Key Points
- Veeam CEO says agentic AI is forcing enterprises to rethink data protection and cyber resilience
- Sean Cairncross, U.S. National Cyber Director says cybersecurity now requires stronger private sector collaboration and faster recovery capabilities nationally
- Veeam positions Securiti AI acquisition as foundation for unified data and AI trust platform strategy
NEW YORK — Veeam Software Chief Executive Officer Anand Eswaran said the rapid spread of agentic AI inside enterprises has rendered traditional security architectures obsolete, and that organisations now need to enforce controls at the data layer rather than at the level of individual users or applications.
Speaking at the company’s annual VeeamON 2026 conference in New York, Eswaran said autonomous AI agents are now accessing systems of record, reading unstructured data and taking action faster than human-led security workflows were designed to govern. “Every legacy security model was designed on one principle and one assumption: that the actor was human,” he said. “That assumption has fundamentally broken.”
He said non-human identities — a category that includes service accounts, API keys, bots and AI agents — now outnumber human employees by an average of 82 to one inside an enterprise, translating to more than 250,000 such identities in a mid-sized firm. He cited research indicating that 81 per cent of enterprises are already running AI agents in production, and that roughly 97 per cent of those agents operate with what security teams would consider excessive privileges.
Broken Perimeter
The implication, Eswaran said, is that the perimeter that zero-trust frameworks were designed to defend has effectively collapsed. “Zero trust was built for humans. It assumed that humans were the actors,” he said. “Today, agents bring AI directly to your data. You must open the perimeter to let AI work. So the perimeter did not just move; it completely collapsed.”
Eswaran said the operational risk is no longer limited to malicious attack. He cited two incidents that have circulated in developer communities in recent months: an AI coding agent at a software firm that deleted a production database and its backups in nine seconds, and an Amazon AI agent called Kiro that he said autonomously deleted and recreated an AWS environment in mainland China, causing a 13-hour outage and 6.3 million lost orders. “Neither of these was malicious,” he said. “These were autonomous systems acting with incomplete context.”
He added that 47 per cent of decision-makers in industry surveys have already acted on AI-generated content that turned out to be hallucinated. “The new failure is not just a breach. It is a wrong decision executed at machine speed before anyone notices,” he said.
Veeam, historically known for backup and recovery software, is using the shift to reposition itself around what it is calling “data and AI trust.” Eswaran said the company’s $1.725 billion acquisition of Securiti AI, completed in December 2025, was intended to combine data resilience with data security posture management, privacy, governance and AI trust capabilities into a single platform.
Eswaran argued that the broader AI industry has built out infrastructure, models, data platforms and applications without addressing how enterprises can trust the data feeding those systems. “Between models and data, there is a massive gap. There is a missing layer — the layer and infrastructure needed to trust AI,” he said.
In his keynote, Eswaran outlined four requirements for that layer: granular understanding of data at the element level, full context across identity and entitlements, runtime enforcement before agents act, and precision remediation when something goes wrong. He said traditional restoration approaches are inadequate in an AI-driven environment because the damage may be limited to a few seconds of agent activity that needs to be reversed without rolling back entire systems.
“When things go wrong, you cannot recover to the last known safe state from three days ago. That is going to kill your business,” he said. “You must be able to undo just those five seconds of agent action.”
Veeam said its platform brings five domains — security, governance, compliance, privacy and resilience — into a single intelligence layer that it is calling the Data and AI Command Graph, with more than 300 connectors across enterprise environments. Eswaran said these domains are still commonly delivered through separate vendors and dashboards, creating fragmented views of enterprise data.
The company is also tying its pitch to mounting regulatory pressure on AI. Eswaran referred to the EU AI Act, DORA, GDPR, HIPAA, the NIST AI Risk Management Framework and what he said were 18 new state-level AI laws passed in the United States over the past 12 months. He said enterprises increasingly need auditable evidence of what data AI systems accessed, when, and under what consent.
Washington Weighs In
The policy dimension was reinforced in a fireside chat with Sean Cairncross, the U.S. National Cyber Director, who said cybersecurity now requires closer coordination between government and the private sector because companies operate the infrastructure that citizens and businesses depend on.
