Commvault CEO Mirchandani: We Are A Resilience Company In The Era Of AI

‘The challenge customers are going to encounter with AI is data. And keeping that data safe, trusted, and available is something we believe we can help our customers as they get deeper into the AI journey. Everybody's concerned about infrastructure having enough GPU cycles. Do I do it on the cloud? Do I do it on-prem? All important stuff, but we believe that resilience in AI has to be built proactively, not reactively,’ says Commvault CEO Sanjay Mirchandani.

While data protection and management remain critical business requirements, Commvault wants to take its customers and channel partners to the next level with a focus on data resiliency for the AI era.

Commvault CEO Sanjay Mirchandani (pictured) made that clear when he used the Commvault Shift 2025 conference last week to introduce the concept of ResOps, or resilience operations, which requires not only securing data and monitoring for anomalies but also autonomously controlling the identities of individuals and devices that access and use the data.

“To achieve AI resilience, you must bring security, identity and recovery together,” Mirchandani said during his keynote presentation. “Your organization is counting on you to deliver resilience in the age of AI.”

Mirchandani during Shift expanded on the theme of resiliency in an exclusive meeting with CRN during which he called Commvault a resilience company in the era of AI.

I think of us as a resilience company, and the new world order requires security, identity, and recovery to be managed,” he told CRN. “I am proud of our backup and recovery roots. It's at the core of everything we do. You can't recover if you don't back it up. You can't be resilient if you don't have the ability to recover.”

Mirchandani also said that his company’s ability to integrate resilience across security, identity, and recovery is a huge competitive differentiator for Commvault.

“Integration makes all the difference,” he said. “If your AD [Active Directory] workflow isn't tightly coupled with your security workflow, your identity is not tightly coupled with your security and is not tightly coupled with the actions taken on recovery, you're not getting the full value. We can enhance identity beyond one product to as many as customers need.”

Mirchandani also discussed how Commvault both integrates AI into the technology it brings to customers and partners and into its own processes.

There’s a lot going on at Commvault and its ResOps and data resiliency transformation. For details, read CRN’s complete conversation with Mirchandani, which has been lightly edited for clarity.

How do you define Commvault?

We started about 30 years ago as a data protection company, a backup company, and have stayed very close to our core over the years. About two years ago, we put a stake in the ground that said it's not just about recovery, it's about resilience. We bought a company called Appranix that became Commvault Cloud Rewind. We then also acquired a company, Clumio, which was an expert in S3 and AWS workloads. This was all to build resilience for customers, because our fundamental philosophy two years ago was that one size doesn't fit all. You can't do things just because it worked a certain way for one stack. It's going to work the same for another stack. So we boldly pivoted to resilience, and a lot of our competitors followed suit.

Now we're saying at the heart of it, we are a resilience company in the era of AI, which brings its own nuances to the table. I think of us as a resilience company, and the new world order requires security, identity, and recovery to be managed. I am proud of our backup and recovery roots. It's at the core of everything we do. You can't recover if you don't back it up. You can't be resilient if you don't have the ability to recover.

Commvault’s big news at the Shift conference was the introduction of its new Commvault Cloud Unity platform. How important is it to think of it as a platform?

We have always believed that you're only as secure, or only as resilient, as the breadth of workloads that you protect. I could say to you, ‘Oh, I'm a backup and recovery company,’ or ‘I'm a resilience company,’ or ‘I'm an XYZ company, but I only do the cloud stuff. For the other stuff, you're on your own.’ You're not very resilient.

We've always believed that we have a platform capability with the broadest workload coverage, the broadest to-and-from coverage, where you're backing up from and where you're taking your workloads. The architecture is that of a platform. We completely decoupled things so you have choice as a customer to move things how you want to. And we build the workflows into the platform to take thinking out of it. So all the connectivity, all the prefabricated engineering between where you're going and where you're coming from, security, and now AI, all integrated. We've always had that approach.

A few years ago, people would say, ‘But this is security,’ and this may have been true 10 years ago. But four or five years ago, I started saying data security, data recovery, protection, have to be tight. It's like your CIO and your CISO not working together. You're heading for a disaster. They have to work together. That's been our philosophy. The platform has all the componentry, all the fabrics you need to really deliver a platform-like experience.

Now with agentic AI, those workflows, that interconnectivity, that knowledge of what we're bringing [data] from and where we're going to, becomes paramount, because without that intelligence in the workflows, you really don't have high-class agentic tech. So I'd like to say we've been a platform for a while, but we're really taking it to the next level.

