The promise of agentic AI is seductive: software that doesn’t just answer questions but actually gets things done. But between the boardroom buzz and production-ready deployment lies a graveyard of stalled pilots, unresolved accountability questions, and security frameworks still catching up to the technology they’re meant to govern.
Vijay Vijayasankar, Global Agentic AI Officer at Genpact, has seen this gap up close across some of the world’s largest enterprises. Working at the intersection of AI execution and operational risk, he has spent considerable time convincing CISOs that “autonomous” doesn’t mean “uncontrolled,” and persuading business leaders that the real bottleneck isn’t the model, it’s everything around it. In this conversation, he makes the case for why agentic AI’s biggest unsolved problem isn’t intelligence. It’s governance.

CISO Forum: Most enterprises are still debating what agentic AI means for them. From Genpact’s vantage point, working across Global 2000 clients, where does the real-world adoption curve actually stand today, and how wide is the gap between boardroom ambition and ground-level execution?
Vijay Vijayasankar: Let’s start with a macro picture, and then I can dive down to what happens on the ground.
The G&A expenses for some Fortune 1000s or Russell 2000s are in billions of dollars, and about 75% of that is just people doing repetitive work. They can all be doing higher-order functions for those companies. Then the rest is outsourced labor, software, and so on. So, largely, there is an inefficiency built into the system. Now, why is there such an inefficiency?
Technology has been here for a while. We have had BPM, RPA, and many different types of software in our history. But this is the first time that software can think. Everywhere else, it was a human thinking, then telling software that if this happens, do this; if that happens, do that other thing, and so on. Software can never think. All the workflows on the planet that we deal with today are written for that paradigm. So, humans are needed because there are only so many if-then-else conditions that you can type into a program.
We optimized it previously by reducing variance using Six Sigma-type approaches. We reduced costs by shifting work to lower-cost locations, leveraging currency arbitrage, training more people, and using technology consistently. But now we have a chance to have thinking software, which is what AI is.
The first generation of AI was largely software that could answer questions—chatbots—which was amazing and is still very useful. But it does nothing on its own.
Now we have Agentic AI, which does everything we discussed and more. It will help execute all the wonderful thinking that it could do so far. This is a big potential shift.
Let’s consider one of the major functions, such as the Office of the CFO. All CFOs want to spend 80% of their time, energy, and budget on planning their business, advising the CEO and the board, and so on. But they spend their time managing the sub-ledger and the ledger, creating board documents, and filing regulatory reports, all of which are transactional. Agentic AI will flip that equation because it can take over all that middle layer very easily. So, the CFO is left with the time, money, and energy to plan and advise the business. This is a big aha moment.
A good way that I usually explain this is:
Historically, software’s value proposition was that you could do something that you used to do better, faster, and cheaper, but you could only pick any two of those three. If it is better and cheaper, then it is not faster. If it is better and faster, it is not cheaper, and so on. Agentic AI might be the first time that I can think of where all three are somewhat possible. So, it is a step up from how we have historically done this.
Now, the point here is not that labor gets displaced. Labor gets better utilized. Human judgment is now at a premium. Agents can handle repetitive tasks or those that do not require complex thinking, but anything that requires judgment still requires a human.
However, the idea of an autonomous agent should not translate to agents running wild without supervision. We create those guardrails. Agents can only work within guardrails. Then, if they have any questions or lack the authority to do something, they ask a human what to do. The human then takes over and makes the decision.
Now, in terms of where we are finding traction, we started this with the Office of the CFO and accounts payable. Accounts payable is largely about receiving an invoice from a vendor. It comes through electronic data interchange (EDI) and various formats, such as PDF documents and emails. You have to extract the information from that invoice, make sure it matches the purchase order and goods receipt, and, if everything looks good, pay the vendor.
When you pay, you also have to make sure there is no fraud. For example, is the company trying to get paid 10 times for the same invoice? Or if every invoice is usually $10 and suddenly they send a $10,000 invoice, you should know that something is wrong.
The last thing would be a help desk. If someone owes me money, it is only fair that I ask them where my money is. Vendors ask this question all the time. Agents should be able to give them a status update, such as: we did not get your PO, that’s why we are not paying you; the goods did not show up, that’s why we are not paying you; your cheque is on the way; or the bank transfer will happen tomorrow.
