Mathew Graham, Senior Director and Regional Chief Security Officer, APAC, Okta
Identity is increasingly seen as the new perimeter, says Mathew Graham, Senior Director and Regional Chief Security Officer, APAC, Okta, reflecting on the seismic shifts redefining cybersecurity in the age of artificial intelligence. As AI agents begin to act on behalf of humans, the question of who or what is accessing enterprise systems has become central to boardroom strategy.
As AI agents assume more human-like responsibilities across industries, governing their digital identities has become a strategic priority. Graham discusses the evolving cybersecurity landscape, the implications of agentic AI, third-party risks, and why independent identity remains essential in a hyperscaler-dominated world.
You were recently appointed as the Senior Director and Regional Chief Security Officer for Okta in APAC. What led you to join Okta, and what does your role involve?
The reason I chose Okta is because the cybersecurity landscape is evolving faster than ever. While the field has always been dynamic, the last few years, especially the last year, have brought a fundamental shift. Identity is now at the centre of this change, and Okta plays a key role as a neutral identity provider.
As organisations adopt AI agents that act on behalf of humans, whether in healthcare, government, or the private sector, managing their identities securely becomes critical. I previously worked at Workday, one of Okta’s HR software partners, and the transition made sense because it placed me at the core of secure digital identity in the age of AI.
At Okta, I lead the regional security strategy, engaging with customers, regulators, and industry stakeholders. We focus on cybersecurity legislation, customer collaboration, and shaping best practices across the region. I act on behalf of our Global Chief Security Officer, David Bradbury, to align APAC efforts with our global security vision.
As AI agents act autonomously across enterprise systems, identity governance, oversight, and clear policies have become essential to preventing shadow AI and unmanaged risk.
AI agents are becoming a buzzword in business today, but governance often lags behind. How should boards think about non-human identities?
AI agents are the next evolution in AI’s journey, from machine learning to large language models and now to autonomous business agents. Every innovation follows a hype cycle, and we are now entering a stage of normalisation. The focus is shifting from excitement to solving real challenges.
For boards, the central concern should be governance and oversight. Without these, shadow AI can emerge, where teams deploy AI tools without approval or security checks. This results from a lack of clear rules and accountability. Boards must establish policies, frameworks, and governance structures to ensure all AI use is secure, ethical, and transparent.
We have seen incidents involving third-party access and session hijacking. What lessons should organisations take from these attacks, and how is Okta strengthening its defences?
These incidents highlight the growing need for identity-centric security as AI agents and third-party integrations become more common. One recent focus area is cross-app access, where Okta acts as an intermediary to control and monitor identity interactions across applications, including AI-driven ones.
A core principle we emphasise is treating AI agents like human users, with controlled, time-bound, and auditable access. Implementing just-in-time permissions ensures access is never open-ended. Our solutions help organisations define and monitor identity frameworks, track when and how an agent accessed resources, and verify whether authentication was legitimate. Proactive identity governance is crucial to reducing risk.
How does Okta define its standard for customer communication and transparency during potential or confirmed incidents?
Transparency is central to Okta’s security culture. We maintain open communication through global and regional security blogs, technical whitepapers, and post-incident analyses. These materials support customers and strengthen the industry’s overall security posture.
We regularly share learnings from customers, regulators, and internal teams. The goal is to help partners and policymakers deepen their understanding of evolving threats and mitigation strategies. This culture of openness reinforces trust and industry collaboration.
Supply chain risk is increasing. What questions should boards ask to ensure security across their vendor ecosystem?
Supply chain risk now extends beyond third parties to fourth and fifth parties, especially as AI becomes embedded in more services. Large enterprises typically conduct compliance checks such as SOC 2 Type II, but AI usage requires deeper scrutiny.
Boards should ask: How is our third-party supplier using AI? What services are they relying on? Where is our data going?
In the past, data might have passed through a single hosting provider. Today, AI systems may process it in new and sometimes opaque ways. Boards must understand these flows and verify that sensitive data is handled appropriately. Boards have mastered financial risk; they must now reach the same sophistication in cybersecurity and AI governance.
India often sees a rise in online fraud during festive seasons. What steps should companies take to strengthen customer protection?
We advise organisations to prioritise strong identity implementation and multi-factor authentication as the baseline. Okta’s customer identity products include guidance on preventing fraudulent behaviour and detecting anomalies in real time.
However, technology alone is insufficient. Culture and awareness are essential. Individuals must adopt a mindset of healthy suspicion, examining emails, links, or payment requests that appear unusual. Phishing-resistant MFA is vital, even if it adds minor friction. Proactive and well-communicated security becomes a competitive advantage.
Third-party and cross-ecosystem risks are rising as AI embeds into services. Organisations must know how data flows, who accesses it, and whether controls remain enforceable.
Mergers and acquisitions are increasing in India. What identity risks do companies often overlook during integrations?
Many organisations take shortcuts when merging identity systems. Even with strong due diligence, consolidation is complex, and it can be tempting to bypass steps such as temporarily disabling MFA. This creates long-term vulnerabilities.
Second, failing to establish a unified identity system prolongs fragmentation. When merged entities retain separate identity stores, access control becomes more complex, increasing the risk of misconfigurations.
Finally, poor coordination between teams managing identity can lead to shadow IT and weakened governance. All these risks arise from the absence of clear, top-down governance and disciplined execution during integration.
Why should organisations avoid relying solely on a single hyperscaler for security? What advantages does an independent identity layer offer?
Relying entirely on one hyperscaler concentrates risk. It is similar to putting all investments into a single stock; if it fails, the consequences are total. Historically, enterprises used multiple firewall vendors to reduce single points of failure. The same logic applies to identity.
Okta offers an independent, neutral identity layer that integrates across hyperscalers and tools. This ensures resilience and flexibility. Because we are not tied to one ecosystem, we can deliver best-of-breed features, including emerging capabilities for AI agent identity management. Independence reduces lock-in, enables innovation, and lowers systemic risk.
As AI continues to evolve, what message would you share with business leaders and boards?
The technology landscape is moving at unprecedented speed. Twelve months ago, the focus was generative AI; today we are discussing agentic AI. In another year, the conversation will shift again.
It is essential for boards to stay informed. Governance, cybersecurity, and AI literacy are now fundamental leadership skills. Directors must proactively read, engage, and deepen their understanding. The future of enterprise security depends on informed oversight.
punams@cybermedia.co.in