India’s enterprise security landscape is at a crossroads. AI is accelerating across workflows faster than governance frameworks can keep pace; API sprawl is opening new attack vectors at machine speed; and the talent gap is widening just as the threat surface expands. For Indian CISOs, the challenge is no longer just knowing what to protect; it’s actually building the architecture to enforce it. In this candid conversation, Dhananjay Ganjoo, Managing Director – India & SAARC at F5, cuts through the noise on AI Guardrails, Zero Trust maturity gaps, DPDP compliance as an architecture decision, and why platformisation is now a board-level conversation. His argument is clear: in 2026, cyber resilience is not a supplement to cybersecurity; it is cybersecurity.

CISO Forum: AI Security Governance — from policy to enforcement. Our survey shows that only 10% of Indian enterprises have adopted AI-native controls, and 18% have no formal AI security assessment process. As generative AI accelerates across employee workflows, how should CISOs move AI governance from policy documents to operational enforcement — and where does F5 AI Guardrails fit in that journey?
Dhananjay Ganjoo: As generative AI becomes embedded in everyday employee workflows, CISOs need to move beyond policy creation and focus on operational enforcement. Governance is effective only when organizations can see where AI is used, what data is accessed, and how models and agents interact with enterprise systems. From there, organizations should establish clear governance controls around data access, model behavior, and acceptable AI usage, while continuously monitoring for emerging risks.
AI security cannot rely on periodic assessments alone. It requires runtime protection capable of identifying and responding to threats such as prompt injection, jailbreak attempts, sensitive data exposure, and unauthorized AI actions in real time.
This is where F5 AI Guardrails plays an important role. It acts as a runtime security and governance layer that inspects prompts, responses, and agent actions across AI environments. Applying consistent policies across models and deployment environments helps organizations translate governance frameworks into enforceable controls. Ultimately, the goal is to enable innovation while ensuring AI adoption remains secure, compliant, and auditable.
CISO Forum: The API attack surface — shadow APIs to agentic AI. API misconfigurations rank among the top five most severe threats in our survey. With AI agents now transacting via APIs without human oversight, what new risks do AI-to-AI interactions introduce that traditional WAF approaches cannot address — and how is F5 delivering full API lifecycle visibility?
Dhananjay Ganjoo: APIs have become the backbone of digital business, and AI is significantly increasing both their usage and complexity. As AI agents begin interacting autonomously with applications, data sources, and other agents, organizations face new risks around shadow APIs, excessive permissions, sensitive data exposure, and unintended actions occurring at machine speed.
Traditional WAFs remain an important part of application security, but they were not designed to provide complete visibility into API behavior, relationships, and usage patterns across increasingly distributed environments. Security teams need to understand not only which APIs exist but also how they are used, who accesses them, and what data is exchanged.
At F5, we address this through F5 Distributed Cloud API Security, which combines continuous API discovery, behavioral analysis, authentication enforcement, sensitive data protection, and in-line threat mitigation. This gives organizations visibility and control across the entire API lifecycle, helping them identify unknown APIs, detect anomalous activity, and apply consistent security policies as AI adoption continues to grow.
CISO Forum: Securing AI applications — a fundamentally different architecture? F5 positions WAAP in front of the AI application and AI Guardrails between the application and the LLM. For a CISO deploying both traditional web apps and AI copilots on the same infrastructure, how do they maintain a consistent security posture across both without doubling the stack?
Dhananjay Ganjoo: The good news for CISOs is that securing AI applications does not require building an entirely separate security architecture. AI applications are still applications, and many of the same controls around APIs, bots, DDoS protection, access management, and application security continue to apply. The difference is that AI introduces new risks, such as prompt injection, jailbreaks, model manipulation, and sensitive data leakage, that traditional security controls were not designed to address.
The most effective approach is layered. WAAP remains the first line of defense against both traditional and AI applications, providing consistent protection against application and API threats. AI Guardrails then operates between the application and the LLM, enforcing controls specific to AI interactions, including inspection of prompts, responses, and agent actions.
Through the F5 Application Delivery and Security Platform, organizations can apply consistent policies, visibility, and governance across both environments from a single control plane, without creating additional security silos or operational complexity.
