Cyber Resilience & Recovery
Making ResOps Real: AI, Ransomware, Identity & Resilience
In this power-packed partner panel from Commvault SHIFT 2025, leaders from HPE, Kyndryl, CrowdStrike, and Commvault discuss AI resilience, the collision of AI and ransomware, identity-driven threats, and how ResOps is unifying security, recovery, and operations.
About This Session
Industry leaders from HPE Storage, Kyndryl, CrowdStrike, and Commvault emphasized the need for strong AI guardrails as enterprise adoption accelerates, noting that AI readiness often lags behind innovation. Patrick Osborne of HPE highlighted how organizations can strengthen AI resilience by establishing governance frameworks early and ensuring that AI technologies evolve responsibly across enterprise environments.
To maintain safe, governable, and transparent AI operations, HPE established an AI executive committee that brings together cross-functional leaders (legal, cybersecurity, HR, product teams, and more), ensuring broad oversight and organizational education. This multidisciplinary approach helps align innovation with compliance, risk mitigation, and responsible data usage across the enterprise.
Panelists underscored key considerations for responsible AI adoption, including model origin, model hosting, tuning practices, and the importance of data provenance, as enterprises must ensure clean, trusted, and well-governed data to avoid operational and security risks. HPE’s partnership with Commvault was cited as an example of strengthening AI resilience by protecting applications and infrastructure through trusted, unified data operations.
Key Takeaways
- AI is accelerating opportunity—and threat vectors. Attackers are using AI for reconnaissance, deepfakes, identity takeover, and data manipulation.
- Identity is now the #1 attack surface. Up to 80% of breaches originate from compromised identities.
- Regulation is exploding. Post-COVID tech adoption led to rapid global requirements around sovereignty, data protection, and cyber resilience.
- ResOps (Security + Identity + Recovery) is becoming a unified operational discipline, not separate markets.
- Automation is mandatory. Manual detection and recovery can’t keep pace with AI-enabled adversaries.
- Scale is the next challenge. AI and agentic systems produce unprecedented data volume and change velocity.
Frequently Asked Questions
Why do enterprises need guardrails for AI adoption?
Enterprises need guardrails because AI adoption is accelerating faster than most organizations can build governance, security, and resilience frameworks. Without clear policies, cross-functional oversight, and responsible data practices, businesses face increased vulnerability, operational risk, and exposure to AI-enabled threats such as advanced ransomware.
What are the key considerations for deploying AI safely in enterprise environments?
Safe AI deployment requires understanding where AI models originate, how they are hosted or tuned, and the quality and provenance of the data supporting them. Organizations must evaluate governance processes, ensure clean and trustworthy data, and maintain transparency in model behavior. Cross-functional collaboration and continuous education are essential to reducing risk.
How do partnerships like HPE and Commvault support AI resilience?
Partnerships between technology leaders—such as HPE and Commvault—strengthen AI resilience by combining secure infrastructure with trusted data protection and recovery capabilities. Commvault supports HPE by providing clean, reliable data and risk mitigation for AI-driven applications, helping enterprises maintain operational continuity and safeguard customer environments.
Transcript
You have been hearing a lot from Commvault this morning, and I think it’s important for
you to hear from those outside of our company.
And we invited a high-powered partner panel to speak about what’s going on in the broader
marketplace.
So with today’s announcements, we’re going to talk about a bird’s-eye view of what that
can mean in an AI landscape.
So with that said, I want to introduce Patrick Osborne, Senior Vice President, general
manager of cloud data infrastructure at HPE Storage; Kris Lovejoy, global security and
resilience practice leader at Kyndryl; Sean Henry, executive advisor to the CEO and former
CISO at CrowdStrike; and Sanjay Mirchandani, president and CEO of Commvault.
Come on out.
Thank you.
Thank you guys.
a seat.
And the official pretzel delivery boy.
Yes.
Yes.
Thank you.
Thank you.
Thank you.
We’re complaining back there that they didn’t have pretzels.
I dropped a napkin.
Here, have a pretzel.
Unfair.
Red Sox Yankees playoff games.
Fantastic.
Some napkins and full service here.
Okay, let’s jump right in, guys.
Patrick, thank you for joining us in Fidelma’s absence.
Appreciate that.
She had some FAA challenges.
However, I recently read an interview with Fidelma where she talked about the need to lean
into AI but with guardrails.
Will you talk to us about some of the guardrails for enterprises that they should be
striving for for AI resilience today?
Absolutely.
So first off, I just want to say a big thank you to Sanjay and all the Vaulters out there.
