Express Computer
Kotak Mahindra Bank strengthens AI-led cyber resilience amid rising digital risk

As India’s financial ecosystem becomes increasingly digital, banks are facing a more complex security environment shaped by AI-driven threats, expanding APIs, cloud adoption, evolving regulations, and rising customer expectations around privacy and trust. In this environment, cybersecurity is no longer functioning as a standalone technology layer. Instead, it is becoming deeply integrated with governance, operational resilience, fraud prevention, and digital transformation strategies.

For Abhijit Chakravarty, Executive Vice President – Networks & Cyber, Kotak Mahindra Bank, the future of cybersecurity lies in moving beyond reactive defence models towards predictive, intelligence-led security architectures that combine AI, automation, privacy, and resilience at scale.

In an interaction with Express Computer, Chakravarty spoke about how Kotak Mahindra Bank is embedding AI into its cybersecurity framework, strengthening consent-led data governance under the DPDP Act, and building operational resilience into the bank’s broader digital risk management strategy.

AI moves to the centre of cybersecurity operations

Chakravarty believes that AI is increasingly becoming foundational to how modern enterprises detect, analyse, and respond to cyber threats in real time.

Rather than treating AI as an isolated capability, the bank is embedding it directly into the cybersecurity operating model to enable predictive and intelligence-driven defence mechanisms.

“We are embedding AI at the core of our cybersecurity framework to shift from reactive defence to predictive, intelligence-led security,” he says, adding that the scale and sophistication of modern attacks make it impossible for traditional manual systems to keep pace with evolving threat vectors.

“AI enables us to analyse large volumes of data, identify anomalous behaviours, and detect emerging threats at an early stage,” points out Chakravarty.

At the same time, AI is also helping accelerate response times by integrating automation and orchestration into incident management workflows. “By integrating AI with automation and orchestration, we are accelerating incident response while improving accuracy and consistency.”

However, Chakravarty emphasises that the rise of AI also introduces a parallel responsibility: securing AI systems themselves. “Equally, we are focused on securing AI adoption through strong governance, usage controls, and data protection. This dual approach, leveraging AI for cybersecurity while safeguarding AI itself, is critical to building a resilient, future-ready security posture.”

DPDP shifts the focus from compliance to accountability

For banks and financial institutions, the DPDP Act is driving a structural shift in how organisations approach customer data, privacy, and accountability.

Chakravarty explains that the focus is no longer limited to basic compliance obligations. Instead, organisations now need to build transparent, traceable, and consent-driven digital architectures across customer journeys. “We are strengthening our data privacy and governance frameworks by embedding privacy-by-design and consent-led architecture across all digital operations.”

According to him, the legislation is forcing enterprises to rethink governance structures around ownership, consent visibility, and lifecycle-based data controls. “With the DPDP Act, the focus has shifted from compliance to accountability, driving us to build centralised consent management, clear data ownership, and lifecycle-based controls.”

The bank is also integrating consent frameworks deeply into customer interactions and digital services. “We are integrating consent across customer journeys, ensuring transparency, real-time revocation, and full traceability.”

Alongside this, governance and risk controls are also being strengthened through structured privacy assessments and automated compliance mechanisms.

For Chakravarty, privacy frameworks must ultimately support both trust and innovation simultaneously. “This approach enables us to balance regulatory compliance with innovation while building trust through responsible and secure data practices,” he adds.

Security must evolve alongside digital innovation

As financial institutions accelerate digital transformation through cloud adoption, APIs, ecosystem partnerships, and embedded finance models, the complexity of managing cyber risk is increasing significantly.

Chakravarty mentions that one of the biggest challenges lies in ensuring that innovation itself is designed with security and compliance at the core. He points out that as digital ecosystems become more interconnected, the attack surface expands considerably. “As digital ecosystems expand through cloud, APIs, and partner integrations, the attack surface increases significantly, introducing new risks such as data leakage and third-party vulnerabilities.”

At the same time, regulators are now expecting organisations to demonstrate measurable resilience and governance maturity, rather than simply maintaining compliance documentation.

For enterprises, the answer lies in embedding security directly into digital architectures and innovation frameworks. “The real challenge lies in embedding security and compliance into innovation itself through secure-by-design architectures, continuous risk assessment, and strong governance so that growth is enabled, not constrained.”

Operational resilience becomes central to digital risk management

Chakravarty believes digital risk management is gradually evolving into a broader operational resilience model, where the focus extends beyond prevention towards continuity, recoverability, and sustained service availability.

“Digital risk management is evolving towards an operational resilience-centric model, where the focus extends beyond prevention to ensuring continuity, rapid recovery, and sustained service availability.”

This means organisations are increasingly integrating security, privacy, compliance, and resilience functions into unified governance structures. “Organisations are integrating security, compliance, and privacy controls into resilience frameworks that emphasise real-time monitoring, incident readiness, and tested response capabilities.”

He notes that regulators are also pushing enterprises towards measurable resilience outcomes. “As regulatory expectations increase, there is a clear shift towards demonstrable resilience outcomes, including recovery metrics and control effectiveness.” 

He asserts that resilient architectures must now incorporate security and privacy by design as foundational principles. “Embedding security and privacy by design within resilient architectures ensures that organisations can withstand disruptions, recover quickly, and maintain trust while enabling ongoing digital innovation.”

Fraud detection becomes predictive and AI-driven

As fraud patterns become increasingly sophisticated, organisations are moving away from static rule-based detection systems towards adaptive and predictive fraud intelligence ecosystems.

Chakravarty says the focus is now on leveraging AI, behavioural analytics, and real-time monitoring to identify suspicious activity with greater accuracy. “As cyber threats evolve, organisations are placing a strong emphasis on next-generation fraud monitoring capabilities driven by advanced analytics and AI.”

Modern fraud detection models are increasingly analysing behavioural signals, transaction anomalies, and contextual intelligence across channels.

The integration of threat intelligence with fraud monitoring is also becoming more important. “These capabilities are further enhanced by integrating threat intelligence with fraud signals for a more contextual response.”

At the same time, resilience planning remains equally critical to minimise disruption during attacks or breaches.

According to Chakravarty, enterprises are now building adaptive fraud ecosystems capable of evolving alongside attacker behaviour. “The focus is clearly shifting towards predictive, adaptive fraud detection ecosystems that can anticipate risks, minimise false positives, and protect customer trust at scale.”

The road ahead: AI-led defence with stronger governance

Looking ahead, Chakravarty says the organisation’s broader strategy will continue to revolve around AI-driven cyber defence, intelligent automation, fraud monitoring, and governance.

“Over the next 12–18 months, our key priority is to advance an AI-driven cybersecurity model that enables predictive, intelligence-led defence.”

The organisation is expanding the use of AI across multiple security and risk domains.

“We are focusing on embedding AI across threat detection, fraud monitoring, and incident response to improve speed, accuracy, and scale.” This includes investments in behavioural analytics, anomaly detection systems, and automated response orchestration frameworks.

At the same time, Chakravarty reiterates that governance around AI itself will remain equally important.

Combined with resilience and regulatory alignment, he believes this approach will help organisations navigate the next phase of digital transformation securely. 
