SEBI issues AI vulnerability-risk advisory for regulated entities
Regulated entities must fold AI vulnerability risks into cyber controls
Change
SEBI issued a May 5, 2026 advisory directing regulated entities to address AI-led vulnerability detection risks under existing cybersecurity controls.
Why it matters
The advisory ties AI-led vulnerability detection risks to patching, vulnerability assessment, API security, SOC monitoring, vendor controls and cyber risk assessment. Eligible regulated entities must expedite onboarding to the Market SOC where not already onboarded. MIIs must support onboarding through awareness and handholding programs.
Implications
- — Cybersecurity teams at SEBI-regulated entities must include AI-led vulnerability detection risks in periodic cyber risk assessments — excluding AI attack scenarios leaves CSCRF risk coverage incomplete.
- — Application and infrastructure teams must update patching, API inventories, hardening controls, asset inventories and SBOM records — stale controls widen exposure to AI-accelerated vulnerability exploitation.
- — Eligible regulated entities must expedite Market SOC onboarding — entities outside M-SOC lose centralised 24x7 threat monitoring coverage.
Who is affected
- — Cybersecurity teams at SEBI-regulated entities
- — Application and infrastructure teams at regulated entities
- — Eligible regulated entities not onboarded to Market SOC