Identity is the new must have security perimeter for Indian enterprises

As Indian enterprises brace for AI-driven transformation, identity security is emerging as a decisive factor in both cyber resilience and business scalability. Abhishek Gupta, Managing Director at SailPoint India, spoke in detail about how identity governance, AI-led risk assessment, and predictive intelligence are reshaping enterprise security strategies in India.

What are the key focus areas and objectives for SailPoint as we look toward 2026, particularly for the Indian market?

From a company standpoint, we are currently in our FY26, as our financial year runs from February to January. While specific plans for the next financial year are yet to be formally announced, there are some very clear and consistent charters for us as a growth company.

First, we are focused on growing our overall business while ensuring we deliver the right level of service and support to our customers. Second, innovation remains central to SailPoint’s DNA. We hold more than 75 patents in identity security and are currently the only company in the world with patents in this specific market, which is something we are very proud of.

Innovation will continue to drive our roadmap. We have launched new products, and we are continuously modernising identity governance by incorporating advanced technologies. SailPoint introduced its SaaS platform as early as 2013, and we embedded AI and machine learning into the platform in 2017.

Today, the AI engine running across our platform is about eight years old. In AI, the maturity of data and algorithms is critical, and that longevity matters. From a growth standpoint, like most SaaS companies, we target more than 30 percent year-on-year growth, although precise figures will be reflected in our annual disclosures.

Despite increased discussions around AI and security, Indian enterprises still lag in cybersecurity maturity. How should organisations transition from legacy systems to more intelligent and secure frameworks?

One of the fundamental challenges I observed when I entered this industry is that identity is often not viewed as a core security problem. However, if you look at it fundamentally, identity is always the primary target for attackers.

Over the last five years, IT environments have changed dramatically. Earlier, identity was largely human-centric, with employees working from offices and infrastructure being primarily on-premise. SaaS existed, but not at the scale we see today.

Now, identity is no longer just human. We have machine identities, bots, APIs, and increasingly, agentic AI. The identity landscape has evolved significantly, and so has IT infrastructure—from on-premise to SaaS, PaaS, and IaaS environments.

Managing this scale, volume, and velocity of access, while keeping pace with business demands, is a major challenge. What enterprises need is a single pane of glass that provides complete visibility—who the identity is, what access they have, and what they are doing with that access at any given time.

If you know who is present, who they are interacting with, and why, it becomes far easier to identify anomalous or malicious behaviour. Without that visibility, enterprises remain reactive rather than proactive in securing their environments.

How can AI and machine learning be leveraged to build a more autonomous and intelligent identity security architecture?

AI and machine learning help us move from static risk assessment to dynamic risk assessment. Traditionally, risk was evaluated based on fixed rules. AI allows us to continuously evaluate risk in real time, based on context and behaviour.

In SailPoint’s case, each identity is assigned a dynamic risk score. This score changes based on how the identity behaves, what it accesses, and whether that behaviour deviates from established patterns. Enterprises can define thresholds, and when those thresholds are crossed, alerts are triggered or proactive actions are taken.

AI also provides contextual intelligence. It helps determine what type of identity is accessing a system, what role that identity holds, what entitlements it should have, whether peers in similar roles have similar access, and whether the access request aligns with business justification. All of this is possible only because of AI and machine learning.

How does Identity Governance and Administration (IGA) help enterprises scale and innovate while still delivering measurable ROI?

This is a very important question, especially for Indian enterprises that are highly ROI-conscious. At its core, IGA ensures that the right people get the right access at the right time.

Take the example of a large IT services company. When an employee joins, they are typically billable from day one. If that employee does not receive access to required systems on time, those lost hours translate directly into lost revenue.

In organisations with 100,000 or 200,000 employees, even a small percentage of delayed access can result in significant financial impact. The same applies when employees move between projects. Delays in access provisioning again result in revenue loss.

