Resilience in the AI Era: Why Security, Data, and Recovery Must Converge

AI is scaling faster than enterprise resilience models can keep up, and that gap is where risk multiplies.

At RSAC 2026, hosts Daniel Newman and Patrick Moorhead sit down with leaders from cyber and AI resilience company, Commvault. Chief Market Officer Anna Griffin, and SVP, Global Partners and Channels, Michelle Graff examine how cyber resilience is being redefined in the AI era.

As AI adoption accelerates, organizations are encountering a new class of risk driven by agentic workflows, expanding attack surfaces, and ungoverned data growth. Traditional security models built on layered tools and fragmented architectures are starting to fall short in this new environment. This shift highlights the need for resilience, not just protection, as the central operational priority.

In response, teams are adopting unified operating models like ResOps, where data protection, identity, security, and recovery converge into a continuous, automated system. Rather than relying on static backups or reactive security measures, enterprises must adopt real-time detection, response, and recovery strategies that align with the speed and scale of AI-driven systems.

‍Key Takeaways Include:

🔹 AI risk is now the primary barrier to deployment, as organizations struggle with compliance, data readiness, and governance gaps.

🔹 Fragmented security architectures are breaking under AI at scale, forcing a shift toward unified platforms and system-of-record approaches for resilience.

🔹 ResOps emerges as a new operating model, aligning teams, tools, and automation to enable continuous detection, protection, and recovery.

🔹 Partner ecosystems are evolving from integration layers to orchestration engines, enabling automated, policy-driven responses across security and data environments.

🔹 Resilience is becoming a board-level priority, driven by the direct impact of AI on revenue, risk exposure, and enterprise trust.

🔹 Security is moving towards convergence, where identity, data, cloud, and recovery systems operate as a single coordinated framework.

Watch the full conversation at sixfivemedia.com and subscribe to our YouTube channel so you never miss an episode.

Disclaimer: Six Five On The Road is for information and entertainment purposes only. Over the course of this webcast, we may talk about companies that are publicly traded, and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors, and we ask that you do not treat us as such.

Anna Griffin:
Every enterprise era has brought forth a system of record, and that's exactly what's going to happen with AI. It is demanding a system of record for resiliency.

Patrick Moorhead: The Six Five is On The Road here in San Francisco at RSAC 2026. Daniel, it's been a good show so far, and unsurprisingly, we're talking about AI. But it has changed over the last few years, right, about we're going from access control to really controlling the agents.

Daniel Newman:
Yeah, it's a big year. We know there's a massive inflection. The speed of innovation is causing some new pressures. You know, we spend a lot of our time talking about infrastructure, talking about compute, talking about energy and constraints, but we are at this massive application inflection. You're hearing things like the App Store from Apple can't literally keep up with the number of apps being submitted right now. And as apps and scale and data and everything grows so quickly, guess what else grows? Security risk.

Patrick Moorhead:
That's right.

Daniel Newman:
That's why we're here at RSAC.

Patrick Moorhead:
That's right, and you put agentic workflows on top of that, it absolutely complicates the whole way. You keep your business resilient, and that is what it really is all about, and new challenges that are out there. And I'm really, really excited to introduce Anna and Michelle from Commvault to have this discussion. Great to see you two. 

Anna Griffin:

Likewise. 

Patrick Moorhead:

First time on the show, thank you very much.

Anna Griffin:
Our pleasure.

Patrick Moorhead:
Yeah, it is the first time.

Daniel Newman:
It's crazy. What's going on? What's going on here? Six Fives like 10 years old. Why you no show? Well, you heard me. I mean, I think this is probably the most significant sea change I've seen at an RSA. You know, we're 35 years or so into the show. But I've been here several years in a row. I can't remember if I took a year off. And I security's always been this thing that's like happening and it's exciting and it's adjacent to the tech craze, but it's almost, I was jokingly calling it the security, the insurance part of the business. Like it's like, as we keep growing tech, how much security do we need? With AI, this thing is exponential. And I think you guys have to be super excited about that. But like, Resilience, right? This whole idea is, okay, we want to go fast. We want to meet board objectives. We want to be more productive. We want to scale our businesses. We want to use AI. Risk, risk, risk, risk. And that's got to be what you're hearing. Talk a little bit about like what you're seeing in terms of how companies are taking on resilience and what are they kind of maybe still doing or now doing wrong with all this change that's happening around us?

