Date: May 05, 2026
Circular Ref: HO/13/19/12(1)2026-ITD-1_CIMGI/10873/2026

Source: https://www.sebi.gov.in/legal/circulars/may-2026/advisory-on-emerging-advanced-artificial-intelligence-ai-tools-for-vulnerability-detection_101270.html

Background

The rapid evolution of advanced AI tools—such as Claude Mythos—has introduced a new class of cybersecurity risks for regulated entities across India’s securities ecosystem.

These tools can:

• Identify vulnerabilities at scale and speed

• Potentially enable exploitation

• Raise concerns around:

  • Data confidentiality

  • Application integrity

  • Reliability of outputs

SEBI has issued this advisory to proactively address these emerging risks.

Why This Matters for AIFs

Given the interconnected nature of market participants, a vulnerability in one entity can cascade across the ecosystem.

For AIFs, this directly impacts:

• Fund data security

• LP information confidentiality

• Portfolio company integrations

• Third-party vendor risk

SEBI emphasizes a coordinated and continuous approach to vulnerability management and threat intelligence sharing.

Key Regulatory Development: cyber-suraksha.ai Task Force

SEBI has constituted a dedicated task force “cyber-suraksha.ai” with participation from:

• MIIs

• QRTAs

• Regulated entities

• Other ecosystem stakeholders

Mandate:

• Assess cybersecurity risks from AI models

• Develop uniform mitigation strategies

• Enable threat intelligence sharing

• Report cyber incidents in real time

• Evaluate third-party vendor security posture

Key Action Points for AIFs & Regulated Entities

1. Patch Management

• Immediate updates of OS & applications

• Use virtual patching where fixes are unavailable

2. Continuous VAPT

• Regular vulnerability assessments

• Use both traditional + AI-based tools

3. Vendor Risk Management

• Ensure third-party vendors:

  • Conduct AI risk assessments

  • Deploy safeguards (patching, monitoring, hardening)

4. Change Management Discipline

• Full documentation

• Impact analysis

• Secure deployment practices

5. API Security Controls

• Maintain API inventory

• Strong authentication & authorization

• Rate limiting & whitelisting

6. SOC Monitoring & Automation

• Continuous monitoring of alerts

• Adopt SIEM + SOAR frameworks

• Onboard to Market SOC (M-SOC) where applicable

7. Risk Assessment Enhancements

• Include AI-driven threat scenarios

• Perform scenario-based testing

8. System Hardening

• Disable unnecessary services

• Implement:

  • Least privilege

  • Zero Trust (ZTNA)

9. Asset Visibility

• Maintain updated:

  • Asset inventory

  • Software Bill of Materials (SBOM)

10. Strategic AI Readiness

• Build long-term plans for:

  • AI-driven detection

  • Autonomous mitigation

  • AI-augmented SOC