As cyber warfare shifts from disrupting systems to infiltrating organisations through employees, vendors, customers and autonomous identities, enterprises must treat identity as a frontline defence layer rather than a back-end access function, industry leaders said on Friday. The panel said deepfake biometrics, synthetic identities, third-party compromise, machine identities and agentic AI are making identity attacks more precise, sector-specific and difficult to detect, requiring continuous trust models that go beyond compliance.

The discussion took place at the ETCISO Identity & Access Management Summit 2026, organised by The Economic Times in Mumbai. It was moderated by Sneha Jha, Editor – Special Initiatives, ETCIO and ETCISO.

Opening the discussion, Jha said identity is no longer just an access point but something that must be constantly proven, verified and trusted. She noted that in the past 18 to 24 months, cyber warfare has moved beyond taking systems down to entering systems as employees, vendors, executives and customers.

“Identity is also becoming the frontline of cyber warfare,” Jha said. “Cyber warfare is not just about taking out systems. It is about worming into your systems as employees, vendors, executives and customers.”

For Asit Kumar, CISO and DPO, Digi Yatra Foundation, the weakest link in biometric identity ecosystems is remote digital onboarding and subsequent liveness checks. He said attackers are increasingly using deepfakes and manipulated camera feeds to bypass onboarding processes by replacing a live camera feed with synthetic or malicious video.

“The weakest link is remote digital onboarding and the subsequent liveness check,” Kumar said.

He said the answer to AI-enabled biometric fraud must also come from AI-enabled detection. Systems must be able to distinguish between real human presence and synthetic or replayed inputs by analysing signals such as 2D artefacts, involuntary facial movement and reflection patterns.

“The protection also has to be from AI,” he said.

Kumar said biometric identity cannot be treated as permanently safe simply because the biometric itself is difficult to change. Systems must be designed with reset mechanisms, because what cannot be broken today may become breakable tomorrow.

“Whatever cannot be broken today is going to be broken,” he said. “The provisions for that should be there in the design and architecture.”

He explained that biometric systems can be strengthened by combining immutable biometric parameters with changeable elements such as salts or algorithms. This allows organisations to reset or reissue identity templates if required.

“You have to take the immutable parameters and add something that can be reset or changed,” Kumar said.

Sandesh Jadhav, Global DPO, Wipro, said the biggest blind spot in large, cross-border and multi-cloud enterprises is the growth of non-human identities, agentic AI, service accounts and vendor-linked privileged access. These identities often continue to exist even after a project ends, a human sponsor leaves or a vendor relationship changes.

“The biggest blind spot is non-human interfaces, agentic AI and vendors,” Jadhav said.

He said cloud and supply-chain complexity have changed the traditional perimeter. Enterprises no longer deal with one network or one service provider, but with multi-cloud environments, authentication providers, IAM vendors, IGA systems and multiple layers of service delivery.

“The compromise can happen at any end or at any point in this entire supply chain,” he said.

Jadhav also warned that data sovereignty and control must become central to identity and access conversations. The issue is not only where data is stored, but who controls it, who manages it and which geopolitical or contractual risks apply when conflict arises.

“Who owns the data is not the question. Who controls your data is the question,” he said.

He said enterprises must contractually define responsibility across the supply chain, especially when data is processed, sub-processed or handled by third parties. Accountability must not disappear across vendors, cloud providers and downstream processors.

“If my data is getting compromised at your end, then you are the one who is responsible,” Jadhav said.

Steve Dsouza, CRO, ICICI Lombard General Insurance, said the insurance sector must distinguish between traditional fraud and large-scale coordinated cyber attacks by looking at scale, velocity and identity patterns. Conventional fraud may involve an individual or small group, while coordinated attacks can use synthetic IDs and automated identity manipulation.

“The first difference is the scale and velocity of identities,” Dsouza said.

He said synthetic identity fraud is already a real risk. Attackers can use compromised credentials, high-risk addresses, silicon fingerprints, deepfake videos and manipulated KYC processes to bypass onboarding controls and open accounts or execute fraud.

“This is real,” he said, referring to synthetic identity and deepfake-enabled fraud.

Dsouza said identity must be viewed holistically in insurance, not only from the customer perspective but also across those operating for and around the organisation. Third-party compromise, web aggregators and intermediaries can become entry points for fraud and cyber attacks.

“It is important to look at identity holistically, not only from a customer point of view, but also from who is operating and working for us,” he said.

He added that large-scale manipulation of identity data can distort actuarial models because insurance assumptions depend on historical data being trustworthy and statistically stable.

“Any large-scale manipulation of data can distort actuarial assumptions,” Dsouza said.

Manoj Nayak, CISO, SBI Life Insurance, said identity fraud in insurance can occur at inception, during the policy lifecycle and at the claims stage. While checks such as digital KYC and system integrations have improved onboarding, identity manipulation can still happen through beneficiary changes and claims processes.

“Frauds during the claim process have larger implications because money is going out during that period,” Nayak said.

