Resilience in the Age of AI: Inside Commvault’s ResOps Pitch
If you listen to enough AI keynotes, you start to hear similar refrains: AI is transformative, the pace is unprecedented, and security hasn’t kept up. What was different at Commvault’s SHIFT event was less the diagnosis and more the operating model they’ve put around it: ResOps and Unity.
Commvault’s leadership argued that cyber resilience needs a new name, a new architecture, and a promotion in the enterprise hierarchy. They call their answer “ResOps”—resilience operations—and they introduced Commvault Cloud Unity, a unified platform that embodies that ResOps model across security, identity, and recovery.
You don’t have to buy into the branding to see the signal: resilience is being pulled out of the back office and moved to the center of how AI-era infrastructure is designed and run.
From Cyber Resilience to AI Resilience
Two years ago, Commvault elevated data protection into a more strategic posture they call “cyber resilience,” emphasizing that data protection is more than a last-line-of-defense tape in a vault. At SHIFT, CEO Sanjay Mirchandani pushed that idea further: in an AI-first world, resilience isn’t just about systems and data anymore; it’s about how thousands of autonomous agents interact with those systems and data in real time.
The framing is straightforward:
- Generative and agentic AI are driving an explosion in data volume, variety, and sensitivity.
- AI systems are increasingly being used by attackers as well as defenders.
- Identities are proliferating, with non-human and machine identities outnumbering humans.
In that context, Mirchandani argued that “AI resilience” requires three things to move in lockstep: security, identity, and recovery. If any one of the three lags, AI becomes a new fragility multiplier instead of a growth engine.
Many large enterprises are already living this reality: fragmented data estates, software as a service (SaaS) and cloud-native sprawl, and a rising tide of identity-driven attacks. SHIFT’s contribution is to put a more opinionated operating model around those forces and to insist that resilience needs its own closed loop.
ResOps: Category Creation or Real Operational Shift?
ResOps, as Commvault describes it, is a continuous loop across three stages:
- Understand and govern data and identities (who or what is accessing what, and under which policies).
- Detect anomalies and threats in near-real time, across both identities and data.
- Recover cleanly and predictably at scale, with as little data loss as possible.
On paper, that sounds familiar. Security teams talk about “detect, respond, recover” all the time. What Commvault is doing is pulling data protection and identity recovery into that motion as first-class citizens, rather than something the security team hands off to infrastructure after the incident is contained.
ResOps is less about inventing a new discipline and more about admitting that the old silos are breaking down.
In many organizations today:
- SecOps, identity teams, and backup teams all operate with different tools, policies, and metrics.
- Automation exists, but it’s often local to a domain: SOAR (security orchestration, automation, and response) playbooks, runbooks in ITSM (IT service management) tools, scripting in backup platforms.
- AI is introduced at the edges—a chatbot here, anomaly detection there—without a single control plane that understands resilience end-to-end.
What Commvault is really arguing for is convergence: one fabric that connects identity posture, data governance, threat signals, and recovery orchestration. Whether you call that ResOps or just “finally connecting the dots” is semantics, but the direction of travel is clear across the industry.
Identity Becomes the New Perimeter
One of the more grounded sections of the SHIFT program focused on identity resilience. The thesis: if identity is the new perimeter, then identity recovery and forensics have to be just as mature as server and storage recovery.
A few key points stood out:
- Most breaches still start with stolen or misused credentials, according to industry data like CrowdStrike’s ~80% figure cited on stage.
- Machine identities and service accounts are rapidly becoming one of the dominant attack vectors, especially as automation proliferates.
- Traditional identity recovery is either too coarse (all-or-nothing forest restore) or too manual for crisis conditions.
Commvault’s answer is a set of capabilities around Active Directory and Entra ID that continuously audit changes, flag risky privilege drift, and allow rollbacks of specific changes or entire “attack chains.” In their demo, a compromised service account quietly spreads a malicious group policy; the platform detects the pattern, allows an operator to unwind the changes, and then feeds that insight back into a vulnerability view.