CISO Forum: Zero Trust — where does implementation actually break down? 31% of our respondents are prioritizing identity-first Zero Trust, yet maturity in lifecycle automation, entitlement hygiene, and continuous access evaluation remains weak. In your experience working with Indian enterprises across hybrid environments, where does Zero Trust fail in practice — and what does F5’s ADSP approach differently?
Dhananjay Ganjoo: In our experience, Zero Trust often breaks down when organizations focus solely on identity verification at login. Identity is critical, but it is only one part of the equation. In hybrid environments, challenges emerge when legacy applications, APIs, encrypted traffic, and multi-cloud workloads operate under fragmented policies. Over time, access privileges accumulate, visibility declines, and organizations struggle to determine whether access should be continued.
What is needed is a shift from network-centric trust to application-centric trust. Every user, device, API, and application request should be continuously verified based on identity, context, and risk.
This is where F5’s Application Delivery and Security Platform takes a different approach. Through identity-aware access, API security, application-layer protection, and centralized policy enforcement, F5 enables continuous validation closer to the application itself. This helps organizations reduce lateral movement, eliminate blind spots in encrypted traffic, and apply consistent Zero Trust policies across on-premises, cloud, and hybrid environments without adding operational complexity.
CISO Forum: DPDP compliance as an architecture decision. 60% of CISOs rate DPDP enforcement as having high or extremely high impact on their 2026 planning. Data minimization, consent management, and breach notification are now operational, not just legal requirements. How is F5 helping Indian enterprises embed DPDP readiness into their application delivery and API security architecture?
Dhananjay Ganjoo: DPDP is accelerating a shift in how organizations think about security and compliance. It can no longer be treated as a legal or policy exercise alone. Requirements such as data minimization, consent management, and breach reporting must now be embedded in the application and API architecture.
In practice, this requires organizations to understand where personal data resides, how it moves across applications and APIs, and whether it is being exposed in ways that create compliance risk. As API ecosystems continue to expand, maintaining that visibility becomes increasingly challenging.
F5 helps organizations address this through the F5 Application Delivery and Security Platform. Our WAAP and API Security capabilities provide continuous API discovery, sensitive data detection, behavioral monitoring, and in-line protection. This enables organizations to identify shadow APIs, reduce the exposure of personal data, enforce consistent security policies, and strengthen auditability. The result is a more secure application environment that supports DPDP readiness while maintaining business agility.
CISO Forum: Ransomware resilience — closing the recovery gap. Ransomware with multi-layered extortion is the most severe threat for 79% of our respondents, yet recovery readiness significantly lags detection maturity. What role should application delivery and security infrastructure play in minimizing recovery time — and how should CISOs think about traffic failover and business continuity as security architecture decisions?
Dhananjay Ganjoo: Organizations have invested significantly in ransomware detection, but resilience is ultimately measured by how quickly critical services can be restored. CISOs should increasingly view business continuity, traffic management, and failover architecture as core security decisions rather than purely infrastructure considerations.
A resilient architecture should be designed to contain the impact of an attack, maintain application availability, and enable rapid recovery. This includes isolating affected environments, automating traffic failover, and ensuring applications can continue operating from alternate sites or cloud regions when primary systems are disrupted.
At F5, we help organizations build this resilience into the application layer. Through intelligent traffic management, application delivery, and security capabilities, organizations can automatically redirect traffic to healthy environments, maintain service availability, and reduce recovery times. The objective is not only to prevent attacks, but also to limit their blast radius and ensure business operations continue during disruption. In today’s threat landscape, cyber resilience is becoming just as important as cybersecurity itself.
CISO Forum: Platformisation — the board-level business case. Tool proliferation is the third most severe internal challenge in our survey. F5’s ADSP consolidates WAAP, API security, bot defense, DDoS, Zero Trust, and AI Guardrails into one platform. What is the board-level business case for consolidation — and what risks around concentration and vendor dependency should CISOs honestly account for?
Dhananjay Ganjoo: From a board perspective, the strongest case for platformization is reducing complexity while improving security outcomes. Most organizations today manage multiple point products across application security, API protection, bot defense, DDoS mitigation, access control, and now AI security. This often leads to fragmented visibility, inconsistent policies, operational overhead, and increased pressure on already stretched security teams.
