As artificial intelligence reshapes the enterprise from the inside out, the rules of security are being rewritten — and India finds itself at the center of that transformation. With machine identities now vastly outnumbering human ones, and AI agents operating autonomously across critical systems, the traditional boundaries of cybersecurity have quietly collapsed.
Anand (Jude) Kannabiran, Vice President at Delinea for the APJ-Asia region, has a front-row seat to this shift. Overseeing one of the world’s most dynamic and complex technology markets, he has watched Indian enterprises grapple with an identity security gap that is widening faster than most organizations can respond to.
In this candid conversation, Kannabiran cuts through the noise on passwordless authentication, the GCC boom, AI governance, and why visibility and discovery are no longer optional but the single most urgent priority for every CISO operating in India today.
Vice President
Delinea (APJ-ASIA)
CISO Forum: Machine identities now vastly outnumber human ones in most enterprises — how is that imbalance quietly reshaping the attack surface?
Anand (Jude) Kannabiran: Okay, and we’ll address this from an Indian perspective. Machine identities and non-human identities — or NHIs, as and expansion of that term — are outnumbering human identities significantly. Security models haven’t kept pace with this situation and this is compounded by the rapid expansion of AI agents, which often exceed expectations by 10-20 times. Organizations are definitely struggling. There is widespread over-privilege and poor governance because these were factors that they were not ready to address.
However, because of what is happening now in that area — especially in India — there has been an added focus on identity becoming the security control plane. India traditionally was a network security control plane-oriented country for the longest time, but we are now seeing a huge shift towards the identity control plane.
The bottom line is that NHIs are now India’s largest and least controlled attack surface, and the gap is widening. While organizations acknowledge this, implementing identity security control-plane solutions will take time. Over the next 12, 18, and 24 months, we expect not just governments but government-linked organizations and large corporations to double down on their security policies and adapt to this motion going forward.
CISO Forum: As AI agents begin acting autonomously inside enterprise environments, how do you govern an identity that isn’t human but is making consequential decisions?
Anand (Jude) Kannabiran: Companies should rethink privileged access. In the world of AI agents and automation, there is a fundamental shift moving from human-centric identity control to one that incorporates AI agents, bots, and APIs. In India’s heavily automated IT landscape — as one of the world’s largest IT providers and a software development hub for the rest of the world — we see a shift again towards identity-centric control.
The next priority is enforcing just-in-time and federated access. Organizations can’t just focus on authentication alone. Most are now moving to the authorization stage and need to raise their level of security by deploying JIT access, moving away from standing privileged access, and transitioning to on-demand, time-bound access. This is already beginning to happen. Critical, high-velocity environments like banking and financial platforms built on UPI are leading in this area.
The second point is to treat service accounts, workloads, and AI agents as first-class privileged identities — and that needs to happen today. In the past, this was a new phenomenon, not just in India but globally. No one anticipated AI would boom at this rate, so there is a significant challenge in how organizations are going to implement this. They need to enforce credential rotation, vaulting, and least privilege — at scale. Whatever they believed they had more time to address, they need to accelerate now.
There are a couple of additional areas to consider. Organizations need to apply real-time, context-aware access decisions — something that, globally, most organizations and countries were not prioritizing. This means looking at behavioral, risk, and transactional context. The transaction context about AI is especially critical because it helps you make sense of what an AI agent is actually trying to do.
Last but not least, organizations need to embed identity into automation and AI workflows. As business units push security divisions to implement AI automation across the organization, security teams need to keep pace — and that requires a fundamental shift in how they think about security holistically.
The bottom line: in AI-driven enterprises, privileged access must evolve into real-time, identity-led control systems that govern both human and non-human identities.
CISO Forum: What is the “access-speed gap,” and why is it becoming one of the most dangerous vulnerabilities in modern enterprise security?
Anand (Jude) Kannabiran: The access-speed gap — in other words, how quickly users can get access to the information they require, and how that impacts vulnerability. It comes back to organizations not treating access as a silo-based approach. Organizations need to now look at access from a platform perspective. What I mean is that they need to look at access holistically — not just from a network perspective, an application perspective, or an AI system gaining access — but rather, how do we build an access plan from a platform perspective so that we can manage this holistically? The need for speed in access will always be a driver, and even more so today, driven by AI.
In the past, organizations had to deal with two things: human identities, which are very workflow- and business-driven and give you a bit more time; and service accounts and machine identities, which you plan for, implement, and then monitor. But with the sprawl of AI agent adoption within organizations, the number of access points today is different from the number tomorrow. Can you really control that number? You can’t — because of the different touchpoints within an organization. Agentic AI needs access to perform its intended functions. The way to deal with this is to look at security access holistically via a centralized platform and implement it from that perspective. That is how you address the access-speed gap from both a time frame and a security posture perspective.
CISO Forum: Passwordless authentication has been sold as the future of identity security — where does it fall short against today’s threat landscape?
Anand (Jude) Kannabiran: It has been both a boon and a bane for the IT security industry for quite some time. Passwordless access is what most organizations would like to achieve, but there are real challenges in getting there.