How long ago did you start adding agentic AI into this platform? Was it from the beginning or only recently as agentic AI has become such an important trend?

I think you can say that for all of generative AI, right? It's been two years in elapsed time and 20 years of delivery, it feels like. We've been keeping an eye on agentic and all things generative AI. We've been building and doing things in the labs. We've done machine learning forever. We've done all those other kinds of things forever. As soon as MCP [model context protocol] capabilities became robust and reasonably mainstream, we started working internally to see what it could do, refine the workflows, tighten the connectivity, used it internally a little bit ourselves, and then brought it to life fairly quickly because the technology allows you to bring it live pretty quickly. I'd say that piece was working in the last year, but support for agentic is something we've been thinking about because we know it's going to happen. It's just how broad, right, and how fast. But enthusiasm without guardrails is dangerous.

Commvault is talking about data resiliency, bringing together security, data protection, and now identity protection. That's also the kind of thing companies like Cohesity, Rubrik, and Veeam are talking about, along with storage vendors like NetApp and Pure Storage. What is Commvault doing differently?

Sadly, our industry tends to sometimes suffer from, ‘Let me put another sticker on it, and maybe I'm a different company.’ We don't believe in that. I'm not gonna hype something that isn't real. That's been our calling card for years. We not gonna hype something that isn't real just because somebody's talking about it. I mean, we talked about responsible AI 18 months ago. I'm not going to rush into it. I want to see what customers want from it. I want to see how it evolves. We have the ability to build and buy, integrate what we want. I think the proof of the pudding lies in the way we deliver it.

For us, it's not about buying product A, product B, and product C that are completely different in the three spaces and say we have a solution. Cohesity doesn't have identity protection. They use somebody else's.

But does that make a difference?

Integration makes all the difference. If your AD [Active Directory] workflow isn't tightly coupled with your security workflow, your identity is not tightly coupled with your security and is not tightly coupled with the actions taken on recovery, you're not getting the full value. We can enhance identity beyond one product to as many as customers need. So we're robust.

Let's take DSPM [data security posture management], which is really looking at the data observability, who's got access, what is protected. When we bought Satori, way before anybody bought other stuff, before Veeam bought Securiti, we said this is going to be an integrated part of the platform because customers shouldn't have to think about it. How can I give you observability and tell you who accessed your data, and how do I correlate that to AD or identity, if I don't have the signal built into my product for real enough time detection, real enough time analysis, real enough time AI application on recovery. We've taken the platform concept very seriously. We've also obfuscated SaaS versus on-premises versus cloud versus edge. Those artificial debates came about because some of my competitors didn't have those capabilities.

We have the capabilities. We're giving customers that capability. We're also saying we're going to make it easy for a hybrid customer to not have to think about, ‘Oh, this is my on-premises thing, so I’ve got to protect it this way. And that's my cloud thing. I got …’ No, you have on-premises, you dock in a Commvault HyperScale X [appliance], it wakes up, it sees all you've got, we discover it, we protect it, we secure it, we recover it. That whole lifecycle is taken care of automatically through the REST API.

It's integrated. That's the difference. If a customer has to do the engineering, I'm not adding a ton of value. I’ll give you an example. NetApp, HPE, AWS, pick your destination of choice. We make sure we're on the bleeding edge of connectivity with those new technologies, because I don't want my customers to have to go engineer it. So if I'm saying I support NetApp Product X or Pure Storage Product Y or HPE block storage Product Z, we engineered it so the customer doesn't have to. And then we stand behind the integration. If CrowdStrike is giving me feeds, I'm not having the customer go figure out what to do with the feeds. I'm doing the correlation for the customer. And if I look at that feed, and I look at my Active Directory anomaly detection, and I look at information on files that were encrypted and changed, I can see you have a problem here. That's the difference. We don't profess to be a security company. Security is implicit in what we do to protect our customers. It’s a different approach. …

[Maybe] it sounds a little nerdy, but it's important to understand. We've always had the most robust policy engine, which means whether you're backing up your mainframe or backing up old Oracle systems or backup from VMs or cloud-native, we had one policy engine that applied policy across it all. We've rewritten that policy engine to include identity and security. So now, with one policy engine, you can apply capabilities across your fleet so that you're not doing three things. You're doing it once, and AI is helping you do it.

Do you have an example?

