
How AI agents are redefining identity risks in India’s digital ecosystem


India is transitioning from experimenting with artificial intelligence (AI) to integrating it as operational infrastructure. According to NASSCOM, the Indian AI market is projected to exceed $25 billion by 2027, driven by adoption in banking, IT services, manufacturing, and government platforms. 

This growth is supported by a robust policy framework. The IndiaAI Mission, under the Ministry of Electronics and Information Technology (MeitY), has allocated over ₹10,000 crore for AI infrastructure, datasets, and startup support. AI-enabled systems are also being integrated into various ministries and public digital infrastructure.

While India is leveraging AI on a large scale, a less visible but critical issue is emerging: the risks associated with human and non-human identities controlling AI systems. Non-human identities, created by AI agents and automation, are proliferating rapidly, introducing new challenges to an already complex digital landscape.


AI Agents: A New Class of Digital Workers

Modern AI agents represent a paradigm shift in automation. Unlike traditional bots that follow scripts, AI agents can think, learn, and perform tasks independently. They typically consist of three layers:

1. Orchestration – Defines goals.
2. Tools – Interact with enterprise systems.
3. Decision-making – Uses large language models to act based on context.


This architecture enables AI agents to operate across systems with minimal human intervention. They handle technical tasks like querying databases, calling APIs, triggering workflows, and multitasking. As a result, they are becoming digital coworkers. Industry predictions suggest environments with multiple AI agents will soon become the norm, particularly in software engineering, IT operations, and customer engagement.

The challenge with AI agents isn’t just their sheer numbers but the extensive access they accumulate over time. As companies assign more responsibilities to these agents, they gain access to cloud resources, data, CI/CD pipelines, and financial systems. Each new privilege expands the potential attack surface.

Incidents of AI agent misuse highlight how easily this access can be exploited. For example, an AI agent designed for a restricted task was manipulated into acting erratically by a malicious prompt hidden in business data. This occurred because the agent had access to tools beyond its intended purpose.


These vulnerabilities often stem from weak identity controls rather than sophisticated malware. In India, where AI agents are widely deployed in customer service, procurement, and operations, similar misconfigurations could lead to data breaches, intellectual property theft, or critical infrastructure exposure. The problem is exacerbated by the pressure to deploy AI quickly, often at the expense of mature security practices: McKinsey predicts AI could boost India’s economy by $1 trillion by 2030.

Identity Risks Beyond Machines

While non-human identities dominate the scale of the problem, human identities remain a critical vulnerability. Developers, AI professionals, and platform builders now have unprecedented access. The rise of low-code and no-code platforms in India has further expanded the user base, enabling individuals without security training to implement powerful automation.


Attackers are also shifting tactics, targeting post-login scenarios rather than breaking authentication. Session hijacking attacks, where browser cookies or access tokens are stolen, are on the rise. For AI agents, the primary targets are API keys and access tokens—digital credentials that are often poorly monitored and rarely rotated. In India’s interconnected digital economy, a single compromised token could enable undetected, long-term access across systems.

Why Identity Is the New Security Control Plane

India’s cybersecurity efforts have traditionally focused on perimeter defense, network security, and endpoint protection. While still essential, these measures are insufficient in an AI-driven enterprise. Automated systems that make decisions and execute transactions require identity to become the primary control plane. Identity determines not only what systems can do but also how far an attack can spread.


Global studies show that persistent, always-on privileges significantly increase risk, especially in automated environments. This has led to a shift toward zero standing privileges, where access is granted only when needed and revoked immediately after use. For AI agents, this means replacing long-lived credentials with task-based, time-bound access.
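Task-based, time-bound access for an agent can be sketched as a small grant broker that also blocks the over-broad tool access described earlier. This is an added example, not code from the article or any vendor; `GrantBroker`, the agent and tool names, and the signing key are hypothetical and constructed for illustration.

```python
import base64, hashlib, hmac, json, time

class GrantBroker:
    """Issues short-lived, task-scoped grants instead of standing API keys."""

    def __init__(self, key, clock=time.time):
        self._key, self._clock, self._revoked = key, clock, set()

    def _sign(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, agent_id, task_id, tools, ttl_seconds):
        claims = {"agent": agent_id, "task": task_id,
                  "tools": sorted(tools), "exp": self._clock() + ttl_seconds}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        return f"{body}.{self._sign(body)}"

    def revoke(self, token):
        self._revoked.add(token)  # called as soon as the task completes

    def authorize(self, token, tool):
        """Decide one tool call; returns (allowed, reason)."""
        body, _, sig = token.rpartition(".")
        if not hmac.compare_digest(sig.encode(), self._sign(body).encode()):
            return False, "bad-signature"
        if token in self._revoked:
            return False, "revoked"
        claims = json.loads(base64.urlsafe_b64decode(body))
        if self._clock() >= claims["exp"]:
            return False, "expired"
        if tool not in claims["tools"]:
            return False, "tool-out-of-scope"
        return True, "ok"

def demo():
    now = [1000.0]  # constructed clock so the run is deterministic
    broker = GrantBroker(b"constructed-demo-key", clock=lambda: now[0])
    grant = broker.issue("invoice-agent", "task-42", {"read_invoice"}, 300)
    out = [broker.authorize(grant, "read_invoice"),
           broker.authorize(grant, "send_payment")]  # e.g. requested by injected text
    done = broker.issue("invoice-agent", "task-43", {"read_invoice"}, 300)
    broker.revoke(done)
    out.append(broker.authorize(done, "read_invoice"))
    now[0] += 301  # past the 300 s lifetime
    out.append(broker.authorize(grant, "read_invoice"))
    return out

if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

The denial reasons double as detection signals: a burst of `tool-out-of-scope` or `expired` decisions for one agent is worth alerting on.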

Research indicates that outdated access patterns are now among the earliest signs of breaches. For Indian companies facing regulatory pressures from RBI, SEBI, and other sectoral bodies, adopting an identity-first approach not only enhances security but also simplifies compliance.

Securing India’s AI-Driven Future


AI agents are no longer a futuristic concept—they are integral to India’s digital ecosystem. Their role will be crucial in driving global competitiveness, innovation, and enterprise operations. However, as AI adoption accelerates, Indian leaders must address the associated risks.

By treating identity as a strategic asset, organizations can elevate their security practices. Both human and non-human identities must be managed with visibility, least privilege, and continuous monitoring. This approach will enable India to strike a balance between leveraging AI and safeguarding trust.

The next phase of India’s AI journey will not be guided solely by algorithms but by the strength of its identity management practices.

Rohan Vaidya



Rohan Vaidya is the regional director of sales, India at CyberArk.