Cairncross said the Trump administration’s cyber strategy, released on March 6, 2026, marked a shift away from a purely defensive posture toward one that also seeks to impose consequences on cybercriminals and hostile state actors. “For so long, cyber was not recognised as its own domain. It was always adjacent to something else,” he said, adding that “defence alone is not enough.”
He said the cost-benefit equation has long favoured attackers and that the administration was working to change those incentives. A March 2026 executive order designated ransomware operators and scam-centre networks as transnational criminal organisations, allowing what Cairncross described as more coordinated interagency action against them.
Cairncross also acknowledged a long-standing complaint from corporate security leaders: that breached companies often face regulatory penalties on top of the attack itself, which discourages information sharing. “It cannot be the case that a company gets hit by the Chinese or the Russians, and then turns around and gets hit by the U.S. government on some kind of checklist issue,” he said. “That is not going to work.”
He said the administration was pushing for a long-term reauthorisation of the Cybersecurity Information Sharing Act of 2015, ideally for ten years, to provide the liability and antitrust protections that allow firms to share threat intelligence with the federal government. The current authorisation has been a recurring point of contention in Congress.
On AI, Cairncross said the existing cybersecurity model could not operate at the speed agentic AI requires. “The cybersecurity paradigm that has existed to date, which is not able to move and identify at the speed and scale that agentic AI will make available, is passing into the rear-view mirror,” he said.
He said AI also introduces new risks that require controls at multiple layers, including data, model training, runtime systems and supply chains. “If you cannot trust the data, then it is garbage in, garbage out,” he said.
Cairncross was sharper on the question of supply-chain origin, an issue that has animated transatlantic debates over so-called sovereign AI. He said the United States and Chinese technology stacks should not be treated as equivalent. “The U.S. does not pipe its PII to Washington, D.C. The Chinese tech stack does,” he said. The U.S. or allied stack may carry a higher up-front cost, he said, “but it does not carry the back-end bill that the cheaper stuff has.”
He said the administration was not seeking to build a regulatory body that would certify AI models, arguing that would slow innovation. “We are not looking to build some kind of bureaucracy that sits on top and certifies models. That would move in the wrong direction and harm innovation. We are looking to accelerate it,” he said.
Veeam repositioning
For Veeam, the announcements at VeeamON represent a strategic expansion beyond its historical backup and recovery base. Eswaran said the company now protects more than 550,000 customers across more than 150 countries, including 80 per cent of the Fortune 500, with annual recurring revenue above $2 billion. The company is the market leader in data replication and protection software, according to IDC’s most recent worldwide market share rankings.
The repositioning places Veeam in an increasingly crowded segment that includes Microsoft Purview, Palo Alto Networks, Cyera, BigID and Varonis, alongside native offerings from the major cloud providers. Securiti, which Veeam acquired, had topped GigaOm’s recent report on data security posture management before the transaction closed.
Eswaran said recovery remains central to Veeam’s identity but argued that its definition is changing. In the agentic AI era, he said, the question is not only whether data can be restored, but whether enterprises can understand the context of what changed, who or what changed it, and how precisely the damage can be reversed.
“Resilience, cybersecurity and where agentic AI innovation is going are no longer just IT or technology conversations,” he said. “Trust, recovery and continuity are now economic and national policy issues.”
Your Questions, Answered
Why does Veeam say legacy security models are broken?
Veeam CEO Anand Eswaran said traditional security models were designed assuming the actor was human. AI agents now access systems, read data and trigger actions without human-led workflows, breaking this fundamental assumption.
What did Veeam acquire to address AI trust challenges?
Veeam completed a $1.725 billion acquisition of Securiti AI in December 2025 to combine data resilience with data security posture management, privacy, governance and AI trust capabilities.
What are the four requirements Veeam identifies for AI governance?
Eswaran identified granular understanding of data, full context across identity and entitlements, runtime enforcement before agents act, and precision remediation when something goes wrong.
How does recovery change in an AI-driven environment?
Traditional system rollbacks are insufficient. Companies may need to undo specific actions taken by an AI agent — potentially just seconds of agent activity — rather than restoring to a previous system state from days earlier.