Anna Griffin:
Yeah, well, you nailed it. The greatest barrier to AI success is not the technology, it's the risk. And the companies that move fast are now stalled, and they're paying the price for it. Ultimately, we've found that data is scaling way faster and larger than the architectures are able to keep up with. So we've got antiquated architectures, we've got agents causing expanding the attack surface massively. And then ultimately compliance and the compliance risk and failure. The cost of ungoverned AI is basically paying the price in breaches and compliance failures and ultimately installed deployments. So the risks are real. The implications huge. I think of many companies, many customers we've worked with, your models are poisoned and you don't know it. Compliance has been compromised and you don't know it. Your agents aren't backed up and there is no path for recovery. I mean, there's just a lot going on. So what a company's doing different. They have to think about this completely different and take risk and preparing for risk and pulling this together and working this from the bottom up in a different way. I think I just read that 80% of all enterprise AI deployments last year are stalled, stopped. And even in publicly traded companies, they're citing losses in their AI deployments, and it all comes back to they're not ready and their data's not ready.

Daniel Newman:
They're stalled because of security.

Anna Griffin:
Yes, security and compliance, security and compliance.

Patrick Moorhead:
Absolutely make sense and a lot of companies in highly regulated industries are slow rolling it and the board is actually kind of OK with that but it comes down to agents amplify the situation was one thing to have an LLM and have it give you a bogus result when you're having agents that are actually taking action it it raises it raises the stakes. So Michelle it takes a village and none of this stuff can get implemented without partner without without the channel but also it's a moving target and typically the channel works best when it's not moving all the time but they do have to solidify on something. What are the partner expectations in this shifting environment when you're combining, let's say, identity, different elements together more as a package than they were distinct sub-products?

Michelle Graff:
Yeah, I mean, as we talked about, right, AI is impacting everyone and everything, right? It's also impacting the partner ecosystem and the landscape. And, you know, you've come here many, many, many years. We've become accustomed to this layered security and just adding security after security after security. And that's great for, creating a stronger moat, but it's also now factioned how we manage and how we work across different security and resiliency teams. So you see this siloed environment, right? And the partners have been the orchestration layer historically. bringing those technologies together. But pure integrations of yesteryear aren't the way forward. There's got to be a new playbook and a new model for organizations to rethink how solutions are being delivered to them and helping them unlock truly the power of data systems, infrastructure, as well as the security investments that they've made. And so now we're working with many, many different whether it's a cloud partner, an SI, a technology partner, to build, not just integrations, but agentic solutions that are creating automated workflows to signal the telemetry of the data between threats. And then how do you actually then potentially automate policies and work-based recoveries cleanly, right? And using different technologies in our stack, depending on if the data's sensitive data or not, or whether it's an agentic model, or whether it's a traditional data protection and backup.

Anna Griffin:
Think about every enterprise era has brought forth a system of record, and that's exactly what's going to happen with AI. It is demanding a system of record for resiliency. And so I do think bringing this together into a unified system of record-like system is critical to redefine resiliency. That makes sense.

Daniel Newman:
It's really interesting, though, because we're hearing this in a lot of our conversations about historic fragmentation that existed in cyber and how AI is basically a forcing function of unification, meaning that, you know, and different companies are attacking it differently, right? acquiring parts and pieces and calling it a platform. Some are sort of we're maybe in one area and they're trying to scale out. I mean, you guys obviously have some provenance, you know, and resiliency is a big focus in what Commvault's always done. You've made a number of acquisitions, you've expanded, but you've got something in, you're trying to kind of market this, is it ResOps? Like resilience ops?

