SEBI to issue AI advisory
- SEBI said it will soon issue an advisory for market intermediaries about operational risks from advanced AI models such as Anthropic’s Mythos and related cyber vulnerabilities.
- Chairman Tuhin Kanta Pandey flagged transparency, unified KYC reform (CKYC 2.0 due in July) and cyber threats as focal points for the guidance.
- The move shifts AI from an ethics debate into regulatory operations and will create demand for AI-use governance, cyber-control reviews and board-ready documentation.

(reuters.com) (cnbctv18.com)

Markets regulation is usually about disclosure, fraud, and plumbing. But this week SEBI made clear that generative AI now belongs on that list too. India’s securities regulator said it will soon issue an advisory for market intermediaries on vulnerabilities tied to advanced AI tools and related cyber risks. That matters because the problem is no longer just “should firms use AI?” — it’s “what breaks when they do?”

### What did SEBI actually say?

SEBI chairman Tuhin Kanta Pandey said on May 4 that the regulator will soon put out guidance for market participants on how to stay alert to vulnerabilities and mitigate them proactively. The comments came alongside a broader pitch for “optimum regulation” — not light-touch, not overbearing, but targeted at areas where market structure is getting riskier or more complex. In the same set of remarks, he also pointed to transparency, cyber preparedness, and KYC reform as active priorities.

### Why is AI suddenly a market-regulation issue?

Because AI tools are no longer just back-office helpers. Brokers, exchanges, depositories, registrars, and other intermediaries increasingly use automation for surveillance, onboarding, customer support, document handling, and internal workflows. That creates a new class of operational risk — bad outputs, model misuse, data leakage, prompt injection, and cyber weaknesses that spread through connected systems faster than old software failures did. SEBI’s message is basically that firms should treat AI as part of core market infrastructure risk, not a side experiment run by the tech team. That’s an inference from the regulator’s focus on vulnerabilities and mitigation, but it fits the direction of the remarks.

### Who will this hit first?

Market intermediaries. In India that usually means brokers, mutual-fund entities, depositories, exchanges, clearing corporations, and other regulated firms that sit between investors and the market.
SEBI has not yet published the advisory text, so the exact scope, timeline, and whether anything becomes mandatory are still unknown. But the immediate audience is clearly firms that operate market systems, handle investor data, or rely on automated decision tools.

### What kind of risks is SEBI worried about?

The public descriptions point to vulnerabilities from advanced AI models and adjacent cyber threats. Think of it less like a debate about robot ethics and more like a resilience checklist: can a model expose sensitive information, be manipulated by hostile inputs, generate unreliable outputs that slip into operations, or create a new attack surface inside a regulated institution? That is why Pandey paired the AI comments with a call for firms to use available tools to identify vulnerabilities early and respond before they turn into incidents.

### Why mention Mythos?

Several reports tied the warning to Anthropic’s “Mythos” and similar advanced models. The name matters less than what it signals — SEBI is talking about frontier-model risk, not basic rules-based automation. Once a regulator starts naming the newest class of tools, the compliance conversation changes. Boards, CISOs, risk teams, and legal teams now have to show they understand where those tools are used, what data touches them, and what controls sit around them.

### How does KYC fit into this?

Pandey also flagged problems around authentication and clarity in the CKYC pool, with CKYC 2.0 expected in July. That sits next to the AI advisory for a reason. Both are really about trust in financial data flows — who verified what, where the data came from, and whether systems can rely on it. AI makes weak data governance more dangerous, because automated systems can scale mistakes very fast.

### Is this a rule change?

Not yet. Right now it is an announced advisory, not a published rulebook. But advisories often shape exam expectations and internal governance long before formal enforcement language appears.
So even without penalties on paper, firms will likely start documenting AI use cases, tightening vendor reviews, and running cyber-control checks now rather than waiting.

### Bottom line

SEBI is pulling AI out of the abstract and into market operations. That is the real shift. Once a securities regulator starts framing advanced models as a vulnerability-management problem, AI governance stops being optional polish and starts looking like basic financial infrastructure hygiene.