Connect with us

Interviews

Vibhuti Sinha, Chief Product Officer at Saviynt – Interview Series

mm
Published

Vibhuti Sinha, Chief Product Officer at Saviynt, leads the vision, innovation, and strategic direction of the company’s workforce identity and intelligence portfolio, while also overseeing product and partner success. With nearly two decades of experience in identity and access management (IAM), he has played a central role in shaping large-scale security architectures for Fortune 500 organizations. Prior to his current role, he served as Chief Cloud Officer at Saviynt, where he drove the development of next-generation cloud security solutions designed to secure complex multi-cloud environments. His expertise spans compliance frameworks such as FFIEC, risk-based authentication, and access lifecycle management, positioning him at the intersection of enterprise security, cloud infrastructure, and AI-driven identity governance.

Saviynt is a cloud-native identity security platform focused on helping enterprises manage and secure access across users, applications, data, and increasingly AI systems. Its flagship offering, the Identity Cloud, provides unified identity governance and administration (IGA), privileged access management, and application access governance within a single platform, enabling organizations to enforce security, compliance, and Zero Trust principles at scale. The platform uses AI to automate access decisions, monitor risks, and govern not just human users but also non-human identities such as service accounts and AI agents, reflecting the growing complexity of modern enterprise environments. By consolidating identity security into a single control layer, Saviynt aims to reduce operational overhead while improving visibility and compliance across cloud, hybrid, and on-premise systems.

You’ve spent over a decade at Saviynt helping scale the company from its early cloud focus to a global identity security platform, how has that journey shaped your view of identity as the foundation for securing AI-driven enterprises?

When I joined Saviynt, identity wasn’t something most boards or CEOs talked about. It was often seen as provisioning accounts and running certifications. Over the years, as companies moved to the cloud and SaaS exploded, identity quietly became the layer that connected everything: people, applications, infrastructure, and data.

Being part of that journey changed my perspective. I started to see identity not as a product category, but as the control layer for how work actually gets done in a company. Every access decision, every approval, every automated process — it all comes back to identity.

Now with AI, we’re seeing the same shift again. AI agents are essentially digital workers that can act on behalf of humans or businesses. If you don’t give them identities, ownership, and governance, you end up with automation without accountability. That’s why I believe identity will be the foundation for securing AI-driven enterprises. Identity is what brings accountability, governance, and control to autonomous systems.

Saviynt is launching a dedicated identity control plane for AI agents, from a corporate perspective what gap in today’s identity and security architectures drove this decision?

Current identity and security tools were not designed for autonomous actors. They were designed for employees and applications, not for software entities that can make decisions, take actions, and operate independently.

Most identity systems today are very good at answering Who are you?” and “What access were you given?” But in the world of AI agents, the more important question becomes “What are you doing right now, and should you be doing it?

There was also a governance gap. Companies are starting to deploy hundreds or thousands of agents across platforms like Copilot, Vertex AI and Bedrock, but many organizations don’t know how many agents they have, who owns them, what data they can access, or what happens if the owner leaves the company. It creates more than just a security problem. It’s a governance and accountability problem.

That’s really what led us to the idea of an identity control plane for AI agents: a centralized way to discover, govern, control, and audit AI identities across their entire lifecycle and their runtime actions.

How does managing autonomous AI agents differ from governing traditional non-human identities like service accounts or bots?

Managing AI agents is very different from governing traditional non-human identities (NHIs) because those identities are typically deterministic and predictable. A service account runs a specific job. A bot performs a defined task. Their behavior doesn’t really change unless someone modifies the code.

AI agents are different because they are autonomous, adaptive, and goal-driven. They don’t just execute a fixed script. These agents decide how to complete a task, which tools to use, which data to access, and sometimes even with which other agents to collaborate. Their behavior can evolve over time as models, prompts, or integrations change.

That means provisioning access once and reviewing it every quarter isn’t a sustainable governance model. You need continuous governance, including discovery, ownership, lifecycle management, and most importantly, runtime controls to evaluate what the agent is doing in the moment.

The shift is this: with traditional NHIs, you govern access. With AI agents, you have to govern behavior and actions in real time. Authorization does not imply appropriateness. AI security will be built on that idea.