Anna Griffin:
I love that you call it marketing, but I'd like to call it a discipline that we're trying to teach. We call it res ops.

Daniel Newman:
You're trying to get to market this new, but it's a sea change. You are trying to have a rethinking of how security is consumed, how it's procured, how it's selected, all these different things. What does that mean in practice and why are you going down that path?

Anna Griffin:
Yeah, yeah, so I'm cracking up because I'm looking at your studio and I see DevOps.com.

Daniel Newman:
I know, do we need a new site?

Anna Griffin:
No, no, but ResOps reminds me a lot of DevOps. When you think of the rise of DevOps, there was a very linear waterfall way of teams that hand off and pass off and pass off and that's exactly what happens with security and IT. So to get something, to take a backup and to take something that was a static practice and make it active and so that it's constantly discovering, detecting, protecting, doing micro-recoveries. Everything has to become super, super automated to feed these teams to work together in a way that they can get something across the line faster and constant, and keeping the business continuous. So when I think of ResOps, I think of DevOps, but it is about bringing technology, teams, and processes together, but in a really, where automation can really feed these teams real time.

Patrick Moorhead:
Makes sense. So we talked a little bit about the channel partners and the role they play, kind of unifying. Because in the end, they're the end of the line for this with customers. Let's shift to strategic partnerships, which is a little bit of a different animal and also in your purview. How are those changing in where cloud is constantly cycling. The definition of resiliency is completely cycling. Then you've got this security thing that seems to change every year as well.

Michelle Graff:
Yeah, so as Anna mentioned, right, there's a new operating model, right, which is ResOps. And if you remember, when organizations moved to the cloud, there was the cloud operating model, right? This is the resiliency operating model. And in order for organizations to really bridge the gap between identity, cloud, and resiliency, they need to be able to work together with all those technologies. So Commvault, right, is partnering with Identity organizations like Microsoft, Enter ID, and AD, as well as Okta and other organizations. All the hyperscalers, right? So all the big hyperscalers, how we go to market with them is not just for on-prem to cloud, but it's cloud-native, SaaS applications, AI. And we need to be able to ensure AI can be resilient across all of that, as well as their data. And then finally, I think that the security technology partnerships are going to become super critical in signaling that telemetry between Commvault and others. We just launched two big announcements this week. One with NetApp and their autonomous ransomware protection. they can be identifying ransomware that's coming into the resiliency and the backup data, and we can have automated policies in that continuous loop that Anna talked about that can kick off policies to recover cleanly, or make sure we're using synthetic recovery, which you don't reinfect your data with that ransomware. And then another big one, one of my sort of babies this year, is what Microsoft is doing in their new four-plane security layer. And we've integrated now with being able to provide signaling back into Microsoft's security data lake. And what's really cool about that is customers can use Copilot to then create Policy driven recovery and we can send that also to the Microsoft sock for recovery so it truly is now that convergence between the security teams the identity teams and the and the data governance.

Patrick Moorhead:
Yeah, and by the way, your customers thank you, and I know that there is the tension between the data teams and the security teams, okay, which one starts first, but you've created a platform where you could bring your best-of-breed technologies and then some of your partners as well, and people aren't necessarily having to stitch it together, which, by the way, increases, adds a security threat of its own if it's not done correctly.

Anna Griffin:
I know you were talking about platform. I call that the difference between platform with a capital P and platform with a lowercase p. Capital P, a serious platform, integrates every point solution so it can work seamlessly. It doesn't stitch together an ecosystem. That's how you're going to get control of your operations, your cost, and your ability to move with speed.

Daniel Newman:
As crazy as that is, there's not a lot of true capital P platforms out there.

Anna Griffin:
I know.

