AI Security & Privacy: How Indian Firms Can Leverage Startup Innovation - Q&A with Sameer Ahirrao
In this in-depth conversation with Vinayak Godse, CEO of the Data Security Council of India (DSCI), Sameer Ahirrao, Founder & CEO of Ardent Privacy, shares his journey in building privacy technology, the challenges of implementing privacy in enterprises, and how startups can bring innovation to the space. Below is a structured Q&A capturing the highlights.
Q1: What inspired you to approach privacy challenges from an engineering and technology perspective?
Sameer Ahirrao:
My background is in security engineering, having worked at companies like Lockheed Martin, Symantec, and Deloitte for nearly two decades. Over time, I saw a gap: organizations had strong infrastructure security, but implementations were rarely data-centric. We often spoke of “data as the crown jewel,” yet we weren’t mapping what data we had or where it lived.
This inspired me to create the concept of a Data Bill of Materials (DBOM): knowing exactly what sensitive data exists, its lifecycle, ownership, and location. Without this, securing data is like protecting a house without knowing what valuables are inside.
Q2: How do you define the difference between security and privacy?
Sameer Ahirrao:
Think of a house: doors, windows, and guards are security. Curtains are privacy; you control when to open them, based on comfort and consent.
Security focuses on keeping outsiders from getting in; privacy is about how insiders handle the data they already have, in accordance with consent, contracts, and transparency obligations.
Q3: What are the key types of data security technologies you see in the market?
Sameer Ahirrao:
- Data Discovery & Classification - Know your data’s location, type, and sensitivity (including DBOM).
- Protection Technologies - DLP (Data Loss Prevention), cryptography, information governance.
- Privacy Compliance Tools - Systems that manage procedural obligations, such as handling data subject rights requests or breach notifications.
Q4: How is the Data Bill of Materials different from typical data discovery?
Sameer Ahirrao:
- Privacy Impact Assessment (PIA) & Data Protection Impact Assessment (DPIA) - Identify scope, systems, and business owners.
- Data Discovery & Classification - Generate DBOM to validate PIA/DPIA findings.
- Data Principal Rights Management (DPRM) - Enable rights like access, deletion, correction, and opt-out.
- Consent Management - Gather, track, and allow revocation of consent in a provable way.
- Data Minimization & Privacy by Design - Collect only necessary data, apply retention limits.
- Breach Management - Investigate, assess impact, and notify affected parties transparently.
Q6: How can technology help automate privacy compliance at scale?
Sameer Ahirrao:
You need a centralized system of record for privacy obligations. Automation is key to:
- Assigning tasks from PIAs to accountable teams.
- Linking DBOM to real-time data discovery.
- Handling subject access requests at scale, with verifiable identity checks.
This ensures compliance even when processing millions of transactions or requests.
Q7: Can you share real-world examples of applying these principles?
Sameer Ahirrao:
One example is with HDFC Bank. Initially, we focused on data discovery, but quickly realized PIAs needed to be automated as the first step. Implementing a structured, tech-driven approach helped scale privacy compliance far beyond what spreadsheets or manual tracking could achieve.
Q8: What’s the biggest takeaway for Indian firms looking to adopt privacy-enhancing technology?
Sameer Ahirrao:
Don’t treat privacy as just a legal checkbox; treat it as a data-centric engineering challenge. Start with a clear inventory of sensitive data, integrate automation into compliance processes, and adopt technologies that scale across enterprise complexity. That’s how startups and enterprises alike can stay ahead.
Q9: What role does Data Security Posture Management (DSPM) play?
Sameer Ahirrao:
DSPM is gaining traction, especially in cloud environments. It leverages APIs for real-time discovery and monitoring. However, most enterprises still have sensitive data on-premises (even on mainframes), so DSPM alone is not enough. That’s where DBOM bridges the gap.
Q10: How can startups like Ardent help large enterprises manage complex privacy requirements?
Sameer Ahirrao:
Startups innovate faster and solve hard problems like data discovery at scale. For instance, large banks or telecoms face millions of daily transactions. We bring automation, from DBOM to DSAR management, that replaces spreadsheets and scattered emails.
Q11: What are the toughest engineering problems you’ve solved for customers?
Sameer Ahirrao:
Two stand out:
- Automating PIAs and DPIAs for large banks, moving away from manual assessments.
- Scaling DSAR management with verifiable consent and automated routing to the right internal teams.
Both problems required balancing compliance with engineering innovation.
Q12: What advice would you give to organizations starting their privacy journey?
Sameer Ahirrao:
- Start with data mapping and create a DBOM.
- Automate privacy assessments (PIAs, DPIAs).
- Build centralized systems for consent and DSARs.
- Don’t over-collect data; apply minimization and retention policies.
- Be prepared for breaches with tested incident workflows.
Q13: How do compliance requirements (like PII, PHI) drive data protection efforts?
Sameer Ahirrao:
Compliance acts as the forcing function to know your data. Regulations such as GDPR or India’s DPDPA mandate identifying and protecting sensitive information. That legal push helps organizations finally invest in data-centric security.
Q14: Why do you emphasize data-centric approaches over traditional security methods?
Sameer Ahirrao:
Traditional security has focused on infrastructure (firewalls, antivirus, intrusion detection), but attackers target data, not networks. Breaches are measured by sensitive data lost, not the number of firewalls breached. Without knowing what data exists and where, security is incomplete.
Conclusion
The dialogue between Vinayak Godse, CEO of DSCI, and Sameer Ahirrao, Founder & CEO of Ardent Privacy, shed light on the critical role of startups in driving innovation at the intersection of AI, security, and privacy. As Indian enterprises navigate the complexities of data protection and responsible AI adoption, collaborative platforms like these highlight how emerging solutions can bridge gaps and strengthen trust in the digital ecosystem.
This insightful session was organized by the National Centre of Excellence (N-CoE), and a special thank you goes to the Data Security Council of India (DSCI) team for facilitating such meaningful discussions that advance India’s digital trust and innovation agenda.