In a signal that India’s financial regulators are beginning to treat artificial intelligence not merely as a productivity tool but as a new class of cyber-risk accelerator, the Securities and Exchange Board of India has issued an advisory to a wide range of market intermediaries on emerging AI-driven vulnerability detection tools, including platforms such as Claude Mythos.
The advisory, issued on May 5, 2026, is addressed to nearly every major category of regulated securities-market participant: alternative investment funds, clearing corporations, credit-rating agencies, custodians, depositories, investment advisers, research analysts, KYC registration agencies, merchant bankers, mutual funds, asset-management companies, portfolio managers, stock brokers, stock exchanges and venture capital funds, among others.
At the heart of SEBI’s warning is a paradox that has increasingly unsettled cybersecurity professionals: the same AI systems that can identify vulnerabilities at speed and scale can also make those vulnerabilities more visible, more exploitable and more dangerous if used maliciously or without adequate safeguards.
FCRF Academy Launches Premier Anti-Money Laundering Certification Program
A New Kind of Market-Wide Cyber Threat
SEBI’s circular frames AI-led vulnerability detection tools as part of a broader shift in emerging technology risk. These tools, the regulator said, can identify and potentially enable exploitation of existing vulnerabilities with unprecedented speed and scale. The concerns extend beyond direct hacking risk to questions of data confidentiality, application integrity and the reliability of AI-generated outputs.
That formulation is important because it places the risk not only in the hands of attackers, but also inside the institutions that may adopt or interact with such tools. A vulnerability scanner powered by advanced AI may help a bank, broker or exchange detect weaknesses faster. But the same capability, if poorly governed, could expose sensitive systems, leak internal data, generate unreliable assessments or become part of a wider attack chain.
For India’s securities markets, where trading, settlement, investor onboarding, fund management and depository systems are deeply interconnected, the concern is not limited to one company’s security failure. SEBI explicitly warned that the interdependency of market participants requires a coordinated approach to vulnerability management, information sharing and monitoring to prevent cascading impact across the securities ecosystem.
The Creation of cyber-suraksha.ai
To address these risks, SEBI has constituted a task force called cyber-suraksha.ai, bringing together representatives from market infrastructure institutions, qualified registrars and transfer agents, qualified regulated entities and other stakeholders. Its mandate is broad and unusually forward-looking.
The task force has been asked to examine cybersecurity risks posed by AI-based models and devise a uniform mitigation strategy. It will also facilitate sharing of threat intelligence, best practices, vulnerability-management playbooks and use cases for responding to AI-linked threat vectors.
The advisory also places emphasis on fast reporting. Cyber incidents, malicious activity, significant attack vectors and vulnerability-related information must be reported on priority when they are relevant to strengthening the cybersecurity posture of the securities market. SEBI has also asked the task force to review the cybersecurity posture of third-party application service providers, including empaneled vendors.
This reflects a growing regulatory view that cyber resilience cannot be confined to the perimeter of a single regulated entity. Exchanges, depositories, brokers, vendors, APIs and outsourced technology systems operate as part of a shared market infrastructure. A weakness in one node can become a systemic concern.
Immediate Measures: Patches, APIs, SOCs and Vendors
The advisory attached to the circular sets out a detailed operational checklist for regulated entities. SEBI has directed institutions to update operating systems and applications with the latest patches immediately. Where patches are not available, entities may consider virtual patching as an interim defensive measure.
The regulator has also called for regular or continuous vulnerability assessment and security audits, using conventional tools and suitable AI-based vulnerability assessment tools where possible. Third-party vendors have been brought directly into the compliance frame, with SEBI asking regulated entities to engage with vendors for timely patches and appropriate deployment. Exchanges and depositories have been told to direct empaneled application vendors providing commercial off-the-shelf solutions to assess risks arising from AI-led vulnerability detection models and implement safeguards such as patching, VAPT, continuous monitoring and hardening.
SEBI’s focus on API security is especially notable. The advisory calls for a regularly updated inventory of all APIs and applications using them, strong authentication and authorization, least-privilege access, API rate-limiting and throttling, and a strict whitelist-based approach for API connections.
The circular also asks entities to strengthen Security Operations Centre monitoring. Low-priority alerts should be examined adequately, and where feasible, entities should implement tested SOAR playbooks integrated with SIEM systems. Eligible regulated entities that have not yet onboarded with the Market SOC established by NSE and BSE have been asked to expedite the process.
From Defensive Compliance to AI-Era Resilience
Beyond immediate controls, SEBI’s circular points toward a longer regulatory transition: from conventional cybersecurity compliance to AI-era cyber resilience.
The advisory asks regulated entities to conduct risk assessments under SEBI’s Cyber Security and Cyber Resilience Framework, including their third-party service providers. These assessments must include scenario-based testing of internal and external cybersecurity risks, and SEBI said the capability of AI-based models may be considered as one such risk scenario.
Entities have also been told to implement system hardening through secure configurations, disabling unnecessary services and default accounts, least-privilege access and Zero Trust Network Access. SEBI has called for periodic updates to asset inventories and software bills of materials for critical applications, including open-source stacks.
The final direction is perhaps the most strategic: market infrastructure institutions and other regulated entities must seek guidance from their IT committees on mitigating risks from AI-led vulnerability detection models. They must also prepare a long-term plan for the use of AI in detection and autonomous or agentic mitigation, including recalibration of risks for AI-accelerated threats, AI-augmented SOC transformation and continuous vulnerability management using AI tools.
For India’s securities market, the message is clear. AI is no longer being treated as a distant technology trend or an optional efficiency layer. It is now part of the risk architecture of financial markets, requiring board-level attention, vendor accountability, continuous monitoring and coordinated response across the ecosystem.
