestrate workflows, execute transactions, and increasingly make decisions traditionally reserved for humans. At scale, this autonomy unlocks unprecedented efficiency but also amplifies systemic risk.

The uncomfortable truth is this: enterprises are deploying autonomous AI faster than they are building the guardrails to control it. The question is no longer about capability. It is about containment.

India’s AI Inflection Point: Where Scale Outpaces Control

India is entering a defining moment. By the end of 2025, the country’s digital economy is projected to contribute an additional $450–500 billion to GDP, much of it fuelled by intelligent automation. Private and public sectors are simultaneously accelerating AI adoption: enterprises are embedding AI in front-office and back-office operations, while the government is pushing ahead with the IndiaAI Mission, building data platforms, compute capabilities, and early thinking around ethical AI.

But adoption without accountability is a strategic blind spot. India’s enterprises operate in one of the world’s fastest-moving, most interconnected digital ecosystems. With thousands of vendors, shared platforms, cross-cloud architectures, and a complex API economy, one misconfigured AI agent is not just a bug; it’s a blast radius. Governance, identity, and oversight need to evolve at the same pace as innovation. Today, they don’t.

When Autonomy Scales Faster Than Governance

McKinsey’s latest Global AI report shows that nearly 60% of enterprises are deploying AI systems that act independently, but fewer than 20% have strong governance frameworks. That gap is not academic; it is existential.

Agentic AI can now:
•    Access sensitive systems
•    Move laterally across applications
•    Trigger workflows
•    Conduct transactions
•    Interact with humans and machines

Yet many of these “non-human workers” are introduced into environments without the same security checks applied to new human employees.

In India, the challenge is magnified:
•    High-speed digital transformation
•    Deeply interconnected vendor ecosystems
•    Fragmented legacy systems and hyper-scale cloud deployments

The result? Identity ambiguity. Enterprises can no longer answer a basic question: Who or what is acting inside my organisation?

India’s Agentic Moment: Governance Becomes the New Innovation

India’s large enterprises are not ignoring the problem; they are waking up to it. NASSCOM’s AI Adoption Index 2.0 reveals that 87% of major Indian enterprises have embedded AI into core operations. Regulatory bodies are also signalling intent: MeitY on traceability, RBI on responsible AI for financial services.
But the shift I see on the ground is more fundamental: Enterprise leaders are finally shifting from “Can we build it?” to “Should we trust it?”

We are seeing:
•    AI ethics committees inside corporates
•    Governance and audit pilots
•    Cross-functional risk and compliance frameworks
•    Industry–academia collaborations for explainability norms
•    Automated monitoring and agent risk scoring

India’s digital economy won’t be defined by AI adoption alone, but by the credibility and trust it can sustain at scale.

Identity: The Non-Negotiable Foundation of Responsible Autonomy
True accountability begins with identity. If AI agents are making human-grade decisions, they must be bound by human-grade controls.

This means:
•    Issuing secure digital identities to every AI agent
•    Applying least privilege access
•    Creating full audit trails of every action
•    Enforcing policy-based oversight
•    Linking AI activities to the same trust fabric used for humans and machines

A recent industry study indicates that enterprises with strong identity-centric controls see up to 30% lower AI-related risk exposure without slowing their innovation velocity.

India’s own Digital Public Infrastructure (DPI) experience is proof that identity + transparency = trust. The logic that built Aadhaar, UPI, and other national-scale platforms must now be extended to AI systems that operate inside enterprises. Agentic AI without identity controls is not autonomy. It is anarchy.

The Real Shift: From Adoption to Assurance

For years, AI adoption was the success metric. Today, that metric is obsolete. The new benchmark is AI assurance ability to prove that every autonomous decision is intentional, ethical, traceable, reversible, and compliant. India is inching toward a future where governance frameworks will become baseline requirements like data protection standards today.

Early movers are already strengthening their competitive advantage. In the coming years, assured AI will be the defining feature separating trusted enterprises from vulnerable ones.

Trust by Design: The Enterprise Imperative
The AI race will not be won by capability; it will be won by credibility. The winners will be those who embed trust by design:
• Control → Every agent has enforceable boundaries
• Identity → Every action is attributable
• Transparency → Every decision is explainable

Proactive governance will replace reactive security. Enterprises that design for safety today will define global benchmarks tomorrow.

The CIO–CISO Mandate: Control What You Cannot See

Agentic AI is blurring the line between human and machine decision-making. That shift is irreversible. What remains within enterprise control is how identity, privilege, and trust frameworks evolve to govern this new workforce of autonomous agents.

The question is no longer whether AI can act like a human; it is whether your enterprise can control and trust it when it does. This is India’s agentic moment. And the choices made now will determine whether autonomy becomes an accelerant of innovation or a catalyst for systemic risk.

Rohan Vaidya

---

Rohan Vaidya is the regional director of sales, India at CyberArk.