Beyond models, compute, or even data strategy, enterprises are undergoing a critical shift while they accelerate their AI journeys. It is a shift in how organisations fundamentally think about sensitive data, especially personally identifiable information (PII).
In an exclusive interaction, Roshmik Saha, Co-founder & CTO, Skyflow, emphasises that in an AI-first, regulation-driven world, data privacy can no longer be solved through incremental tools or compliance checklists. Instead, it must be embedded at the architectural level.
Rethinking PII as a separate data layer
At the core of this shift is a simple but powerful idea that PII must be treated differently from all other data. “PII data is treated as non-negotiable, meaning its protection is essential and cannot be compromised.”
Saha points out that despite years of investment in cybersecurity tools, breaches continue to rise, exposing a fundamental flaw in how enterprises approach data protection. “If you look at the last 10 years… the number of data breaches has gone up… even though we are spending a lot more money and time, we haven’t been able to address it.”
The problem, he explains, lies in treating all data uniformly. In reality, PII makes up less than one per cent of enterprise data but carries disproportionate regulatory and business risk.
The answer, according to Skyflow, lies in isolating this data into a dedicated architectural layer, which it calls a data privacy vault. “PII data has to be treated as a separate entity, a separate data type.” By doing so, organisations can simplify their entire data stack, reduce risk exposure, and make compliance more manageable.
Moving from tools to architecture
One of the biggest misconceptions Saha highlights is the belief that privacy can be achieved by layering tools on top of existing systems.
“Just buying a few tools and slapping them on top of your tech stack is not going to solve it,” he points out.
Instead, he emphasises that data privacy is both a cultural and architectural transformation. Legacy enterprises, in particular, face a greater challenge due to fragmented systems and multiple data copies. “Legacy companies have a lot more applications, a lot more places where the data is stored.”
A key principle in this transformation is centralisation, ensuring that there is only one authoritative copy of PII across the organisation.
To enable this, Skyflow uses tokenisation and encryption techniques that allow most operations to be performed without exposing actual data. “Most of the work happens within the token space. This method safeguards sensitive data, even if a breach occurs, allowing applications to operate without interruption,” he explains.
The risk beneath the surface: PII sprawl in AI systems
A new and more complex challenge emerges as enterprises adopt AI that is PII sprawl across prompts, logs, pipelines, and models.
AI, unlike its predecessors, creates several avenues for sensitive data to escape, often through logs or the datasets used for training. “A lot of the problems come from just somebody logging the PII without realising that they are logging the PII,” avers Saha.
Once PII enters AI systems, the risks multiply. Unlike databases, large language models do not offer straightforward ways to delete or control access to embedded data. “There is no delete button in an LLM model… there is also no access control,” he says
This makes prevention, not remediation, the only viable strategy. “Do not let PII enter into any of these systems,” warns Saha
Enabling AI without compromising privacy
This creates a challenge for enterprises: how to innovate with AI while maintaining strict data governance.
Saha’s answer separates direct intelligence from identity. “In most use cases, AI does not need raw PII to function effectively. It needs behavioural signals, patterns, and preferences, not sensitive identifiers.
They need an identity, but they don’t need your … Aadhaar card number… to decide what product somebody would like.”
By keeping PII outside AI systems and introducing it only when necessary through controlled layers, organisations can unlock AI’s potential without compromising compliance.
This approach also accelerates AI adoption by removing legal and regulatory bottlenecks. “A lot of these AI-proof concepts are not making it to the market because the legal teams are not confident that they have addressed all the PII issues.”
Privacy by design: Beyond compliance checklists
With regulations like India’s DPDP Act gaining traction, the concept of privacy by design is becoming central. However, Saha cautions against interpreting this as merely a policy exercise. “Privacy by design cannot just be. Create your system, and later just create controls.”
Instead, privacy must be embedded into the architecture itself, where data, access control, and security mechanisms are tightly integrated. “Privacy by design is where the data, the access control and all the protection are in one place,” says Saha.
This architectural approach simplifies compliance across multiple dimensions—auditing, breach detection, and regulatory reporting. For instance, centralised data makes anomaly detection significantly easier. “Let’s say one customer success agent now has accessed a thousand people’s data… you know there is something wrong.”
Similarly, audit requirements become easier to fulfil when all access flows through a single controlled layer.
Transitioning without disruption
One of the biggest concerns for enterprises is how to adopt such architectures without disrupting existing systems.
Saha suggests that the transition can be gradual and minimally invasive. “The good part about this new architecture is that the old architecture doesn’t have to change completely.”
By replacing sensitive data with tokens, legacy systems can continue operating with minimal modification, while actual PII is accessed only when necessary via secure APIs. “In 80–90 per cent of the time people don’t even notice.”
Organisations can begin this journey at different entry points—transactional systems, data lakes, or even AI workflows—depending on priorities and readiness.
The cultural shift behind the technology
Beyond architecture, Saha emphasises that this transformation is fundamentally cultural.
“There is no magic button that will solve this problem.”
Enterprises must treat data privacy as a long-term journey rather than a one-time compliance exercise. Encouragingly, he notes a growing alignment at leadership levels. “There is a lot of appetite in the enterprises to invest. Now is the right time,” he asserts.
Boards and executives are increasingly recognising that privacy is not just a regulatory requirement but also a strategic enabler—especially for global expansion and AI adoption.
What future-ready data architecture looks like
Looking ahead, future-ready organisations, especially digital natives who are already adopting these principles. They are already treating PII as a separate data type.
The goal is to build systems where AI models, analytics platforms, and operational workflows function without direct exposure to sensitive data.
This not only reduces risk but also protects long-term investments in AI systems.
The one priority for 2026
As enterprises plan for the near future, Saha offers a clear recommendation. “Don’t let PII enter any of your workflows… it will just derail the progress.”
In a world where technology cycles are shrinking from years to weeks, getting data privacy right early is foundational and not optional. “Let’s not handle data privacy as an afterthought for AI; it will be impossible to catch up,” he concludes.