Artificial intelligence is transforming both sides of the cybersecurity equation. As organizations embrace AI to accelerate digital transformation, cybercriminals are weaponizing the same technology to launch faster, more sophisticated, and harder-to-detect attacks. A recent Accenture study highlights this growing gap: only 8% of Indian organizations are fully prepared to counter AI-augmented cyber threats, while 81% remain vulnerable, lacking a cohesive strategy and the right capabilities.
Gautam Kapoor: I believe all of us in India have invested significant effort over the past 25 years to mature the cybersecurity ecosystem. There’s been tremendous progress and substantial investment in cybersecurity over the past 20 years.
However, with the advent of AI and especially GenAI, the landscape has changed dramatically. Technology has leapt forward, and there’s now a race to build AI models and deploy AI-driven use cases aimed at replacing or augmenting human work. Organizations are adopting AI at speed to drive efficiency.
The challenge is that cybersecurity is struggling to keep pace. Not many organizations have evolved at the same rate as AI, which is reflected in the survey findings you mentioned: only 8% of companies reported strong security for AI, while 81% remain exposed.
This highlights two critical areas:
- Securing your own AI. If you are developing AI models, you must protect them.
- Defending against AI-enabled threats. Adversaries are already using AI to launch more sophisticated attacks.
Both areas need urgent attention. The overall maturity will evolve over time, but right now there’s a clear gap, made worse by a shortage of skills. Many of us are still learning how to secure AI models and defend against AI-driven attacks. Another weak spot is the supply chain. Its security maturity hasn’t kept pace with technological advancements, leaving organizations vulnerable to threats that originate from third-party partners. In short, technology sophistication has advanced on both the AI side and the attack side. Cybersecurity needs to catch up rapidly to match that level. That’s the maturity gap we’re facing today.
TAM: What unique cybersecurity threats are emerging in the Indian digital economy, especially with increased public-private digital collaboration?
Gautam Kapoor: Firstly, let’s be absolutely clear: public–private partnerships benefit both sides.
For the government, these partnerships provide access to a vast talent pool of cybersecurity professionals. For private players, they open the door to large public-sector enterprises and critical assets that are not typically available in the private sector. It’s a win-win situation, and such partnerships will undoubtedly continue.
However, as we build more digital ecosystems, through initiatives like Make in India and Digital India, the overall attack surface expands. Greater digitization creates more integration points, especially as both government and private organizations increasingly adopt cloud solutions.
Key cybersecurity concerns emerging from these partnerships include:
1. Cloud and API security.
- With rapid cloud adoption, risks of misconfiguration grow if proper security measures are not implemented.
- APIs serve as the integration layer between entities. As data-sharing increases through government data lakes, for example, these APIs become attractive targets for attackers.
2. Data protection and privacy.
- Public–private projects often involve large data fiduciaries holding massive amounts of sensitive information, such as PII or citizen data.
- This heightens the risk of data breaches and leaks. While the DPDPA Act seeks to address these risks, compliance will be critical for organizations handling such data.
3. Supply chain vulnerabilities.
- Attackers may exploit third-party software, subcontractors, or service providers as entry points into organizations with large datasets.
- As these ecosystems expand, supply chain attacks are likely to increase.
Finally, many of these collaborations are happening in the AI space, adding yet another layer of complexity. AI adoption amplifies both opportunity and risk, demanding robust security measures to protect models, data, and integration points.
TAM: With the rise of agentic AI, how should security models evolve to address autonomous decision-making and data access risks?
Gautam Kapoor: The fundamentals of security haven’t changed.
We’ve followed them for decades: the principle of least privilege, and the idea of “never trust, always verify.” That philosophy has now evolved into what we call Zero Trust. These models must be adapted to new technologies like agentic AI and autonomous bots. If you think logically, an AI agent is like an intelligent human, but one that’s potentially much more technologically advanced. That means we have to manage it carefully, and Zero Trust becomes critical.
What does Zero Trust mean in this context?
- You never trust, and you always verify.
- There’s no implicit trust in what the bot or agent is doing. Every action must be verified continuously.
By applying Zero Trust principles, we can build a stronger security ecosystem. Here are some practical measures to enhance security for AI bots and agents:
- Segmentation and micro-segmentation. Restrict the bot’s access only to the specific segment where it needs to operate. Ensure it cannot move beyond its defined boundary.
- Context-aware access. Adjust access privileges based on factors like location, time, or activity. If necessary, require step-up authentication or additional authorization before granting sensitive privileges.
- Ephemeral access. Grant elevated privileges only for the shortest time required. For example, if a bot needs administrative access for a specific task, give it that access briefly — then revoke it immediately once the task is complete.
- Lifecycle management. Treat each bot or agent as part of your IT inventory:
  - Provision it properly.
  - Track any changes in access.
  - Deprovision it when no longer needed.

  Document everything so you always know which agents are active and what they can access.
If organizations follow these practices, they’ll significantly improve their security maturity for managing AI bots and agentic systems.
