‘AI security is not just about cyber attacks, it’s also about how data is used’

Startup founders often prioritise speed, growth, and innovation — and assume security can come later. That assumption no longer holds. Artificial Intelligence (AI)-driven attacks, stricter data protection laws, and growing user trust expectations mean cybersecurity is now a core business responsibility, not a technical afterthought.

In this interview, Akshay Garkel, partner & leader at Grant Thornton Bharat LLP shares insights for founders navigating AI, cloud infrastructure, and India’s Digital Personal Data Protection Act, 2023 (DPDP) — cutting through hype to focus on fundamentals that truly protect companies, data, and trust.

We began with the idea that the next cyber attacker may not be human, but AI-driven. Are we creating the most advanced attacker ourselves?

Akshay: The most advanced attacker already exists. What has changed is that attacks are no longer limited by human effort or time. AI allows attackers to automate, observe patterns, and scale continuously. Attacks don’t get tired. That’s the real shift. If attackers are operating at machine speed, defence also has to move to machine speed. Human-only monitoring cannot keep up anymore.

What do startups usually underestimate when it comes to cybersecurity?

Akshay: Most companies underestimate the basics. Everyone talks about advanced tools, but breaches still happen because of weak configurations, poor access control, unpatched systems, and bad password practices. Security should be part of how systems are designed from the beginning. You cannot bolt it on later and expect it to work.

In a cloud-first, API-driven world, does the idea of a security perimeter still exist?

Akshay: The perimeter has expanded. It’s no longer just the organisation’s internal network. It includes endpoints, APIs, vendors, partners, and customers. Many breaches today don’t happen inside the core system but through third-party integrations. If you don’t understand your third-party risk, you don’t understand your security posture.

What does digital trust really mean today, especially with deepfakes and synthetic identities becoming common?

Akshay: Digital trust means users believe that their identity, data, and transactions are protected. It’s about confidentiality, integrity, privacy, and transparency. Whether it’s banking, UPI, Aadhaar-based services, or DigiYatra, trust is built when systems authenticate users securely and protect their data consistently. Once that trust is broken, users hesitate to engage digitally.

How should startups and growing companies approach India’s Digital Personal Data Protection (DPDP) Act?

Akshay: The first step is understanding what personal data you collect, where it is stored, and how it moves through your systems. Many organisations don’t even know this. Data often starts on paper, gets scanned, and then enters digital systems without proper controls. DPDP forces companies to take responsibility. If you design privacy and consent mechanisms early, compliance becomes much easier.

Do consumer-facing and D2C startups face the same risks and responsibilities?

Akshay: Absolutely. Even small D2C businesses collect names, phone numbers, addresses, and payment information. If that data leaks, it can be misused for scams and fraud. Scale does not reduce responsibility. If you collect personal data, you are accountable for protecting it.

How should organisations think about securing AI models and training data?

Akshay: AI security is not just about cyber attacks. It’s also about how data is used. If you train models on personal or sensitive data without proper consent, you can violate data protection laws. Public models are careful about this, but private models built casually can cross legal and ethical lines. Governance around AI is critical.

There’s a lot of AI hype. What are founders and investors missing?

Akshay: The biggest risk is careless data usage. Under DPDP, penalties can go up to ₹250 crore. AI cannot be treated as a toy. Investors should ask whether startups understand compliance, governance, and long-term responsibility. AI should solve real problems, not exist just for marketing.

Does the future require more automation or more human oversight in cybersecurity?

Akshay: Both. Automation is necessary for speed and scale, but humans are still needed for context and decision-making. The goal is not to remove people, but to allow them to focus on strategy instead of repetitive monitoring.

How careful should leaders be when using tools like Copilot or Gemini?

Akshay: Leaders should be disciplined. Don’t overshare sensitive information. Understand where data goes and how it’s stored. AI should support thinking, not replace judgment.