He said insurance companies are developing their own controls while also collaborating on fraud intelligence. Identity-led fraud must be treated as a business risk as much as a cyber risk.

“Cybersecurity is always aligned with business,” he said. “If we do not align ourselves to business, we will not exist in the company or in the industry.”

Nayak said insurers must future-proof identity assurance by monitoring risk across the full lifecycle of a policy. Long-duration policies require continuous due diligence because beneficiaries, addresses and other linked identity attributes may change over time.

“During the lifecycle of the policy, we have to see what kind of due diligence can be done,” he said.

He added that threat intelligence and identity intelligence will become increasingly important for anticipating fraud and cyber threats.

“We need to anticipate the threats and the frauds that can happen to us,” Nayak said.

Akanksha Garg, Chief Data Protection Officer and Head: Digital Products PMO, HDFC Securities, said OTP-based authentication is no longer sufficient in a high-risk financial ecosystem. OTPs were designed for convenience, but the current environment requires stronger and more adaptive authentication.

“Is OTP enough? The answer is no,” Garg said.

She said authentication must become federated and continuous, with checks not only at login but also during transactions and behavioural changes. When money is involved, compromised identity does not only break trust; it can directly affect an individual’s hard-earned savings.

“Authentication has to be federated, not just at the time of entry, but maybe at the transaction and behaviour level,” she said.

Garg added that identity protection is not a one-time activity. Trust must extend across the organisation and its ecosystem, because customers depend not only on the enterprise but also on the security and privacy posture of its partners.

“Identity protection is not a one-time thing,” she said. “Everyone must trust the security and privacy of the organisation and its ecosystem.”

Amit Subhanjee, Cyber Security Leader, RTX, said identity security in aerospace and defence is a national security issue, not merely a data protection or IT-control issue. The biggest risk, he said, is credential loss through third-party breaches in a vast and interconnected supplier ecosystem.

“The biggest risk right now would be credential loss due to a third-party breach,” Subhanjee said.

He said attackers increasingly target smaller vendors rather than large enterprises with mature security cultures. In aerospace and defence, engineering sites and intellectual property-heavy environments are especially attractive targets.

“Bad actors are really targeting the small vendors, not the big vendors,” he said.

Subhanjee said the industry must move beyond compliance and from identity verification to identity assurance. Every vendor should be treated as a possible entry point, and every credential as potentially compromised.

“We are changing from identity verification to identity assurance,” he said.

He said the goal is not to assume that every identity everywhere can be perfectly protected, but to ensure that even when compromise occurs, attackers cannot move freely or cause major disruption.

“Even if compromise happens, I do not want bad actors to move around smoothly within my ecosystem,” Subhanjee said.

Yazad Balsara, AVP – Pre-Sales Lead and Product Specialist, Cymmetri, said one of the most underestimated identity risks is undefended access created by service identities with unclear ownership. Service accounts often begin as project requirements and then remain active after proof-of-concepts, projects or sponsors disappear.

“The risk comes when we talk about undefended access,” Balsara said.

He said the issue is not always the absence of tools or processes, but unclear accountability. Service accounts may accumulate privileges over time because no one clearly owns the decision to deny or revoke access.

“Controls do not have clear accountability at certain stages, and that leads to gaps,” he said.

Balsara said enterprises must consolidate identity data, logs and behavioural signals into systems that can provide unified visibility and session intelligence. Attackers can exploit gaps created by fragmented tools and incomplete inventory.

“You really have to have a solution which can bring different logs, analyse them, create behavioural insights and provide session intelligence,” he said.

He added that agent-to-agent communication requires controls now, not later. AI agents may create new productivity models, but without governance they may also expose customer data or trigger harmful actions.

“Agent-to-agent communication is new, but the things it can do are remarkable. Controls have to be put in now,” Balsara said.

The panel agreed that identity security now requires a broader mindset than traditional access management. Enterprises must discover all human and non-human identities, manage exceptions, adopt just-in-time access, strengthen vendor governance, consider privacy and AI laws, and design systems for geopolitical and regulatory complexity.

Jadhav said technical teams can no longer think only like engineers when designing identity systems. They must account for law, policy and geopolitical context.

“You do not have to think just like a technical engineer. You have to think like a lawyer, a public policy leader and a geopolitical expert,” he said.

Subhanjee said the biggest mindset shift is accepting that identity is no longer definitive proof of who someone is. In an AI-enabled world where behaviour, voice and digital profiles can be imitated, identity must be treated as a probability that requires continuous validation.

“Identity is no longer proof that guarantees who you are,” he said. “It is about probability.”

The discussion closed with the view that identity can now be compromised, cloned or even manufactured. In an era of geopolitical cyber conflict, enterprises will need leadership models that defend trust continuously across people, machines, vendors, agents and data ecosystems. The future of identity security, the panel concluded, will depend on assurance, accountability and resilience rather than one-time verification.

Join the community of 2M+ industry professionals.

Subscribe to Newsletter to get latest insights & analysis in your inbox.

All about ETCISO industry right on your smartphone!