It’s interesting that identity recovery and identity analytics are now being positioned as central pillars of resilience, not niche features. As AI agents increasingly act on behalf of users and services, the blast radius of a compromised identity gets bigger. The ability to unwind that blast radius precisely—without flattening an entire domain—will matter more than it has in the past.
Clean Recovery as a First-Class Outcome
Another recurring theme in the keynote was the “billion-dollar question”: when you recover, how do you know the data is both clean and current?
Traditionally, recovery teams have had to choose:
- Roll back further in time to ensure a clean copy, and accept more data loss.
- Stay as close to the event as possible and risk reintroducing malware.
Commvault’s proposed answer is an approach they call synthetic recovery, paired with threat scanning and cleanroom testing. Conceptually, it works like this:
- Scan backups with multiple signals (anomalies, encryption patterns, malware signatures, and external threat intel).
- Use that understanding to automatically assemble a composite recovery point that pulls in only the last known-good versions of corrupted files.
- Rebuild systems into an isolated “cleanroom” environment using golden images, then reattach the cleaned data for validation before going back to production.
Embedded in this approach is an important shift: recovery is no longer just about hitting a recovery point objective/recovery time objective (RPO/RTO) number. The new bar is “provably clean” plus “minimally lossy,” with a testable chain of evidence you can show to a CISO, a regulator, or your own board.
That’s a much harder problem than it sounds, and vendors across this space are still evolving their answers. But the directional signal is right. As AI accelerates both attack automation and business reliance on data, the cost of a “dirty” recovery—one that quietly reintroduces the threat—gets higher every year.
Cloud, On-Prem, and the Unity Story
Unity, as positioned at SHIFT, is Commvault’s attempt to bind together three worlds under one control plane:
- SaaS workloads (M365, Google Workspace, Salesforce, DevOps platforms, and more).
- Cloud-native stacks across AWS, Azure, and Google Cloud.
- On-prem environments using their Hyperscale appliances and reference architectures.
Again, the specifics are vendor-branded, but the pattern is market-wide. Enterprises don’t live in one world anymore. A single business process might touch Kubernetes, SaaS customer relationship management (CRM), cloud databases, edge stores, and an on-prem analytics farm. Resilience that stops where a hyperscaler’s responsibility ends is no longer enough.
The architectural bet we’re seeing is:
- Separate control planes from data planes.
- Scale protection and recovery elastically in the cloud, while allowing enterprises to bring their own storage and appliances where they need to.
- Wrap everything in a common policy model and observability layer so you can reason about posture across environments, not per tool.
Unity is one version of that story. Other vendors are building their own versions.
The TechArena Take
If we zoom out from the SHIFT announcements and marketing language, a few broader trends come into focus:
- Resilience is becoming an operating model, not a product line: Boards and CEOs are now asking “how fast can we recover from the inevitable?” in the same breath as “what is our AI strategy?” That pushes resilience into day-to-day operations and out of the “insurance” category.
- Identity and data are converging in resilience conversations: The old model treated identity as identity access management’s (IAM’s) problem and backup as an infrastructure problem. AI collapses that separation. In an agentic world, identity mistakes and data mistakes are tightly coupled.
- “Clean” is the new RPO: Recovery objectives are no longer just about how much data you lose or how fast you come back. They are about how certain you are that you haven’t re-imported the adversary into production.
- AI is both the accelerant and the tool: The same AI that makes it easier to discover vulnerabilities and automate attacks is also being harnessed to correlate signals, propose recovery points, and orchestrate complex workflows. The arms race is well underway.
- SHIFT doesn’t change the fundamentals: Enterprises still need clear ownership across SecOps, identity, and infrastructure. They still need to rationalize tool sprawl and understand where each platform begins and ends. And they need to test recovery assumptions in realistic scenarios, not just on paper.
What SHIFT underlines is that resilience is now part of the AI conversation, not an afterthought. As enterprises experiment with AI factories, agentic systems, and data-native product development, the resilience stack underneath is being reimagined just as aggressively as the AI stack on top.
In the arena, that’s the story to watch: not which platform has the most features this quarter, but which operating models help enterprises withstand—and learn from—the inevitable failures that come with AI at scale.