We had our 10 year anniversary for HPE last week and our relationship actually predates
that event.
So it’s been a very strong partnership
and a lot of the folks in the room help us build that together.
So thank you very much.
Yeah, so AI and guardrails at HPE, we do a number of things with AI.
We embed it in our products.
We use it all the time.
We’ve been doing it for about a decade.
AI, machine learning.
We also help customers build some of the largest supercomputers in the world that use AI
and GPU acceleration.
So early on, we did a couple of things.
We did an internal and external consortium around
ethical AI, right, which is super important in the early stages.
And as we started to lean in to using AI within HPE and for our products and in service of
our customers, we were doing supply chain optimization, increasing, you know, improving
the customer experience, building things like agentic AI.
We really needed to lean in.
So we created an AI executive committee that pulled in not just product development,
right.
So product developers will always use the new coolest stuff, right.
So this brought in folks from legal, from cyber, from security, from HR, from a number
of different product groups and functions so that we could understand if we’re gonna lean
in, how do we educate ourselves?
What models are you using?
Are you renting that model?
Are you tuning that?
Where is it sitting?
What data are they using of ours?
How can you have provenance over that?
And even within HPE IT, for example, we partner with Commvault as a
partner for our own applications on how we’re gonna go mitigate that.
So it has to be resilient, it has to be responsible.
Where’s that data gonna end up?
It’s a bit of the Wild West, right?
And so bringing all those functions in and leaning in and educating ourselves on how to
use that, because we’re gonna use it.
It’s a fantastic opportunity for all of us, but how do you do that in a way that’s
governable and safe for our customers?
Fantastic.
And your confidence level that
the world’s ready for this?
We will be.
Yeah, exactly.
I mean, we’re using it quite a bit in a number of different functions.
And you hear these stats getting thrown out, you know, some recent studies about 90 or 95
percent of these, you know, initiatives fail.
So it’s really good when you lean in with the cross-functional team to understand what’s
the mission, what are the use cases, right, at the end of the day, and how are you going
to do that responsibly, and how are you going to monitor that and see, take a look at the
outputs and service of, you know, whether it’s cost efficiency, you know, freeing up
people cycles to work
on really impactful work or giving customers a really great experience as you saw from
some of these demos here before, which is great.
Great, thank you.
Sean, yesterday you scared the bejesus out of me when we were speaking and we were
talking about the collision of AI and ransomware.
Will you tell us a little bit about what you’re seeing and how ransomware is being
amplified and how maybe bringing security, identity, and resilience and recovery together
can address this?
Well, first, as a native New Yorker, I appreciate hearing everybody enjoying their
pretzels.
Certainly, look, I think about AI in a lot of different ways.
The technology from a business perspective, from a security perspective is incredibly
valuable.
We’re going to embrace that and utilize that.
There are a lot of guardrails we’ll talk about and have talked about.
There’s a lot more to do.
But the adversaries are using AI for a whole host of issues.
When we talk about scalability, their ability to do reconnaissance, to craft malware based
on identified vulnerabilities on the fly, their ability from a phishing perspective, we’ve
seen adversaries using deepfakes and AI to get hired into companies by using different
identities.
So the kind of the confluence of the virtual world and the physical world.
So that’s an incredible challenge.
And they’re using it to change data.
They’re using many of their capabilities that threaten the integrity of data, which is
why resiliency is so critically important.
The second part of your question, repeat to me one more time.
By bringing together security, recovery.
Sanjay and Pranay and others have talked about identity and we at CrowdStrike said
that…
more than 75 or close to 80% of the breaches that we’ve seen are based specifically on
identities and the adversaries using their capabilities to breach identities.
This whole, when you think about the landscape that we face and it’s disjointed and
fractured and we talked about on-prem and cloud and all of the different identities,
VMs and…
APIs and bots, et cetera, the agentic identities.
It’s incredibly complex and very, very difficult to manage.
What I appreciated hearing this morning from Sanjay and the other speakers was the
response is consistent with standard security practices.
And I’m talking about even before the internet, from a physical security perspective,
there are certain things that are standard and two of the most important are speed and
visibility.
And to think about that, how identities…
are being identified, you have visibility into the totality of your landscape and you’ve
got the speed to detect and respond to those things.
You know, security is not passive, it’s proactive.
Again, it’s being applied.
AI is just a new iteration of the threat landscape.
It doesn’t change how you secure things.
There are some variables to it.
Security is dynamic.
It’s not static.
So I appreciated hearing Sanjay and the other speakers because all of that gives me
confidence in how people are at least thinking about AI and that emerging threat.