As enterprises adopt tools like Amazon Bedrock, Google Vertex AI, and Microsoft Copilot Studio, how important is unified visibility across these environments?

You cannot protect what you cannot see. 

Unified visibility across platforms like Amazon Bedrock, Google Vertex AI, and Microsoft Copilot Studio is extremely important, and honestly, it’s where most organizations are struggling right now. AI adoption is happening very quickly, and it’s happening across multiple platforms at the same time. 

One business unit or team might be building agents in Copilot Studio, another team is experimenting with Bedrock, and another group is using Vertex AI. Very quickly, you end up with AI agents spread across the enterprise with no central inventory.

The first challenge companies face is very simple: they don’t actually know how many AI agents they have, where they are running, what data they can access, or who owns them. Without visibility, you can’t govern, and if you can’t govern, you definitely can’t secure.

Unified visibility becomes the foundation. Before lifecycle governance, before runtime controls, before policies, the first step is discovery and inventory across all AI platforms. In the AI world, visibility is an operational, security, and governance requirement.

What does the full lifecycle of an AI agent look like from an identity and governance perspective, from creation to decommissioning?

I like to explain the lifecycle of an AI agent the same way we explain the lifecycle of an employee.

First, the agent is created and onboarded. Someone (a developer, vibe coder or business analyst) builds an agent in Bedrock or Copilot Studio. At that point, we should ask basic identity questions: Who owns this agent? What is its job? What systems does it need to access?

Then the agent starts working. It accesses systems, reads or writes data via APIs, tool calls, triggers workflows, and maybe even talks to other agents. During this phase, we need to continuously monitor what it’s doing and make sure it stays within its intended purpose and permissions. Monitoring and understanding intent is the most important aspect of this, which is not yet well understood by organizations.

Over time, the agent changes. Maybe we add new tools, update the model, expand its access, or change its role. That’s similar to a mover event for a human identity and it needs governance and approvals.

And finally, when the agent is no longer needed, it should be retired — access revoked, credentials removed, integrations shut down, and audit logs preserved.

In simple terms, the lifecycle is:Create → assign owner and purpose → grant least-privilege access → monitor and govern → manage changes → retire cleanly.

How should organizations think about securing agent-to-agent interactions as AI systems begin to operate and collaborate independently?

I think agent-to-agent interactions will become one of the biggest security challenges in the next few years.

Today, we mostly worry about whether a human should have access to a system. In the future, we’re going to have thousands of agents talking to other agents, triggering workflows, accessing data, and making decisions without a human in the loop.

The risk is not just what one agent can do, but what multiple agents can do together. You can end up with situations where no single agent has too much access, but when they collaborate, they can perform very powerful actions. 

Organizations must consider a few things:

  • Every agent must have a unique identity.
  • Design-time security controls are not sufficient. Run-time guardrails are imperative. 
  • Agent-to-agent calls must be authenticated.
  • Actions must be authorized in real time.
  • Delegation must be scoped and time-bound.
  • Everything must be logged for audit.

In many ways, we’re moving to a very different security model: from managing human access to managing machine collaboration at unprecedented scale.

What are the most immediate risks companies face today when deploying AI agents without proper identity governance in place?

The biggest risk right now isn’t some futuristic AI takeover scenario. It’s much more basic, and it’s already happening in most organizations experimenting with AI agents. Companies are creating agents everywhere, but they don’t have a centralized way to track them, govern them, or manage what they can access. 

Adoption has been the priority so far, and that’s understandable. Every new technology goes through that phase, but security and governance need to catch up quickly.

If not, enterprises risk agents without clear owners and with too much data. These agents may leak sensitive information and continue running after the project ends– all without a clear audit trail.

We’ve seen this before with service accounts and cloud resources. First comes adoption, then sprawl, then security and governance problems. AI is following the same pattern, just much faster and with more autonomy and agency. 

Without identity governance, AI agents basically become unmanaged privileged identities. That’s risky for any organization. That is not innovation, but rather additional institutional risk. 

How is the rise of AI agents reshaping the definition of identity within enterprise systems?