If you listen to enough AI keynotes, you start to hear similar refrains: AI is transformative, the pace is unprecedented, and security hasn’t kept up. What was different at Commvault’s SHIFT event was less the diagnosis and more the operating model they’ve put around it: ResOps and Unity.
Commvault’s leadership argued that cyber resilience needs a new name, a new architecture, and a promotion in the enterprise hierarchy. They call their answer “ResOps”—resilience operations—and they introduced Commvault Cloud Unity, a unified platform that embodies that ResOps model across security, identity, and recovery.
You don’t have to buy into the branding to see the signal: resilience is being pulled out of the back office and moved to the center of how AI-era infrastructure is designed and run.
From Cyber Resilience to AI Resilience
Two years ago, Commvault elevated data protection into a more strategic posture they call “cyber resilience,” emphasizing that data protection is more than a last-line-of-defense tape in a vault. At SHIFT, CEO Sanjay Mirchandani pushed that idea further: in an AI-first world, resilience isn’t just about systems and data anymore; it’s about how thousands of autonomous agents interact with those systems and data in real time.
The framing is straightforward:
- Generative and agentic AI are driving an explosion in data volume, variety, and sensitivity.
- AI systems are increasingly being used by attackers as well as defenders.
- Identities are proliferating, with non-human and machine identities outnumbering humans.
In that context, Mirchandani argued that “AI resilience” requires three things to move in lockstep: security, identity, and recovery. If any one of the three lags, AI becomes a new fragility multiplier instead of a growth engine.
Many large enterprises are already living this reality: fragmented data estates, software as a service (SaaS) and cloud-native sprawl, and a rising tide of identity-driven attacks. SHIFT’s contribution is to put a more opinionated operating model around those forces and to insist that resilience needs its own closed loop.
ResOps: Category Creation or Real Operational Shift?
ResOps, as Commvault describes it, is a continuous loop across three stages:
- Understand and govern data and identities (who or what is accessing what, and under which policies).
- Detect anomalies and threats in near-real time, across both identities and data.
- Recover cleanly and predictably at scale, with as little data loss as possible.
On paper, that sounds familiar. Security teams talk about “detect, respond, recover” all the time. What Commvault is doing is pulling data protection and identity recovery into that motion as first-class citizens, rather than something the security team hands off to infrastructure after the incident is contained.
ResOps is less about inventing a new discipline and more about admitting that the old silos are breaking down.
In many organizations today:
- SecOps, identity teams, and backup teams all operate with different tools, policies, and metrics.
- Automation exists, but it’s often local to a domain: SOAR (security orchestration, automation, and response) playbooks, runbooks in ITSM (IT service management) tools, scripting in backup platforms.
- AI is introduced at the edges—a chatbot here, anomaly detection there—without a single control plane that understands resilience end-to-end.
What Commvault is really arguing for is convergence: one fabric that connects identity posture, data governance, threat signals, and recovery orchestration. Whether you call that ResOps or just “finally connecting the dots” is semantics, but the direction of travel is clear across the industry.
Identity Becomes the New Perimeter
One of the more grounded sections of the SHIFT program focused on identity resilience. The thesis: if identity is the new perimeter, then identity recovery and forensics have to be just as mature as server and storage recovery.
A few key points stood out:
- Most breaches still start with stolen or misused credentials, according to industry data like CrowdStrike’s ~80% figure cited on stage.
- Machine identities and service accounts are rapidly becoming one of the dominant attack vectors, especially as automation proliferates.
- Traditional identity recovery is either too coarse (all-or-nothing forest restore) or too manual for crisis conditions.
Commvault’s answer is a set of capabilities around Active Directory and Entra ID that continuously audit changes, flag risky privilege drift, and allow rollbacks of specific changes or entire “attack chains.” In their demo, a compromised service account quietly spreads a malicious group policy; the platform detects the pattern, allows an operator to unwind the changes, and then feeds that insight back into a vulnerability view.
