Why Machine Identities Deserve a Seat at the Identity Security Table

By Nitin Varma, SVP & MD, India & SAARC, Saviynt

In the middle of India’s digital acceleration, from Unified Payments Interface (UPI) to AI-driven automation, we talk a lot about securing people. But what about the identities that are not human?

Behind every cloud service, API, and bot sits a machine identity quietly authenticating millions of transactions. They don’t ask for leave. They don’t forget passwords. But when left unmanaged, they can open the biggest gaps in enterprise security.

I call them the “invisible workforce”: essential, yet often forgotten.

The Growing Machine Identity Blind Spot
CERT-In’s recent report shows that identity-related breaches are among the top causes of cyber incidents in India. What’s striking is how often these incidents trace back to the basics: expired certificates, hardcoded credentials, or service accounts no one owns anymore.

Earlier this year, researchers found API credentials from an Indian fintech startup sitting in a public repository. A tiny oversight, but one that could have given attackers access to sensitive customer data.

We see the same pattern across sectors: healthcare, manufacturing, even public infrastructure. The cause is rarely a lack of awareness. Instead, it’s a lack of visibility.

Why Machine Identity Management Matters Now for India
India’s digital stack is one of the most vibrant in the world, but with that growth comes a new kind of risk.
According to a report, 93% of Indian organizations had two or more identity-related breaches in the past year, with machine identities flagged as the riskiest identity type.

In the Asia-Pacific region, 78% of security leaders reported security incidents or breaches linked to machine identities in the last year.

When everything connects to everything, those invisible credentials become a very visible risk.

Why Machine Identities Are Easy Targets
Attackers today do not always “hack” their way in. They look for the keys you have already left lying around. Machine identities are particularly tempting because they are:

* Highly privileged – a single token can unlock multiple systems
* Long-lived – credentials often don’t expire or rotate automatically
* Hidden in plain sight – they live in code, logs, configuration files, and backups

Once compromised, these identities allow attackers to blend in. No alarms go off because technically, the access looks legitimate.

The Challenge for Indian Enterprises
From cloud-first startups to large enterprises modernizing legacy systems, machine-to-machine trust underpins India’s digital infrastructure. Yet many organizations still lack a unified view of all their non-human identities: who owns them, what they access, and whether they comply with policy.

And with the Digital Personal Data Protection Act (DPDP), 2023, and evolving CERT-In guidelines, that gap now directly impacts compliance. Machine identities are no longer just an IT concern; they are a boardroom topic.

Making It Practical
For security teams in India, here’s where to start:

Inventory everything. Find every certificate, API key, and service account in your environment.

Assign ownership. Each machine identity should have a responsible team or individual.

Automate lifecycle management. Use identity governance tools to rotate, renew, or revoke credentials automatically.

Apply least privilege. Machine identities don’t need broad access. Keep permissions narrow and time-bound.

Monitor continuously. Track usage patterns. Unusual access or expired credentials should trigger alerts.

These steps are not theoretical; they are being implemented right now by forward-thinking organizations that understand the link between automation and accountability.
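As an added illustration (not code from the article or from any vendor), the sketch below runs the ownership, lifecycle, least-privilege, and monitoring checks from the steps above over a small machine-identity inventory. The record fields, the 90-day rotation and 30-day idle thresholds, and the sample identities are all assumptions constructed for the example.

```python
from datetime import date, timedelta

# Assumed policy thresholds; set these from your own rotation and usage policy.
MAX_CREDENTIAL_AGE = timedelta(days=90)
MAX_IDLE = timedelta(days=30)
TODAY = date(2025, 6, 15)  # fixed, constructed "now" so results are reproducible

# Constructed inventory: one record per certificate, API key, or service account.
INVENTORY = [
    {"id": "svc-payments-api", "kind": "api_key", "owner": "payments-team",
     "issued": date(2025, 5, 1), "expires": date(2025, 7, 30),
     "last_used": date(2025, 6, 14), "scopes": ["payments:read"]},
    {"id": "ci-deploy-bot", "kind": "service_account", "owner": None,
     "issued": date(2023, 3, 1), "expires": None,
     "last_used": date(2025, 6, 10), "scopes": ["*"]},
    {"id": "legacy-gw-cert", "kind": "certificate", "owner": "infra-team",
     "issued": date(2024, 6, 1), "expires": date(2025, 6, 1),
     "last_used": date(2025, 2, 1), "scopes": ["gateway:tls"]},
]

def audit(identity, today):
    """Return the list of policy findings for one machine identity."""
    findings = []
    if not identity.get("owner"):                      # Assign ownership
        findings.append("no-owner")
    expires = identity.get("expires")                  # Automate lifecycle
    if expires is None:
        findings.append("never-expires")
    elif expires < today:
        findings.append("expired")
    if today - identity["issued"] > MAX_CREDENTIAL_AGE:
        findings.append("rotation-overdue")
    if any(s == "*" or s.endswith(":*") for s in identity["scopes"]):
        findings.append("wildcard-scope")              # Apply least privilege
    last_used = identity.get("last_used")              # Monitor continuously
    if last_used is None or today - last_used > MAX_IDLE:
        findings.append("idle")
    return findings

def audit_inventory(inventory, today):
    """Map identity id -> findings, omitting identities with no findings."""
    return {i["id"]: f for i in inventory if (f := audit(i, today))}

if __name__ == "__main__":
    for ident, findings in audit_inventory(INVENTORY, TODAY).items():
        print(f"{ident}: {', '.join(findings)}")
```

In practice the inventory would be populated from certificate stores, secrets managers, and cloud IAM exports rather than a hand-written list.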

Why This Is an Opportunity
India has an advantage: our digital ecosystem is still evolving. That gives us the opportunity to embed strong identity governance right from the start rather than as an afterthought.

As organizations scale their AI, IoT, and cloud footprints, securing machine identities will define how resilient and trusted that growth becomes. Because at the end of the day, every connection in a digital ecosystem represents trust. Every API key, token, and certificate is a promise that one system can safely talk to another.
