Indian Firms Unprepared for Insider Risks in AI Era, Warns Protiviti–Microsoft Report
New Delhi, 12 September, 2025: With AI adoption accelerating, Indian enterprises urgently need to strengthen their Insider Risk Management (IRM) programs, says a new whitepaper jointly released by Protiviti and Microsoft. BFSI, Healthcare & Life Sciences and IT/ITeS emerge as key at-risk sectors according to the paper, given their heavy reliance on customer data, intellectual property, and third-party vendors.
The paper, “Safeguarding From Within: Insider Risk Management in India”, finds that insider risk management in India remains a major concern for organizations, with few having established enterprise-wide frameworks. These findings are based on an in-depth joint study conducted by Protiviti and Microsoft Engineering teams, which interviewed senior leaders from Indian enterprises spanning banking and financial services (BFSI), healthcare, pharmaceuticals, FMCG, airlines, technology and other sectors.
While AI and GenAI offer productivity and innovation benefits for all enterprises, the paper emphasizes the dual challenge of enabling these technologies responsibly while safeguarding their sensitive data and intellectual property, particularly in the context of regulators like Reserve Bank of India (RBI) tightening scrutiny on financial data handling and the Digital Personal Data Protection (DPDP) Act coming into force.
“Insider risk management is no longer discretionary; it is a regulatory imperative for a majority of Indian enterprises, with frameworks such as the Digital Personal Data Protection Act (DPDPA) 2023 and sectoral mandates from SEBI, RBI, IRDAI and the Telecommunication Act. Further, effective IRM is also foundational to customer trust, particularly in industries where data sensitivity is paramount. These organizations are therefore expected to demonstrate robust internal controls in line with the recommended roadmap presented in this whitepaper,” said Sandeep Gupta, Managing Director, Protiviti Member Firm for India.
“Nothing erodes trust faster than insider risk. We need to address it with board ownership, transparent processes, and privacy-first, signal-driven technology that surfaces risky behavior—and makes trust measurable,” said Vaibhav Koul, Managing Director, Protiviti Member Firm for India.
The whitepaper notes that, according to Microsoft’s Security Insights, 63% of data breaches have been found to involve an insider in some capacity, while another recent global survey found that 84% of organizations believe they need to do more to protect against risky employee use of AI.
“Proactive IRM offers a structured approach to safeguarding sensitive data, supporting compliance efforts, and building trust. By considering the strategies and recommendations outlined in this whitepaper, Indian enterprises can better manage insider risks while continuing to innovate in an AI-driven landscape,” said Anand Jethalia, Country Head – Cybersecurity at Microsoft.
“Customers, regulators, and investors don’t buy promises; they demand evidence of compliance and control. Under India’s DPDP Act, trust must be demonstrated through accountable practices. By embedding Insider Risk Management across people, processes, and technology—leveraging platforms like Microsoft Purview to translate policy into enforceable action—Indian enterprises can reduce legal exposure, protect brand reputation, and turn compliance into a measurable competitive advantage,” said Ashish Adhikari, Principal Product Manager at Microsoft.
The paper recommends and describes in detail the key components of a mature insider risk program for Indian enterprises. These include establishing clear ownership through cross-functional committees and accountable leadership, classifying insider risks, and prioritizing enhanced monitoring and protection controls for high-value data assets.
Data assets such as UPSI, intellectual property, and patient records require stronger safeguards, with policies aligned to SEBI’s PIT regulations, the Digital Personal Data Protection Act (DPDPA) 2023, and sectoral mandates from RBI and IRDAI. The paper further highlights the importance of building technical controls like role-based access controls, insider-specific incident response playbooks, and role-focused training for high-risk functions like finance, legal, and R&D.
The “Safeguarding From Within: Insider Risk Management in India” whitepaper serves as a wake-up call for Indian enterprises. With insider incidents accounting for the majority of breaches and AI introducing new risk dimensions, reactive measures are no longer sufficient. Embedding IRM as a board-level priority with clear accountability and cross-functional ownership is essential. While strategy and governance come first, technology matters too: platforms such as Microsoft Purview Insider Risk Management help operationalize policy through detections, out-of-the-box policy templates, privacy-preserving investigations, case workflows, and audit-ready reporting. Organizations that act now can mitigate costly breaches, ensure compliance, and build digital trust with customers, regulators, and investors. In India’s rapidly evolving digital economy, proactive insider risk management is fundamental to sustainable success.