This is the scope of the work that we do. Depending on the client scenario, we can get massive productivity gains from that. Agents can do anywhere from 50% to 80% of the work themselves, with humans simply providing oversight.
After that, we moved into Record-to-Report. That includes ledger-level transactions, closing the books, reconciliation, intercompany transactions, and the like.
This was followed by Invoice-to-Cash, which is the flip side of Accounts Payable (AP). Somebody owes you money. You sold to a customer, and the customer owes you money. How do you collect that? That is the Accounts Receivable part.
Together, this covers the vast majority of the Office of the CFO. There are a few things, like tax and treasury, that we are still working on, but this is where we are seeing the most traction.
Then we have some vertical solutions as well—for example, transaction monitoring for banks. Every bank has the same problem. Fraud is a very real possibility. There are lots of bad actors on the planet. There is also a US law called the BSA (Bank Secrecy Act), which requires every bank and creditor to review transactions to ensure there is no intentional fraud, such as money laundering.
This transaction-monitoring agent helps with the first level of analysis, which would otherwise take a human a long time to search for, organize, and codify. Agents can now do much of that work.
Similarly, for insurance underwriting, particularly pre-bind work, we have agents that handle these tasks. So, we have both horizontal and vertical solutions.
Other horizontal solutions include supply chain functions such as sourcing and purchasing. We offer a full gamut of solutions, but they all share the same idea: human judgment is unavoidable. Moving forward, agents should handle the grunt work, while humans should handle higher-order work.
This is the balance we are trying to strike.
CISO Forum: Traditional RPA and automation were largely deterministic and auditable. Agentic AI makes autonomous decisions. How does that fundamental shift change the CISO’s threat model?
Vijay Vijayasankar: As I mentioned before, the core point to remember is that “autonomous” should not be translated as “without supervision”. All the controls a process needs should remain in place, whether a human, an RPA, or an agent performs it. This principle should never be sacrificed.
Humans define the guardrails within which the agents work. It is no different from hiring a new employee and giving them access to a system. You would give them very clear instructions on what can and cannot be done.
Now, with agents, because they are probabilistic in nature, deterministic means if-then-else. That’s all it means. It’s just a fancy way of saying if-then-else. Probabilistic systems need tighter controls. Human beings are generally trusted with minimal controls because we exercise good judgment. Most people use good judgment. That should not be assumed for AI because AI does not have human-like judgment. So, you need to have extra controls put in place.
We largely operate on the principle that agents should be given only the absolute minimum access needed to do their jobs. Historically, as an industry, we have been lax with humans. We may talk about Zero Trust models now, but humans have traditionally had more access than required for their jobs.
In the handful of cases where things go wrong, it is largely because of that. With agents, we do not do that at all. We narrow access down to the absolute minimum needed for them to perform their role, and nothing more. We do not let agents make decisions outside their scope because we do not want them to step outside the box we have drawn for them.
So, humans play a big part in that. The CISO’s threat model remains the same. The surface area changes because there will obviously be a lot more agents doing things. That makes it even more important that we do not compromise on controls. If anything, we need more controls and should continue working toward this complete Zero Trust idea.
CISO Forum: When an AI agent takes an action inside a financial or operational workflow, who is accountable if it goes wrong—the vendor, the enterprise, or the model? How is Genpact resolving that for clients?
Vijay Vijayasankar: It is something that the industry is struggling with at the moment.
All the controls that we have built into our solutions are configurable. We sit down with the client and establish ownership rights up front. The same applies to our vendors. We use models created by other providers, such as OpenAI, ChatGPT, Claude, Gemini, and others. We use whichever model is appropriate for the task. We have a very strong understanding of what the model vendor is responsible for versus what Genpact is responsible for.
Similarly, with clients, we very clearly establish ownership. For example, if a transaction needs to be posted, we can configure a rule that says that if it exceeds $25,000, we do not want the agent to post it. Instead, it should be routed to a human for verification and approval.
So, it becomes a trade-off between efficiency and controls. We let customers decide what they are comfortable with. At the same time, we have a consulting team that helps customers make the right decisions.