On the risk side, when employees leave, dormant accounts often remain active due to process gaps. These orphaned accounts are a major security risk. Without proper identity governance, such vulnerabilities persist unnoticed.

IGA also improves the bottom line by providing visibility into software usage. Enterprises can identify underutilised licenses, reallocate them, and reduce unnecessary spending. In summary, IGA helps organisations increase revenue, mitigate risk, and optimise costs.

How can organisations detect sophisticated identity fabrication or synthetic identity attacks that evade traditional controls?

The answer is IGA, but not traditional IGA. Legacy IGA solutions suffer from integration challenges, lack of intelligence, and implementation complexity.

To understand how an attack entered a system—such as ransomware—you need complete visibility across identities, access paths, and entitlements. Without that, it becomes extremely difficult to detect anomalies, especially when identities are well-fabricated.

Detection is not based solely on behaviour. It is also based on attributes, context, access patterns, and authorisation history. For example, if a journalist suddenly requests access to a finance application, that may appear anomalous. However, if there is proper authorisation and business justification, the system should understand and allow it.

This level of contextual intelligence is essential to distinguish legitimate access from malicious activity.

What differentiates SailPoint when it comes to integrating identity solutions without disrupting governance or operations?

One of SailPoint’s key strengths is the depth and breadth of our integrations. We offer more than 20,000 connectors globally, with around 300 out-of-the-box connectors.

For example, our SAP connector is SAP-certified. This means that whenever SAP introduces changes, those changes are automatically reflected in the connector without requiring customer intervention. Many competitors rely on community-based connectors, which are not updated consistently.

Because our integrations are seamless and reliable, implementations are far more successful. We have established processes, certified partners, and professional services teams that ensure smooth deployment without disrupting existing governance or development workflows.

SailPoint has introduced AI agents to support governance. What are the objectives of these AI-driven capabilities?

One practical use case is automating documentation and workflow creation. Traditionally, creating workflows was a manual and time-consuming task.

With our AI-powered capabilities, customers can simply describe what they need, and the system generates the workflow or documentation automatically. This significantly reduces effort and complexity, based on direct feedback we have received from customers.

What identity-related challenges do you see across highly regulated sectors such as BFSI, healthcare, and education in India?

The challenges are largely consistent across industries. BFSI is more heavily regulated, while healthcare regulations in India are still evolving and not as stringent as in some other countries.

Across sectors, the most common issues include lack of visibility into who is accessing what, access that is granted but never revoked, and privileges that continue indefinitely. Any identity with access to sensitive or privileged data represents a risk unless governed properly.

Government initiatives such as the DPDP Act focus on customer privacy, while regulators like RBI and SEBI impose additional requirements in BFSI. These regulatory pressures are driving adoption of identity governance solutions, particularly in regulated industries.

Predictive intelligence has been highlighted as a key priority for 2026. How prepared are Indian enterprises in this area?

Indian enterprises are at different stages of maturity when it comes to IT preparedness. While there has been consistent investment in IT systems, organisations are understandably cautious and ROI-driven.

Predictive intelligence is becoming essential in the AI era. Systems must be capable of predicting threats and risks before they materialise. While there is room for improvement, enterprises are increasingly aware of this need and are actively exploring solutions.

Whether business priorities and budgets allow immediate adoption varies across organisations, but the direction is clear.

As we move into the next year, what are your key recommendations for enterprises looking to modernise identity security?

Enterprises must focus on full coverage—covering all identity types, all applications, all infrastructure, and all data sources. Hackers ultimately target data, whether structured or unstructured.

If organisations achieve visibility across identities, applications, and data, they effectively create a secure wrapper around the enterprise. This is especially critical as AI agents transition rapidly from concept to reality.

AI is coming very fast, and enterprises must be prepared. Granular visibility into every access event, what type of access was granted, and what was done with that access is essential.

The more visibility an organisation has, the better prepared it will be—not just for identity security, but for overall digital trust and accountability.