Let's say we go discover a whole developer instance of AWS that we have been protecting, and that there are people accessing it that shouldn't really have access to it, like third parties or whatever. We won’t just give you that dashboard and say, ‘Now you go to the manual work.’ Our AI will say this, ‘This AWS instance looks a lot like this one. You want this policy applied here.’ And you go, ‘Heck yeah, okay.’ And then don't worry about it. We got this. We're doing that kind of work within the policy engine. That makes us very different. … We help the customer finish the last mile. We don't tell them what the problem is. We help them solve it.

How does Commvault work with AI?

We do three things. One is just using AI in the product to make the product easier, to enable views, troubleshoot, and deploy. Second is protecting AI and workloads. The third is everything to do with recovery, and that's where our strength is. [We recently] touched on synthetic recovery and Commvault clean room, which is something we brought to market two years ago and just gave a major update. Clean room is important technology because you're only as good as your confidence. How many times have you done it? And do you have an automated runbook where you can just hit a button and it knows exactly what you want to do so it can do it for you in bad times just like you did in good times. Our platform enables that.

And with this release, our Runbooks [are tied to] Active Directory [which can] create a runbook for your environment or your branch. We applied that technology so you can get that same level of automation inside the clean room so the last mile isn't manual, it’s automated. And then we took it one step further and said, ‘Oh, if you detect something here in Active Directory and you want to fix it, we can actually cut and paste it into a clean room and apply whatever you want to do there with it. And then you've got those two workflows automated.

How is Commvault using AI internally to improve processes?

All my executives have a responsibility to bring AI into their businesses in a productive way. The executive on point to champion it for us is our CIO Ha Hoang. We're doing what every other company does, really. We're testing some stuff. We've got policies on how we want to use it. We encourage employees in a ring-fenced way, but with some guidelines as to what tools they can and shouldn't use and how to use it. So if you want to use ChatGPT, you've got a license for it to protect the data. Because we're responsible to customers, we can't just have folks go off and be wrong.

We’re doing what most forward-thinking AI companies are doing. Every one of my leaders, or each of their functions, has an AI plan. And I'm encouraging it. We’re quickly taking it from vanity metrics to productivity metrics. You’re doing more, that's great. But are you driving productivity? Are you driving efficiency? Are you driving business growth? Going into our next fiscal year, those are going to be very detailed questions as part of our planning process. When adopting any new technology, I love vanity metrics. That means people are thinking about it. But I have to translate vanity metrics into productivity metrics.

My engineering team, as you would imagine, is fairly advanced in their use of AI tools for coding or security or QA or documentation. And now they're building their own capabilities and workflows, which used to be manual. Now they're integrating some of their AI workflows into their existing tool sets. We’re seeing broader adoption, group by group. … This is the year of encouragement, experimentation, trial, policy, and next year is going to be productivity and efficiency.

We’re close to the end of 2025. What are some of your strategic priorities for 2026?

The challenge customers are going to encounter with AI is data. And keeping that data safe, trusted, and available is something we believe we can help our customers as they get deeper into the AI journey. Everybody's concerned about infrastructure having enough GPU cycles. Do I do it on the cloud? Do I do it on-prem? All important stuff, but we believe that resilience in AI has to be built proactively, not reactively. We're going to spend a lot of time getting our customers through that. I don't like having three priorities for my employees. We have to help customers build resilience in the era of AI, understand it, and help them through it.

We did very well with the cyber piece three years ago. We brought that to market, and we've really helped customers be more resilient. It's not something you see every day, because if you get hit, you want to just quietly come back and not be noticed. You want your business back up. We help our customers every single day, so we want to do the same now with AI.

Anything else we need to know about Commvault?

I'm excited about AI and its potential as a business leader. I think, done right, productivity and efficiency should be a definite outcome. I don't think it's the be-all and end-all of life, but it's definitely going to be an interesting part of our life. Agents intrigue me. It really intrigues me how fast people are allowing them into their environments. Everybody's talking about agents, but they need to be protected. You're suddenly going to give this inanimate object, a non-human identity, access to your core systems with the ability to make decisions and learn from other decisions and evolve? That scares me. You gotta be careful. So we're taking a careful approach. How do we help customers be careful and in turn, how do we build capabilities that are careful with our technology?

We focus on workflows and are looking at access. Why is identity so important? It's one thing to know that I have 3,500 employees and a bunch of machine IDs and they do these things. It’s another thing to suddenly say I've got Salesforce agents, Dynamics agents, Copilots, something else, all touching my systems in some way. And at some point you go, ‘Who are these things, and what access do they have, and what are they able to change?’ We're excited about it. I think the potential is amazing but not unbridled. … We have to be careful. At least that's my approach. Let's be careful. Let's learn. This is one where you walk before you run.