<h2>Executive Summary</h2><ul><li><p>Converging AI, geopolitical, regulatory and supply-chain exposures have moved cybersecurity from an IT risk to <strong>a boardroom priority</strong></p></li><li><p>9 in 10 attacks today are AI-enabled, with evolving frontier models <strong>compressing breach timelines</strong> from weeks to minutes</p></li><li><p>Attack infrastructure is cheap and available on rent, putting <strong>sophisticated capability within reach</strong> of any actor with intent</p></li><li><p>The RBI mandates a cybersecurity expert on every regulated board, with CERT-In, SEBI and the DPDP Act <strong>tightening enforcement</strong> and pinning accountability directly on boards</p></li><li><p><strong>Boards must prioritise</strong> identity, endpoints and data, treating MFA, zero trust and frameworks like ISO/IEC 42001 as funded disciplines</p></li><li><p><strong>Preparedness means</strong> treating cybersecurity, AI governance and data protection as a single, board-owned agenda item</p></li></ul><p>Cybersecurity has moved from an IT risk to a boardroom priority. As geopolitical tensions, AI-driven cyberattacks and regulatory and supply-chain exposures converge, the threat environment has evolved faster than corporate governance structures. AI-enabled attackers can compress breach timelines into minutes, cyber activity increasingly precedes physical conflict rather than following it, and regulators are moving to pin accountability not just on tech functions, but directly on boards. Mandar Kulkarni examined how AI is reshaping the threat landscape. Drawing on his direct engagement with regulators, enterprises and government institutions across India on cyber resilience and responsible AI adoption, as well as on insights from a CISO community survey, he identified strategic questions the board and executive leadership must consider if they are to be prepared for the new normal.
</p><h2><strong>Cybersecurity's Boardroom Moment</strong></h2><p>A 2025 survey of 50 organisations found that cybersecurity now features in roughly 80% of board meetings, with most reporting some form of standing committee or oversight. In other words, most boards today treat cybersecurity as a stated priority. While Chief Information Security Officers (CISOs) claim they have the needed resources, they struggle to express security investments in terms a board can act on. This results in oversight that looks substantive on paper without necessarily translating into preparedness.</p><p>The RBI expects regulated entities to have a cybersecurity expert or an external consultant on the board itself, and its requirements for financial institutions leave little room for interpretation. SEBI imposes an additional layer of obligation on listed entities. CERT-In mandates a 6-hour breach-notification window, but the rule is enforced only patchily, partly because the agency’s resources are stretched, and partly because of genuine ambiguity over when a system outage becomes a reportable cyber incident. The DPDP Act will further tighten this requirement once its dedicated authority is operational, leaving boards less room to treat compliance as a paperwork exercise.</p><h2><strong>The Economics of an AI-Native Threat</strong></h2><p>Once viewed as a contained technical risk, cybersecurity is increasingly being treated as an instrument of pressure, including by state agencies. Across the ~1,500 threat actors that Microsoft tracks, half of them nation-state-linked, a pattern emerges: one of intensifying cyber activity ahead of physical conflict. Last year, India entered the global top-ten most cyber-attacked nations for the first time, with an estimated 15 million attack attempts coinciding with Operation Sindoor. A meaningful share of these were aimed at operations shaping narratives around government and corporate targets.</p><p>Economics is also driving this shift. 
Cybercrime has scaled into a multi-trillion economy, growing at 15-16% annually. Moreover, the ‘attack infrastructure’ no longer requires independent development, but can be rented cheaply. For instance, compromised credentials cost less than a dollar per thousand, and ransomware kits – which can potentially generate huge pay-offs – cost a few thousand dollars. Where a defensible 80% of attacks once left a harder 20% concentrated on banks and critical infrastructure, the rental model has erased that distinction and sophisticated attack capability is available to anyone with intent.</p><h2><strong>AI and the Expanded Attack Surface</strong></h2><p>Threat actors moved to full AI adoption well ahead of the enterprises they target. Roughly 9 in 10 attacks today involve AI-enabled adversaries, with the fastest recorded breach completed in 27 seconds – quicker than most organisations can generate an incident ticket. The two common ways into a system (social engineering and malware) remain the same, but AI has made both unrecognisable from their earlier forms. Phishing has moved from generic, easily-dismissed lures to messages that mimic a colleague's writing style and location closely enough to make a request for folder access more dangerous than a request for money.</p><p>Anthropic's Mythos Preview, released in April, demonstrated the ability to chain minor, individually low-risk vulnerabilities into a single working exploit, write the accompanying code and complete the process end-to-end without human intervention. OpenAI was forced to release a cyber-focused version of GPT-5 within a week. Every major model provider is now building for both sides of the cybersecurity equation, and the same capability will inevitably be repurposed by attackers.</p><p>The attack surface has expanded on three other fronts. 
Supply chain and third-party software remain largely outside organisations’ direct control, and a single compromised vendor can expose every downstream client at once. Devices outside formal management, such as personal laptops, smart home access, IoT and OT equipment, have grown faster than most security teams can inventory them. Every organisation now falls into one of two categories: those whose employees use sanctioned, secured AI tools; and those whose employees use AI tools unofficially because no alternative was provided. An employee converting a sensitive document into a presentation through a consumer AI tool is enabling a data leak the organisation may never detect.</p><h2><strong>Governance Response</strong></h2><p>The discipline boards should expect from their CIOs and CISOs is narrower than the threat list suggests: <strong>Protect identity, endpoints and data, in that order</strong>. Multi-factor authentication (MFA) and password-less access should be the baseline. The gaps are frequently at the top of the organisation rather than the bottom, because boards and senior executives who exempt themselves from MFA for the sake of convenience concentrate exposure exactly where it may be most damaging.</p><p>Zero-trust architecture has moved into implementation in the last two years. It represents a financial and cultural investment that boards should expect to fund and explain, not defer. In practice, this means data should be classified and protected by default rather than by exception. A document containing sensitive information must automatically be treated as confidential, and sharing it externally should require a deliberate, logged decision to reclassify it.</p><p>On AI specifically, India's regulatory direction is taking shape primarily through the RBI, whose emerging framework sorts AI systems into four risk tiers based on the EU’s AI Act.</p><p>Moving ahead, accountability will run across the entire value chain. 
The provider, deployer, distributor and importer are all independently liable and cannot defer responsibility by pointing to another link in the chain. A practical starting point recommended for boards is the AI management systems standard ISO/IEC 42001, since most emerging regulatory frameworks, including the RBI's, are expected to map back to it.</p><h2><strong>Building Resilience</strong></h2><p>A recent IBM report found that the average cost of a data breach in India in 2025 stood at ~Rs 220 mn and is rising roughly 13% annually. The averages run higher across manufacturing, transportation and industrial organisations. Following a ransomware attack last year, a global automotive major suffered a production halt that left its wholesale volumes down by a quarter. There is no starker reminder that a cyberattack is now a balance-sheet event with board-level consequences, and not just an incident contained within a single function.</p><p>Preparedness, in this environment, is not about claiming to be breach-proof. No organisation can credibly do so. It is about treating cybersecurity, AI governance and data protection as one board-owned resilience agenda rather than three separate compliance exercises, each reviewed on its own schedule by its own function.</p>
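<p>The Governance Response section argues that MFA gaps concentrate at the top of the organisation and that a headline coverage figure can hide them. The script below is an added example, not code from the article or from any of the organisations it mentions: it runs a tier-by-tier MFA audit over a constructed identity export. The record fields (<code>user</code>, <code>tier</code>, <code>mfa_enforced</code>, <code>exemption</code>) and the tier names are assumptions modelled on what an identity-provider export usually contains, and every account in the sample is fictitious.</p>

```python
"""Audit MFA enforcement tier by tier on a constructed identity export.

Added example: the record layout (user, tier, mfa_enforced, exemption) and
the tier names are assumptions, and all accounts below are constructed.
"""
from collections import defaultdict

# Constructed sample export. The headline number looks healthy (97 of 100
# accounts enforce MFA); every gap sits in a privileged tier.
IDENTITY_EXPORT = [
    {"user": "board.chair@example.com",  "tier": "board",     "mfa_enforced": False, "exemption": "convenience"},
    {"user": "ceo@example.com",          "tier": "executive", "mfa_enforced": False, "exemption": "travel"},
    {"user": "cfo@example.com",          "tier": "executive", "mfa_enforced": True,  "exemption": None},
    {"user": "domain.admin@example.com", "tier": "admin",     "mfa_enforced": True,  "exemption": None},
    {"user": "backup.admin@example.com", "tier": "admin",     "mfa_enforced": False, "exemption": "service account"},
] + [
    {"user": f"staff{i:03d}@example.com", "tier": "staff", "mfa_enforced": True, "exemption": None}
    for i in range(95)
]

# Tiers ordered by blast radius (assumed names); anything above "staff" is privileged.
PRIVILEGED_TIERS = ("board", "executive", "admin")


def coverage_by_tier(records):
    """Return {tier: (enforced, total)} for every tier present in the export."""
    counts = defaultdict(lambda: [0, 0])
    for r in records:
        counts[r["tier"]][1] += 1
        if r["mfa_enforced"]:
            counts[r["tier"]][0] += 1
    return {tier: (c[0], c[1]) for tier, c in counts.items()}


def overall_coverage(records):
    """Headline percentage a dashboard would show; it hides where the gaps are."""
    enforced = sum(1 for r in records if r["mfa_enforced"])
    return round(100.0 * enforced / len(records), 1)


def privileged_exemptions(records):
    """Privileged accounts without enforced MFA: the finding a board should see."""
    return [
        (r["user"], r["tier"], r["exemption"] or "no reason recorded")
        for r in records
        if r["tier"] in PRIVILEGED_TIERS and not r["mfa_enforced"]
    ]


def audit(records):
    """Combine the headline figure, per-tier coverage and the privileged exceptions."""
    return {
        "overall_pct": overall_coverage(records),
        "by_tier": coverage_by_tier(records),
        "privileged_gaps": privileged_exemptions(records),
    }


if __name__ == "__main__":
    result = audit(IDENTITY_EXPORT)
    print(f"Overall MFA coverage: {result['overall_pct']}%")
    for tier, (ok, total) in result["by_tier"].items():
        print(f"  {tier:<10} {ok}/{total} enforced")
    for user, tier, why in result["privileged_gaps"]:
        print(f"GAP  {tier:<10} {user}  ({why})")
```

<p>Reporting the privileged-tier list alongside the overall percentage is the point: on this sample the overall figure is 97%, while the board tier is at 0 of 1 and the executive and admin tiers at 1 of 2 each, which is exactly the exposure pattern the article describes. Replacing the constructed list with a real identity-provider export of the same shape is the only change needed to run it against an actual tenant.</p>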