
Securing Digital Frontier: Conversation With Anirban Mukherji

We have reached a point where Zero Trust must move beyond verifying humans to governing Non-Human Identities (NHIs): bots, AI agents, and automated services

As India accelerates its digital transformation through initiatives like UPI and widespread cloud adoption, the security landscape has moved beyond traditional perimeters. With the enforcement of the DPDP Act and the rise of autonomous AI agents, the definition of “identity” is being rewritten. Today, we sit down with Anirban Mukherji, the visionary behind miniOrange and the driving force behind the IdentityShield Summit 2026, to discuss how organizations can navigate this complex new reality.

With autonomous AI agents on the rise, how must Zero Trust evolve to govern Non-Human Identities (NHIs) and prevent “Shadow AI” from accessing data without DPDP-compliant consent?

We have reached a point where Zero Trust must move beyond verifying humans to governing Non-Human Identities (NHIs): bots, AI agents, and automated services. Because these entities operate independently, they cannot have broad, “standing” access. Every agent needs a verifiable digital identity constrained by least-privilege, just-in-time access.

To prevent “Shadow AI,” Zero Trust controls must evaluate context and the purpose of data processing. Under the DPDP Act, access decisions should be dynamically checked against consent-derived policies. If an agent’s requested action doesn’t align with the data subject’s current consent status, the system must automatically deny and log that attempt. We cannot rely on the AI to “self-police”; the policy engine must enforce this linkage.
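The enforcement linkage described in the two answers above, as an added example that is not part of the interview or of miniOrange's products: a small policy engine evaluates each non-human identity's request against a just-in-time grant, a least-privilege purpose scope, and the data subject's consent status, and records every decision. The consent table, agent names and purposes are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed consent records standing in for a consent-management system:
# data subject -> purpose -> whether consent for that purpose is currently active.
CONSENT = {
    "subject-42": {"order_fulfilment": True, "marketing_analytics": False},
    "subject-77": {"order_fulfilment": True, "marketing_analytics": True},
}


@dataclass(frozen=True)
class AgentIdentity:
    """A non-human identity: a least-privilege purpose scope plus a just-in-time grant."""
    agent_id: str
    allowed_purposes: frozenset
    grant_expires: datetime  # no standing access: the grant lapses on its own


@dataclass(frozen=True)
class AccessRequest:
    agent: AgentIdentity
    subject_id: str  # the data subject whose record would be processed
    purpose: str     # the purpose the agent declares for this processing
    action: str      # e.g. "read" or "export"


AUDIT_LOG = []  # every decision, allowed or denied, lands here


def _record(req, allowed, reason):
    AUDIT_LOG.append({
        "agent": req.agent.agent_id, "subject": req.subject_id,
        "purpose": req.purpose, "action": req.action,
        "allowed": allowed, "reason": reason,
    })
    return allowed, reason


def decide(req, now):
    """Policy-engine decision for one NHI request; fails closed on anything unknown."""
    if now >= req.agent.grant_expires:
        return _record(req, False, "jit grant expired")
    if req.purpose not in req.agent.allowed_purposes:
        return _record(req, False, "purpose outside agent scope")
    subject_consent = CONSENT.get(req.subject_id)
    if subject_consent is None:
        return _record(req, False, "unknown data subject")
    if not subject_consent.get(req.purpose, False):
        return _record(req, False, "no active consent for purpose")
    return _record(req, True, "allowed")


def demo():
    """Run constructed requests and return the allow/deny outcomes in order."""
    AUDIT_LOG.clear()
    now = datetime(2026, 1, 15, 10, 0, tzinfo=timezone.utc)
    grant_end = now + timedelta(minutes=30)
    order_bot = AgentIdentity("order-bot", frozenset({"order_fulfilment"}), grant_end)
    analytics_agent = AgentIdentity("analytics-agent", frozenset({"marketing_analytics"}), grant_end)
    requests = [
        (AccessRequest(order_bot, "subject-42", "order_fulfilment", "read"), now),
        (AccessRequest(order_bot, "subject-42", "marketing_analytics", "export"), now),        # outside scope
        (AccessRequest(analytics_agent, "subject-42", "marketing_analytics", "export"), now),  # consent withdrawn
        (AccessRequest(analytics_agent, "subject-77", "marketing_analytics", "export"), now),
        (AccessRequest(order_bot, "subject-77", "order_fulfilment", "read"), now + timedelta(hours=1)),  # grant lapsed
    ]
    return [decide(req, at)[0] for req, at in requests]


if __name__ == "__main__":
    print(demo())
    for entry in AUDIT_LOG:
        print(entry)
```

The ordering of the checks matters: identity and grant validity come first, then scope, then consent, so an agent never learns whether a subject exists or what they consented to unless it is entitled to ask. The denied attempts in the log are exactly the evidence a policy reviewer would want when a "Shadow AI" integration starts reaching for data it has no purpose for.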

The DPDP Act mandates a 72-hour notification window for breaches. How do automated Incident Response (IR) playbooks help, and are traditional logs enough to prove “reasonable security”?

That 72-hour clock starts at the moment of awareness, not at the end of an investigation. Automated IR playbooks are vital because they correlate alerts with data classification in minutes, allowing you to quickly identify if sensitive personal data was involved.

However, traditional audit logs are often insufficient. To satisfy the Data Protection Board, you need “state-of-data” evidence. Your logs must prove that at the exact time of the breach, your safeguards—like encryption or masking—were active and effective. This proves that even if an actor accessed the system, the data remained unreadable. Without this, proving “reasonable security” becomes an uphill battle.

Attackers are now using Generative AI for “Living-off-the-Land” (LotL) attacks. How can behavioral analytics provide better protection than static controls?

Static Zero Trust focuses on the “front door”—once a user is in, visibility drops. LotL attacks exploit this by using legitimate tools to blend in. Behavioral analytics solves this by building baselines for every user and device. If a non-technical account suddenly executes administrative commands or probes systems outside its scope, the system detects the anomaly. Instead of blindly trusting a valid login, we calculate a real-time risk score. If that score spikes, we can automatically trigger step-up authentication or suspend the account, stopping an AI-assisted attack in its tracks even if the credentials used were technically “valid.”
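The baseline-and-risk-score idea from the answer above, as an added example that is not the interviewee's or miniOrange's code: each account's command and host baseline is constructed, a burst of session events is scored against it, and the score is mapped to allow, step-up authentication or suspension. The thresholds, weights, account names and event lists are all assumptions chosen for the illustration.

```python
from collections import Counter

# Constructed per-account baselines learned over a quiet training window:
# which commands the account runs (and how often) and which hosts it touches.
BASELINE = {
    "hr-analyst": {"commands": Counter({"open_report": 40, "export_csv": 12}),
                   "hosts": {"hr-app", "hr-db"}},
    "ops-admin": {"commands": Counter({"ssh": 30, "sudo": 25, "net_scan": 8}),
                  "hosts": {"bastion", "prod-1", "prod-2"}},
}

# Legitimate administrative tools; unremarkable for an admin, anomalous for an
# account that has never used them.
ADMIN_TOOLS = {"ssh", "sudo", "powershell", "net_scan", "certutil"}

STEP_UP_THRESHOLD = 30   # prompt for a stronger factor
SUSPEND_THRESHOLD = 70   # cut the session even though the login was valid


def risk_score(account, events):
    """Score a burst of (command, host) events against the account's own baseline."""
    base = BASELINE.get(account, {"commands": Counter(), "hosts": set()})
    total = sum(base["commands"].values())
    score = 0
    for command, host in events:
        freq = base["commands"][command] / total if total else 0.0
        if freq == 0:
            score += 25                      # never seen for this account
            if command in ADMIN_TOOLS:
                score += 15                  # and it is an admin tool
        elif freq < 0.05:
            score += 10                      # rare for this account
        if host not in base["hosts"]:
            score += 20                      # reaching outside its usual scope
    return min(score, 100)


def respond(account, events):
    """Map the score to an automated response."""
    score = risk_score(account, events)
    if score >= SUSPEND_THRESHOLD:
        return "suspend"
    if score >= STEP_UP_THRESHOLD:
        return "step_up_auth"
    return "allow"


# Constructed session bursts, as a SIEM might batch them per login.
SESSIONS = [
    ("hr-analyst", [("open_report", "hr-db"), ("powershell", "hr-app"), ("net_scan", "finance-db")]),
    ("ops-admin", [("ssh", "bastion"), ("sudo", "prod-1")]),
    ("ops-admin", [("certutil", "bastion")]),
]


def run():
    """Score every constructed session: (account, score, response)."""
    return [(account, risk_score(account, events), respond(account, events))
            for account, events in SESSIONS]


if __name__ == "__main__":
    for row in run():
        print(row)
```

The point the scoring makes is that the same command carries different risk for different accounts: `sudo` from the operations admin scores nothing, while the HR analyst's first-ever admin tool plus a host outside its scope pushes the session straight past the suspension threshold, valid password or not. An account with no baseline at all is scored conservatively and lands on step-up authentication rather than silent allow.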

Given the DPDP liability for third-party processors, how does miniOrange’s strategy prevent lateral movement during a vendor breach?

Under the DPDP Act, the Data Fiduciary is primarily accountable, even if a vendor (Data Processor) makes the mistake. We treat all vendor access as “untrusted by default.” Instead of broad VPN access, we use micro-segmentation. Vendors are confined to specific API endpoints or “access zones” required for their tasks. Even if a vendor’s credentials are stolen, the attacker is trapped in an isolated segment. Lateral movement into your core customer databases becomes structurally impossible because those network paths simply don’t exist.

How does automated data deletion help operationalize “purpose limitation” and reduce the risk of ransomware?

Purpose limitation means you shouldn’t keep data longer than necessary. We operationalize this through Time-to-Live (TTL) policies. Data is tagged at creation with retention rules. Once a transaction or warranty period ends, the system automatically initiates deletion or anonymization.

This is a massive win for ransomware defense. Ransomware leverage depends on the volume of sensitive data an attacker can find. By eliminating Redundant, Obsolete, or Trivial (ROT) data, you shrink your attack surface. If there is less data to steal, the “blast radius” of a breach is significantly smaller.
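The TTL mechanism from the two answers above, as an added example rather than anything from the interview or miniOrange: records are tagged at creation with a purpose, a retention table maps each purpose to a time-to-live and an end-of-life action (delete or anonymise), and a sweep applies it. The count of still-readable personal-data fields before and after the sweep is the "blast radius" measure the answer refers to. Purposes, retention periods, field names and records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Record:
    record_id: str
    purpose: str           # the purpose the data was collected for
    created: datetime
    fields: dict
    state: str = "active"  # active | anonymised | deleted


# Constructed retention rules: purpose -> (time-to-live, action once it expires).
RETENTION = {
    "order_fulfilment": (timedelta(days=30), "delete"),
    "warranty_claim": (timedelta(days=365 * 2), "anonymise"),
}

# Field names treated as personal data; everything else may be kept for statistics.
PII_FIELDS = {"name", "email", "phone", "address"}


def sweep(records, now):
    """Apply each record's TTL in place; return the (record_id, action) pairs acted on."""
    actions = []
    for rec in records:
        if rec.state != "active":
            continue
        ttl, action = RETENTION[rec.purpose]
        if now < rec.created + ttl:
            continue  # still within its retention window
        if action == "delete":
            rec.fields = {}
            rec.state = "deleted"
        else:
            # Anonymise: drop the personal-data fields, keep non-identifying ones.
            rec.fields = {k: v for k, v in rec.fields.items() if k not in PII_FIELDS}
            rec.state = "anonymised"
        actions.append((rec.record_id, action))
    return actions


def exposed_pii_fields(records):
    """Count personal-data fields still readable: a rough ransomware blast-radius measure."""
    return sum(1 for r in records for k in r.fields if k in PII_FIELDS)


def demo():
    """Sweep a constructed data set; return (actions, pii_before, pii_after, records)."""
    now = datetime(2026, 3, 1, tzinfo=timezone.utc)
    records = [
        Record("ord-1", "order_fulfilment", datetime(2026, 1, 1, tzinfo=timezone.utc),
               {"name": "A. Customer", "email": "a@example.invalid", "amount": 1200}),
        Record("ord-2", "order_fulfilment", datetime(2026, 2, 20, tzinfo=timezone.utc),
               {"name": "B. Customer", "phone": "+91-00000-00000", "amount": 300}),
        Record("war-1", "warranty_claim", datetime(2023, 6, 1, tzinfo=timezone.utc),
               {"name": "C. Customer", "address": "constructed", "product": "router", "fault": "psu"}),
    ]
    before = exposed_pii_fields(records)
    actions = sweep(records, now)
    after = exposed_pii_fields(records)
    return actions, before, after, records


if __name__ == "__main__":
    actions, before, after, _ = demo()
    print(actions, "pii fields before:", before, "after:", after)
```

Two design points: the sweep is idempotent (already deleted or anonymised records are skipped, so it can run on a schedule), and anonymisation strips the identifying fields instead of hashing them, since a hashed e-mail is still linkable and would not satisfy purpose limitation.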

Cloud adoption is booming, yet “Shadow IT” remains a major blind spot. What concerns you most about unmanaged cloud usage?

Employees prioritize speed. If corporate tools are slow, they’ll use a personal credit card for an unauthorized SaaS tool. The biggest blind spot today isn’t just the app itself, but SaaS-to-SaaS integrations. An unauthorized app can silently connect to your Google Drive or Slack and sync data in the background.

To solve this, a Cloud Access Security Broker (CASB) must look beyond traffic logs to scan OAuth tokens and endpoint activity. We need to identify these “invisible” connections to prevent data from lingering in third-party apps long after an employee has left the company.
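A scan over third-party OAuth grants of the kind the answer above asks a CASB to perform, added here as an example and not drawn from the interview or from any miniOrange product: each grant is checked against a sanctioned-app catalogue, against scopes that expose bulk data, and against whether the granting user is still employed, and is mapped to a revoke or review action. The app names, scope strings, user list and catalogue are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OAuthGrant:
    app: str
    user: str
    scopes: frozenset
    user_active: bool  # False once the employee has left


# Constructed catalogue of sanctioned apps and of scopes that grant bulk data access.
APPROVED_APPS = {"corp-crm", "corp-backup"}
BROAD_DATA_SCOPES = {"drive.readonly", "drive", "files:read", "channels:history", "mail.read"}


def scan_grants(grants):
    """Return {"app:user": (action, reasons)} for every grant needing attention."""
    findings = {}
    for g in grants:
        reasons = []
        approved = g.app in APPROVED_APPS
        broad = sorted(g.scopes & BROAD_DATA_SCOPES)
        if not approved:
            reasons.append("app not in sanctioned catalogue")
        if broad:
            reasons.append("bulk data scopes: " + ", ".join(broad))
        if not g.user_active:
            reasons.append("grant owner has left; token may still sync data")
        # Departed owner, or an unsanctioned app with bulk scopes, is revoked outright;
        # an unsanctioned app with narrow scopes goes to review.
        if not g.user_active or (not approved and broad):
            action = "revoke"
        elif not approved:
            action = "review"
        else:
            continue  # sanctioned app, active owner, nothing to flag
        findings[f"{g.app}:{g.user}"] = (action, reasons)
    return findings


# Constructed export of an identity provider's third-party app grants.
GRANTS = [
    OAuthGrant("corp-crm", "alice", frozenset({"mail.read"}), True),
    OAuthGrant("notes-sync", "bob", frozenset({"drive.readonly", "profile"}), True),
    OAuthGrant("corp-backup", "carol", frozenset({"drive"}), False),
    OAuthGrant("meme-maker", "dave", frozenset({"profile"}), True),
]


def summary():
    """Just the action per flagged grant."""
    return {key: finding[0] for key, finding in scan_grants(GRANTS).items()}


if __name__ == "__main__":
    for key, (action, reasons) in scan_grants(GRANTS).items():
        print(f"{key}: {action} ({'; '.join(reasons)})")
```

The case worth noticing is `corp-backup:carol`: a sanctioned app with an approved scope still gets revoked because its owner has left, which is exactly the "data lingering after an employee has left" problem the answer describes and the one traffic logs alone will not surface, since the sync happens SaaS-to-SaaS.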

What led you to start the IdentityShield Summit 2026? What gap were you trying to fill?

India is a global technology powerhouse, yet we lacked a flagship platform dedicated to digital identity and the future of cybersecurity. The USA has RSA; the UAE has GISEC. India needed a “home base” where CEOs, CISOs, and policymakers could align on a national security narrative.

Beyond the enterprise, we wanted to address grassroots cybersecurity. As India digitizes through UPI and digital public platforms, cyberfraud has become an everyday risk for citizens. IdentityShield is designed to make security affordable and understandable for everyone—from large institutions to small businesses and individual users.

Beyond the commercial impact, what responsibility do industry leaders have to the public regarding cybersecurity?

Digital safety is a public good, like clean water. Leaders have a responsibility to protect the most vulnerable—the elderly, students, and rural citizens. We need to build “digital herd immunity.” By investing in free workshops and public awareness, we help citizens recognize scams. When the average person knows how to secure their digital identity, attackers lose their scale. This isn’t just charity; it’s about ensuring that the benefits of our digital economy are safe and inclusive for everyone.