We also have a risk and compliance group that does this for a living. They work closely with customers to ensure that responsibilities are clearly understood. There are also some things that we absolutely will not do. For example, we will not allow agents to make decisions that could have financial consequences for the client or reputational consequences for either the client or us.
Those decisions remain with humans.
Largely, this is achieved by making guardrails configurable. Clients can operate on a sliding scale. For example, until they gain confidence, they can decide that everything over $25,000 must go to a human. After six months, however, because everything is auditable and every action taken by the agent is logged, they may decide that the system is working well and increase the threshold to $50,000.
That flexibility is possible, and that is how this works in practice.
CISO Forum: Human IAM frameworks are mature. But AI agents need credentials, permissions, and access too. What does a robust identity governance framework for non-human agents look like in practice?
Vijay Vijayasankar: Security for AI is still an evolving field, for sure.
Two basic models already existed. One is to treat agents as humans; the other is to treat them as services, API calls, and so on. Neither is particularly the right paradigm for an agent because agents are a hybrid between a service and a human. So they need their own first-class representation, which the industry is still working on.
At the moment, this Zero Trust approach of giving agents the absolute minimum permissions is the way we solve it. But in terms of Identity and Access Management, which is what IAM is, IAM will evolve to include a separate class for agents, which some solutions already do. It will increasingly move toward this very Zero Trust version of managing access.
Whatever we do, we definitely do not treat an AI agent as a human. It should be treated as a separate object with only the permissions it absolutely needs—nothing more. In fact, we often start with slightly less access than they need and progressively grant more access to ensure they never step outside their guardrails.
CISO Forum: Agentic systems that can browse, call APIs, and execute tasks are exposed to prompt injection attacks at scale. How serious is this threat, and how are enterprises actually defending against it today?
Vijay Vijayasankar: This is something that needs more attention among industries that use AI.
It is a function of good architecture. Just as nuclear technology can be used to create a nuclear reactor that generates power, it can also be used to create a bomb. One is a very good use of technology; the other is a terrible one.
Technology by itself is neither good nor bad. The use case for the technology, on the other hand, needs to be carefully thought through.
Prompt injection is not the only way bad things can happen, but it is one of the easier ways. To prevent it, we need to ensure there is enough scaffolding around the model. By that, I mean additional layers of architecture around the model so that these kinds of issues are identified and mitigated upfront.
A model alone is not enough. This is one of the key differences between POC projects and production projects. In a POC, you can ask a model to do something. You can ask an agent to do something. It will work, and that’s fine because the scope is narrow and it is operating within a sandbox. Nothing bad is likely to happen.
But this is one reason AI adoption remains a challenge in many organizations. In proofs of concept, we are not building all the scaffolding required for these systems to work in production. What may look like a quick two-day process can become significantly more complex.
When people say, “I just vibe-coded my application with AI,” they are forgetting that vibe coding only proves the concept. It does not mean the application is ready for production. To put something into production requires a lot more effort, a lot more thinking, and a lot more engineering.
It likely also requires a robust platform, as this is not a one-agent problem. Enterprises will have hundreds, if not thousands, of agents at some point. So, you need a platform-based approach where all these guardrails are applied consistently and configured centrally.
At Genpact, we use our own platform, but there are plenty of commercial platforms as well. ServiceNow has a platform, and many others do too. A platform-based approach is probably the best option, as individual teams trying to figure this out on their own are not scalable. It is also very risky.
So, a platform-based approach is how I suggest the world deal with it.
CISO Forum: Agents consume and move data across systems continuously. What new data leakage and sovereignty risks does agentic AI introduce that Indian enterprise CISOs are not yet adequately prepared for?
Vijay Vijayasankar: CISOs are generally ahead of the curve on this because they don’t take anything on trust, right? So, largely, it is not that CISOs are not prepared. What happens is that CISOs say “no” too often, which can impede innovation.
So, the job of people like me, who have the mandate to introduce AI into organizations, is to find the controls that satisfy a CISO. I’ve never seen a CISO who wanted to move faster than I wanted, right? So, it’s not like they’re unaware. The problem is quite the opposite. They are quite aware, or at least the ones I have worked with. And I’ve worked with some of the largest clients on the planet.
