The cybersecurity landscape is undergoing a structural transformation as enterprises embrace automation, cloud, and AI at scale. Identity, which once centred primarily around human users, is now expanding rapidly to include machines, APIs, applications, and autonomous AI agents. This explosion of non-human identities is changing attack surfaces, governance models, and risk frameworks globally.
In this in-depth conversation with Express Computer, Jeffrey Kok, Vice President – Solution Engineers, Asia Pacific & Japan at CyberArk, shares how organisations must re-architect identity security strategies to remain resilient in an AI-driven world. Drawing from real-world enterprise engagements across the region, he explains why traditional identity approaches are failing, where the most dangerous gaps exist today, and how Indian enterprises can move towards a unified, identity-first security model that delivers measurable outcomes.
The cybersecurity landscape is undergoing a massive shift with the rise of both human and non-human digital identities. How do you see the explosion of machine and AI agent identities redefining identity security strategies globally, and particularly for enterprises in India?
I think the first thing is that I’m glad you recognise this trend. Human identities are growing rapidly because organisations are using more SaaS applications and deploying more systems than ever before. But what sits behind all of this growth is something even bigger, machine identities. To give you a real data point, last year, when we conducted a survey, for every single human identity, there were roughly 40 machine identities. This year, that number has grown to around 80. That means in just one year, the number of non-human identities has doubled. This is no longer linear growth it is exponential.
This creates serious concern for organisations because most enterprises believe they already have an identity management or identity access strategy in place. The reality is that these strategies are almost entirely built around human identities, and they rarely cover machine identities, let alone AI identities.
If you ask an organisation how many employees, contractors, or applications they have, they can usually answer very precisely. But if you ask the same organisation how many machine identities exist in their environment, most can only give you an estimate. That is because they often don’t fully understand what they have, let alone how to manage it.
In many cases, organisations simply take a human identity and assign it to a machine. While this may work functionally, it is not secure. Humans can use MFA; machines cannot. This alone means existing strategies are fundamentally misaligned with the nature of non-human identities. What we are now seeing is a shift. Organisations are beginning to treat identity as a separate security domain, much like network security. Instead of thinking only about identity management, they are thinking about identity security and how to secure all identities across humans, machines, and now AI agents.
This requires a fundamental rethink. Enterprises need new approaches for discovering identities, defining policies, automating controls, and managing entitlements, particularly as AI introduces identities that can create other identities, leading to exponential expansion.
That realisation is pushing organisations to re-examine their entire identity strategy with one core objective: securing every identity across the enterprise.
As AI is increasingly used by both defenders and attackers, how should organisations balance the use of AI for cybersecurity with the risks AI itself introduces, especially around identity governance and trust?
AI adoption is unstoppable. Every organisation is either already using AI or will be using it very soon. The real challenge is understanding how AI can be both a solution and a risk at the same time.
We typically look at this across three domains. The first is securing against AI, where attackers are using AI for more effective phishing, spoofing, impersonation, and social engineering. Defenders need to assume attackers are already operating at a higher level of sophistication.
The second is securing with AI. If attackers are using AI, then defenders must also use AI to detect threats faster, respond more effectively, and identify anomalies that traditional tools would miss.
The third, and often the most overlooked, is securing AI itself. When organisations deploy AI internally, they must protect those AI systems from abuse, compromise, or misuse.
For enterprises using AI, there are three foundational areas to focus on.
First, AI is fundamentally a data security problem. AI systems are driven by data, and without a strong data strategy and governance framework, it becomes extremely difficult to secure AI identities, which tend to be fluid and dynamic.
Second, most organisations rely on third-party AI platforms, whether that is Microsoft Copilot, ChatGPT, or similar services. This introduces third-party risk. Enterprises must evaluate whether those vendors are adequately securing the data and identities involved. Recent incidents, such as platforms being leveraged to exfiltrate data across hundreds of organisations, highlight this risk clearly.