Daniel Newman:
And securities. Got probably one of the worst reputations because it's just a lot of growth through bolt-on and integration takes time. And by the way, things were just not born to be together. And so we've got your problems. You can get everything from us, but it doesn't necessarily work better than if you bought seven different point solutions or whatever that looks like. So let's end talking about the high level here. The boardroom, okay? In the boardroom, you know, technology, digital transformation was a big thing. Like I said, sometimes, my opinion, you can disagree with me, cyber was a bit, like I said, more like an insurance policy in the boardroom. It was, hey, we know we need it, but how little can we invest here to keep our tech moving?

Patrick Moorhead:
Or what's the metric? Like the CFO wants a metric. Hey, if I double my investment in security, am I going to be twice as secure? Well, how far are we from absolutely as secure as you can get?

Daniel Newman:
And this is something I've been writing and researching for a long time. Or how much can we spend to where we actually get, we're more secure, but the risk dollar savings aren't actually there anymore. Right.

Anna Griffin:
And you'll never get there.

Daniel Newman:
Never?

Anna Griffin:
Because they'll always have breaches, right? Yeah, they're always going to find a way in, which is why resiliency is so important.

Daniel Newman:
Yeah, so like time now has a see-saw of the year.

Anna Griffin:
Yes, yes.

Daniel Newman:
You know, are we, is the conversation elevating? Is the board room getting more serious? Do the people in that room start, are they starting to understand this and prioritize this and putting, you know, security first, knowing that even though they maybe can't directly get that CFO ROI, that indirectly the downstream risks are massive of not getting this right?

Anna Griffin:
Yes, there was already the cyber risk of what is the downtime going to cost us? And then that started to move from, to your point, precautionary checklist to, wait a minute, can you prove, prove to me that we can recover, prove to me that we can get ourselves back up. So gave way to the era of testing and the ability to actually put some proof to it. But then comes AI. So you had cyber and now you have compliance and regulatory and the expense to a board as and to a company and to the trust of a company is multiplied by a thousand. So I love that Time decided to, with our prodding and our insight that we brought to them, pounding, to make us a CISO of the year. We talked to them about the unsung heroes of the industry and the bravery it takes to not only do their job that is completely thankless. but also to push and reinvent it so that companies can actually see and use staying continuous as a competitive advantage. And it's true. The company that stays up is going to be the company that inevitably is going to…

Michelle Graff:
And if I could just add one thing to that. You talked about tools rationalization. There's only so many seats at the board, right, at the board level. And security's not a revenue driver, or it historically hasn't been. It was considered more of a cost-layered security approach. With AI, because of needing to use your data, for AI, that is revenue generating for companies. And they can't afford to both not protect that AI and be resilient, but also how do you actually have the right trusted data to feed into AI. So it's, I think it's elevating that because it's actually, it is a revenue generating and unlocks moving from POC into production.

Patrick Moorhead:
Well invariably the question comes up in the board which is, hey, this brand new agent that is going to drive revenue, this is what we need to do to get there, and then they talk about all the data it has access to, and invariably somebody asks, hey, how are we protecting that data that the super agent is going to be tapping into, and what happens if they do, and what happens if it's missing, if it's corrupted, if it gets stolen, what is the game plan after that?

Anna Griffin: And what's the audit trail? So many people don't have an audit trail to the data that the agents are using, and so, If you've got to rewind this thing back and you've got to get it back to a certain place, you've got to know where it came from.

Daniel Newman:
Makes sense. Well, Anna-Michelle, I want to thank you both so much for spending time. I hope you have a really great rest of your RSA.

Anna Griffin:
Thank you.

Daniel Newman:
Congratulations on all the progress. I look forward to tracking it. And we'll try to keep the market apprised.

Anna Griffin:
Sounds great, guys. Thank you so much. Thank you, guys.

Daniel Newman:
And thank you, everybody, for being part of this Six Five. We are on the road here at RSAC 2026 in San Francisco. Check out all the coverage here for the Six Five. Subscribe, be part of our community. And of course, watch all of our content on the Six Five. But for this episode, for Patrick Moorhead and myself, it's time to say goodbye. See you later.

‍