As enterprises accelerate their AI journeys, cyber resilience is no longer limited to backup and recovery; it is becoming a strategic, boardroom-level priority. The shift from assistive AI to autonomous systems, coupled with growing ransomware threats, is fundamentally redefining how organisations approach data protection, governance, and recovery.
In a conversation with Express Computer, Bhavyan Mehta, VP of Engineering, and Balaji Rao, AVP – India & SAARC, Commvault, reveal how this transition is unfolding, why traditional resilience models are falling short, and what enterprises must do to secure AI-driven environments at scale.
From backup to cyber resilience: A paradigm shift
For most enterprises, cyber resilience conversations still begin with ransomware. However, the scope is expanding rapidly.
Rao notes, “The whole data protection scenario or the cyber resident scenario, coming from the ransomware standpoint, required quite a few extra things to be done.”
What is changing now is the introduction of AI as a core workload, one that goes beyond traditional systems. Rao explains, “This is a paradigm shift, customers moving from an assistive AI to autonomous AI, where decision-making is going to happen in an automated way.”
This shift introduces new risks. As AI systems begin to take decisions autonomously, governance becomes critical, not just for data protection but also for controlling how decisions are made. He adds, “It creates an entirely new paradigm shift – the high level of automation, without governance, the risk of exposing critical data is extremely high.”
Mehta frames this transformation through a simple analogy: “We are asking a kid not only to drive, but also to try to fly and fly at a speed… amazingly fast.”
The clear implications are that AI amplifies both capability and risk, making governance and observability non-negotiable.
The reality check: Cloud resilience still a work in progress
Even before AI, enterprises have struggled to achieve true resilience in the cloud era.
Rao observes, “Customers are now already grappling with the resilience in the cloud era, they have still not achieved the kind of resilience they would hope to achieve.”
A key issue lies in fragmented architectures. As organisations move from on-premise to multi-cloud environments, they often accumulate multiple tools across different platforms. This fragmentation makes recovery complex and slow, especially during cyber incidents where speed is critical.
At the same time, cyber resilience testing is still not as mature as disaster recovery (DR) testing.
Rao points out, “Unlike DR testing, it is not still a very popular category… it has not moved into a kind of an audit scenario.” This gap becomes even more critical as AI workloads are added to already complex environments.
Identity becomes the new control layer
One of the most significant shifts in cyber resilience is the growing importance of identity. In AI-driven environments, where multiple agents operate autonomously, identity becomes the gateway to systems.
The scale of risk increases dramatically when AI agents, far outnumbering human users, are making decisions and accessing systems independently.BTo address this, organisations are focusing on automated identity recovery and authentication mechanisms.
Rao explains, “The first and the most important step is… authentication of all the users.” This is complemented by innovations such as cleanroom environments, where organisations can securely recover systems after an attack.
Why traditional models fall short in an AI world
While backup and recovery remain essential, they are no longer sufficient in the context of AI. Rao says, “The ability to back up and recover is another workload, but the governance mechanism would be very different.”
One emerging use case is leveraging historical enterprise data to train AI models. However, this introduces new governance challenges. This requires fine-grained control over who can access data, for how long, and under what conditions.
Data masking and persona-based access are becoming critical capabilities, ensuring that sensitive data is protected even when used for AI-driven insights.
Mehta adds, “We smartly mask it, expose the data to the right individuals, and to the right personas.”
Governance in the age of agentic AI
As AI systems evolve into agentic architectures, governance frameworks must also evolve.
Mehta says, “Red teaming is pretty popular, data lineage is very important, and audit is super important.”
He further highlights a growing challenge: understanding why AI systems make decisions. “There is no good reason as to why an agent is taking action… that needs to be articulated.”
This has led to the emergence of “maker-checker” governance models, where one system acts and another validates.
Rao adds that even simple prompts can introduce risks. “A simple prompt executes everything and exfiltrates data. The security angle becomes extremely critical.”
Regulatory frameworks such as DPDP are further raising the stakes.
AI risk moves to the CEO’s office
Unlike traditional IT initiatives, AI is increasingly being driven at the highest level of the organisation. Rao says, “It is a task force orientated from the CEO’s office, run like a separate function.”
This reflects the dual nature of AI as both a risk and an opportunity. As a result, AI governance is becoming a strategic function with higher budgets, tighter oversight, and lower tolerance for risk.
From fragmented tools to unified resilience platforms
To manage this complexity, enterprises are moving towards integrated platforms that unify data protection, recovery, and governance. Rao explains, “The important thing here is to have a single platform which is fully integrated.”
Such platforms enable organisations to recover faster and more predictably during cyber incidents.
Real-world implementations are already demonstrating this approach. Rao notes, “They do cyber resilience testing… It takes about eight hours to recover.”
Beyond technology, partnerships are also playing a critical role in building resilient ecosystems. Mehta adds, “Partnerships are key signals. If there is a probable attack, we can roll back.”
This collaborative model allows enterprises to detect threats early and respond proactively.
The road ahead: Resilience as a continuous discipline
As AI adoption moves from experimentation to production, resilience is becoming a continuous discipline rather than a one-time capability. Mehta says, “AI is no longer about engineering. Departments are coming together.”
This convergence is blurring traditional boundaries between IT, security, and business functions.
At the same time, leaders acknowledge that failures are inevitable. The focus, therefore, is shifting from prevention alone to rapid recovery and adaptability.
Conclusion: Resilience is now a business imperative
The evolution of AI is compelling enterprises to rethink cyber resilience from the ground up. What was once viewed as a technical concern has now become a business-critical capability, closely tied to growth, trust, and regulatory compliance.
As Rao and Mehta emphasise, the future of resilience will depend on strong governance over data and AI-driven decisions, the adoption of unified platforms in place of fragmented tools, and the continuous testing and validation of recovery capabilities. In an AI-driven world, resilience is no longer defined by whether systems fail but by how quickly organisations can recover, learn, and move forward.