I’m yet to see a CISO who was unprepared. But what a CISO will rightfully do is push back on things they are unhappy with, because these risks exist, right?
You need to be able to prove that a Zero Trust model is in place. There is enough scaffolding around the system. You cannot eliminate hallucinations in AI, but you can mitigate them, right? You can minimize their effects. So, these controls should be explained to the CISO.
If you go and say, “Oh, I have a wonderful agent. Look at my laptop. It can do amazing things. It not only handles your purchase orders, but it will also wash your car and walk your dog,” the CISO will naturally say, “Don’t do it,” because there are no security controls in place.
Data privacy leakages and similar issues are very real risks. Even highly trained human beings leave data exposed all the time, right? Many of these leaks, security incidents, and data privacy issues occur not because of technology but because humans are often the weakest link in the process.
So, CISOs are an evolved group of thinkers. They are super aware of these risks in general.
AI requires this scaffolding to address those concerns, and this is an underappreciated part of the dialogue today. We spend a lot of time praising models, and rightly so, because models are amazing and a lot of progress has been made. So, I am taking nothing away from that.
But what happens around the model receives less public discussion than it should.
And Mythos, the new model from Anthropic that identified security vulnerabilities, has raised the antenna of CISOs around the world. Naturally, they are pushing for faster patching, faster issue resolution, and quicker responses overall.
Things they may previously have been willing to wait a month to fix now need to be fixed within days. Eventually, they may have patience for only a few hours or even minutes.
So, the entire industry needs to adopt a very different approach to dealing with threats, whether that means identifying threats faster or mitigating them faster. Agentic AI is the right technology at the right time to force that thinking.
CISO Forum: Regulators in BFSI and healthcare demand audit trails. Can agentic AI decisions be made explainable and auditable enough to satisfy Indian regulators—and how close are we to that bar?
Vijay Vijayasankar: Explainability is a very complicated problem, right? Because all of today’s AI is based on this idea of deep learning, which involves several layers of neurons through which data traverses.
Understanding exactly how the model arrived at a decision can be difficult. However, any decision the model makes can be reverse-engineered into a decision tree that explains its logic.
Thankfully, the type of AI work we do in the back office usually doesn’t require that level of sophisticated decision-making. It is often a lot of if-then-else-type decisioning.
We also provide many deterministic guardrails. The model, by itself, does not make decisions. We have a model; we maintain memory in a context graph; we use deterministic logic in programs; and so on. Depending on the model’s confidence level, additional guardrails are applied.
Everything that both the human and the agent do is logged. So, if somebody asks who took a particular decision, we can point to the record and show that the agent took this decision, then a human took over, then the agent resumed, and then another human stepped in. All of this is tracked.
This is highly, highly important.
In terms of creating an audit trail, properly implemented agentic systems will make life much easier for auditors. They do not have to verify as many things because they can manually, in a fairly automated way, see whether what the agent did was correct.
However, it takes a lot of upfront design work.
This is another area where organizations trying to custom-build AI projects often fall short. These are the kinds of things people ignore all the time. Since we build products, we have to think about these requirements in advance. We leave audit logs and traces throughout the system because we operate in highly regulated environments.
For auditors, if anything, the standards are not going to become more relaxed. They will likely become even stricter when agents are involved.
Obviously, we test thoroughly—many, many times. We are also a big user of AI within Genpact. Most of the things we sell to clients, we have already dog-fooded ourselves. We have extensively tested them in internal environments before deploying them externally.
The short answer to your question is that everything is auditable. We leave a trail of everything that both agents and humans do while working together.
CISO Forum: Most Indian enterprises are stuck in AI pilot purgatory. Based on Genpact’s experience, what is the most common security or governance gap that prevents agentic AI from scaling beyond the proof-of-concept stage?
Vijay Vijayasankar: What happens is that it’s not one problem. It’s a compounding set of problems that stops pilots from becoming production deployments. I’ll give you three or four examples.
First, very few companies have their data in order. AI basically needs good data to work. Data is a debt that enterprises carry for a long time. Technology is also a form of debt. The fact that an agent can do something is predicated on the rest of your systems being in a state where the agent can actually take action.
