Sharda Tickoo explains why unified identity governance, continuous verification, AI identity controls, and ITDR are critical to securing modern organizations.

Identity has emerged as the new frontline of enterprise cybersecurity. As organizations accelerate AI adoption, cloud transformation, and automation, traditional identity management models are struggling to keep pace with the explosion of non-human identities, autonomous AI agents, and increasingly sophisticated identity-based attacks. The challenge is no longer limited to securing user credentials but to governing an interconnected ecosystem of human, machine, and AI identities operating at machine speed.
In this interview, Sharda Tickoo, Country Manager for India & SAARC at Trend Micro, argues that identity must be treated as a unified enterprise risk rather than a collection of disconnected systems. She explains why organizations need continuous identity governance, behavioral monitoring, and Identity Threat Detection and Response (ITDR) to combat evolving threats. She also highlights how AI agents, Employee Digital Twins, and post-password identity verification are redefining the future of enterprise security.
CIO&Leader: Identity is currently enterprise security’s least unified yet most exploited layer. Why are so many organizations still treating physical access, digital accounts, and machine credentials as distinct problems, and what is structurally preventing them from consolidating these into a single pane of glass?
Sharda Tickoo: The fragmentation exists because identity infrastructure was never designed as a unified system. Physical access control systems, on-premises user directories, cloud IAM platforms, and machine credentials evolved independently across decades, each with proprietary data formats, distinct governance models, and isolated audit trails. When a badge reader cannot talk to Active Directory, which cannot talk to AWS, which cannot talk to your Kubernetes cluster, you do not have an identity layer. You instead have a collection of isolated kingdoms.
Consolidating demands rethinking fundamentals. Traditional IAM systems were built for humans with predictable access patterns. They lack the discovery, visibility, and continuous governance frameworks needed for service accounts and autonomous machine identities operating at scale 24/7. Beyond technical debt, there is a deeper organizational barrier. Cloud identities sit with the Cloud Engineering team. Active Directory sits with IT Operations. API keys are scattered across developer teams. No single leader owns the entire identity risk surface so accountability fragments. When a credential is compromised, no one can trace the full blast radius across disparate systems.
Until organisations restructure around identity as a unified risk vector with consolidated discovery, unified governance policies, and real-time monitoring across all identity types, they remain exposed to lateral movement threats that span physical, digital, and automated domains.
CIO&Leader: Industry data indicates that while roughly 60% of data breaches involve a human element, the definition of a ‘human risk’ has changed. When a single human employee’s credentials can be used to inherit authority over dozens of linked API tokens and automated cloud workflows, how should a modern CISO redefine the concept of an enterprise ‘blast radius’?
Sharda Tickoo: The blast radius is no longer a person but an identity’s inherited chain of access: the network of systems, services, and workflows that trust and depend on that identity. One compromised human credential no longer simply means that one user’s data is exposed. It means every service account, API token, cloud role, database connection, and automated workflow that trusts that identity becomes an exploitation vector. A developer’s credentials compromised through phishing give attackers leeway to unlock inherited authority across the entire CI/CD pipeline, access to container orchestration systems, Git repositories, cloud storage, and production data repositories connected to the developer’s workflows.
Traditional risk models measured blast radius in people. A modern CISO must measure it in identity dependencies and inherited permissions. An insider threat or external attacker can trigger a cascade of automated actions across dozens of systems in minutes, far beyond what a single person could manually accomplish. This expanded blast radius needs containment.
CIO&Leader: Non-human identities and autonomous AI workers are scaling far faster than traditional user accounts. Because these machine entities operate 24/7 and naturally bypass controls like MFA, what core governance frameworks must be rewritten so that an AI agent is treated with the same compliance and lifecycle rigor as a human employee?
Sharda Tickoo: Existing identity governance was built around humans. It assumed predictable login patterns, enforced password rotations, MFA challenges, periodic access reviews, and termination workflows. None of this translates to an autonomous AI agent operating continuously across APIs, data repositories, and cloud systems at inhuman speed and scale. Governance frameworks must be completely rewritten around this reality.
First, automated discovery and inventory should be implemented. Organisations must discover and continuously catalogue non-human identities, such as service accounts, API keys, managed identities, autonomous agents, and bot accounts, with the same rigour they inventory human users. Today, most organisations do not even know what service accounts exist in their environment.
Second, lifecycle management. When a service is decommissioned or an AI agent is retired, the associated credentials must be automatically revoked and access disabled.
Third, continuous behavioural monitoring. Rather than periodic access reviews, machine identities demand real-time behaviour baselines and anomaly detection. An AI agent accessing an unexpected data repository or making an unusually large number of API calls should trigger immediate alerts.
Fourth, dynamic least-privilege enforcement. An AI agent should inherit exactly the permissions it needs at that specific moment. Without these governance rewrites, autonomous AI becomes a security black hole.
CIO&Leader: We are beginning to see security challenges around emerging protocols like the Model Context Protocol (MCP), where developers connect AI agents directly to core data repositories. How can security teams prevent ‘privilege creep’ where an AI agent ends up inheriting broader administrative access than the actual human who deployed it?
Sharda Tickoo: Privilege creep with MCP and similar protocols happens because developers optimise for function over security. When an AI agent needs to query a database or access a file repository, the path of least resistance is to grant broad administrative credentials rather than define minimal permissions. The developer ships faster, the agent gets deployed with full access and suddenly it has authority far beyond its intended scope. Meanwhile, the human developer who deployed it may have far more restrictive access.
Security teams must intervene at three critical points.
- First, at deployment time. Enforce automated permission audits that flag over-privileged credentials before they are provisioned, ensuring the agent receives exactly the access it needs, no more.
- Second, during runtime, continuously monitor actual access patterns and alert when an AI agent touches resources outside its learned baseline behaviour, indicating potential abuse or compromise.
- Third, through policy governance, establish MCP-specific access policies that mandate least-privilege roles for every agent, with automated enforcement and regular attestation.
Critically, this cannot be a periodic compliance review. Autonomous agents are continuously making decisions and inheriting risk in real time. Detection and response must be continuous through behavioural monitoring, not episodic quarterly audits.
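The deployment-time permission audit described in this answer, written as an added example that is not from the interview or from any Trend Micro product. It gates an agent's requested scopes against three constructed checks: administrative or wildcard scopes, the role's least-privilege allowlist, and the deploying human's own access, so the agent can never inherit more authority than the person who deployed it. The role policy, scope names, and request are all constructed for illustration.

```python
"""Deployment-time permission audit for an AI agent (constructed example)."""
from dataclasses import dataclass

# Constructed least-privilege policy: the scopes each agent role may hold.
AGENT_ROLE_POLICY = {
    "ticket-summarizer": {"tickets:read", "kb:read"},
    "db-reporting-agent": {"db:reports:read", "storage:exports:write"},
}

# Scope components that are never least-privilege for an agent (constructed).
ADMIN_MARKERS = ("admin", "*", "owner")


@dataclass
class AuditFinding:
    scope: str
    reason: str


def audit_agent_permissions(role, requested_scopes, deployer_scopes):
    """Return one finding per scope the agent must not be provisioned with.

    Checks run in the order a gate would evaluate them:
      1. administrative or wildcard scopes are always rejected;
      2. scopes outside the role's least-privilege allowlist are rejected;
      3. scopes the deploying human does not hold are rejected, so the agent
         cannot end up with broader access than the person who deployed it.
    """
    allowed = AGENT_ROLE_POLICY.get(role, set())
    findings = []
    for scope in sorted(requested_scopes):
        if any(marker in scope.split(":") for marker in ADMIN_MARKERS):
            findings.append(AuditFinding(scope, "administrative or wildcard scope"))
        elif scope not in allowed:
            findings.append(AuditFinding(scope, f"not in least-privilege policy for role {role!r}"))
        elif scope not in deployer_scopes:
            findings.append(AuditFinding(scope, "exceeds the deploying user's own access"))
    return findings


def provision_allowed(findings):
    """The deployment gate passes only when the audit produced no findings."""
    return not findings


if __name__ == "__main__":
    # Constructed request: a developer deploys a reporting agent with broad credentials,
    # while the developer's own access is limited to reading reports.
    requested = {"db:reports:read", "db:admin", "storage:*", "storage:exports:write"}
    deployer = {"db:reports:read"}
    result = audit_agent_permissions("db-reporting-agent", requested, deployer)
    for finding in result:
        print(f"BLOCK {finding.scope}: {finding.reason}")
    print("provision allowed:", provision_allowed(result))
```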
CIO&Leader: When an identity is compromised in the AI era, the attack moves at machine speed across the cloud supply chain. Why are traditional, point-in-time authentication methods failing to contain these lateral movements, and how does Identity Threat Detection and Response (ITDR) change the equation?
Sharda Tickoo: Traditional authentication is a single checkpoint in time. We verify the credential at login, grant access, and then trust is assumed for the duration of the session. But a compromised identity in 2026 does not stay in one place. It chains through cloud APIs, inherited workflow permissions, delegated credentials, and linked accounts, all at machine speed, completing a full lateral movement across your cloud infrastructure in minutes, long before any human security team notices unusual activity.
Point-in-time authentication cannot react to this velocity. By the time a password is reset or a session is terminated, the attacker has already moved laterally through multiple systems, exfiltrated data, and potentially established persistence. ITDR fundamentally changes the model by shifting from event-based detection to continuous behavioural analysis. It does not wait for suspicious login events. It continuously monitors identity behaviour across all connected systems – endpoints, cloud platforms, email, applications, and networks – establishing behavioural baselines for each identity and detecting deviations in real time.
When an identity suddenly accesses systems it has never touched, from geographic locations it has never used, at access volumes that exceed normal patterns, ITDR flags it immediately. More critically, it correlates these identity signals with endpoint telemetry, network logs, and cloud audit trails to reveal the entire attack chain as it unfolds. This enables automated containment before the blast radius expands across your supply chain.
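The baseline-and-deviation logic described in this answer (systems never touched, locations never used, abnormal access volumes) and in the earlier governance answer (an agent touching an unexpected data repository or making an unusually large number of API calls), written as an added example that is not from the interview or from any Trend Micro product. The audit event tuples, identity names and the volume threshold are constructed for illustration.

```python
"""Learn per-identity behavioural baselines and flag deviations (constructed example)."""
from collections import Counter, defaultdict

# Constructed audit events: (identity, resource, location, hour bucket).
HISTORY = [  # activity used to learn the baseline
    ("agent-reporter", "db:reports", "ap-south-1", "2026-02-01T09"),
    ("agent-reporter", "db:reports", "ap-south-1", "2026-02-01T10"),
    ("agent-reporter", "storage:exports", "ap-south-1", "2026-02-01T10"),
    ("agent-reporter", "db:reports", "ap-south-1", "2026-02-02T09"),
]
NEW_ACTIVITY = [  # activity to evaluate against the baseline
    ("agent-reporter", "db:reports", "ap-south-1", "2026-02-03T09"),   # normal
    ("agent-reporter", "hr:payroll", "ap-south-1", "2026-02-03T09"),   # never-touched resource
    ("agent-reporter", "db:reports", "eu-west-3", "2026-02-03T09"),    # never-used location
] + [("agent-reporter", "db:reports", "ap-south-1", "2026-02-03T11")] * 7  # volume spike


def learn_baselines(events):
    """Per identity: resources touched, locations used, and peak calls in any hour."""
    seen = defaultdict(lambda: {"resources": set(), "locations": set(), "hourly": Counter()})
    for ident, resource, location, hour in events:
        seen[ident]["resources"].add(resource)
        seen[ident]["locations"].add(location)
        seen[ident]["hourly"][hour] += 1
    return {ident: {"resources": b["resources"], "locations": b["locations"],
                    "peak_per_hour": max(b["hourly"].values())}
            for ident, b in seen.items()}


def detect_deviations(baselines, events, volume_factor=3):
    """Return (identity, kind, detail) alerts for unseen resources or locations,
    unknown identities, and hourly volume above volume_factor times the learned peak."""
    alerts, per_hour = [], Counter()
    for ident, resource, location, hour in events:
        baseline = baselines.get(ident)
        if baseline is None:  # no baseline at all: an identity discovery has missed it
            alerts.append((ident, "unknown-identity", resource))
            continue
        if resource not in baseline["resources"]:
            alerts.append((ident, "unseen-resource", resource))
        if location not in baseline["locations"]:
            alerts.append((ident, "unseen-location", location))
        per_hour[(ident, hour)] += 1
    for (ident, hour), count in per_hour.items():
        peak = baselines[ident]["peak_per_hour"]
        if count > volume_factor * peak:
            alerts.append((ident, "volume-spike", f"{count} calls in {hour} vs peak {peak}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_deviations(learn_baselines(HISTORY), NEW_ACTIVITY):
        print(alert)
```

In a real ITDR pipeline these alerts would be correlated with endpoint and cloud audit telemetry rather than acted on alone, but the baseline-per-identity and deviation-per-event structure is the same.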
CIO&Leader: As deepfakes and automated credential harvesting make traditional passwords and basic biometrics highly vulnerable, what emerging trends or technologies do you believe will define the next generation of high-assurance onboarding and physical-to-digital identity verification?
Sharda Tickoo: We are shifting from static identity verification at a single onboarding moment toward continuous, behavioural, and contextual identity validation throughout the user lifecycle. A password or fingerprint captured at enrolment is increasingly insufficient. They can be stolen, replicated, deep-faked, or replayed at scale.
Context-aware continuous authentication will be central. Rather than trusting an identity based solely on a credential, future systems will validate identity through a constellation of signals: for example, device posture and security health, geographic location history and anomalies, time-of-access patterns relative to the user’s baseline, and behavioural biometrics. Decentralized identity models, where individuals cryptographically control proofs of identity, reduce the attack surface for credential harvesting and reduce breach impact.
Biometric fusion, which combines multiple behavioural signals across keystroke dynamics, gait recognition, voice patterns, and interaction rhythms, makes deepfakes and credential replay far harder to execute at scale. The most important philosophical shift is treating identity verification as continuous and adaptive, not episodic. It is persistent, real-time validation that the entity using an identity remains who it claims to be, with trust scores that adapt dynamically to context and threat level. That philosophy, powered by AI-driven behavioural analytics, will define next-generation identity assurance.
Yet the frontier extends beyond users. In hyper-connected enterprises, every employee now carries a shadow self. This is an Employee Digital Twin (EDT) built from devices, accounts, applications, behavioural patterns, and work identities. What was once invisible is now a critical attack surface. EDTs aggregate skills, contextual knowledge, behavioural patterns, and persistent memory under a single identity, moving beyond simple automation to place identity itself at the centre of the threat landscape. Per our global research, a “zombie twin” – an EDT that persists after an employee departs – can be hijacked, poisoned with malicious training data, or manipulated to conduct attacks that traditional credentials never could. Unlike passwords, a compromised EDT cannot simply be reset. This represents the evolution of Business Email Compromise from credential theft to full-scale personality replication. As sectors accelerate cloud adoption and digital dependence, the battleground has fundamentally shifted to identity itself.