Passwordless access solves authentication, not authorization. I can authenticate who gets access — who can come through the front door — but what that person can do once they are inside is where we need to focus on authorization. The next issue is that it does not address non-human identities. What we call NHIs today is completely different from what NHIs were three years ago. We are talking about bots, APIs, and AI agents — none of which use passwords. So, passwordless access becomes largely irrelevant for that category.
From a risk perspective, there is also a limited impact on AI and transaction-level security. If you are monitoring security on a context-aware, transaction-by-transaction basis, passwordless access does nothing at that level — because the risk occurs machine-to-machine, which goes beyond user authentication into user authorization. It also does not protect over-privileged accounts and lacks real-time, context-aware enforcement.
Holistically, there needs to be a relook at passwordless access. I also believe new technologies will emerge to innovate and address this gap — because that is ultimately what most CISOs want. Everyone wants passwordless access; users do too. So there will be a technology shift, from an innovation perspective, in how this is addressed in today’s environment.
CISO Forum: With India’s GCC boom and rapid cloud adoption, what specific identity security blind spots are Indian enterprises consistently underestimating?
Anand (Jude) Kannabiran: One of the key blind spots, given the big GCC boom in India, is going to become increasingly prevalent for two reasons. In the past, GCC operations in India were largely operational, with much decision-making happening outside India — at large global multinationals, whether based in Europe or the US. That has shifted. You now see global CIOs and CISOs based in India, with much more decision-making and strategy being driven from there.
Organizations need to rethink privileged access in this context.
Especially when you look at the automation drive underway — the shift from human-centric identity to identity-centric control — it is a significant shift in which systems do the work with high levels of automation. And again, as we discussed earlier, how do you enforce just-in-time access in this environment? That will be even more critical because it needs to be context-driven, on-demand, and time-bound.
The next key area is embedding identity into automation and AI workflows — that is a very clear blind spot. Privileged controls must now be integrated into DevSecOps pipelines, RPA workflows, and AI decision engines. These were gaps that did not exist 24 to 36 months ago. Organizations need to rethink how they fundamentally solve for them.
CISO Forum: How should enterprises think about privileged access when the “user” requesting access is an automated service or an AI pipeline rather than a person?
Anand (Jude) Kannabiran: One of the key ways organizations need to approach this is to start by building a strategy around it. It begins with a strategy, then an entire architecture for deploying it. There needs to be a level of caution and control over this. Why? Because the business drivers here are efficiency, automation, cost reduction, and innovation — speed to market. All of these are business and operational drivers. Organizations need to take all of these drivers and determine how they fit into an AI-driven strategy, which then needs to be translated into an AI-driven architecture for deployment. Security by design must be embedded into this process.
One of the key elements of security by design is the identity component. Bearing in mind that AI, once energized and a workflow is initiated, will operate independently. So, how do we establish all the authentication control points, and how do we validate which tasks an AI agent can perform automatically? That comes back to the identity control plane. The identity control plane must now include an AI element, and the way different applications communicate with it must fit within the identity control plane.
Two key priorities follow from this: number one, visibility; number two, discovery. You need continuous discovery so you understand the map, and that map gives you visibility. From there, you can make more informed decisions.
CISO Forum: Dynamic, context-aware access controls sound compelling in theory — what does the implementation actually look like inside a large, complex enterprise environment?
Anand (Jude) Kannabiran: When we talk about context-aware, identity-aware controls and moving into a just-in-time perspective, the first question to ask before we even get there is: do we have our basics in place?
Do we have access and session management controls in place? Do we have clarity on the authentication side—is it clearly defined? Do we have a roadmap for the transition from authentication to authorization? Are we clear on our vaulting controls, our credential rotation controls, and our continuous discovery of credentials and users within the organization? Do we have session recordings sorted out? That is what we call Privileged Access Management — Privileged Access Session Management.
Once we have that foundation in place, we can move into the JIT space — the context-aware world that includes privilege elevation and delegation as part of the end-to-end JIT process. The question then becomes: do we have that identity maturity model built into the organization, supported by a strategy at the execution level, and the technology to enable it?
Last but not least, have organizations invested in the right human resources internally? That is a critical element. Identity security professionals are very different from other security professionals, and organizations need to ensure those investments are made before embarking on the advanced stages of identity security — including adopting JIT at scale across the organization.
CISO Forum: As AI adoption accelerates across Indian enterprises, what is the single most urgent identity security priority that CISOs cannot afford to defer any longer?
Anand (Jude) Kannabiran: Visibility. Discovery and visibility are the single biggest priorities.
If you look at it today, AI is becoming a way of life across organizations. Employees, with or without permission, will try to deploy AI in some fashion. In a technology-centric country like India, especially, people are discovering they can build their own agents — how can I build an agent to make my job easier or drive greater efficiency? This is going to happen whether we like it or not. Organizations need to turn around and ask: What are the guardrails for how we deploy AI? We cannot simply say no to AI — that would be very difficult. So let us put that framework in place.
As you put that framework in place and embark on a journey where security, identity, and AI converge, one of the first key elements you must ensure is visibility. Do we know what AI agents are being deployed within the organization? Do we know what security controls have been deployed within those AI agents? That is the visibility layer.
The second layer is continuous discovery. Are we continuously monitoring for new AI agents? What are they doing? How does their activity impact our security posture? These are at least the bare minimum that organizations in India need to address as they embark on this journey.
