The language the Reserve Bank of India chose in its bi-annual Financial Stability Report was deliberate and unambiguous. AI-enabled cyber attacks emerged as the most important near-term challenge for the Indian banking system, the central bank said, in comments that come amid heightened discussion around the capabilities of advanced AI systems.
The designation was the product of a formal survey process, not a theoretical assessment. The RBI said it undertook a survey on the system’s preparedness, which revealed that financial institutions have established robust practices in cyber risk management, particularly vulnerability assessment and penetration testing of critical information systems. Processes relating to regulatory reporting and board-level reporting of significant cyber incidents have also matured.
The survey’s more pointed findings, however, concerned the gaps that remain. Cybersecurity awareness and training for employees remain areas that require further strengthening. Similarly, forensic preparedness also needs improvement to strengthen incident response capabilities, preserve digital evidence, and facilitate regulatory and law enforcement investigations in the event of sophisticated cyber attacks. In other words, Indian banks have made meaningful progress in technical defenses while leaving the human and investigative layers of their security architecture comparatively underdeveloped.
What AI-Enabled Attacks Actually Look Like
The RBI’s formal designation of AI-enabled attacks as the top near-term threat is grounded in a documented and rapidly evolving threat landscape. The central bank’s own FREE-AI report, released in 2025, catalogued in technical detail how AI is being deployed offensively against financial institutions. AI can be used as a powerful tool for executing cyber attacks such as automated phishing, deepfake fraud, and credential stuffing at an unprecedented scale. The year 2024 witnessed a sharp rise in AI-generated phishing campaigns that leveraged natural language generation to craft personalised emails designed to evade spam filters and increase the success rate of credential theft.
The deepfake dimension of this threat has moved well beyond hypothetical risk. Deepfake audio and video are being used by malicious attackers to convincingly impersonate executives and officials, thereby bypassing the chain of approvals for transaction authorisation. Such deepfake photos and videos can also compromise the video KYC process. For Indian banks, where video KYC has become a central pillar of digital onboarding over the past several years, this represents a direct attack on a mechanism that regulators themselves encouraged the sector to adopt.
The RBI has released advisories specifically on AI-Accelerated Cyber Threats and Related Safeguards, framing the shift with a pointed regulatory signal: assume adversaries are already using AI and act accordingly. AI has moved from a support tool to a force multiplier, accelerating both innovation and cyber risk simultaneously.
The Stock Market Warning That Accompanied It
Beyond the banking sector’s direct cyber exposure, the Financial Stability Report also flagged a second AI-related risk with implications for India’s financial system. The RBI classified the AI-led stock market boom in some countries as a potential source of financial fragility, noting that recent outperformance of some emerging markets has been largely driven by AI-linked companies rather than broad-based strength.
Both remain sources of financial fragility, the report said, as sell-offs in AI-linked firms could cause broader market declines in the United States and cause spillovers to other markets through wealth effects. This concern reflects a structural feature of the current AI investment cycle: gains have been concentrated in a relatively small cohort of companies, which means any reassessment of AI valuations could ripple through markets in ways that broad diversification would not easily absorb.
The Compliance Architecture Being Built in Response
The Financial Stability Report’s threat designation sits within a wider regulatory mobilisation. The RBI now expects evidence that critical vendors, including cloud providers, core banking, AML, and KYC providers, have been independently assessed. Vendor questionnaires alone are no longer sufficient. API and digital-channel security has come under sharper supervisory scrutiny as digital lending and UPI volumes have grown.
Banks are required to adopt an advanced automated security stack capable of matching the speed of frontier AI models, including autonomous penetration testing platforms that simulate evolving attack vectors continuously without human intervention, and specialised tools to monitor data payloads flowing through permissioned architectures like the Unified Payments Interface and third-party fintech integrations.
The direction of regulatory travel is clear. India’s banks have built solid foundations in technical cybersecurity. What the RBI’s survey has now made explicit is that the next phase of risk does not arrive through conventional attack vectors where those foundations already hold. It arrives through AI-generated deception, compromised human judgement, and investigative gaps that no amount of penetration testing alone can close. Closing those gaps, the RBI has made plain, is no longer optional.
