Yuval Wollman of UST explains why autonomous AI, non-human identities and post-quantum threats demand zero-trust security, AI governance and new cyber resilience strategies for modern enterprises.

As enterprises accelerate AI adoption, cybersecurity is undergoing its most profound transformation in decades. Autonomous AI agents, non-human identities, post-quantum cryptography, and increasingly sophisticated state-sponsored cyber threats are rapidly reshaping the enterprise security landscape, exposing weaknesses that conventional security architectures were never designed to address. At the same time, organisations are grappling with cloud complexity, growing identity risks, regulatory fragmentation, and an acute shortage of cybersecurity talent.
In this interview with CIO&Leader, Yuval Wollman, Managing Director, UST, discusses why enterprise boards must rethink cyber governance in the age of autonomous AI, how identity security must evolve beyond human verification, why non-human identity management and zero-trust architectures are becoming foundational, what Indian enterprises should prioritise as they modernise their security posture, and why organisations cannot afford to delay their transition to post-quantum cryptography.
CIO&Leader: What is the biggest macroeconomic or geopolitical blind spot that commercial enterprise boards are completely overlooking right now when they map out their cyber risk?
Yuval Wollman: The biggest blind spot for enterprise boards is failing to govern the unique attack surface created by autonomous AI agents, even as business units rapidly adopt them to drive productivity. While boards focus on traditional software vulnerabilities, autonomous agents introduce unprecedented risks — such as prompt injection, uncontrolled data exfiltration, and independent decision-making capabilities — that bypass standard cybersecurity frameworks and leave corporate networks deeply exposed to both rogue actors and corporate espionage.
The biggest blind spot for enterprise boards is failing to govern the unique attack surface created by autonomous AI agents.
CIO&Leader: When the human element can be fully simulated by an algorithm at scale, how must an organization’s identity-first verification models adapt to maintain digital trust?
Yuval Wollman : As state-sponsored adversaries increasingly weaponize localized AI models to execute asymmetric cyber warfare and industrial espionage, identity-first verification must evolve from behavioral baselines to immutable, hardware-bound cryptographic proof. The emergence of fragmented regional internet regulations and state-backed algorithmic factories allows hostile nations to mass-produce digital clones specifically optimized to bypass Western biometric and conversational authentication models. To maintain digital trust against these politically motivated threats, organizations must shift to a zero-trust architecture that relies on decentralized identity registries and real-time physical device attestation, validating the secure origin of the infrastructure rather than the easily simulated human persona.
CIO&Leader: The blast radius immediately encompasses every connected cloud asset, API token, and service account operating under that credential. How do we design an internal security fabric that assumes an identity is already compromised and dynamically throttles its lateral movement?
Yuval Wollman : To neutralize a compromised credential’s blast radius at machine speed, organizations are adopting new solutions like Non-Human Identity Management (NHIM) and Identity Threat Detection and Response (ITDR). Instead of relying on static role-based access, these tools enforce a dynamic authorization mesh that treats every API call and service account interaction as an isolated, time-bound transaction. By continuously analyzing machine telemetry for behavioral drift, these platforms bypass manual intervention to instantly trigger cryptographic kill-switches, invalidate active cloud tokens, and strictly micro-segment network traffic. This self-throttling grid automatically isolates compromised connections, transforming security from a vulnerable perimeter into an autonomous containment fabric.
CIO&Leader: India is experiencing a massive wave of cybersecurity investments, yet the ecosystem continues to hit severe talent shortages and operational friction when transitioning to the cloud. What structural advice would you give to Indian enterprises?
Yuval Wollman : To overcome severe talent scarcity and cloud friction, Indian enterprises must pivot from building custom in-house solutions to partnering with global managed service and expert vendors who can immediately inject mature cloud-native capabilities. Instead of competing for scarce local engineering talent to build infrastructure from scratch, organizations should deploy sovereign cloud architectures managed by specialized global vendors who bake automated compliance, zero-trust guardrails, and infrastructure-as-code directly into the pipeline. By combining these managed platforms with global Identity Threat Detection and Response (ITDR) vendors, enterprises effectively offload the operational burden of continuous monitoring and threat hunting to global centers of excellence. This strategic shift transforms security from a localized, talent-constrained bottleneck into a scalable, vendor-supported operating model that delivers immediate resilience.
CIO&Leader: The industry is beginning to sound the alarm on the transition to post-quantum cryptography. For an organization managing highly sensitive, multi-decade data, why is waiting for absolute quantum maturity a fatal mistake, and what should their architectural staging look like today?
Yuval Wollman: Waiting for absolute quantum maturity is a fatal mistake because adversaries are actively executing “Harvest Now, Decrypt Later” (HNDL) attacks, intercepting and storing encrypted multi-decade data today to decrypt it the moment cryptanalytically relevant quantum computers emerge. To counter this, governments are introducing sovereign, state-level cryptographic mandates, and national quantum-safe migration timelines, making compliance a prerequisite for securing critical infrastructure and public sector contracts.
Waiting for absolute quantum maturity is a fatal mistake because adversaries are actively executing ‘Harvest Now, Decrypt Later’ (HNDL) attacks
Organizations must implement a state-aligned, three-stage architectural rollout: first, deploy automated discovery tools to inventory all legacy cryptographic assets; second, adopt hybrid deployment models that wrap classical encryption with state-approved post-quantum algorithms (like ML-KEM or localized variants); and third, isolate high-value data within micro-segmented enclaves secured by certified, quantum-resistant hardware security modules (HSMs).