As enterprises across India and the broader SAARC region accelerate their digital transformation journeys, the rise of AI is fundamentally reshaping how organisations think about cybersecurity. With AI agents, machine identities and autonomous systems increasingly becoming part of enterprise operations, identity is emerging as the new security perimeter, far beyond the administrative access management function it was often reduced to earlier. In this rapidly evolving environment, business leaders face a defining choice: lead the AI shift proactively or risk reacting to its consequences later. In an exclusive conversation with Tech Achieve Media (TAM), Nitin Varma, Senior Vice President and Managing Director – India & SAARC, Saviynt, discusses how identity is evolving in the AI era, the risks posed by non-human identities, and why organisations must rethink cybersecurity through the lens of continuous identity governance.
TAM: Organisations across the SAARC region are accelerating their digital journeys. What identity challenges are you seeing in these emerging markets compared to more mature digital economies?
Nitin Varma: Today, everyone starts with one macro statement: identity is the new perimeter.
Identity has existed for decades, but what has changed in this digital, and now AI, era is the scale, speed and nature of identities. Earlier, identity risk was largely human-centric, employees, partners and customers, and these identities were predictable and governed through structured processes. But today, we are seeing a fundamental shift.
First, there is an explosion of non-human identities. Enterprises have gone from managing thousands of users to managing millions of identities such as APIs, service accounts, bots, AI agents and autonomous systems. These identities often don’t go through the same governance process as human employees and typically operate with excessive privileges.
Second is speed. Earlier, misuse of access required human intent and time. Today, AI systems can execute actions instantly across multiple systems, 24/7, at machine speed. A compromised identity, as opposed to being a single point of risk, has become a multiplier of risk.
Third is the shift from access to autonomy. Identities today are not just logging in; they are making decisions like approving workflows, triggering transactions and accessing sensitive data. The question is no longer who has access, but what is this identity allowed to do on its own? And finally, traditional controls are breaking down. Legacy identity models were built for static roles and periodic reviews. AI introduces dynamic, context-driven access and ephemeral identities. Traditional governance simply cannot keep pace.
TAM: Today, many autonomous agents can act almost like humans. Saviynt recently launched what it calls the first identity control plane for agentic AI. How do organisations prevent these digital employees from becoming a massive unmanaged attack surface?
Nitin Varma: That is exactly the challenge the identity security industry is trying to solve today.
The first step is discovery. You cannot secure what you cannot see. Organisations must know how many AI agents exist in the enterprise, which platforms they operate on, which LLMs they use, and what tools they access.
Second is registration. Human employees are registered through HRMS or Active Directory. AI agents are increasingly acting like digital colleagues, but they are not being formally registered anywhere. That needs to change.
Third is lifecycle governance right from onboarding to retirement. AI agents need to be governed exactly like employees, but at machine speed. And finally, there must be runtime authorisation, ensuring that an agent only performs the tasks it has been authorised to perform, and nothing more. Discovery, registration and continuous governance should be the foundation.
TAM: Saviynt has often said identity must become the operating system of the AI era, and not just an administrative function. What does that mean in practice?
Nitin Varma: Organisations are realising that identity governance must evolve from traditional access management into a continuous security control plane. We are no longer dealing with predictable users. We are dealing with decision-makers that are both human and non-human.
What enterprises need is a platform that provides visibility, governance and policy enforcement across humans, machines, applications and autonomous AI agents.
At Saviynt, our philosophy is simple: AI should not sit as a feature layer on top of identity governance, Instead, it should be embedded across the entire identity lifecycle. That means AI helps discover identities, classify them by risk, continuously monitor them, and ensure compliance in real time. This shift, from reactive control to predictive control, is becoming the new foundation of enterprise cybersecurity.
TAM: How does that unified identity strategy work across multi-cloud environments like AWS, Google Cloud and other platforms?
Nitin Varma: Enterprises today do not want fragmented security tools. They want consolidation.
Saviynt operates at the intersection of four key areas: identity governance, privileged access management, application access security and security posture management. What enterprises are looking for is centralised visibility, intelligent automation and least-privilege access at scale.
This consolidated approach reduces complexity, strengthens zero-trust architecture and helps organisations mitigate identity-related risks while accelerating secure AI and cloud adoption.
And this applies across environments, whether it is AWS Bedrock, Google Vertex AI, Azure OpenAI or other platforms. The principle remains the same: discover, register and govern every identity.
TAM: Looking ahead, what is the one identity-related risk that keeps CISOs awake at night? And what should Indian organisations do today to mitigate that risk?
Nitin Varma: The single biggest concern I hear from CISOs is visibility. Many organisations still do not have a complete view of all their identities, human, machine, privileged and AI-driven, in one place. And if you cannot see it, you cannot govern it. To address this, organisations need to build a resilient cybersecurity strategy centred around identity:
- First, start with identity as the foundation. Every user, machine, application and AI agent operates through identity.
- Second, move from prevention to resilience. Breaches will happen. The focus should be on detecting faster, containing faster and recovering faster.
- Third, shift from periodic governance to continuous governance. Access reviews every three months are no longer enough. Governance must happen in real time.
- Fourth, embrace convergence over fragmentation. Consolidate tools not just for efficiency, but for strategic control over your security posture.
TAM: Before we close, what is one message you would like to leave for business leaders and CISOs?
Nitin Varma: Over the last two decades, we’ve seen multiple technology shifts across internet, mobile, cloud and now AI. Every shift has transformed industries and created new leaders. Cloud transformed infrastructure. Mobile transformed platforms. AI will transform enterprise operations.
The question leaders must ask themselves is this: Do you want to lead this shift, or react to it?
Because AI will amplify everything in your enterprise including your gaps. That is the defining challenge, and opportunity, of our time.
