India's central bank orders banks to assess AI cyber risks

India’s central bank moved to force banks to confront the cybersecurity risks of frontier artificial intelligence, ordering them to assess exposure from advanced models such as Claude Mythos and submit mitigation plans by the end of June. The Reserve Bank of India is signaling that AI is now a banking-stability issue, not a distant technology debate.

The directive sits on top of a broader RBI effort to define responsible AI in finance. The central bank constituted the FREE-AI committee on December 26, 2024, after a development-and-regulatory-policy announcement on December 6, 2024, and published the committee report on August 13, 2025. That report was built after extensive stakeholder deliberations and laid out 7 Sutras, 26 actionable recommendations and six strategic pillars, including a suggested board policy on AI and an indicative AI incident-reporting form.

The RBI’s 2026 annual report showed the regulator was already pushing the issue deeper into supervision. It said draft directions on model risk management, covering models that use AI and machine learning, were in the final stages of completion. The same report said the FinTech Department expanded CBDC pilots, ULI and MuleHunter.ai, while the Department of Supervision began measures to strengthen cyber mapping of financial systems.

The timing matters because banks are rapidly embedding AI into customer service, document processing, credit assessment, risk monitoring and oversight. That brings clear efficiency gains, but it also widens the attack surface through model errors, fraud, bias, cyber exposure and dependence on outside vendors. Banks with thinner model governance, older core systems and heavier vendor reliance are likely to face the steepest compliance burden, because the RBI’s June deadline leaves little room for vague policy language and forces institutions to show where the controls actually sit.

Senior RBI officials have been warning about that tension for months. T. Rabi Sankar said in October 2025 that AI carries a dual narrative: it can improve efficiency and inclusion, but if left unattended it could pose unprecedented threats. In April 2026, Swaminathan J said AI was already reshaping how institutions serve customers, process documents, assess credit, monitor risks and strengthen oversight, while stressing that finance must remain fair, accountable, inclusive and humane.

The June order makes that message immediate. Banks now have to turn AI ambitions into board oversight, incident reporting, technical controls and cyber resilience by month-end, a clear sign that the RBI intends to treat AI governance as part of everyday prudential supervision.