Identity Is the New Perimeter: Why Zero Trust Starts With Who You Are, Not Where You Work

As enterprises race toward cloud-first operations and AI-driven workflows, the traditional network perimeter has dissolved. In its place, identity has emerged as the ultimate security control point—governing not only human users but also bots, service accounts, and autonomous AI agents. In an exclusive conversation with CIO&Leader, Abhishek Gupta, Group Vice President for India at SailPoint, reveals why 72% of Asia-Pacific organizations remain dangerously unprepared for identity-driven threats, how India’s new DPDP Act is forcing a reckoning, and why adaptive identity security—capable of real-time, context-aware access decisions—is now the cornerstone of operational zero trust and enterprise resilience.

Abhishek Gupta
GVP
SailPoint India

CIO&Leader: Why has identity replaced the traditional network perimeter as the primary control point in modern enterprises?

Abhishek Gupta: The traditional network perimeter assumed a clear boundary between trusted internal users and external threats. That model no longer holds. Today, users, applications, and data are distributed across cloud, SaaS, and hybrid environments, often accessed remotely. Therefore, identity has become the most consistent control point because every interaction, human or machine, starts with authorization. Rather than securing where access comes from, enterprises now focus on who or what is accessing resources, what level of access is appropriate, and under what conditions. Also, many regulations, such as India’s DPDP Act, require organizations to implement strong access controls to protect sensitive data. Identity security can help with meeting these compliance requirements by providing a centralized way to manage user access and track user activity. In today’s distributed, cloud-centric world, identity security provides the contextual, dynamic enforcement needed to secure modern enterprises more effectively and flexibly.

CIO&Leader: How are non-human identities (bots, service accounts, and AI agents) changing the identity security risk landscape?

Abhishek Gupta: Non-human identities are changing the identity security landscape, as they often have broad access privileges and organizations often lack visibility into their activities, increasing the risk of unauthorized access and data breaches, and making them attractive targets for attackers.

Machine identities are the fastest-growing and most vulnerable attack surface, and close to 70% of organizations confirm they have more machine identities than human identities, yet more than half (57%) reveal that inappropriate access has been granted to a machine identity. Managing and securing non-human identities can be complex due to their unique characteristics and lifecycles, but they need to be governed with the same rigour as human identities. With advanced, autonomous identity security solutions, organizations can have full visibility into all identities, access permissions, and behavior, and ownership of machine accounts at enterprise scale, while ensuring regular reviews and recertification of non-human identity privileges to minimize risk.

CIO&Leader: Where do legacy IAM models fall short in cloud-first, hybrid, and API-driven environments?

Abhishek Gupta: In cloud-first and API-driven architectures, access is dynamic, ephemeral, and often machine-led. In this environment, identity security becomes the core control plane, where every digital identity, device, and application must be continuously verified. This “identity-first” model is essential to implementing Zero Trust, now an operational standard for preventing unauthorized lateral movement during a breach. Traditional identity security struggles with scale, visibility, and control, as well as real-time context and continuous access evaluation. It typically focuses on human identities and relies on manual provisioning, periodic reviews, and role structures that quickly become outdated, leading to security gaps.

Modern environments demand identity security that can govern all identity types, including human, non-employees, non-human, and AI agents; and adapt to rapid change, integrate deeply with cloud platforms, and govern access continuously rather than episodically. Without this shift, enterprises face growing identity risks and compliance gaps.

CIO&Leader: What role does identity governance play in making zero-trust architectures operational, not just conceptual?

Abhishek Gupta: Zero trust is fundamentally an identity-driven model. Identity governance provides the guardrails that make zero trust actionable by providing the necessary visibility, control, and automation to enforce the principle of least privilege, with access justified and time-bound. It brings structure to who has access, why they have it, and whether it’s still needed as roles and environments change. Identity governance also automates manual tasks such as user provisioning and access request processing, and enables continuous verification through access reviews, policy enforcement, and auditability, reducing the burden on IT staff and improving the efficiency of identity management processes. For example, through SailPoint’s partnership with HCLTech, organizations can implement zero-trust-aligned identity controls to govern access in real time.

CIO&Leader: How can identity security reduce insider risk without slowing down digital and developer velocity?

Abhishek Gupta: Reducing insider risk means designing access that’s intelligent and automated. Modern identity security focuses on just-in-time access, policy-based provisioning, and automated certifications rather than manual approvals. For developers and digital teams, this translates to faster access when needed, without long-term over-privileging. By aligning access with role, context, and duration, enterprises can limit exposure while preserving speed. The goal is to make secure access the default, not an obstacle, so that productivity and security reinforce each other rather than compete.

CIO&Leader: In the Indian context, what are the biggest challenges enterprises face in aligning identity security with privacy and regulatory requirements?

Abhishek Gupta: Indian enterprises are navigating a complex regulatory landscape alongside rapid digital growth. One key challenge is balancing scale and compliance, managing millions of identities across diverse systems while meeting privacy, audit, and data protection expectations. This is especially poignant in the wake of the finalization of the rules under the DPDP Act. Many organizations still operate with legacy infrastructure and fragmented identity data, making consistent policy enforcement difficult. Awareness around managing non-human identities and access governance maturity varies widely, too. According to SailPoint’s Horizons of Identity Security Report, 72% of organizations in APAC are still in the early stages of their identity security journey and are not reaping the benefits of identity security, which delivers the highest ROI of any security investment. Enterprises that treat identity as a strategic enabler report typical ROI multiples of up to 10x, reducing risk, driving revenue, and enabling AI safely.

CIO&Leader: As AI adoption accelerates, how will identity security need to evolve to manage autonomous systems and machine-driven access at scale?

Abhishek Gupta: Although AI adoption is accelerating, identity governance is lagging, creating risks of data exposure and compliance breaches. By 2028, Gartner predicts that 33% of enterprise software applications will include agentic AI, with at least 15% of day-to-day work decisions being made autonomously through AI agents, yet only 44% of enterprises globally currently have any governance policies in place for AI agents.

At SailPoint, we believe the only way forward is through a new way of thinking about security—what we call an adaptive identity model. Adaptive identity is about securing enterprises efficiently and effectively in a dynamic world. It is an evolution of identity security designed for the realities of AI, where identity management continuously learns, decides, and acts across every human, machine, and AI interaction. It unifies identity, data, and security to continuously evaluate and govern every identity, embedding governance directly into the flow of work. Adaptive identity will be a cornerstone of business security as organizations shift from static, compliance-focused models to real-time, risk-based access.

Unlike traditional static controls, adaptive identity uses real-time authorization to evaluate access requests based on dynamic signals like location, device health, and behaviour. If a user’s credentials are stolen, the system can instantly revoke or escalate privileges based on these anomalies. Adaptive Identity helps organizations lead with confidence, innovation, and trust by governing AI agents, reducing standing privilege, and providing visibility into relationships between human and non-human identities. It is the way forward that will define the next era of enterprise security: security that moves as fast as the enterprise it protects.
