‘Banks require a scalable, secure and compliant AI’: Subhathra Srinivasaraghavan, vice-president at IBM India Systems Development Lab

With Unified Payments Interface (UPI) processing over 228 billion transactions in 2025 (more than 21 billion in December alone), real-time digital payments have reached a scale where infrastructure failures are no longer isolated IT incidents but national-level risks. As transaction volumes surge, banks need resilient and intelligence-ready infrastructure that can secure every transaction and safeguard against evolving cyber threats. “Modern banking systems must be engineered for continuous availability and cryptographic assurance by design, not retrofitted after incidents occur,” Subhathra Srinivasaraghavan, vice-president at IBM India Systems Development Lab (ISDL) – the largest R&D hub in Big Blue’s infrastructure division with centres in Bengaluru, Pune and Hyderabad – tells Sudhir Chowdhary in an interview. Excerpts:

How should banks rethink digital trust and user safety?

Fraud has evolved from static rule violations to AI-enabled, adaptive attacks that exploit identities, devices, and contextual signals in real time. Traditional role-based access controls assume a fixed perimeter and predictable behaviour – assumptions that no longer hold in digital banking ecosystems. Banks need to move toward continuous trust evaluation, where every transaction is assessed dynamically based on behaviour, device posture, and contextual risk.

Equally important, trust must be embedded into the infrastructure itself. Approaches such as trusted boot and trusted execution ensure that only verified, approved software and configurations are allowed to run. By establishing a chain of trust from hardware through firmware, operating systems, and applications, banks can significantly reduce systematic risk. In this model, digital trust and user safety are continuously enforced across both transactions and infrastructure.

Are data residency and sovereignty now core infrastructure considerations?

In India’s regulatory landscape, these have shifted from compliance checklists to core architectural requirements. Sovereignty today extends beyond where data sits to who controls the infrastructure, how access is governed, and under which legal jurisdiction workloads and AI workloads operate. Regulators increasingly expect institutions to demonstrate operational control and auditability, not just data localisation. This aligns with the principles outlined in IBM’s Why CEOs Must Act Now to Secure the Future’ white paper, which emphasises verifiable control, transparency, and enforceability across the full technology stack. As banking becomes more AI-driven, embedding sovereignty into infrastructure design is critical to sustaining trust.

How are banks designing their core IT infrastructure to support real-time digital payments?

Indian banks are modernising core systems around resilience, scale, and security as first principles. This includes investment in enterprise-grade platforms such as IBM Z and IBM Power, which offer massive transaction throughput, pervasive encryption, hardware-assured isolation, and built-in AI acceleration. These platforms also support quantum-safe cryptography and consistent security controls across hybrid environments. Increasingly, banks are designing systems with integrated observability and automated recovery, enabling real-time payments to continue even during peak demand or active threat conditions.

With AI increasingly embedded in transaction processing and quantum risks on the horizon, what defines a future-ready banking infrastructure?

A future-ready banking infrastructure must be AI-native, sovereign-aware, and quantum-resilient and cyber-resilient. As AI models play a growing role in fraud detection and transaction decisions, banks must protect model integrity, ensure explainability, and secure data pipelines end-to-end. On the quantum front, institutions should begin adopting quantum-safe cryptography and crypto-agile systems to address “harvest now, decrypt later” risks.

Equally critical is preparing for inevitable cyber incidents, not just preventing them. This is where cyber-vault plays a role by providing an integrated cyber-resiliency approach aligned to frameworks such as NIST. By using immutable snapshots that are automatically captured, stored, and tested on a defined schedule, banks can protect against data corruption and ransomware-style attacks while enabling rapid, trusted recovery. Ultimately, safeguarding trust will depend on whether trust, resilience, and sovereignty are engineered into the core of banking infrastructure.