Most systems are not designed that way. And it’s nobody’s fault because who saw Agentic AI coming, right? It’s a fairly new paradigm. So, there is a lot of technical debt and a lot of data debt. Even if those are relatively solvable problems, with enough time and money, you can address them.
Then there is the idea of process debt.
A lot of information is not documented anywhere. Processes evolve. Things that we call standard operating procedures, blueprints, and so on are very rarely kept up to date. A lot of information is stuck in people’s heads, along with many last-mile nuances that go uncaptured.
No system captures them. No document captures them. It’s often just the operator, the person typing in the invoice, who knows what to do. They know that if they see something specific on an invoice, then a particular action needs to be taken.
So, there is this process dimension.
Then the last one is the talent dimension. Even if somebody knows how to work effectively in accounts payable, Record-to-Report, or other functions, working with an agent requires a much higher level of thinking. The agent is already doing most of the routine work. What remains are the exceptions and decisions that require a higher level of judgment than people are typically used to exercising today.
So, that talent component is also important.
These four things together are why pilots get stuck. Companies have to work on all four. If Agentic AI is going to scale, all four need to be addressed.
CISO Forum: How do you stress-test and red-team an agentic AI system before deploying it in a business-critical workflow? Is there an emerging methodology that enterprises should adopt?
Vijay Vijayasankar: At Genpact, we obviously have strong engineering capabilities behind the way we do things. Most of the agentic work we do is productized. Accounts Payable is not a consulting project, right? It is a product we sell to clients, so it is very well guarded.
Everything goes through both automated and manual testing. We conduct different types of testing to ensure the technology is robust. Then we perform red-team-style, human, and adversarial testing.
We also use these solutions internally with our own CFO, CHRO, and other leaders. So, before a client even sees anything, it has already gone through a lot of scrutiny. A significant amount of quality assurance takes place beforehand.
We also use technology-based mechanisms to monitor what happens after deployment, such as continuously running evaluations on these models to prevent them from drifting over time. We build protections into the system, monitor performance closely, and continuously release improvements.
Our platform is a SaaS product, which means we can regularly offer upgrades and enhancements so the product keeps improving over time.
That is highly important in AI because the field is evolving rapidly. There is always some innovation that we discover. We experiment with it, harden it, and once it is production-ready, we push that upgrade to clients.
CISO Forum: As AI moves from tool to teammate, does the CISO role need to change fundamentally? Should CISOs now have direct oversight of AI governance—or does that create a dangerous concentration of responsibility?
Vijay Vijayasankar: No governance function can sit with any one role. Even in today’s world, if you take AI out of the equation, it is not realistic.
These decisions are inherently multidimensional. No single individual or role can own all of it. Governance typically requires a cross-functional team. That is an unavoidable reality, and there is no practical way around it at the moment.
That said, everyone will carry a higher level of responsibility in this process.
CISOs certainly will. It is already one of the hardest jobs on the planet because every new technology introduces additional ways for bad actors to cause harm. AI has already demonstrated that vulnerabilities can be identified more easily. Quantum computing has the potential to break encryption. Every major innovation expands the number of ways security attacks can occur.
So, CISOs have a very challenging role. Their governance responsibilities will absolutely increase. There is no question about that.
At the same time, it is also important to recognize that the only way to fight AI-powered threats is with AI-powered defenses. Humans alone cannot operate at the scale required. Technology has to be used to counter technology. The misuse of technology can only be countered by its responsible use.
Historically, CISOs have been highly technical and technology-savvy professionals. But the larger challenge is not limited to CISOs.
The cross-functional nature of the job, which already exists today, will move into a much higher gear. Business leaders need to become far more aware of both the risks and the opportunities. Every business decision involves a risk-reward trade-off.
So, businesses need to become much more sophisticated. CIOs, CISOs, CDOs, and Chief AI Officers all need to become more informed and more capable in this area.
Overall awareness across organizations needs to improve significantly.
One thing I am a little unhappy about in our industry is that all the positive discussion around AI—what it can do, how it can transform businesses, and so on—is not sufficiently balanced by conversations around alignment, governance, and security.
Those topics deserve much more attention from the industry than they currently receive.
