Express Computer
Home  »  Guest Blogs  »  Beyond automation: Why AI infrastructure must be designed around business risk and resilience

Beyond automation: Why AI infrastructure must be designed around business risk and resilience

0 7

By Amit Jaju, Senior Managing Director – India, Ankura Consulting 

AI has quietly shifted from being a set of experiments at the edge of the enterprise to becoming part of core business infrastructure. It is now embedded in loan approvals, trading, customer support, fraud monitoring, plant operations and citizen services. When that infrastructure fails, it is no longer an interesting technical incident; it is a business crisis.

At the same time, global studies show that unplanned downtime is already costing large organisations hundreds of millions of dollars every year, and AI is increasingly a source of that downtime rather than just a tool to prevent it. In India, where digital public infrastructure and financial inclusion are driven by highly automated platforms, the impact of a misfiring model or an AI outage can be felt by millions of users in minutes.

The central argument is simple: AI infrastructure cannot be designed only around performance and automation. It must be designed around business risk and resilience, with the same discipline that we brought to core banking systems, payment networks and power grids.

From pilots to critical infrastructure

Most organisations started their AI journey with contained pilots: a recommendation engine on a website, a chatbot for FAQs, or an internal productivity assistant. Those pilots have now evolved into decisioning systems that influence credit limits, claims settlement, hiring choices, pricing and security operations.

Two things have changed. First, AI systems are increasingly in the transaction path, not just in an advisory role. Second, they are deeply dependent on cloud platforms, APIs and data pipelines, which form a complex and often opaque supply chain. A single outage at a cloud provider or a major AI platform can now disrupt hundreds of enterprises at once. We have already seen global outages at large cloud and AI providers that impacted everything from retail to transportation in a single day.

In other words, AI is no longer a set of models. It is an interconnected infrastructure layer, and its failure modes are systemic. Risk has outpaced resilience, when I look at AI programmes across sectors, I see four categories of risk where adoption has outpaced resilience.

  1. Operational risk
    Models drift, data quality degrades, prompts and guardrails are changed without proper testing. Seemingly minor issues in a feature pipeline can lead to wrong decisions at scale. An AI system that misclassifies transactions for a few hours can create backlogs, regulatory breaches and reputational damage that take weeks to unwind.
  2. Cyber risk
    AI systems introduce new attack surfaces: prompt injection, data poisoning, model theft and exploitation of generative models to bypass existing controls. Attackers are also using AI to automate reconnaissance and craft highly tailored fraud campaigns. If cyber and AI teams work in isolation, these risks are missed.
  3. Regulatory and compliance risk
    Globally, regulations such as the EU AI Act and sectoral guidance on model risk management are raising expectations on explainability, governance and testing. Financial regulators are already extending existing model risk frameworks to cover AI and machine learning. In India, data protection obligations and sector specific norms for financial services and telecom are converging on stricter expectations around automated decisioning and data use. Non compliance will not be treated as a technical lapse; it will be treated as a governance failure.
  4. Reputational and strategic risk
    Bias, hallucinations, misuse and outages can erode customer trust very quickly. For consumer facing organisations and government platforms, a single high profile failure can undo years of digital adoption efforts. Over reliance on opaque AI systems can also reduce internal capability, leaving organisations less adaptable when the environment shifts.

Designing AI infrastructure from business risk backwards

To move beyond automation, we need to reverse the way we think about AI infrastructure. Instead of starting with a model and asking where we can use it, we should start with business services and ask what level of risk and disruption is acceptable.

A practical approach includes a few key steps.

First, perform business impact analysis for AI enabled services. For each AI use case, ask: what happens to revenue, compliance and customer trust if this system is wrong for an hour, or unavailable for a day? Not all models are equal. A productivity assistant for internal documents does not need the same level of resilience as a fraud detection model in a real time payments system.

Second, tier AI workloads based on criticality, and let that drive infrastructure design. For high criticality workloads, you should see:

  • Redundant data pipelines and model instances across availability zones or even across providers
  • Fallback models (simpler, well understood models) that can be activated when the primary model fails or behaves anomalously
  • Graceful degradation paths, where the service can continue in a reduced or manual mode rather than failing hard

Third, embed model risk management into the enterprise risk framework. This is not just about accuracy metrics; it is about governance. Clear ownership across the first, second and third lines of defence, documented risk appetite for each AI use case, and standardised processes for validation, change management and de commissioning are essential.

Fourth, treat observability and resilience testing as first class citizens. Continuous monitoring of inputs, outputs and drift, anomaly detection across model and data behaviour, and regular chaos exercises on AI systems should become routine. Incident post mortems must cover both model behaviour and infrastructure dependencies.

Finally, manage third party and supply chain risk. Many enterprises now depend on external foundation models, SaaS tools and open source components. Contracts, due diligence and ongoing monitoring need to cover model changes, security practices, uptime commitments and exit strategies. Relying on a single external AI service without a plan B is no longer acceptable for critical operations.

Integrating security by design

Security for AI is not a separate topic; it is the foundation of resilience. CISOs and security architects should extend existing threat modelling frameworks to explicitly cover AI components. That includes:

  • Maintaining an inventory of all AI assets: models, datasets, embeddings, feature stores, prompts, agents and integration points
  • Applying zero trust principles to AI workloads, with least privilege access for models and data
  • Protecting training, fine tuning and inference data from leakage and misuse, using strong identity, encryption and data loss prevention controls
  • Conducting adversarial testing and red teaming focused on AI specific attack techniques such as prompt injection, data poisoning and model inversion

In the Indian context, where many organisations operate in highly interconnected ecosystems such as UPI, ONDC or account aggregators, securing model interfaces and APIs is particularly important. A compromise of one participant can quickly propagate through the network.

Building organisational readiness

Technology alone will not deliver resilience. Board members and senior management need to understand that AI risk is now part of overall business risk and must feature on risk registers, audits and strategy discussions. Questions that boards should be asking include:

  • Which of our critical services rely on AI for decision making or control?
  • How do we know those systems are resilient to outages, cyber attacks and model failures?
  • Do we have tested playbooks for AI incidents, including communications with customers, regulators and partners?
  • Are we measuring the right resilience metrics: time to detect and recover from AI incidents, proportion of transactions that can fail safe, and dependency concentration on specific providers?

For technology and operations leaders, the priority is to bring AI teams, platform engineers, cyber security and risk functions together. AI cannot be a lab sitting outside production reality. Regular joint exercises, integrated dashboards and shared accountability for outcomes are crucial.

A forward-looking path for enterprises

As AI adoption accelerates across Indian and global enterprises, we will see more cases where AI driven failures have material financial, regulatory and societal consequences. The organisations that will stay ahead are those that treat AI infrastructure like they treat their most critical business systems: engineered for resilience, not just for speed.

Designing around business risk and resilience does not slow innovation; it enables sustainable innovation. Enterprises that invest in resilient AI architectures, robust governance and security by design will be able to scale AI with confidence, recover faster from inevitable incidents and maintain the trust of customers, regulators and citizens in an increasingly automated world.

Leave A Reply

Your email address will not be published.