It’s interesting that identity recovery and identity analytics are now being positioned as central pillars of resilience, not niche features. As AI agents increasingly act on behalf of users and services, the blast radius of a compromised identity gets bigger. The ability to unwind that blast radius precisely—without flattening an entire domain—will matter more than it has in the past.
Clean Recovery as a First-Class Outcome
Another recurring theme in the keynote was the “billion-dollar question”: when you recover, how do you know the data is both clean and current?
Traditionally, recovery teams have had to choose:
- Roll back further in time to ensure a clean copy, and accept more data loss.
- Stay as close to the event as possible and risk reintroducing malware.
Commvault’s proposed answer is an approach they call synthetic recovery, paired with threat scanning and cleanroom testing. Conceptually, it works like this:
- Scan backups with multiple signals (anomalies, encryption patterns, malware signatures, and external threat intel).
- Use that understanding to automatically assemble a composite recovery point that pulls in only the last known-good versions of corrupted files.
- Rebuild systems into an isolated “cleanroom” environment using golden images, then reattach the cleaned data for validation before going back to production.
Embedded in this approach is an important shift: recovery is no longer just about hitting a recovery point objective/recovery time objective (RPO/RTO) number. The new bar is “provably clean” plus “minimally lossy,” with a testable chain of evidence you can show to a CISO, a regulator, or your own board.
That’s a much harder problem than it sounds, and vendors across this space are still evolving their answers. But the directional signal is right. As AI accelerates both attack automation and business reliance on data, the cost of a “dirty” recovery—one that quietly reintroduces the threat—gets higher every year.
Cloud, On-Prem, and the Unity Story
Unity, as positioned at SHIFT, is Commvault’s attempt to bind together three worlds under one control plane:
- SaaS workloads (M365, Google Workspace, Salesforce, DevOps platforms, and more).
- Cloud-native stacks across AWS, Azure, and Google Cloud.
- On-prem environments using their Hyperscale appliances and reference architectures.
Again, the specifics are vendor-branded, but the pattern is market-wide. Enterprises don’t live in one world anymore. A single business process might touch Kubernetes, SaaS customer relationship management (CRM), cloud databases, edge stores, and an on-prem analytics farm. Resilience that stops where a hyperscaler’s responsibility ends is no longer enough.
The architectural bet we’re seeing is:
- Separate control planes from data planes.
- Scale protection and recovery elastically in the cloud, while allowing enterprises to bring their own storage and appliances where they need to.
- Wrap everything in a common policy model and observability layer so you can reason about posture across environments, not per tool.
Unity is one version of that story. Other vendors are building their own versions.
The TechArena Take
If we zoom out from the SHIFT announcements and marketing language, a few broader trends come into focus:
- Resilience is becoming an operating model, not a product line: Boards and CEOs are now asking “how fast can we recover from the inevitable?” in the same breath as “what is our AI strategy?” That pushes resilience into day-to-day operations and out of the “insurance” category.
- Identity and data are converging in resilience conversations: The old model treated identity as identity access management’s (IAM’s) problem and backup as an infrastructure problem. AI collapses that separation. In an agentic world, identity mistakes and data mistakes are tightly coupled.
- “Clean” is the new RPO: Recovery objectives are no longer just about how much data you lose or how fast you come back. They are about how certain you are that you haven’t re-imported the adversary into production.
- AI is both the accelerant and the tool: The same AI that makes it easier to discover vulnerabilities and automate attacks is also being harnessed to correlate signals, propose recovery points, and orchestrate complex workflows. The arms race is well underway.
- SHIFT doesn’t change the fundamentals: Enterprises still need clear ownership across SecOps, identity, and infrastructure. They still need to rationalize tool sprawl and understand where each platform begins and ends. And they need to test recovery assumptions in realistic scenarios, not just on paper.
What SHIFT underlines is that resilience is now part of the AI conversation, not an afterthought. As enterprises experiment with AI factories, agentic systems, and data-native product development, the resilience stack underneath is being reimagined just as aggressively as the AI stack on top.
In the arena, that’s the story to watch: not which platform has the most features this quarter, but which operating models help enterprises withstand—and learn from—the inevitable failures that come with AI at scale.
.png)