A platform approach helps address these challenges by providing a common policy framework, centralized visibility, and a more streamlined operating model. It can reduce the cost and complexity of managing multiple tools while improving response times and enabling more consistent protection across hybrid and multi-cloud environments.
At the same time, CISOs should carefully evaluate concentration risk. Consolidation should not come at the expense of resilience, flexibility, or interoperability. The objective is not simply to reduce the number of vendors, but to simplify operations while maintaining choice and business continuity. The right platform should help organizations reduce complexity without creating new dependencies or limiting their ability to adapt as requirements evolve.
CISO Forum: The talent-automation equation. The talent shortage has overtaken budget as the top internal barrier, with 50% rating it as high or extremely severe. F5’s AI-powered risk scoring and automated blocking reduce analyst dependence — but automation without governance creates its own blind spots. How should CISOs calibrate the balance, and what skills does the 2026 security team actually need?
Dhananjay Ganjoo: The talent challenge is unlikely to be solved through hiring alone. As environments become more distributed and AI adoption accelerates, automation becomes an important way to help security teams scale. However, automation should be viewed as a force multiplier, not a replacement for human judgment. The most effective approach is to automate repetitive, high-volume tasks such as threat detection, risk scoring, policy enforcement, and initial response, while ensuring that governance, oversight, and critical decision-making remain in human hands.
As AI adoption accelerates, the skills profile of security teams is also evolving. Beyond traditional security operations, teams will need stronger capabilities in AI governance, API security, risk management, and understanding how AI models, agents, and automated workflows interact across the enterprise. Equally important is maintaining visibility and control over these environments.
At F5, the goal is to combine AI-driven automation with consistent governance and observability, enabling security teams to focus on higher-value activities while maintaining confidence in their security posture.
CISO Forum: Sector pressures — BFSI and manufacturing. Our respondents are dominated by BFSI (28%) and manufacturing (26%), each facing distinct pressures — layered regulatory mandates from RBI, IRDAI, and SEBI in banking; OT/IT convergence in manufacturing. What are the most acute application security challenges F5 is encountering in each vertical, and how is the approach tailored?
Dhananjay Ganjoo: BFSI and manufacturing face very different application security problems, even though both operate across hybrid and multi-cloud environments. In financial services, the biggest pressure points are API sprawl, fraud, account takeover, and compliance.
In manufacturing, the priority shifts to IT/OT convergence and the protection of critical operational systems. As F5 notes, when IT and OT systems converge, the attack surface expands, and security must be foundational. The focus here is less on transaction fraud and more on operational continuity, the protection of OT and ICS environments, and the security of connected manufacturing infrastructure.
That is why the approach cannot be one-size-fits-all. In BFSI, the emphasis is on WAAP, API security, bot defense, and compliance-driven visibility. In manufacturing, the emphasis is on secure connectivity, segmentation, and resilience across converged environments. F5 ADSP is designed to apply consistent policy and visibility, while adapting to the different risk profiles of each sector.
CISO Forum: Post-quantum cryptography — when does the clock actually start? 42% of our respondents describe their post-quantum readiness as immature or ad hoc, and it receives the lowest investment ranking among capabilities. Yet the harvest-now-decrypt-later threat means the clock has already started. With F5 having incorporated NIST-standardized PQC into ADSP, what is your practical message to Indian CISOs on where to begin?
Dhananjay Ganjoo: One of the biggest misconceptions around post-quantum cryptography is that organizations can wait until quantum computing becomes a reality. The challenge is that sensitive data transmitted and stored today may need to remain protected for many years, making post-quantum readiness a current security consideration rather than a future one.
For most organizations, the conversation should begin with crypto-agility. The objective is not to replace existing cryptography overnight, but to ensure applications, APIs, and critical business systems can adapt as cryptographic standards evolve. This requires understanding where cryptography is embedded across the environment and developing a phased migration strategy.
At F5, we are helping organizations take that practical approach through ADSP by supporting hybrid encryption models that combine established cryptographic methods with post-quantum algorithms. This allows organizations to begin strengthening protection today, while maintaining compatibility with existing environments and preparing for a controlled transition to a quantum-ready future.
