Artificial Intelligence and Cyber Resilience: SEBI’s Advisory on Vulnerability Detection Tools

INTRODUCTION

On 5 May 2026, the Securities and Exchange Board of India (“SEBI”) issued an Advisory on Emerging Advanced Artificial Intelligence (AI) Tools for Vulnerability Detection (“Advisory”). The Advisory is the latest regulatory development in a series of interventions by SEBI on the use of AI.

The Advisory is also India’s first regulatory response to risks posed by AI-driven vulnerability identification tools that have demonstrated the capability to identify and exploit vulnerabilities at machine speed and scale (such as Mythos by Claude). It applies to all SEBI-regulated entities, including stock exchanges, clearing corporations, depositories, mutual funds, brokers, portfolio managers, and other intermediaries (“Regulated Entities”).

This article provides an overview of the key measures introduced by the Advisory.

CONSTITUTION OF TASK FORCE

SEBI has constituted a dedicated task force named “cyber-suraksha.ai”, comprising representatives from stock exchanges, clearing corporations, depositories, registrars and transfer agents, and other significant Regulated Entities. 

The task force’s mandate is to (a) closely examine cybersecurity risks posed by AI models and devise uniform mitigation strategies; (b) facilitate the sharing of threat intelligence and best practices; (c) report cyber incidents on a priority basis; and (d) review the cybersecurity posture of third-party application service providers, including empanelled vendors.

SEBI issued the Advisory in consultation with the task force.

USE OF AI IN CYBERSECURITY

Regular vulnerability assessments using AI tools: The Advisory requires all Regulated Entities to consider the use of AI-based vulnerability assessment tools for their security assessments. However, given SEBI’s express concern about “reliability of outputs” by AI, every AI-flagged vulnerability ought to be validated by a human before remediation action is taken.

Long-term AI strategy and governance: Notably, the Advisory requires all Regulated Entities to prepare a long-term plan for the use of AI in detection and autonomous or agentic mitigation. Entities must also recalibrate risk thresholds for AI-accelerated threats, pursue AI-augmented SOC transformation, and implement continuous vulnerability management using AI tools. 

MEASURES AGAINST CYBERSECURITY THREATS POSED BY AI

Risk assessment incorporating AI threat scenarios: SEBI recognises the risks posed to the securities market by AI-driven vulnerability identification tools. Accordingly, the Advisory requires that Regulated Entities undertake risk assessments under SEBI’s Cyber Security and Cyber Resilience Framework (“CSCRF”) by considering the capability of AI models as a distinct “risk scenario”.

Immediate system-wide patching: The Advisory directs Regulated Entities to update all operating systems and applications with the latest patches on an immediate basis. Where a Regulated Entity engages third-party vendors, it must work with those vendors to release and deploy patches in a timely manner. Regulated Entities ought to review their service provider relationships to ensure that: (a) vendors are contractually obliged to release patches within defined timelines; (b) vendors undertake to conduct AI-specific risk assessments of their products; and (c) Regulated Entities have audit rights to verify the vendor’s cybersecurity posture.

Stringent change management: The Advisory requires that any change in systems, including minor changes, be accompanied by full documentation, thorough impact analysis, structured review, rigorous testing, and secure deployment.

SEBI’s CSCRF already requires change management processes and vulnerability-assessment penetration testing for major releases. The Advisory makes “testing” an integral part of every change, and removes the “major release” threshold, making the obligation applicable to minor changes as well. 

API security strengthening: Regulated Entities must (a) regularly update an inventory of all APIs and the applications using them; (b) ensure strong authentication and authorisation mechanisms with least-privilege access; (c) implement API rate limiting and throttling to prevent and detect abuse; and (d) adopt a whitelist-based approach for all API connections.

SOC monitoring and expedited Market-SOC onboarding: In addition to the CSCRF standards, the Advisory emphasises that even low-priority alerts must be rigorously monitored. The Advisory also requires Regulated Entities that have not yet onboarded with the Market-SOC (operated by BSE and NSE), despite being required to do so under SEBI’s CSCRF, to expedite such onboarding.

System hardening and zero-trust adoption: Regulated Entities must implement system hardening by adopting secure configurations, disabling unnecessary services and default accounts, and enforcing least privilege and Zero Trust Network principles to minimise attack surfaces.

Notably, under the CSCRF, certain types of Regulated Entities are exempted from implementing zero-trust architecture and these detailed hardening measures. Given that SEBI requires the Advisory to be read in conjunction with the CSCRF, these exempted Regulated Entities would continue to be exempted from these requirements. That said, given that the regulatory intent behind the Advisory is to equip Regulated Entities to face AI-enabled threat vectors, all Regulated Entities should consider complying with these requirements. 

Asset inventory and software bill of materials: The Advisory requires periodic updating of asset inventories and the Software Bill of Materials for all critical applications, including open-source stacks.

CONCLUSION

SEBI has become one of the first regulators globally to recognise the unprecedented security risks posed by AI-powered vulnerability detection tools. The Advisory reflects the urgency of SEBI’s view that AI-powered vulnerability detection has fundamentally altered the threat landscape for the securities market. The Advisory is not a routine cybersecurity circular with a deferred timeline for compliance; the regulator intends to prescribe immediate actions.

The Advisory also makes it clear that cybersecurity and AI governance are now inextricably linked and that the regulator expects Regulated Entities to invest in defensive AI capabilities as a permanent feature of their cybersecurity architecture.