As AI, digital platforms, fintech systems and autonomous agents reshape how identities are created, used and misused, identity access management has become a core legal and regulatory issue for enterprises, Dr. Karnnika A Seth, Cyber Law Expert, DRDO, Ministry of Defence, Government of India, said on Friday. She said identity can no longer be seen narrowly as a password, user ID or access credential, because it now extends to personality rights, likeness, voice, personal data, machine identities and AI-generated digital actors.

Seth was speaking at the ETCISO Identity & Access Management Summit 2026, organised by The Economic Times in Mumbai.

Opening her special address, Seth said identity and access management has become one of the most important topics for organisations at a time when India’s regulatory and compliance landscape is undergoing major shifts. Businesses across sectors, as well as government bodies, are being forced to rethink how they manage identity, access, digital evidence and data protection obligations.

“Identity access management becomes a key issue for any and every global and domestic business,” Seth said.

She said the legal fraternity looks at identity risk differently from technology teams because cyber incidents eventually have to be examined through statutes, regulatory guidelines, evidence standards and judicial interpretation. In litigation, she said, courts may examine whether banks, platforms or enterprises followed applicable guidelines, software standards and security practices.

“When we argue RBI guidelines for banks, we look into the software and the standards which have been deployed, and whether those have been followed or not,” she said.

Seth said the scope of identity has expanded far beyond traditional authentication. Identity today includes account access, biometric likeness, voice, image, social media presence and even an individual’s commercial persona. This has become particularly important as deepfakes, morphing, fake profiles and impersonation scams increase.

“Identity is not only limited to use of password, user ID or any other way of accessing your account,” she said. “It goes much beyond your persona.”

She cited deepfake and impersonation cases involving celebrities and public figures to underline how identity misuse now intersects with personality rights, copyright principles and commercial rights over voice or likeness. Such misuse, she said, can lead to extortion, fraud and reputational harm.

“Today, when we are talking about identity, do not look at it from a narrow standpoint,” Seth said. “It mingles with personality rights.”

According to Seth, courts have increasingly recognised identity and associated elements such as likeness as legally significant. Unauthorised use of a person’s identity or persona can raise questions of rights violation, passing off, impersonation and cyber fraud.

She said the challenge has become more complex because the legal framework must now be applied to AI-enabled scenarios, machine identities, robotic attacks and AI-generated identities. Traditional legal concepts such as unauthorised access, exceeding authorised access, copying data or introducing malicious code must be interpreted in the context of autonomous digital systems.

“We have machine identity, robotic attacks and AI-generated identities,” Seth said. “Identity is the primary security boundary.”

Seth said AI-driven attacks and shadow identities are already creating new legal and forensic challenges. In such cases, investigators may have to determine whether an AI tool, autonomous agent, API endpoint or compromised service account was used to discover, copy, scan or harvest data.

She said these scenarios require stronger audit trails, timestamps and electronic evidence practices so that organisations can trace what happened, preserve evidence and produce it correctly when required.

“We need electronic evidence, because we need mapping of timestamps and audit trails,” she said. “How we collect, preserve and produce evidence is very important.”

Seth also highlighted emerging identity threats across APIs, insider misuse, cross-border data compromise, machine analytics, service accounts, UPI, fintech, social media and digital grooming risks involving minors. She said children’s data requires particular attention under data protection obligations.

Referring to the Digital Personal Data Protection framework, she said organisations must recognise their roles as data fiduciaries and processors, build appropriate systems and processes, and comply with breach-notification obligations.

“Data fiduciaries have to put in place systems and processes in order to comply,” Seth said.

She added that breach notification timelines are becoming critical, with organisations expected to respond quickly when personal data is compromised. Cyber incident reporting, takedown obligations and regulator-facing communication must therefore be part of identity and access governance.

On cybercrime provisions, Seth said identity theft, cheating by personation and misuse by service providers are already addressed under legal provisions, but the application of these laws is becoming more challenging as technology changes. She pointed to provisions dealing with identity-related offences and service-provider liability as particularly relevant.

“Sections 66C and 66D are more identity-related,” she said, referring to offences around identity theft and cheating by personation under India’s cyber law framework.

She also said service providers must recognise the significance of provisions dealing with confidentiality, privacy and unlawful disclosure of information.

“Section 72A is also important for service providers,” Seth said.

Seth said banks and regulated entities cannot treat cybersecurity guidelines as advisory documents without consequence. Courts have already considered whether banks followed prescribed security practices, and failure to maintain appropriate standards can lead to liability.

“It is not just that there is a guideline and nobody follows it,” she said.

She said identity governance must also account for retention rules, children’s data, tokenisation, anonymisation, pseudonymisation and re-identification risk. Even anonymised data may become legally sensitive if it can be re-identified through AI or other advanced methods.

“If it is anonymised data, can you decipher the original content and identify it? Those things are also important,” she said.

Seth said organisations must strengthen role-based access, monitor gaps, conduct audits and deploy secure mechanisms. In AI-led environments, she said, organisations must assess whether data use is necessary, proportionate and aligned with legal obligations.

She also pointed to the role of government agencies and policy bodies, including the Ministry of Electronics and Information Technology, CERT-In, law enforcement and cyber policy institutions, in shaping cyber compliance and incident response expectations. She noted that takedown timelines for certain forms of harmful online content are becoming shorter, making response readiness more important.

For enterprises, Seth outlined a roadmap centred on identity-centric zero trust, strong authentication, governance, monitoring, legal compliance, breach notification, resilience planning and contractual safeguards. She said organisations must also address cross-border transfers, vendor identities and AI-related identity risks.

“We need an identity-centric zero trust programme with strong authentication and policies in place,” she said.

She urged organisations to unify identity across platforms, cloud environments and AI systems; automate controls wherever possible; and build resilience against identity-led attacks.

“Unify identity across all platforms, automate to whatever extent possible and build resilience against identity attacks,” Seth said.

Seth’s address positioned identity as a convergence point for cybersecurity, law, regulation, evidence and digital rights. The message for enterprises was that identity governance can no longer remain a back-end IT control. In the AI era, it is becoming a legal control plane that determines how organisations secure users, protect data, prove compliance and respond when digital trust is challenged.

Join the community of 2M+ industry professionals.

Subscribe to Newsletter to get latest insights & analysis in your inbox.

All about ETCISO industry right on your smartphone!