I think the definition of identity inside enterprises is expanding in a big way. It used to be mostly employees, then it expanded to external identities with an explosion of supply chain workers, remote workers, etc. The pandemic accelerated it even more as we started managing service accounts and bots as non-human identities. Now, AI agents are taking it one step further.

AI agents are not just accounts or scripts. They make decisions, access systems, generate content, trigger workflows, and collaborate with other agents. They touch your data, make decisions and change outcomes. They start to behave more like digital workers than like software accounts.

That means identity is now about more than simply who can log in. It’s about who or what is acting inside the enterprise, what they are allowed to do, who owns them, and how we track and govern their actions.

Identity is evolving from something that represents a user to something that represents any actor — human or machine — that can take action and change outcomes inside an organization.

When evaluating founders or teams building in AI security or identity, what signals indicate they truly understand the complexity of this space?

The ones who truly understand this space don’t lead with the technology. They lead with the problem. They can articulate not just what they’re building, but why the current approach is broken and who’s losing sleep over it.

The tell for me is specificity. Anyone can say “AI introduces new identity risks.” But can they walk you through exactly how an OAuth token gets misused in an agentic workflow? Do they understand why non-human identities are fundamentally different from human ones, not just in volume, but in behavior, lifecycle, and blast radius?

I also pay attention to how they talk about customers. The best founders in this space have usually lived the pain themselves as a CISO, an architect, a compliance lead, or they’ve spent so much time with practitioners that they can almost finish their sentences. They’re not selling a category. They’re solving a specific, gnarly problem they genuinely couldn’t stop thinking about.

And then there’s regulatory and ecosystem fluency. Identity and AI security don’t exist in a vacuum. The founders I’m most impressed by understand how their product sits inside a broader compliance posture — NIST, SOC 2, emerging AI governance frameworks — and they’ve thought hard about where they plug into the stack versus where they own it.

For me, the red flags are teams that are simply chasing the AI narrative. They can describe the market beautifully, but when you push for specific details, the narrative weakens. 

Do you see identity becoming the primary control layer for AI systems in the same way network security once defined enterprise boundaries, and how should security teams prepare for that shift?

Yes, and I think we’re closer to that inflection point than most security teams realize.

The network perimeter made sense when assets were physical, such as servers in a data center, employees in an office, or traffic at the edge. But cloud dissolved that boundary, and we relied on identity to fill the gap. Zero trust wasn’t just a marketing term; it was an acknowledgment that the perimeter was gone and that identity matters more than ever.  

AI agents are about to impact identity in the same way the cloud did to the network. These systems access resources, make decisions, invoke APIs, chain actions across tools and platforms, and do all of this autonomously at machine speed. The question of “is this allowed?” can no longer be answered at the firewall. It has to be answered at the identity layer, in real time, with full context of what the agent is trying to do and why.

Identity becomes the control plane. But it’s a fundamentally harder version of identity than what we’ve built before. It’s not just authentication. It’s authorization that’s aware of intent, context, and the chain of actions an agent has already taken. That’s a different problem than issuing a certificate or rotating a credential.

For security teams, the preparation starts with a mindset shift. Stop thinking of AI systems as applications to be secured at the perimeter and start thinking of them as principals — entities with identities, with privileges, with a lifecycle that needs to be managed end to end. Who provisioned this agent? What is it allowed to do? Who’s accountable when it does something unexpected?

The teams that get ahead of this won’t be the ones who bolt on AI security as an afterthought. They’ll be the ones who extend their identity governance posture to cover NHIs and AI Agents before those identities are the ones making consequential decisions.

Thank you for the great interview, readers who wish to learn more should visit Saviynt.

mm

Antoine is a visionary leader and founding partner of Unite.AI, driven by an unwavering passion for shaping and promoting the future of AI and robotics. A serial entrepreneur, he believes that AI will be as disruptive to society as electricity, and is often caught raving about the potential of disruptive technologies and AGI.

As a futurist, he is dedicated to exploring how these innovations will shape our world. In addition, he is the founder of Securities.io, a platform focused on investing in cutting-edge technologies that are redefining the future and reshaping entire sectors.