Claude Mythos Raises Concerns Over AI-Driven Cyber Risks in Fintech

With systems like Mythos, we are beginning to see AI that can independently discover vulnerabilities, reason through how those vulnerabilities can be exploited, and iterate at a pace no human team can match. It's not just automation anymore; it's autonomy.

Rishi Verma, Head of Artificial Intelligence (AICoE), FSS.

Over the past few days, in conversations across the fintech and banking ecosystem, there has been a certain urgency that doesn't typically accompany discussions around new technology.

The trigger, of course, is Claude Mythos. The Finance Minister recently flagged unprecedented risks that AI could pose to the BFSI sector. She stressed that there is a greater need for vigilance. Even the early signals from this model have been strong enough for industry bodies like the Fintech Association for Consumer Empowerment (FACE) to advise firms to strengthen their cyber defences. The industry is not reacting to an incident; it's reacting to a possibility. And in my view, that possibility is very real.

This Isn't Just Another Tech Cycle

For years, cybersecurity has operated within a familiar rhythm. Attackers probed systems, defenders responded. There was always a gap, sometimes uncomfortable, but manageable. Human effort, layered controls, and periodic audits kept things in check.

What's changing now is not just the sophistication of attacks, but the nature of the attacker. With systems like Mythos, we are beginning to see AI that can independently discover vulnerabilities, reason through how those vulnerabilities can be exploited, and iterate at a pace no human team can match. It's not just automation anymore; it's autonomy. That distinction matters. Once discovery and exploitation both start operating at machine speed, the economics of cybersecurity change completely.

Why This Hits Close to Home for India

India's fintech story is something we should be proud of. India has built one of the most advanced digital financial ecosystems in the world, with real-time payments, open APIs, and deep integration across platforms.

Through a security lens, however, that same architecture creates a very different picture. Each connection adds value, but it also adds a layer of dependency. Not all of those layers are equally secure, and not all vulnerabilities are visible in isolation.

The reality is that modern fintech systems are built on top of legacy banking infrastructure. These are complex, interconnected environments, and complexity is exactly where intrusive intelligent systems thrive when looking for weak points.

But the biggest concern is something simpler: speed. AI can scan, analyse, and identify vulnerabilities in hours. In contrast, most enterprise remediation cycles still take days, sometimes weeks. That gap creates an exposure window that is not just risky but vulnerable.

Rethinking Security, Fundamentally

We can't continue to treat cybersecurity as a periodic activity. Security has to become continuous. It has to become predictive and autonomous. This means moving beyond traditional approaches and embracing systems that can constantly scan codebases, simulate attack scenarios, prioritise risks, and even trigger remediation with human intervention at every step. In simple terms, we are moving toward a world where AI will be defending against AI. And the organisations that accept this early will be far better positioned than those that don't.

The Role of Regulation

MeitY has already been engaging with authorities and governments globally, and the FM has also directed the Indian Banking Association to work together with banks and their technology partners on these concerns. It is encouraging to see that conversations are already starting at the regulatory level, both globally and in India. We will need to go further: build strict frameworks that specifically address AI in cybersecurity, how these systems are governed, how their decisions are audited, and how access to high-capability models is controlled. India has a real opportunity here to lead, not follow.

India is shifting its focus to identifying and assessing risks emerging from AI, alongside diving into its innovation and application in various sectors. This is creating a strong foundation to build a more resilient growth trajectory. It's important to monitor AI's capabilities and expose vulnerabilities, to eliminate them faster and more effectively than ever before.

Fintech firms are already exploring how they can use such remedial systems internally, not to break systems, but to strengthen their core systems to combat risks. That moves us from reacting to threats to anticipating and addressing them in real time.

Where We Go from Here

This is not an incremental change. It's a reset. Security can no longer sit on the side as a compliance requirement; it has to be embedded into core architecture, powered by the same intelligence that is reshaping the threat landscape.

Because in the end, this won't be about who has the strongest systems on paper. It will come down to something much simpler: who can adapt faster. And in a world where AI is part of both the problem and the solution, that speed of adaptation will define everything.

 