And it’s really a comprehensive approach from a security perspective to ensure that we
remain resilient.
Awesome.
Thank you.
Kris, building on Kyndryl’s recent readiness report, which is fantastic if you have not read it
yet.
We’ll certainly make it available in the app for download.
Tell us a little bit, you stated that organizations are re-envisioning resilience in an
increasingly fragmented regulatory landscape.
How do you see this evolving in the world of AI, maybe even intensifying, and how do you
suggest organizations keep up?
So I think regulation is evolving as quickly as AI is.
Just to take a step back, for those of you who are not in the security field, you may
not be thinking about this quite as much as Sean and I do every single day.
But go back a few years.
Why are we seeing so much regulation?
Well, during the COVID period, 90% of the world’s corporations introduced new technology.
And of those, about 60% of them introduced that technology without security control
embedded.
So think about that.
Massive, massive increase in the attack landscape as well as a focus on vendors,
third-party vendors who are supplying us technology, embedding malware into that
technology.
So as a result, you see a lot of ransomware.
And the regulatory authorities who recognize, gee, this is a problem, are getting involved
with regulation.
Why regulation?
Because there’s only three reasons why people buy security controls.
One, they’ve had an incident and they need to repair from it.
Two, a senior executive wakes up in the middle of the night and gets worried about
security or has dinner with somebody who tells them my daughter is in security and scares
the bejesus out of them.
Or third, there’s a regulation.
So we should be not, we shouldn’t be surprised that following COVID and following the
expansion of the attack landscape, we see this profusion of regulation, particularly in
the area of resilience, which is recognizing it’s gotten beyond us.
We cannot protect ourselves against this threat.
We have to be able to take the punch and come back.
Now, when it comes to AI, this is a really touchy subject.
Now, let’s just be realistic.
AI is not new.
We’ve been using AI for a very long time.
What is new is agentic AI.
What is new is how the tools are becoming commercialized and made available to the
attackers, increasing the threat landscape for us, et cetera, et cetera.
What is happening now is very interesting and is happening in two different ways from a
regulatory perspective.
One, a lot of nation states, because of the heightened populism and nationalism, are
worried about their inability to compete effectively internationally because they don’t
have AI.
So what they’re doing, nation states are investing in AI technology industries within
their nation states using open source technology that has not
been adequately tested and they are building industries and critical infrastructure using
these technologies because they feel that they have to compete.
What they’re also doing is they’re creating digital sovereignty and data sovereignty rules
in and around these nation states so that they can protect the data of their citizens as
well as protect that nascent industry that’s being created.
Now what’s happening from an AI perspective
which is really interesting and impacts the resilience question, is you’re now seeing a
balkanization of data and systems.
And anybody who’s in the security field knows the more you have to spend to protect those
systems, the more complexity there is, the harder it becomes for you to actually manage
this infrastructure.
That’s why honestly, Sanjay, I want to say thank you to Commvault for having released what
you did today.
That makes my life easier.
Because we are seeing a, this is data repatriation
at a massive scale.
Most nation states, most industries today are asking us questions, can you build us a data
center?
Can you build us a sovereign cloud?
Can you run these systems here, not there?
And systems that you’re building, I think, are gonna help us all.
If I can add to that, because I think it’s really important when you talk about nation
states and their investments in AI.
I think you also have to look at they’re not just investing from a financial perspective
and R&D perspective, they’re actually looking to steal it, which makes your agentic
environment a huge target and something to have serious consideration about.
That adversaries are absolutely developing protocols and have an aggressive plan to steal
what you’re developing.
Because any new technology with this unbridled enthusiasm around it and you want to get it
out there and you want to try it, you don’t want to be left behind.
I think in the past, security could catch up.
Brunei’s liveware AI adoption in one year has outpaced anything in the history of mankind.
It has to be while you’re deploying it.
It can’t anymore be after you’ve deployed it.
And while tools and technologies and processes are still, like the dust is still settling
on them, we have to get ahead on the methodology, how you keep the stuff safe,
before it becomes a problem, which is what I was hoping to convey earlier today.
Just one last thing, and I do want to come back to the integration of identity, security,
resilience.
The one thing I would say is when you’re thinking about agentic AI, so polymorphic agents,
agents who evolve on their own,
The interesting thing from a regulatory perspective is how do you create rules for digital
workers?
You have to think about them more as people than you think of them as technology assets.
So identity management within this particular, it’s incredibly important.
Yeah, agree, agree.
Sanjay, that was also interesting.
It just made me think, I think the crowd would be interested in hearing, how are you
thinking about ResOps within the walls of Commvault?
