
Upstox Originals

Does India have a strategy to contain AI attacks?


5 min read | Updated on May 08, 2026, 11:10 IST

SUMMARY

Imagine an AI model that hunts for software bugs while you sleep—and then learns how to exploit them before sunrise. This isn't a "Black Mirror" script; it’s the reality of many upcoming models. From stock markets to banks and hospitals, the rules of cybersecurity are being rewritten. In this article, we look at how Indian regulators are responding, and where the gaps remain. The question is no longer if AI will reshape cyber risk, but whether governance can keep up.

SEBI has recently flagged the cyber threat from AI models


In seven weeks, an AI model found over 2,000 software vulnerabilities that no human had ever spotted. Months' worth of work, done in weeks. It did not stop there — it could exploit them too. The model is Anthropic's Claude Mythos. The vulnerabilities were found during Anthropic's own controlled, pre-release testing.


But it has raised alarm bells among regulators worldwide, including in India. Just recently, SEBI named the model explicitly in an official advisory, which may have been the clearest signal yet that India's cyber threat landscape needs to take cognisance of this potentially rising threat.

In this article, we look at all the steps India is taking to safeguard critical industries.

The stock market's wake-up call

SEBI's concern is not merely that AI can find software bugs faster than humans. India's stock market ecosystem — consisting of exchanges, brokers, depositories and fund houses — is deeply interconnected. A vulnerability in one institution can cascade into others almost instantly.

SEBI's detailed directives

| Directives | What does it mean? |
| --- | --- |
| Patch all applications immediately | Fix known software weaknesses before AI scanners find them first |
| Conduct cybersecurity audits | Independent review of every system's defences |
| Regular vulnerability assessments | Ongoing, not one-time, checks for weak points |
| Enhance real-time network monitoring | Watch for threats as they happen, not after |
| Adopt a zero-trust architecture | No user or device is trusted by default — everyone must continuously prove identity |
| Review third-party vendor security | Your vendors' weaknesses become your weaknesses |
| Implement priority incident reporting | AI-linked attacks get reported faster than routine incidents |
| Share threat intelligence across market participants | What one institution learns, all institutions benefit from |
Source: News articles

Alongside this directive, SEBI constituted a dedicated task force — cyber-suraksha.ai — bringing together exchanges, registrars, and transfer agents to coordinate responses. This sits on top of SEBI's Cybersecurity and Cyber Resilience Framework, which already required all regulated entities to establish governance structures and incident response protocols.

Banking: RBI measures

The RBI has taken structurally significant steps, moving from recommendations to compliance.

RBI's key cybersecurity actions

| Measure | Requirements |
| --- | --- |
| Master directions on cyber resilience | Formal cyber policy, regular risk assessments, and mandatory incident reporting |
| Zero-trust architecture | Every employee, device, and transaction must be continuously verified, even inside the bank's own network |
| Authentication directions | Two-factor authentication; at least one factor must be dynamic (changes per transaction, like an OTP) |
| Advisory around AI chatbots | AI chatbots handling customer data must have API controls, anomaly detection, and board-level quarterly security reviews |
| Fraud detection | Real-time AI-powered fraud detection across India's digital payments ecosystem |
Source: News articles

Healthcare: The sector that cannot afford to wait

Healthcare needs more attention. Ransomware attacks on hospital systems can delay surgeries and interrupt ICU monitoring. The 2025 Star Health breach exposed data on 31 million policyholders. Yet India currently has no dedicated healthcare cybersecurity regulation.

The government launched SAHI (Strategy for Artificial Intelligence in Healthcare for India) and BODH (a benchmarking platform for health AI) in February 2026. These mandate pre-deployment validation of health AI tools. This is a great start, but the gap between "validating AI before launch" and "defending against AI-powered ransomware mid-operation" remains wide open.

The deepfake problem

One of India's sharper moves came in February 2026 — reducing the window for platforms to remove harmful AI-generated synthetic content from 36 hours to just 3 hours. The logic is straightforward: a deepfake video of a CEO announcing a fake corporate crisis, or a voice clone of a banker authorising a fraudulent transfer, does most of its damage in the first few hours. The amendment also requires visible labelling of AI-generated content and automated detection systems on large platforms.

What can India learn from the world?

A comparison with global peers shows where the gaps are.

| Country | Key action | India implication |
| --- | --- | --- |
| European Union | EU AI Act: classifies AI by risk level. High-risk AI (healthcare, critical infrastructure) must meet mandatory cybersecurity standards before deployment | India has no equivalent risk-classification system. |
| European Union | Digital Operational Resilience Act: Financial firms must regularly simulate AI-driven attacks on their own systems | RBI advisories recommend resilience testing but do not require red-teaming (hiring ethical hackers to attack your own AI systems) |
| South Korea | Has a comprehensive AI law, with risk-stratified rules and accountability requirements for foreign AI operators | No such law in India, as yet |
| United States | NIST Cybersecurity Framework for AI: A voluntary self-assessment toolkit that regulators can use as an audit benchmark | No equivalent national AI security standard |
Source: News articles

Final thoughts

India has built a real and functioning defence. CERT-In handled nearly 30 lakh cyber incidents in 2025 and ran 122 security drills across 1,570 organisations. The Union Budget 2025-26 allocated ₹782 crore to cybersecurity. The IndiaAI Mission onboarded 38,000 GPUs to reduce dependence on foreign AI infrastructure.

The urgency is not hypothetical. The question is whether the country's legislative machinery can keep pace with the technology it is trying to govern.

Disclaimer: Views and opinions expressed in the article are the author's own and do not reflect those of Upstox.

About The Author

Jay Mehta is a Senior Manager - Research at Upstox. He has over 10 years of experience in capital markets, spanning equity research, treasury management, investor communication/relations, corporate strategy, and business finance.