TAM: What implications do you foresee from hyper-automation and AI agents on threat detection and response frameworks?
Gautam Kapoor: There are two key elements here. First, hyper-automation itself introduces new vulnerabilities and security risks. Automating processes without embedding security is dangerous. Security must be a fundamental part of any automation initiative from day one.
Second, automation allows organizations to process massive amounts of data in less time, and that’s exactly what AI is designed to do. But as we automate more on the technology side, we must apply the same approach to cybersecurity. Security teams need to ask: How can we use agentic AI or automation in our defenses and detection capabilities? The goal is to identify attacks faster, remediate faster, and recover faster. That speed is the real challenge.
We’re already heading toward, if not already in, a scenario of AI attacker versus AI defender. Attackers are starting to use AI-driven techniques, and defenders must use the same tools to keep pace. That’s how we reach a higher level of maturity in fighting advanced threats.
Take deepfakes, for example. They’re so realistic now that it’s nearly impossible to tell if the person on the other side is genuine. Or look at the rise of sophisticated phishing attacks. These are exactly the kinds of threats that require security to evolve in tandem with automation.
In short: automation must have cybersecurity built in, and cybersecurity must embrace automation and AI models to stay ahead.
TAM: How is Accenture aligning its cybersecurity advisory and managed services to support AI-native enterprises?
Gautam Kapoor: Accenture is fully committed to leveraging GenAI for its clients.
First, we’re developing GenAI-driven assets that help clients become more efficient and integrate agentic AI into their cybersecurity, whether for threat detection, monitoring, or overall defense. We’re investing heavily in building AI agents across multiple domains:
- Security operations
- Identity management
- Data protection
- Governance, risk, and compliance (GRC)
- Vulnerability assessment and penetration testing
These agents are designed to enhance cybersecurity capabilities and improve the overall maturity of organizations.
Second, our investments are focused on both efficiency and automation. For example, we’re creating SOC and IDAM AI assistants that can sit on top of existing security or identity solutions to streamline operations. In some cases, these agents can even perform tasks independently. As a global systems integrator, much of this innovation happens worldwide, and clients in India can access all of it. In fact, many of these developments are taking place right here in India.
We’re also running workshops with clients to demonstrate what these agentic AI tools can do and how they can be applied to their specific environments.
In short, Accenture is driving what we call a “reinvention of cybersecurity” – powered by GenAI.
TAM: What are the top 3 cybersecurity imperatives you believe every enterprise must act on in the next 12–18 months?
Gautam Kapoor: Let me give you four imperatives.
First, reset the governance framework: With rapid changes in the technology landscape, especially with AI, every technology and cybersecurity professional needs to rethink governance. Traditional frameworks were built for older technologies, but they’re no longer enough. We need fit-for-purpose governance models; for example, an AI-native company should have an AI-specific cybersecurity governance framework. Governance is critical because it helps you understand the risks you’re dealing with and decide how to address them. If you don’t know the risks, you can’t implement the right controls.
Second, adopt security by design: I’ve been saying this for years: whether you call it “shift left,” “security by default,” or simply “security by design,” the principle is the same, build security in from the start. Security should be at the table when the business idea is being discussed, not tacked on at the testing stage. Too many organizations still develop everything first, then call security at the end to sign off. That approach doesn’t work. Whether you’re building AI systems, traditional technology, or e-commerce platforms, security must be part of the design itself.
Third, maintain a resilient core: A resilient organization has the defenses to repel attacks, detect incidents quickly, contain the damage, and recover fast. This means building and maintaining the right mix of capabilities, technologies, and processes to ensure business continuity even when an attack occurs.
Finally, reinvent cybersecurity with GenAI: Of course, you must secure AI models themselves, but you should also use GenAI and agentic AI to strengthen your cyber defenses. AI can help automate detection, response, and remediation, making organizations faster and more effective in countering advanced threats.
TAM: As organizations accelerate their AI transformation journey, where should they rebalance their cybersecurity investments?
Gautam Kapoor: Why do we even talk about “rebalancing” cybersecurity? I’ve always had a disconnect with this question. I’m often asked, “How should we rebalance our cybersecurity investment?” even by board members. My answer is simple: you don’t need to rebalance cybersecurity, because it’s not optional.
Cybersecurity is a fundamental business need, not something you weigh against other priorities. Why put it in a separate bucket and ask how to balance it? It belongs in the same bucket as your business itself. It’s an enabler. Without cybersecurity, your entire business is at risk.
Look at what’s happening globally; there was a recent example in the UK where a company went out of business after a ransomware attack. That’s how critical this is. Now, I fully agree that no system is 100% secure. Cybersecurity is about risk management. You must understand the threats you face, decide what level of residual risk your board or CEO is willing to accept, and invest accordingly. But the idea of “rebalancing”, as if cybersecurity is optional or secondary, just doesn’t resonate with me.
Cybersecurity must remain a fundamental priority. You have to spend on it, and there’s no way around it.








