As Indian enterprises accelerate cloud adoption, embrace AI, and respond to tightening regulations, identity has emerged as the most critical—and complex—security challenge. No longer limited to employees and users, today’s identity landscape spans machines, bots, service accounts, and AI agents operating across hybrid environments. In this in-depth conversation with CIO&Leader, Abhishek Gupta, GVP – India, SailPoint, explains why traditional IAM models are no longer fit for purpose. He discusses how intelligent identity governance is becoming central to zero trust, insider risk management, and DPDP compliance, and why enterprises must rethink identity not as an IT control, but as the foundation of modern cyber resilience.
GVP – India
SailPoint
CIO&Leader: What is pushing Indian enterprises to move from traditional IAM to intelligent, automated identity security?
Abhishek Gupta: Technology is evolving rapidly. Earlier, identity management was primarily limited to human identities—employees and non-employees. However, with accelerated digitalization driven by customer demands, the nature of identities across the enterprise landscape has fundamentally changed. Today, organizations must manage not only human identities but also machine identities, such as bots and service accounts. With the rise of AI, AI agents are now becoming part of enterprise systems as well. Traditional IAM solutions were not designed to handle this expanded and complex identity ecosystem. That is why enterprises are increasingly looking for more intelligent, next-generation identity security platforms.
CIO&Leader: Why is strong identity governance essential as companies scale cloud and AI operations?
Abhishek Gupta: Over the last four to five years, the technology landscape has changed significantly. Earlier, enterprises primarily operated from physical offices, with on-premises infrastructure. Employees came to the office, identities were mainly human—employees and non-employees—and the infrastructure footprint was limited. That made identity management relatively straightforward.
However, with COVID and accelerated digitalization, both types of identities and infrastructure have evolved. Applications have moved to the cloud, while many continue to run on-premise. At the same time, the volume and speed at which businesses grant access to customers, partners, and employees have increased dramatically.
The challenge for enterprises is managing this growing velocity and complexity. Organizations need identity solutions that can scale to meet future requirements, support new identity types, and integrate seamlessly across on-premises and SaaS environments. A modern identity platform must provide a single, unified view of who is accessing what and how those accesses are being used.
This visibility helps identify anomalies—access that doesn’t align with roles or intent—and strengthens overall security. That is the direction enterprises must move toward.
CIO&Leader: How is SailPoint securing AI agents and other non-human identities in modern environments?
Abhishek Gupta: If you look at SailPoint’s evolution, we were never a traditional IGA solution. From the beginning, we have been a modern, innovation-led identity platform. One clear indicator of this is our strong focus on intellectual property—we are among the few identity companies globally with a significant patent portfolio, with over 75 patents to date. This reflects our commitment to continuous innovation.
AI has been embedded across our platform since 2017, well before it became a mainstream conversation. Today, we treat AI agents as a new class of identity within the non-human category. While they are machine identities, they behave more like human identities in terms of decision-making and system interaction.
This creates unique governance challenges. AI agents require access like human users do, but they must also be strictly governed to ensure they have only the permissions they are entitled to, and no more. That level of governance is built into SailPoint. Our platform is built to manage and govern all identity types—human and non-human—at scale, securely and intelligently.
CIO&Leader: What identity challenges are you seeing most across Indian industries right now?
Abhishek Gupta: The first challenge is that many organizations still don’t fully understand what identity really means. When we started our India business around three years ago, one of the most significant issues we encountered was that customers viewed identity as just a checkbox exercise. The reality—even then—was that attackers were targeting identities. Once an identity is compromised, attackers gain access to everything associated with that identity.
At the time, this perspective was not widely understood, and it took significant effort to educate the market. Today, I’m encouraged by how the conversation has evolved. Over the last couple of days alone, we’ve seen discussions become far more identity-driven. Customers are beginning to realize that identity sits at the core of enterprise security.
That said, challenges remain. While the market is maturing and becoming more knowledgeable, many organizations are still in transition. The biggest challenge today is truly viewing identity as a critical security problem, not just an IT function.
CIO&Leader: Which use cases—insider threat prevention, zero trust, or compliance—are seeing the fastest adoption?
Abhishek Gupta: Zero trust has consistently been a top priority for CIOs and CISOs, and that continues to hold. However, looking at recent attack patterns, nearly 80% of breaches are driven by insiders rather than by external actors. As a result, zero trust remains the primary focus, closely followed by insider threat prevention. Many organizations are now actively evaluating and deploying solutions in this area to address these risks more effectively.
CIO&Leader: How will India’s evolving regulatory landscape, including DPDP, shape the future of identity security?
Abhishek Gupta: That’s a very relevant question. The DPDP Act, based on what we’ve seen so far, places strong emphasis on understanding who is accessing what data and how that data is being used. Enterprises must be able to provide clear answers if individuals ask how their data is accessed, processed, and protected.
As DPDP enforcement comes into effect, organizations will be compelled to re-examine their identity security strategies. We are already seeing this shift in market behavior. Organizations that were previously hesitant are now actively engaging with us to understand how we can help. Additionally, regulators like SEBI and RBI are becoming increasingly stringent. This regulatory focus on identity will significantly accelerate adoption and growth in the identity security space.