Finance Minister Urges Banks to Harden AI Defences

Finance Minister Nirmala Sitharaman convened a high-level review with Ashwini Vaishnaw, RBI, NPCI, CERT-In and scheduled commercial bank chiefs to assess AI-driven cyber threats, citing concerns around Anthropic's Mythos. She directed banks to work through a coordinated institutional mechanism led by the Indian Banks' Association to build "something new and something far more versatile" to counter emerging threats and to report suspicious incidents immediately. The meeting included directions to evaluate investments, vendor dependencies, and how AI can be used defensively.

The concern centers on advanced foundation models that can autonomously scan for, and in some cases be used to exploit, software and infrastructure vulnerabilities. Anthropic described Mythos as potentially too dangerous for public release after internal findings that the model could identify major vulnerabilities. Banks were asked to:

• •create a real-time threat intelligence sharing mechanism interoperable with CERT-In and regulators;
• •engage top cybersecurity professionals and specialised agencies for continuous monitoring and security testing;
• •audit vendor and third-party dependencies.

Participants will map critical attack surfaces across banking workflows, prioritise quick wins for detection and containment, and standardise incident reporting. The government indicated direct engagement with model developers and global partners to understand failure modes of models like Mythos and to build mitigations. Banks were also asked to explore using AI defensively.

This is one of the first national-level, finance-sector responses focused explicitly on risks from generative and autonomous AI models rather than conventional cybercrime. The banking sector has relied on layered defenses, patching, firewalls, and process controls to date, but generative models change the threat calculus by automating vulnerability discovery and by scaling social-engineering attacks. The move mirrors international concerns voiced by regulators and IMF leadership and follows reports of unauthorized access attempts tied to advanced models.

Risk teams must broaden threat models to include AI-native vectors: automated code and infrastructure probing, scale phishing with context-rich personalization, and synthesis of cross-system attack plans. Defensive investments should prioritise telemetry, high-fidelity observability, and AI-aware security testing that treats models as both threat actors and defensive tools. Vendor risk management must now include model-access policies, data leakage controls, and contractual obligations around incident notification and model safety.

Expect near-term directives and coordinated exercises from the Indian Banks' Association and increased interaction between banks and CERT-In. Procurement cycles may shift toward specialised detection platforms, managed threat services, and contractual clauses for access controls on third-party models. Regulatory guidance from RBI on cyber resilience and reporting cadence is likely to follow.

The key open questions are whether banks will standardise an interoperable threat-sharing schema, how quickly RBI and other regulators formalise requirements, and whether engagement with Anthropic and other model developers yields practical mitigations. The government will also monitor geopolitical friction in West Asia for systemic exposures that could amplify cyber threats.

The finance ministry has elevated AI-driven cyber risk into a coordinated national response for the banking sector. Practitioners should accelerate model-aware threat assessments, ramp up observability and security testing, and prepare for tighter vendor controls and real-time intelligence-sharing mandates.