Since the early 2000s, global capability centers (GCCs) have evolved from back-office operations to global drivers of innovation and growth. Around 60% of Fortune 500 companies have set up their GCCs in India, with a majority of them focusing on AI-led innovations. The sheer amount of intellectual property housed in Indian GCCs makes them an attractive target for cybercriminals.
GCCs today store a significant part of their IP in hybrid cloud environments, which means the complexity of securing this landscape also increases due to overlooked risks, such as the toxic cloud trilogy—publicly exposed, critically vulnerable, and highly privileged assets. This is perhaps why cybersecurity is a top priority for 73% of GCCs in India.
GCCs have a cloud problem
GCCs today are the epicenters of innovation. They are leading cloud and AI adoption across India. However, cloud and AI together introduce complex cyber risks. While cloud providers offer security under the shared responsibility model, GCCs working with multiple cloud providers should also ensure that the integrity of data entrusted to them is secured because cloud providers tend to offer security tools limited to their own cloud. Managing heterogeneous security across multiple clouds that don’t talk to each other is impossible.
Case in point: According to Tenable’s Cloud AI Risk Report 2025, approximately 70% of cloud AI workloads contain at least one unremediated vulnerability and 77% of organizations have the overprivileged default Compute Engine service account configured in Google Vertex AI Notebooks. This creates Jenga-style cloud misconfigurations, which means that all services built on Compute Engine are at risk.
Managing toxic combinations in the cloud is a challenge. At the same time, ensuring a user or service has “least privilege” can be an administrative headache. Doing this every day for thousands of human and service identities across multiple clouds is next to impossible, especially for GCCs that employ thousands of people. Industry trends suggest that over 90% of identities are using less than 5% of permissions granted.
In the new era of cloud and AI, security measures must evolve to meet new challenges and find the balance between protecting against complex attacks on AI data and enabling GCCs to achieve responsible AI innovation.
Protecting the cloud and intellectual property
Limit exposures of all AI systems: Adopt a contextual approach to manage exposure across cloud infrastructure, identities, data, workloads and AI tools. Monitor all assets, and install exposure management solutions that integrate telemetry and security configurations both on-prem and in the cloud. This offers unified visibility and prioritized remediation across the entire attack surface, ensuring risk is managed as environments change and AI threats evolve.
Inventory all high-business-impact assets: Sensitive intellectual property or data and privileged identities must always be protected. GCCs must include AI tools and data in their asset inventory, scan them continuously and understand the risk if they are exploited.
Adopt the right CNAAP solution: Replace the patchwork of siloed cloud and AI security products as they cause more problems than they solve. Multiple false positives and excessive alerts can be fatiguing. A unified CNAPP solution offers total visibility into all data, users and assets, while correlating their risk relationships. CNAPPs allow businesses to monitor the health of cloud native applications as a whole rather than individually monitoring cloud infrastructure and application security. Security, DevOps, DevSecOps, IAM, and IT teams can use a CNAPP to collaboratively improve cloud security posture and protect intellectual property.
Apply cloud provider recommendations and zero-trust policies: For AI services, GCCs must avoid risky configurations — while bearing in mind that defaults are commonly insecure. In deploying AI services, ensure any resource provisioned in the process adheres to best practices and the principle of least privilege. Prevent unauthorized or over-privileged access to cloud-based AI models or data banks. This is necessary to detect Jenga-style misconfigurations. Reducing excessive permissions and effectively managing cloud identities improves security posture significantly.
Prioritize remediation by impact: There are hundreds of thousands of vulnerabilities and remediating all of them is not an effective solution. Instead, focus on identifying those with the greatest risk severity. Use sophisticated cloud security solutions that help prioritize vulnerabilities without bombarding teams with excessive notifications.
GCCs are actively introducing AI in their development environments. Increased use of AI creates massive data volumes, making the cloud — excellent at handling dynamic data stores — a natural AI growth platform. However, cloud-based AI poses significant cyber risk as AI services and frameworks are commonly misconfigured. AI components in the cloud often contain sensitive data, including intellectual property, proprietary algorithms and the AI models themselves, making them a sought-after target. Despite this, most companies have mitigated only a small portion of their AI-related risks.
Business and security leaders must consider these implications as a part of their broader risk management strategy and adopt the right security tools to tackle this exponential threat immediately because attacks will happen. GCCs must be prepared to deter these attacks or risk facing the loss of precious intellectual property.