How Leading CTOs and CISOs Define Data Resilience in the AI Era

In today’s digital economy, the role of data has evolved from being a means to an end to being the end itself. However, in the current race by businesses to leverage the power of AI within their products, platforms and processes, the data that is the force multiplier in this process has never been so vulnerable as it is today. 

The amount of global data creation is likely to surpass 181 zettabytes and most enterprise data is now distributed across Multi-cloud and Hybrid environments. Meanwhile, cyber threats are becoming more complex, regulations are becoming more stringent in different regions and there are relatively new risk types being introduced by AI systems too. Against this background, a very fundamental question arises for technology executives: 

"What exactly is meant by "true data resilience" in the context of the AI-driven era?" 

This was the focus of the closed-roundtable discussion titled “The CXO Playbook for Data Resilience: Protecting Data, AI and Innovation. This was organised by the Commvault in partnership with YourStory. The closed-roundtable discussion featured the participation of the most influential technology organisations in India through the presence of their top CTOs, CISOs and head engineers. 

Instead, what evolved was a complex, experience-based definition of resilience—one which went well beyond back-ups and recoveries and into such diverse areas as governance, culture, architecture and accountability. 

Data Resilience No Longer Relates to Recovery 

For so long, resilience has been synonymous with disaster recovery or the ability to recover after a disaster. But in this new world involving AI, that definition has become hazardous. 

Today’s business takes place on dozens of SaaS platforms, various cloud vendors, edge devices and AI models, all interwoven and constantly evolving. A single breach, model misstep or compliance incident can ripple through business units, customers and regulators in matter of hours. 

As one of the CXOs said during the roundtable, “If a button existed that would restore it all back to normal in an instant, everyone would push that button. Real resilience is about preparing for when that button is not there.” 

In other words, the concept of “resilience” in the modern world no longer means only “bouncing back,” but rather “withstand, adapt and remain responsible even in the face of failure.” 

Data Quality: The Non-Negotiable Foundation of AI Resilience 

However, one topic that was prevalent in the first part of the conversation was: AI systems are only as good as the data they consume 

As per a report by Gartner, low-quality data hampers the performance of analytics and AI by costing organisations close to 12.9 million dollars every year. In the case of a company using an AI-driven compliance engine or a massive automation system, the consequences are more severe. 

In some cases, participants spoke of environments that process billions of records on matters such as invoices, taxes and identity records annually. In such scenarios, data quality can never remain an after process. It has to be integrated into the process. 

These included the following key practices: 

• Automated validation checks at ingestion, transformation and output points 

• Strict refresh cycles to eliminate model drift and outdated decision-making 

• Unlimited monitoring for bias, lack of consistency and anomalous behaviour 

One of the leaders explained that having outdated information is a performance consideration but it is also a matter of governance risk because models that use such information to make any kind of decisions can result in something that is harmful, unethical or even illegal. 

Laissez-Faire Access Controls for AI are a Grave Risk 

One of the most enlightening points of the roundtable discussion was the acknowledgment that conventional role-based access control (RBAC) models are not adequate in the context of the AI First era. 

Where human actors are facilitated through roles, permissions and approval hierarchy restrictions, by contrast, AI agents can potentially access and interconnect data over vastly larger domains if not properly monitored. This poses a silent danger, especially within organisations that manage multi-tenant data. 

This was aptly described by one of our participants: “If humans require access controls, AI systems require access controls even further.” 

This has led to the incorporation of the following in today’s top organizations by the 

• Row-level and column-level data permissions 

• Granular access control policies pertinent to AI-related tasks 

• Data segregation by customers, geographic locations and regulatory environments 

So, for start-ups and scale-ups that work with multiple businesses, these best practices are no longer nice-to-haves but requirements for trust, compliance and success. 

End-to-End Data Protection Across the AI Lifecycle 

For true data resiliency, there must be “defence in depth” from the point of creation and ingestion of the data, all the way to deletion. 

CXOs spoke about multi-layered protective approaches, which include: 

• Encryption and masking of sensitive data 

• Secure, Immutable Backups and Air-Gapped Storage 

• Network isolation and identity hardening layers 
  

Continuous monitoring and anomaly detection 

There are also increasing regulatory expectations. Leaders mentioned an upcoming governance and audit requirement for AI that must be complied with by the Reserve Bank of India, where they will scrutinize not only the storage of the data but the way AI models access, process and use the information. 

To limit their exposure, organizations are: 

• The isolation of LLM training environments from the open internet 

• Limitation of AI tasks within managed virtual desk infrastructures (VDIs) 

• The need for performing human-in-the-loop verification for high-risk processes like KYC, Identity Onboarding etc. 

“You can't show me data I don't understand,” said one CSO, “and I am accountable for what happens in the world because of it.” Today, explainability, accountability and auditability are finally basic building blocks for resilience, not nice-to-haves. 

