Bhushan argued that the centre of gravity has moved from protecting “assets” to validating identity continuously—especially in distributed, hybrid architectures where attackers no longer need to break systems if they can impersonate trusted users. “It’s no longer about protecting only the assets; it’s more of the identity,” he said, adding that in an AI-first world even bots and agentic workloads must be treated as identity-bearing entities. “It has to be my agentic approach we are running, the bots we are running—each one of them has to be treated as a threat vector,” Bhushan said, noting that organisations often can’t reliably distinguish whether requests originate from humans, bots, or autonomous agents unless identity governance becomes stronger and faster.
Duggal extended that point, calling identity the new control plane as enterprises deploy AI-driven digital workers across business functions. “We have a new digital worker which has its own identity,” he said, adding that deepfakes and AI impersonation are no longer theoretical. “We have seen an incident where a call came from a top CEO as a video call but it was a wrong video call. It was an AI call,” he said, warning that compromised identity is increasingly the most scalable entry point for attackers in large digital ecosystems.
The conversation also highlighted the growing risk surface created by AI tool sprawl and model supply chains. Duggal cautioned against uncontrolled adoption of third-party AI agents and models, arguing that enterprises must vet what gets used and where it gets deployed. “Somebody downloads a model and deploys it in production; you never know—these models may have time-based attacks,” he said. At Jio, he said the focus is on “shift-left” controls across DevSecOps pipelines, with guardrails on what models are allowed and how identities are handled. “We ensure that identities are masked, we have a hash identity, a virtual identity created on top,” Duggal noted, describing tokenisation-style approaches as a way to reduce blast radius even if data is exposed.
Third-party risk, both speakers said, is increasingly inseparable from cloud security—especially as API ecosystems expand. Duggal cited an example involving partner access and downstream delivery operations, where exposure of customer contact information enabled social engineering and fraud at the last mile. “We encrypted all of that and we said we will give you call masking APIs, where you do not even get the final number of our customers,” he said, describing how API design, data minimisation and masking can become practical countermeasures against ecosystem leakage.
Bhushan acknowledged that zero trust is not a single product checkbox, and that excessive controls can degrade experience and raise costs—especially in consumer-facing digital businesses. “The only job we are doing is to find the balance,” he said, describing the trade-off between security layers, performance overhead, cost escalation and customer friction. He noted that not all interactions carry equal value-at-risk, and security controls must be calibrated accordingly rather than applied uniformly.
When it comes to proving impact to leadership, the speakers suggested boards increasingly look for control plane maturity and demonstrable resilience rather than vanity metrics. Duggal framed the equation as risk-managed speed: “If you don’t have zero trust you’re driving a car at Ferrari speed, but it can crash,” he said, arguing that shift-left implementation can minimise overhead while increasing safety. Bhushan, meanwhile, positioned cloud security as a brand trust investment that must scale with threats even when the absence of incidents makes ROI harder to quantify. “To remain where we are, we have to,” he said, pointing to customer confidence as the ultimate success metric in consumer digital ecosystems.