Third, organisations must start addressing AI identity security directly. This is where emerging AI governance frameworks become critical. Bodies like the National Institute of Standards and Technology (NIST) have published AI risk management frameworks and playbooks, and for organisations just beginning this journey, those resources are an excellent starting point.
What are the most critical gaps you are seeing today in how enterprises secure AI agents and automated systems? What risks arise if these gaps are left unaddressed?
One of the biggest gaps is that most organisations simply do not have a machine or AI identity security programme. They lack effective discovery, management, and monitoring capabilities for these identities.
The way you monitor a machine or AI identity should be very different from how you monitor a human user. Yet most organisations apply the same policies, the same detection engines, and the same controls across everything. As a result, when machine or AI identities are compromised, those incidents often go undetected.
Another major issue is that machine identities are typically static. They are created with OAuth tokens, session cookies, or passwords that remain valid for the entire lifecycle of an application. These credentials often never rotate and are rarely monitored.
If a static credential is stolen, and there is no visibility or control around its use, the organisation is exposed. However, even basic controls can dramatically reduce risk. For example, restricting where API tokens can be used from, monitoring behavioural deviations, or identifying abnormal access patterns can quickly highlight compromise.
The technology to do this already exists. The problem is not capability, it is adoption. What we are seeing today is just the tip of the iceberg. Organisations have significant opportunities to improve, but many have not yet taken the first step.
You have consistently emphasised the need for a unified identity security strategy. What does this look like in practical terms, especially for Indian enterprises with legacy systems and complex identity environments?
The first thing organisations must recognise is that identity security is a journey, not a one-time project. This is not something you install and forget. It is an ongoing organisational transformation with no real endpoint.
Given constraints around time, resources, and people, organisations should take a risk-based approach. Start by identifying which data and applications are most critical to the business, and which would cause the greatest impact if compromised.
Plot these against the effort required to secure them. Once you do that, it becomes clear where to begin. Focus first on high-risk, low-effort areas. This allows organisations to materially reduce risk quickly. Legacy environments are common, but organisations do not need to rely on legacy solutions to secure them. Identity security has evolved significantly over the past few years. Modern approaches, such as just-in-time access, zero standing privilege, and newer protocols, dramatically reduce both the attack surface and the management overhead.
If you can eliminate half your identities simply by not having them exist permanently, you significantly reduce both complexity and risk. Building a clear blueprint and following it step by step is critical, and there are strong reference frameworks available today to guide organisations through this process. Insider risk, orphaned access, and governance failures continue to trouble large enterprises.
How can organisations better address these issues, particularly at scale?
This is extremely common. In many customer environments, we still find identities belonging to people who left the organisation years ago but continue to have access. At its core, this is an identity governance problem. Modern governance solutions can now discover identities across applications and use AI to analyse which ones are active, which are redundant, and which should be removed.
AI significantly reduces the effort required to review access. Instead of manually reviewing everything, AI highlights exceptions that actually need human attention. It becomes much easier to identify dormant identities, excessive privileges, and access that no longer makes sense.
This is particularly important for organisations managing large volumes of data and users, where manual processes simply do not scale.
Finally, what advice would you offer to security leaders preparing for a future shaped by AI-driven threats and identity-centric risk?
Let me offer three pieces of advice. First thing is to recognise that we are operating in a VUCA world that is volatile, uncertain, complex, and ambiguous. That reality must shape how security strategies are designed. Second, avoid perfection. Many organisations fall into analysis paralysis, trying to build strategies that cover every possible scenario. As a result, years pass without meaningful action. Take the first step. Start small. Focus on the highest-risk gaps and build from there. Third, adopt a platform approach. Too many organisations deploy siloed tools that do not work well together. Over time, this becomes unmanageable. A platform that secures all identity types allows organisations to scale while focusing on outcomes and time to value rather than tool sprawl.
And one final thought starts with AI in everything you do. If you wait, you fall behind. The pace of innovation is relentless, and procrastination only increases technical debt. AI is not here to replace humans; it is here to elevate them. The key is to start now.