KubeCon + CloudNativeCon India 2026

We have been coming to KubeCon for ten years and talking about supply chain security for at least five of those years. We know the attacks and the mitigations. We have the frameworks, the SBOM attestations and the CNCF projects.

So why are the houses still burning?

That is what this talk is about. Not the tools, you know the tools. The gap between knowing and doing. And what happens when AI arrives on both sides of that gap at the same time.

Every security vulnerability comes with a score. But no severity score captures what it costs to be the person who reads that advisory at two in the morning, maintaining a project in the hours between their actual job and life, for a community that depends on them.

GitHub RCE, Trivy supply chain attack, tj-actions compromise, the xz backdoor. CVSS rankings from High to Critical. And behind every one, a human.

Every technological wave has done this. Humans absorb the cost.

The CNCF TAG DevEx survey of nearly 100 projects confirms top concerns of maintainers include security vulnerabilities and the burden caused by a potential flood of low-effort PRs and issues.

This talk traces the human cost across real incidents, asks why the pattern keeps repeating, and explores what it would take to finally break it.

Key takeaways include empathy for the maintainers along with a demo of how the same AI could be used to help maintainers know whether a published CVE affects their project and to what extent.

In highly regulated fintech environments like Razorpay, compliance with RBI and PCI DSS mandates is a license to operate. A single misconfiguration can trigger severe penalties or risk payment licenses. However, traditional manual "audit toil" and late-stage production fixes create massive engineering friction and business risk.

This session explores a multi-layered, automated framework to map complex mandates directly into "Policy-as-Code" (PaC) controls. The speakers demonstrate how to move from periodic audit woes to "steady-state ops hygiene" using PaC across three critical layers: Proactive Controls (Shift-Left) to catch issues in CI/CD, Preventive Controls to block non-compliant workloads, and Detective Controls for continuous, automated evidence gathering.

You will learn how to translate abstract compliance standards into enforceable policies and immutable audit trails, reducing technical debt and satisfying regulators without slowing down innovation.

Most banks still depend on legacy core banking systems designed for on-prem infrastructure. But modern fintech workloads, real-time payments, AI systems, and evolving regulations like DPDP are forcing a very different architecture.
At Slice small finance bank, we took a different path - building and operating a deeply cloud-native banking platform on Kubernetes while handling strict uptime, security, and compliance requirements from day one.
In this short keynote, I’ll share some real engineering problems we faced while running regulated banking systems on cloud-native infrastructure:

• handling PII safely inside observability pipelines
• enforcing security and compliance at platform level
• rethinking legacy CBS assumptions for Kubernetes environments
• balancing reliability, developer velocity, and regulation together

This is not a tooling talk. It is about how regulation is starting to reshape cloud-native architecture itself.
As India’s fintech ecosystem grows, the patterns emerging here may influence how modern regulated systems are built globally.