When the Perimeter Disappears, Identity Becomes Everything

For decades, enterprise security meant building higher walls. Today, those walls no longer exist. Cloud adoption, remote work, and the explosive rise of agentic AI have dissolved the traditional perimeter, leaving identity as the last line of defence standing between organisations and a catastrophic breach. Yet across Indian boardrooms, identity and access management remains stubbornly misclassified as an IT expense rather than a strategic risk priority. Stephanie Barnett, Vice President of Presales for Asia-Pacific Japan at Okta, has watched this blind spot widen in real time. From shadow AI agents quietly harvesting OAuth tokens to non-human identities outnumbering employees 144-to-one, she makes the case that governing identity is no longer optional: it is the defining security challenge of our era.

Stephanie Barnett
Vice President, Presales, Asia-Pacific Japan
Okta

CISO Forum: India’s IAM Blind Spot — What is the most dangerous gap in how Indian enterprises govern their identity estate, and how should CISOs reframe IAM as a board-level risk mandate?

Stephanie Barnett: The most dangerous gap in Indian enterprise identity governance lies in leadership, not technology. Failures in identity governance consistently trace back to how organisations structure accountability, rather than which tools they buy. IAM has been owned by IT, funded as infrastructure, and reviewed annually.

The consequences are concrete. Indian enterprises face excessive IAM permissions and cloud misconfigurations as their top breach vectors, and financial losses from cyber fraud crossed ₹36,450 crore. Meanwhile, Okta’s Auth0 Customer Identity Trends Report 2025 shows Indian users have the highest identity fraud anxiety globally: 81% concerned, with 54% extremely worried. The risk is felt at every level except where it matters most: the board. Moving IAM from the IT stack to the enterprise risk register is the foundational shift Indian CISOs need to drive.

CISO Forum: DPDP & In-Country Residency for BFSI — How does Okta’s January 2026 India tenant concretely change the security architecture conversation for a BFSI CISO, beyond compliance checkbox?

Stephanie Barnett: For a BFSI CISO, the January 2026 India tenant is an architectural decision. Now, the identity control plane, across authentication logs, access decisions, and session data, sits within Indian borders by design. That is a material shift. Most BFSI organisations today are running identity infrastructure on global cloud regions, which creates a structural problem: CERT-In requires incident reporting within six hours of detection, and RBI frameworks also expect very tight reporting timelines. That kind of SLA leaves very little room for delay, especially if your identity telemetry is not immediately accessible.

The DPDP Act, with enforcement expected by May 2027, reinforces this, but the more immediate driver for BFSI CISOs is the operational resilience argument. An in-country tenant also means Enhanced Disaster Recovery stays within the region, so authentication infrastructure remains live during regional outages. For banks and insurers extending AI agents into customer workflows, keeping that entire identity perimeter, human and machine, within a governed, in-country boundary is the only way to scale AI without creating regulatory exposure.

CISO Forum: Governing Shadow AI Agents — For a CISO whose employees are already using unsanctioned AI tools, what is the practical first step toward discovering and governing shadow AI agents — and how does this differ from governing shadow SaaS?

Stephanie Barnett: The practical first step for a CISO is discovery. Shadow AI agents are fundamentally different from shadow SaaS. A shadow SaaS application sits passively; it stores data in an unauthorised location. A shadow AI agent can autonomously access systems, exfiltrate data, and execute decisions in real time. Roughly 72% of enterprise GenAI usage came through personal accounts that employees used without IT approval, making shadow AI one of the biggest blind spots in enterprise risk management that year.

At Okta, this discovery mechanism is OAuth. Every shadow agent an employee enables grants itself access to enterprise applications via OAuth tokens, digital keys that most identity systems never audit. The first step for any CISO is surfacing those OAuth consent grants across the application estate, identifying which agents are connecting to what data, and registering them as governed identities with named human owners.

CISO Forum: Non-Human Identity Governance for GCCs — How does ISPM provide visibility into NHI risk that traditional IAM tools are blind to — and what does a mature NHI programme look like for a large Indian IT services firm?

Stephanie Barnett: Traditional IAM was designed for human users with known roles and provisioning workflows. Non-human identities (service accounts, API keys, OAuth tokens, cloud workloads, and AI agents) operate at machine speed, proliferate without governance controls, and rarely get deprovisioned. For a large Indian GCC or IT services firm, this is not theoretical. Enterprises today run roughly 144 non-human identities for every human user, and most identity tooling was never built to see them.

The governance approach that works starts with visibility: mapping every non-human actor in the environment, what it connects to, what credentials it uses, and who owns it. From there, a mature NHI programme enforces least-privilege access, rotates credentials on defined cycles, and assigns a named human owner to every non-human identity so there is clear accountability when something behaves anomalously. The principle is the same as any good IAM programme: you cannot govern what you cannot see, and you cannot contain a breach in an identity that was never in the system to begin with.
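The discovery step in the previous two answers (surface every OAuth consent grant, map which agents reach which data, flag the ones with no named owner, excessive privilege, long-lived refresh tokens, overdue credential rotation or no recent use) can be expressed as a small audit over an exported grant inventory. The script below is an added example written for this page; it is not Okta code and does not use any Okta API. The grant records, field names, scope naming convention (`*.read` / `*.write` / `*.admin`), rotation and staleness windows, and the `TODAY` value are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass
class Grant:
    """One OAuth consent grant / non-human identity as an identity team might export
    it from an IdP or SaaS admin console. Field names are assumptions for this example."""
    client_id: str
    name: str
    kind: str                # "app", "service_account" or "ai_agent"
    owner: Optional[str]     # named human owner, or None if nobody is accountable
    scopes: List[str]
    last_rotated: date       # last client-secret / API-key rotation
    last_used: date          # last token use seen in telemetry

# Constructed reference date and sample inventory; not real data.
TODAY = date(2026, 4, 22)
GRANTS = [
    Grant("app-01", "Corporate SSO Dashboard", "app", "it-platform@example.com",
          ["openid", "profile"], date(2026, 3, 1), date(2026, 4, 20)),
    Grant("agent-07", "Sales Summariser (personal account)", "ai_agent", None,
          ["crm.read", "mail.read", "offline_access"], date(2026, 2, 14), date(2026, 4, 21)),
    Grant("svc-ci", "Build Pipeline Deployer", "service_account", "devops@example.com",
          ["repo.write", "cloud.admin"], date(2024, 6, 1), date(2026, 4, 22)),
    Grant("agent-12", "Ticket Triage Bot", "ai_agent", "support-lead@example.com",
          ["tickets.write", "offline_access"], date(2025, 12, 15), date(2026, 1, 5)),
    Grant("svc-old", "Legacy Report Exporter", "service_account", None,
          ["hr.read"], date(2025, 1, 1), date(2025, 10, 1)),
]

# Weights used to order the remediation queue (assumed; tune to your risk appetite).
WEIGHTS = {"no_owner": 5, "high_privilege": 4, "refresh_token": 2,
           "rotation_overdue": 2, "stale": 1}

def scope_tier(scope: str) -> str:
    """Coarse privilege tier inferred from the scope name (naming convention assumed)."""
    if scope == "*" or scope.endswith(".admin"):
        return "high"
    if scope.endswith((".write", ".send", ".delete")):
        return "medium"
    return "low"

def audit_grant(g: Grant, today: date = TODAY,
                rotation_days: int = 90, stale_days: int = 60) -> List[str]:
    """Governance findings for one grant; an empty list means nothing to fix."""
    findings: List[str] = []
    if g.owner is None:
        findings.append("no_owner")            # nobody to page when it misbehaves
    if any(scope_tier(s) == "high" for s in g.scopes):
        findings.append("high_privilege")
    if "offline_access" in g.scopes:
        findings.append("refresh_token")       # access persists across logout/password reset
    if (today - g.last_rotated).days > rotation_days:
        findings.append("rotation_overdue")
    if (today - g.last_used).days > stale_days:
        findings.append("stale")               # unused credential: deprovision candidate
    return findings

def audit(grants: List[Grant], today: date = TODAY) -> Dict[str, List[str]]:
    """client_id -> findings, only for grants that have at least one finding."""
    result: Dict[str, List[str]] = {}
    for g in grants:
        findings = audit_grant(g, today)
        if findings:
            result[g.client_id] = findings
    return result

def data_map(grants: List[Grant]) -> Dict[str, List[str]]:
    """Answer 'which identities can reach which data': data scope -> client_ids."""
    m: Dict[str, List[str]] = {}
    for g in grants:
        for s in g.scopes:
            if s in ("openid", "profile", "offline_access"):
                continue                       # identity/session scopes, not data
            m.setdefault(s, []).append(g.client_id)
    return {s: sorted(ids) for s, ids in sorted(m.items())}

def prioritise(findings: Dict[str, List[str]]) -> List[Tuple[str, int]]:
    """Remediation queue: highest weighted score first, unowned identities on top."""
    scored = [(cid, sum(WEIGHTS[f] for f in fs)) for cid, fs in findings.items()]
    return sorted(scored, key=lambda x: (-x[1], x[0]))

if __name__ == "__main__":
    report = audit(GRANTS)
    for cid, score in prioritise(report):
        print(f"{cid:10} score={score:2} findings={report[cid]}")
    print("data map:", data_map(GRANTS))
```

The output is the registration worklist the answer describes: the unowned AI agent with a refresh token to CRM and mail data sits at the top, the over-privileged CI service account with a two-year-old secret next, and the well-governed dashboard app does not appear at all.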

CISO Forum: Identity’s Role in Ransomware Resilience — How does Okta’s Zero Trust + Privileged Access + Identity Threat Protection stack change the resilience calculus for an enterprise anticipating a credential-based ransomware attack?

Stephanie Barnett: India’s ransomware problem has a clear root cause. Recently, IBM’s Cost of a Data Breach 2025 report confirmed that stolen credentials take an average of 292 days to detect and contain, the longest of any attack vector. For Indian BFSI organisations that are heavily targeted through credential harvesting and deepfake-enabled fraud in 2025, that detection gap is where ransomware takes hold.

The resilience calculus changes when you layer three capabilities together. Okta’s Adaptive MFA interrupts the initial credential compromise attempt by evaluating device, location, and network signals in real time. Zero Trust then ensures that even if an attacker gets in, they cannot move laterally. Access is enforced contextually at every step. Okta Identity Threat Protection then runs continuous risk evaluation throughout the active session, detecting post-authentication anomalies like session hijacking, impossible travel, and privilege escalation before a payload deploys. Together, these break the credential-to-ransomware chain at every stage, even beyond login.
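The post-authentication anomalies named above (session hijacking, impossible travel, privilege escalation) are detectable from ordinary session telemetry without any vendor product. The code below is an added example for this page, not Okta's Identity Threat Protection logic: it evaluates a constructed JSON-lines session log continuously, event by event, and raises an alert when a user's apparent travel speed exceeds what a flight allows, when a session is presented from a device fingerprint other than the one bound at login, or when a session acquires a privileged role it did not log in with. The log format, field names, speed threshold and role names are all assumptions.

```python
import json
import math
from datetime import datetime, timezone
from typing import Dict, List

# Constructed session telemetry, JSON lines; not real logs. Field names are assumptions.
LOG_LINES = """
{"ts":"2026-04-22T09:00:00Z","user":"alice","session":"sess-A","event":"login","role":"analyst","ip":"203.0.113.10","lat":19.076,"lon":72.877,"device":"fp-1a2b"}
{"ts":"2026-04-22T09:20:00Z","user":"alice","session":"sess-A","event":"access","resource":"crm","ip":"203.0.113.10","lat":19.076,"lon":72.877,"device":"fp-1a2b"}
{"ts":"2026-04-22T09:35:00Z","user":"alice","session":"sess-A","event":"access","resource":"crm","ip":"198.51.100.7","lat":50.110,"lon":8.682,"device":"fp-9f8e"}
{"ts":"2026-04-22T10:00:00Z","user":"bob","session":"sess-B","event":"login","role":"analyst","ip":"192.0.2.44","lat":12.972,"lon":77.594,"device":"fp-77c0"}
{"ts":"2026-04-22T10:05:00Z","user":"bob","session":"sess-B","event":"role_change","role":"global_admin","ip":"192.0.2.44","lat":12.972,"lon":77.594,"device":"fp-77c0"}
{"ts":"2026-04-22T11:00:00Z","user":"bob","session":"sess-B","event":"access","resource":"payroll","ip":"192.0.2.44","lat":12.972,"lon":77.594,"device":"fp-77c0"}
""".strip()

MAX_SPEED_KMH = 1000.0                               # assumed: faster than any airliner
PRIVILEGED_ROLES = {"global_admin", "security_admin"}  # assumed role names

def parse_events(text: str) -> List[Dict]:
    """Parse JSON lines into dicts with an aware UTC datetime, ordered by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def detect(events: List[Dict]) -> List[Dict]:
    """Continuous per-event risk evaluation; returns alerts in the order they fire."""
    alerts: List[Dict] = []
    last_seen: Dict[str, Dict] = {}        # user -> previous event (for velocity)
    session_device: Dict[str, str] = {}    # session -> device fingerprint bound at login
    session_role: Dict[str, str] = {}      # session -> role held at login
    for e in events:
        user, sess = e["user"], e["session"]
        if e["event"] == "login":
            session_device[sess] = e["device"]
            session_role[sess] = e.get("role", "")

        # 1. Impossible travel: distance since the user's previous event vs elapsed time.
        prev = last_seen.get(user)
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600.0
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                alerts.append({"type": "impossible_travel", "user": user, "session": sess,
                               "detail": f"{km:.0f} km in {hours * 60:.0f} min"})
        last_seen[user] = e

        # 2. Session hijack indicator: same session id, different device fingerprint.
        if sess in session_device and e["device"] != session_device[sess]:
            alerts.append({"type": "session_device_change", "user": user, "session": sess,
                           "detail": f"{session_device[sess]} -> {e['device']}"})

        # 3. Privilege escalation: session gains a privileged role it did not log in with.
        if (e["event"] == "role_change" and e.get("role") in PRIVILEGED_ROLES
                and session_role.get(sess) not in PRIVILEGED_ROLES):
            alerts.append({"type": "privilege_escalation", "user": user, "session": sess,
                           "detail": f"{session_role.get(sess)} -> {e['role']}"})
            session_role[sess] = e["role"]
    return alerts

if __name__ == "__main__":
    for a in detect(parse_events(LOG_LINES)):
        print(f"{a['type']:22} user={a['user']:6} session={a['session']}  {a['detail']}")
```

In the constructed log, alice's session moves from Mumbai to Frankfurt in fifteen minutes on a new device fingerprint (two alerts, the second being the stronger hijack signal), and bob's analyst session becomes a global admin mid-session; the payroll access an hour later is then an action taken under an already-flagged session, which is where a response policy would step in before a payload deploys.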

CISO Forum: Insider Threat Detection Across IT/OT — What insider threat patterns is Okta’s behavioural layer detecting in Indian enterprises — and how does it distinguish a malicious insider from a high-risk but well-intentioned employee?

Stephanie Barnett: The insider threat narrative in India has moved well past employee misjudgements. An increasing share of insider incidents is caused by employee negligence, not malicious intent. In Indian IT/OT environments, this is compounded by the convergence of IT and OT networks without adequate segmentation, where a careless action in IT can cascade into operational infrastructure.

The distinction between malicious and negligent insiders is critical because the response differs entirely. A malicious insider shows patterns of abnormal access, such as unjustified requests for sensitive data, resistance to oversight, and unusual bulk exports. A negligent insider shows volume anomalies, excessive shadow IT use, GenAI data uploads and misconfigurations. Okta’s Identity Threat Protection continuously monitors behavioural signals across active sessions, surfacing both patterns without treating every anomaly as an attack. The goal is accurate risk scoring, protecting against alert fatigue.

CISO Forum: Zero Trust for Agentic AI Workflows — What does Zero Trust for AI agents actually look like in practice for enterprises with agentic workflows spanning Salesforce, SAP, and Microsoft 365 — and what are the non-negotiable controls?

Stephanie Barnett: The core challenge with agentic workflows is that agents routinely cross platform boundaries, and most identity controls stop at the edge of each platform’s own ecosystem. Zero Trust for AI means that trust is evaluated continuously at every hop, not assumed because an agent was authenticated once.

There are three non-negotiable controls. First, every agent must carry a unique, registered identity, treated with the same governance rigour as a human employee, with a named owner and a defined scope of permissions. Second, least-privilege access must be enforced dynamically at the task level, with agents accessing only what each specific action requires. Lastly, every agent action must produce a complete, auditable trail. Recently, Okta’s April 2026 blueprint for the secure agentic enterprise revealed that the foundational questions are: where are my agents, what can they do, and who owns them. Enterprises that answer those three questions have the governance foundation for Zero Trust across any multi-platform agentic environment.
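The three controls above (registered identity with a named owner, task-level least privilege, a complete audit trail) can be put together as a single authorisation gate that every agent action crosses before it reaches Salesforce, SAP or Microsoft 365. The code below is an added example written for this page, not Okta's blueprint or any product API: an agent registry keyed by owner and per-platform scopes, a task catalogue that names exactly the scopes each task needs, and a hash-chained audit log so that a deleted or altered entry is detectable. Agent names, platform labels, scope names and tasks are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed agent registry: no entry, or no owner, means the agent is not governed.
REGISTRY: Dict[str, Dict] = {
    "agent-quote-bot": {
        "owner": "sales-ops@example.com",
        "scopes": {"salesforce": {"opportunity.read", "quote.write"}, "m365": {"mail.send"}},
    },
    "agent-invoice-sync": {
        "owner": "finance@example.com",
        "scopes": {"sap": {"invoice.read"}, "salesforce": {"opportunity.read"}},
    },
}

# Constructed task catalogue: task -> the (platform, scope) pairs that one task needs.
# Access is granted per task, not per agent, so a multi-platform agent only gets the
# slice of its registered scopes that the current action requires.
TASKS: Dict[str, List[Tuple[str, str]]] = {
    "draft_quote":  [("salesforce", "opportunity.read"), ("salesforce", "quote.write")],
    "email_quote":  [("m365", "mail.send")],
    "read_invoice": [("sap", "invoice.read")],
    "post_invoice": [("sap", "invoice.write")],
}

class AuditLog:
    """Append-only log where each record commits to the previous record's hash."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    @staticmethod
    def _digest(record: Dict) -> str:
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, record: Dict) -> Dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        rec = dict(record, prev_hash=prev)
        rec["hash"] = self._digest(rec)
        self.entries.append(rec)
        return rec

    def verify(self) -> bool:
        """False if any record was altered, removed or reordered after being written."""
        prev = self.GENESIS
        for rec in self.entries:
            if rec.get("prev_hash") != prev or self._digest(rec) != rec.get("hash"):
                return False
            prev = rec["hash"]
        return True

def authorize(agent_id: str, task: str, log: AuditLog,
              now: Optional[str] = None) -> Tuple[bool, List[str]]:
    """Decide whether agent_id may run task; always write the decision to the log.
    Returns (allowed, granted_scopes) where granted_scopes is the task's exact need."""
    now = now or datetime.now(timezone.utc).isoformat()
    agent = REGISTRY.get(agent_id)
    required = TASKS.get(task, [])
    granted: List[str] = []
    if agent is None or not agent.get("owner"):
        allowed, reason = False, "unregistered_or_unowned_agent"
    elif not required:
        allowed, reason = False, "unknown_task"
    else:
        missing = [f"{p}:{s}" for p, s in required if s not in agent["scopes"].get(p, set())]
        allowed = not missing
        granted = [f"{p}:{s}" for p, s in required] if allowed else []
        reason = "ok" if allowed else "missing:" + ",".join(missing)
    log.append({"ts": now, "agent": agent_id, "owner": agent["owner"] if agent else None,
                "task": task, "allowed": allowed, "granted_scopes": granted, "reason": reason})
    return allowed, granted

if __name__ == "__main__":
    log = AuditLog()
    for agent, task in [("agent-quote-bot", "draft_quote"), ("agent-quote-bot", "email_quote"),
                        ("agent-quote-bot", "read_invoice"), ("agent-invoice-sync", "post_invoice"),
                        ("shadow-agent-x", "email_quote")]:
        print(agent, task, authorize(agent, task, log))
    print("audit chain intact:", log.verify())
```

Note that `agent-quote-bot` is allowed `email_quote` but receives only `m365:mail.send` for that call, not its Salesforce scopes, and that a denied request is logged with the reason just as an allowed one is; the "where are my agents, what can they do, and who owns them" questions are answered by the registry, and the trail answers what they actually did.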

CISO Forum: Talent Gap and the Identity Skills Crisis — How is the Indian cybersecurity talent gap specifically affecting identity security programmes, and what strategies are the most resilient enterprises using to compensate?

Stephanie Barnett: India’s cybersecurity talent gap is severe. Over 1 million vacancies exist, with only around 80,000 qualified experts available. This is not a lack of IT graduates, but a skills readiness issue. Identity security is bearing the brunt. The traditional network perimeter is dead. Digital identity is now the primary attack surface. Identity and Access Management remains one of the most critically needed but undersupplied skills, with many breaches stemming directly from lax access controls. Resilient enterprises are responding on multiple fronts. They are adopting Zero Trust, investing in MFA and Privileged Access Management, and treating identity as the new control plane. On talent, 85% of employers are upskilling existing staff rather than hiring externally. At the leadership level, organisations are turning to AI-driven security and managed services to compensate because scaling human talent alone cannot keep pace with modern identity-based attacks.

CISO Forum: Third-Party & Non-Employee Identity for GCCs — How does Okta’s external identity governance address the third-party risk gap that most Indian enterprises currently manage through manual processes?

Stephanie Barnett: Third-party identity risk is consistently among the top breach vectors in Indian enterprises. High-profile breaches originate from vendor access paths, with attackers exploiting over-provisioned contractor credentials, unrevoked access after contract completion, and the absence of any lifecycle management for non-employee identities.

GCCs are particularly exposed because they manage dense contractor ecosystems spanning multiple geographies and engagement models. The manual processes most organisations rely on (spreadsheets, email-based access requests, periodic manual reviews) create structural gaps: access accumulates, nobody reviews it, and offboarding happens weeks after contracts end. Okta Identity Governance addresses this directly through automated access certifications, separation-of-duties controls, and structured lifecycle management for non-employee identities, replacing ad hoc processes with governed, auditable workflows that scale with the size of the contractor base.

CISO Forum: What Boards Must Change — What is the single most important shift Indian boards need to make in governing identity and AI risk — and what framing moves the conversation from “IAM is IT” to “identity is enterprise trust”?

Stephanie Barnett: If you look at how this has evolved, the shift boards need to make is captured precisely in the idea that there is no wall like that anymore. The new perimeter is identity. For decades, boards governed cybersecurity as a perimeter problem — firewalls, network controls, physical security. Cloud computing, remote work, and AI have dissolved that perimeter entirely.

The board’s role is to own the ‘what’ and the ‘why’. Specifically, what is our risk appetite, and why is identity a strategic priority? At the same time, management needs to ask one question consistently: how confident are we that we know who, or what, has access to our most critical data?

Every AI agent deployed, every contractor onboarded, every OAuth token granted is a trust decision. Boards that govern identity with the same rigour they apply to financial controls will build enterprises that can scale AI safely. Identity, therefore, is no longer an exclusive IT problem, but a major boardroom talking point.