Commvault.
I was wondering why you had me up on this panel.
I thought I earned my dollar for the morning.
Well, I you know, I think we have a you know, most tech companies have fairly unique
characteristics as to how they manage their own IT.
It just is I’ve worked for tech companies my whole life and no two tech companies do it
the same way.
Being a CIO or CISO or CTO inside a tech company is a very different job than
being in the non-tech environment, so it begins with making sure our CIO and CISO
are absolutely working together.
And that starts with humans, no agents, just humans.
So we have them here somewhere.
Let me see, raise your hand.
Side by side, in fact.
There you go.
So I’ve got Ha, who’s a CIO, and Bill, who’s our CISO, sitting right there together.
So when I send an email or a Slack on a topic, usually, it’s bidirectional, it goes to
both.
And that’s really important.
Culturally, it’s really important not to have that segregation.
Because the processes, the tooling and the actual ability tends to be separated.
We have another interesting capability where Rajiv, who you saw up here as our Chief
Product Officer, if you go to his LinkedIn, he doesn’t call himself the Chief Product
Officer, he calls himself the Chief Backup Officer.
So he actually does the backups for the company.
So now I got a trifecta of people.
I’ve got these two and I’ve got Rajiv and they have to work together.
So ResOps is exactly that.
Security, identity, and recovery.
And making it all come together.
Now we’re in the early days of ResOps as I described it this morning.
But if I take all the disciplines we’ve built.
In cyber, cyber resilience, they carry right into this.
And now we’re looking at AI.
Now Ha’s on point to build our internal AI capabilities.
And Pranay and Rajiv do all our product-based capabilities, but they work together.
And we have a Chief Trust Officer who’s on point to make sure that what we’re doing, to
your point, is responsible and we’re doing it the right way.
So it’s work in progress.
Now tooling, our product platform allows us to talk to,
on this side or CrowdStrike that we use or Microsoft Defender that we use in other places.
So that technology has to talk to our platform for us to have the full circle of
intelligence.
So we try to be customer zero within our environment.
And we’re committing, as part of this launch actually, to start publishing more of how we
do things, what mistakes we make, so that you don’t make the same.
Okay, so we’re gonna share that with you.
Awesome, and we actually do, shameless plug from the CMO, we actually do share that on our
Readiverse.
She’s ahead it…
on our website.
But again, it is aimed to really share the best practices that we see ourselves, and to
make sure that we’re sharing that responsibly with others.
Patrick, how will a unifying, a ResOps approach help HPE AI-bound customers, both on-prem
and in GreenLake environments?
Yeah, so in general, so we’re talking about ResOps here.
When we started the GreenLake cloud platform a number of years ago, it was in service of
AIOps in general, right?
And now you’ve seen AIOps, sustainability ops, FinOps, right?
And so the whole premise for us was how do you
manage all these systems and IT systems and applications and workloads at scale with a
platform approach?
It’s very similar to what your team talked about earlier today with the Commvault Cloud
Platform.
And so for us, shifting left in the development process, things like cyber and security
and resiliency at the time of development, right, when you’re actually architecting the
application, what the service is, et cetera, is super important.
And the only way that we can essentially allow
customers to do this at scale.
This is, you know, it becomes out of bounds for a human intervention type of feedback
loop.
And so for us, we introduced AIOps into the platform.
All of our systems have MCP agents and we can help them create agentic mesh to do a
number of things in a number of different categories.
And so this ResOps thing, this concept really resonates with me because when we
started the GreenLake Cloud Platform journey,
it was all around using AI and machine learning to make operations simplified.
And so now we can take that foundational work we’ve done for GPU, compute. Obviously,
we’re bringing in Juniper Mist into our AIOps platform now that that acquisition has been
closed, as well as data.
And so being able to have that platform approach with GreenLake and then partner with
Commvault, it makes the whole equation
automated, right?
You get visibility across the estate whether that’s on-prem, in a colo, at the edge, in
the public cloud, right?
And so this is stuff that’s really difficult for the developers to do manually, right
exception driven, it all has to be automated.
Building agents, agents that share data and talk to each other in service of your most
mission critical and business critical workloads.
So the approach that Commvault’s taking and the one that we introduced a number of years
ago with GreenLake Cloud Platform is the only way to achieve that scale.
We have 50,000 customers on our platform.
We’re managing close to five million infrastructure endpoints with the platform.
So the only way you can achieve that scale is through AIOps, ResOps, shifting it
left in
the development cycle, and we’re partnering to help our customers achieve that.
