First published on: May 1, 2026 at 06:05 AM IST

Anthropic’s Mythos has put regulators on high alert. Mythos can identify security vulnerabilities in software systems, help plan attacks against them, and simulate how such attacks could unfold — abilities once limited to a small group of highly skilled humans. The advancement of such AI capabilities heightens the risk of bad actors using them to scale attacks on businesses, institutions, and critical infrastructure.

The Indian Computer Emergency Response Team (CERT-In) has since issued an advisory on the cyber risks posed by advanced AI systems, acknowledging the criticality of keeping pace with frontier AI cyber capabilities and recommending the reinforcement of baseline cybersecurity measures. The RBI is also discussing with banks the risk posed by such systems. The regulatory alarm should perhaps have come earlier. A 2026 Global Threat Report by cybersecurity firm CrowdStrike indicates that AI-enabled bad actors increased attacks by 89 per cent in 2025 over the previous year. Nonetheless, authorities in India should see this as an opportunity to bolster cyber resilience across the board. The question is: How should they go about it?

First, the government must shore up the security capabilities of smaller entities in critical sectors. While it seems that the government is looking to secure critical infrastructure like banking and telecom, not all entities have the same capacities. While giving evidence before the Parliamentary Standing Committee on Finance, the RBI acknowledged that cooperative banks lagged on security maturity and had been subject to cyberattacks.

Smaller entities like cooperative banks are going to lag on defences because they are resource-constrained. CERT-In’s advisory acknowledges this limitation and prescribes a set of instructions for smaller businesses. However, securing such entities does not necessarily require more regulation.
One report indicates that cooperative banks find cybersecurity compliance prohibitively expensive. A related issue is trusted vendors. When banks are looking for the lowest-cost option, they also become vulnerable to bad actors posing as cost-effective options.

The solution combines financial support with trusted implementation pathways. The government must create a corpus fund that can be used by smaller entities to strengthen their cybersecurity systems. Such a fund should be paired with a trusted vendor list that they may rely on to scan and secure their systems against threats. Pairing the fund with a trusted vendor list would also reduce the risk of misuse, poor-quality procurement, and malicious actors.

Second, the government must ensure that other areas of regulation do not inadvertently weaken cybersecurity. This requires a review of laws and proposed laws that may increase vulnerabilities in existing systems. The Draft Digital Competition Bill is one example. Broadly, the Bill prohibits mobile operating system companies from imposing restrictions on sideloading, inadvertently expanding the pathways through which malicious applications reach users. Such risks have already manifested in the cooperative banking sector. In 2025, cyber fraudsters made off with Rs 11.5 crore from the Himachal Co-operative Bank by tricking a customer into downloading a malicious application that gave them remote access to his phone, and then using that access to infiltrate its internet banking system.

Third, the government should resist the temptation to respond by restricting access to advanced AI systems altogether. While this does not seem to be on the anvil at the moment, the terms of reference for the recently constituted AI Governance and Economic Group empower it to classify AI use cases into categories such as “deploy”, “pilot” and “defer”, suggesting that access-based restrictions may become part of India’s AI governance toolkit.
Such an approach would be counterproductive, and should be avoided. Bad actors are unlikely to be constrained by legal frameworks.

With frontier AI systems like Mythos, what matters is not necessarily the number of weaknesses in a system, but which of those weaknesses can be exploited before they are fixed. This requires a departure from traditional cybersecurity approaches, which tend to treat vulnerabilities as discrete issues and overlook the interconnectedness of digital systems today. Such systems-level thinking must also inform national cybersecurity strategy. Planning must not only focus on large targets, but also address smaller and less apparent vulnerabilities that could serve as entry points into critical systems. India’s cybersecurity armour will only be as strong as its weakest link.

The writer is director of the Esya Centre, a think tank based in New Delhi. Views are personal.