Scaling AI, With Guard Rails 

The roundtable brought out how integrated AI is in Indian organisations today: 

• EdTech companies undertaking more than 100,000 AI-powered mock interviews 

• Recruitment and HR departments leveraging AI to authenticate documents and identify fraud in lakh plus recruitment per quarter 

FinTech firms that do the following are creating a huge opportunity for innovators in this industry: 

• Automated regulatory compliance and 

Nonetheless, in each instance, the tone was on guardrails, not speed. 

AI systems were deliberately kept under control within a secure environment and with the oversight of human judgment on high-impact tasks. There was a clear message that: “Scale without control is not innovation—it is liability.” 

The Threat Landscape That Learns and Adapts 

Arguably, the most compelling aspect of the conversation was the continuously changing threat posed by cyberspace. 

Cyber security experts warned that the attackers have now begun utilising AI in crafting polymorphic, self-propagating attack patterns that change every time as they adapt to evolving situations in real time. Such attacks will render traditional cybersecurity measures useless. In such an environment, rule-based approaches and audits are no longer sufficient. “AI threats require AI defence.” This means there must be AI defence systems that learn and adapt to threats in real-time. This has dramatic implications for CISOs. Security is no longer solely about prevention; it is about anticipation, detection and rapid containment even for unknown types of threats. 

Resilience as a Cultural and Organizational Mindset 

Apart from technology, among the most robust messages that emerged during the roundtable discussion is that "resilience is ultimately a human and organisational challenge." 

The key players are focusing on investing in: 

• Cybersecurity-awareness programmes on a constant basis 

• Incident simulations and tabletop exercises 

• Post-incident analyses that concentrate on learning, rather than fault finding 

• More control concerning the identity providers and layers of connectivity 

As AI models began to interact increasingly with users—sometimes through publicly accessible models—the obligations to protect users escalated exponentially. The importance of resilience being extended to user trust and ethical prowess was emphasised. 

Compliance in a World of Distributed Data 

For big businesses reaching out to different regions and cloud systems, one of the most challenging aspects of resilience has become compliance. 

Even if a deletion process from the production system itself proves to be easy, the following would have to be ensured: 

• Backups 

• Copies 

• Archival repositories 

• Disaster recovery environments 

This is far more challenging. It remains very relevant in the context of the Indian DPDP Act, which defines the ‘Right to Forget’ and imposes very stringent obligations on organisations to monitor and delete personal data held in the entire data estate. 

Commvault tackled this issue with the explanation that the "modern data resilience platform has to sit closest to the data itself" and index where every fragment of the data is. This is because, without this visibility, "compliance becomes a guessing game—and a regulatory risk." 

Intelligent Storage and The Economics of Resilience 

Another key insight that came out of this series of conversations was the shifting nature of the economics of data protection. 

Today, with the exponential growth in the quantity of unstructured information, the traditional method of having multiple full copies and/or snapshots is simply no longer feasible. Not only would it be costly, but it could also be dangerous. 

Redundancy has no use against ransomware infections in scenarios where the infection spreads to all instances of the document or media. 

Consequently, the forward-thinking organizations are adopting: 

• In-depth deduplication and compression 

• Tiered storage and smart retrieval systems 

• Air-gapped backups: These backups are not connected to any active environments 
  

One of the most potent reframings that occurred during this discussion is that additional copies do not add to safety. This is not true; safe, isolated and recoverable copies do. 

Information Technology Worries Become Boardroom Issues Perhaps the most significant lesson to be gleaned from the roundtable at the CXO level is certainly the fact that data resilience has entered the boardroom in a big way. The challenge that every CXO must focus on today is: “What is the true cost of downtime to our business?” But once this number is well understood, taking into account the lost revenue, fines, reputational capital and trust, then resilience is no longer just a cost but a strategic investment. The Indian engineering teams at Commvault stressed the importance of their continuous cooperation with customers to enhance the speed, reliability and preparedness levels of their recoveries. As stated by one panel member, “If there’s a situation that we have not addressed so far, then we would certainly like to know about that. Our role is to ensure that each and every recovery is quicker, smarter and stronger.”  

Redefining Resilience for the AI Era The age of AI has changed the very notion of data protection and management. Resilience is no longer based upon reacting to failure — it is now based upon designing systems, cultures and controls that plan for disruption and make intelligent responses to those disruptions. From data quality and access to explainable AI, intelligent storage solutions and regulatory requirements to the role of the CISO, the best CTOs and CISOs are rethinking the art of resilience as a holistic enterprise-wide practice. This is a world where innovation is data-driven, where the speed of failure is machine-like and where real resilience is not about reacting. It is all about being competent so that organisations can innovate, perform well and build sustained trust within the intelligent digital world.  Our Directors’ Institute - World Council of Directors can help you accelerate your board journey by training you on your roles and responsibilities to be carried out efficiently, helping you make a significant contribution to the board and raise corporate governance standards within the organisation.