SEBI issues AI vulnerability-risk advisory for regulated entities
→Regulated entities must fold AI vulnerability risks into cyber controls
Change
SEBI issued a May 5, 2026 advisory directing regulated entities to address AI-led vulnerability detection risks under existing cybersecurity controls.
Why it matters
The advisory ties AI-led vulnerability detection risks to patching, vulnerability assessment, API security, SOC monitoring, vendor controls and cyber risk assessment. Eligible regulated entities must expedite onboarding to the Market SOC where not already onboarded. MIIs must support onboarding through awareness and handholding programs.
Implications
- → Cybersecurity teams at SEBI-regulated entities must include AI-led vulnerability detection risks in periodic cyber risk assessments — excluding AI attack scenarios leaves CSCRF risk coverage incomplete.
- → Application and infrastructure teams must update patching, API inventories, hardening controls, asset inventories and SBOM records — stale controls widen exposure to AI-accelerated vulnerability exploitation.
- → Eligible regulated entities must expedite Market SOC onboarding — entities outside M-SOC lose centralised 24x7 threat monitoring coverage.
Full decision brief
See the decision layer
Use 1 free preview to unlock implications, who’s affected, what to watch, and Clarify for this brief.
2 free previews left this month · Resets 1 Jun
Source
View on SEBI