As enterprises adopt AI, cloud-native architectures, and automation at scale, identity is no longer just a backend security function. It is becoming the control layer that determines how systems trust, authorise, and observe both humans and machines. This shift is being driven by two major changes. First, enterprise systems have become highly distributed across cloud platforms, APIs, and services. Second, AI-assisted development and automation are accelerating how quickly systems are built and deployed. Together, these changes are redefining how trust and control must be implemented in modern environments. When AI-generated outputs interact with infrastructure, APIs, and automated workflows, the challenge is no longer only whether systems work, but whether they can be trusted, controlled, and audited reliably. Rishav Bhandari has worked across enterprise authentication, cloud delivery, and large-scale automation systems. His experience spans enterprise-scale IAM systems, cloud engineering, and DevOps delivery. From his perspective, identity is no longer just about login and access. It is becoming the foundation for trust, control, and accountability in modern enterprise systems. The organisations that succeed will not be the ones that adopt AI the fastest, but the ones that build stronger control layers around it.
Please tell us about yourself and your professional journey.
I have spent over eight years at Infosys working on enterprise systems across different domains. I started with identity and access management at Vodafone, handling millions of user authentications at scale. From there, I moved into cloud delivery and digital transformation and, more recently, into automation and AI-assisted development practices. What I have realised is that identity, cloud security, and AI governance are all converging. You cannot talk about cloud security without talking about identity. You cannot talk about AI governance without understanding both. That convergence is what makes this moment interesting for enterprise technology.
You have worked across identity, cloud delivery, and automation. How has that combination shaped your thinking about enterprise architecture?
It forced me to see these three things as the same conversation. Early in my career, I thought of identity as infrastructure you set up and maintain. Cloud was just about where your servers lived. Automation was about doing things faster. What I realised is they are all about trust and control. How do you trust that a user is who they claim to be? How do you trust that a cloud resource is legitimate? How do you trust that an automated action is authorised? Those are identity questions dressed differently. When you see it that way, your architecture changes fundamentally.
Why has identity become a central control layer rather than just a backend security function?
Two things happened. First, systems became distributed. When everything was in one data centre, network security was your boundary. Now with cloud, APIs, and services across networks you do not control, the network boundary does not work. Identity becomes your primary boundary. Second, the scope of identity expanded dramatically. It is no longer just users. It is services talking to each other, APIs, scheduled jobs, infrastructure-as-code, and AI systems. All need authentication and authorisation. Because of that expansion, identity moved from a backend concern to an architectural one that shapes how you design and operate systems.
How is identity changing as organisations adopt AI and automation at scale?
Machine identity is becoming as important as human identity. Services, Lambda functions, and AI systems all need identities. The challenge is scale. You might have hundreds of employees but thousands of services and agents. Managing identity at that scale requires a completely different approach. Revocation is also different. When a human leaves, you revoke access. When a service goes wrong, you need to revoke access in seconds, not days. And accountability is complicated. With AI systems, you need to understand whether the system did what it should or if someone misconfigured or abused it. That requires better audit trails and governance.
What are the biggest risks when connecting AI, cloud services, and access controls without strong governance?
The biggest risk is blind spots. Someone deploys an AI system to make decisions, but nobody understands the security implications. The system gets broad permissions because narrowing them seemed complicated. Then something goes wrong. I have seen automation systems with access to production databases that could cause catastrophic damage if compromised. Compliance failures are another risk. If you cannot audit what an AI system did or trace decisions, you are not compliant. There is also vendor lock-in and false confidence, where you think you are secure, but your systems were not designed for AI at scale.
What does Zero Trust mean in practice with AI systems and automated workflows?
Zero Trust means trusting nothing by default, regardless of where it comes from. For humans, it means verifying identity every time. For machines, it means short-lived credentials that expire quickly, so compromise is time-limited. For AI systems, it means being deliberate about permissions. Specific access to specific resources for specific actions, with the ability to revoke if the system does something unexpected. Zero Trust also means observability. You cannot enforce it if you cannot see what is happening. The challenge with AI is defining what unexpected behaviour looks like.
Where do enterprises usually get identity, cloud security, and governance wrong?
They prioritise speed over control. They grant broad permissions to move fast. They deploy AI with access to everything because narrowing seemed complicated. They treat identity as an afterthought, designing cloud architecture without thinking about it, then trying to bolt it on. Another mistake is assuming the cloud provider handles security. Providers give you tools, but you must use them correctly. Organisations also do not invest in observability until problems occur. They understand log retention, secrets management, and audit trails only after something fails. The human side matters too. Governance is not just technical. It is about processes and workflows.
How should organisations balance security, operational speed, and user experience?
The key insight is that friction comes from bad design, not security. A well-designed secure system makes doing the right thing the path of least resistance. If audit logs are painful, teams avoid them. If permissions take days, teams request broad access. If revocation is complicated, teams skip it. Invest in automation. Automate provisioning, permission requests, and audit logging. Involve teams early in designing your strategy. Understand their constraints and needs. Be transparent about why you are asking for certain controls. Teams are more willing to comply when they understand the why.
What practical steps can leaders take today to improve control across AI-enabled cloud environments?
First, inventory what you have. Know what AI systems exist, what access they have, and what they do. Start with zero trust pragmatically. Do not implement perfect zero trust everywhere at once. Start with critical systems. Invest in observability through logging, metrics, and alerting. Implement strong audit trails so you can trace what happened and why. Manage secrets securely and rotate them regularly. Involve security and compliance teams early in AI initiatives. Do not ask if something is secure after deployment. Finally, educate your teams continuously. Security and governance are not set-and-forget.
How do you see identity, cloud security, and AI governance evolving?
Identity and governance will become more automated and intelligent. Machine learning will detect anomalous behaviour and understand what normal looks like. There will be more focus on observability and understanding AI system behaviour, which right now remains a black box. Regulations around AI will increase. As AI makes important decisions, regulators will require better governance and accountability. Organisations with good governance now will be ahead. There will also be more focus on portable identity, not locked into one cloud provider. What organisations should prepare for now is recognising that identity and governance are not just security problems. They are business problems. They affect speed, reliability, and compliance. The organisations that win will build strong control layers around AI and automation, not the ones that move fastest without those controls.