Sean, what does ResOps mean for threat intelligence and incident response
orchestration?
When I think about, I talked earlier about adversaries and the automation of their
attack process, the automation of the response process.
needs to be put into place, starting with, I think, detection first.
So maybe partnering with CrowdStrike.
Use ransomware as an example.
A ransomware attack is detected.
And the
identities are rotated, credentials are rotated because you want to protect other
devices, identities within the estate.
The recovery process and ensuring the validity of the data before it is reinstated is
automated.
And then the intelligence that you obtain from this particular attack is the TTPs, the
tactics and techniques and procedures, the indicators of attack or indicators of
compromise.
All the intelligence that you learn from this particular attack is put back into the
system and then the detection process takes place again.
So it’s automated and it’s continuous and it is dynamic and it’s so important, I think, to
recognize, you know, people, I used to use this example years ago,
but I think it’s still valid.
You can’t build a 10-foot wall because the adversary comes in with a 15-foot ladder,
right?
So it’s this concept of this constantly dynamic.
Things are changing as new attack patterns are identified.
We talked today about agentic AI, and then we talk about what quantum looks like and
what’s the next attack vector after that.
It’s going to continue to evolve.
We need to continue to evolve.
So that intelligence process has to lead to better detection and
the ability to have automated recovery resilience.
That process has to be automated because in today’s state with where we are and what
the adversaries are doing, if it’s not automated, if you don’t start to remove humans,
humans are still a part of this, of course an important part, then you’re gonna fall way
behind.
The learning piece is super important.
Like you have one customer that is seeing either attack vector or some anomaly,
learning from that one
customer can benefit your entire community.
It’s almost like the power of the crowd.
Crowd sourcing.
And striking.
Kris, I’m going to have you bring us home with some practical advice for CISOs, CIOs in
here in the room today.
You have often said that to be successful in this new world, security and resilience
have to be built in by design and by policy.
So what advice would you give to our practitioners here today?
I want to say something that Sanjay said, is about the, again, coming back to the
combination of things.
Honestly, I think that the fact that we’ve got security, resilience, and identity is very
unfortunate.
Those aren’t three different markets.
It’s becoming one market.
And I’ve always defined cyber resilience as the ability to anticipate, protect against,
withstand, and then recover from any and all cyber-related events, including but not
limited to cybersecurity.
Now that’s important because when you are looking and anticipating cyber threats,
those aren’t just threats from a security individual with a 15-foot ladder.
It’s from our employees doing something stupid.
It’s from a network fiber cut.
It’s from, you name it, something bad can happen.
And so building security and resilience by design is nothing more than just
anticipating, using threat intelligence, to understand what can possibly happen.
Now, I can invest this much here to protect
against it, but guess what?
The attackers have a 15-foot ladder.
So we’re going to have to invest in making sure that we can recover because it is
inevitable that something is going to happen.
So security and resilience by design is not about protecting the organization from all
threats, it’s about enabling the organization to balance its investments
between protection as well as the recovery such that it can meet its business objectives.
Here’s the however, and I won’t talk too much about it, but on the agentic AI side, gotta
think about this differently because again, in a polymorphic world, developing security
and resilience has to include a redefinition of what we’re thinking about vis-a-vis policy
and monitoring of policy.
Because again, like monitoring your employees, you’ve got to establish a policy that has
bounds
so that as the agents begin to evolve on their own, you have policy enforcement mechanisms
that keep them in their box.
That is something that we’re all working on today, but it’s something for you to be
thinking about.
The only thing I’d add to that is I think we haven’t seen yet the scale at which this
stuff can change.
Yeah.
That’s, you know, in this era,
scale is a whole new, you when we went about building our new Active Directory
capabilities, we were just, it was amazing how much data is just created, not all bad
data, good data, but it’s just the change factors.
We’re a mid-sized company, we ran it on ourselves, was like tens of thousands of events
a minute and then to be able to correlate that with all the other threat intelligence that
Pranay showed us, you know, is not for the faint hearted.
And so you’ve got to build systems that scale to that capability, whatever they may be.
I’m not just talking about the platform we’ve built, but in general, I think the one
challenge that people sort of underestimate is the scale at which the management and the
operations of this stuff has to evolve, you know, because using the approaches and the
tooling to your point of the past will…
you’ll have a lot of natural roadblocks that won’t work.
So I think that’s something we learned quickly in the process of how we restructured our
thinking on the platform.
Well, guys, I want to thank you.
We are out of time, and we have one more esteemed guest.
So thank you, our partners, our friends.
Thank you.
We appreciate it.