DEADLINE ALERT: The Reserve Bank of India has directed all regulated entities to complete a board-approved AI gap assessment and submit a time-bound action plan by 30 June 2026. That deadline is days away.
If your bank has not yet started this process, the window to act is closing fast. This post explains exactly what the RBI has mandated, why it was triggered, and what non-compliance means for your institution.
Why the RBI Issued This Directive
The Reserve Bank of India’s directive is a direct response to the growing capability of frontier AI models — advanced systems that can analyse code at scale, generate exploits, and identify software vulnerabilities that human analysts would take months to find.
Finance Minister Nirmala Sitharaman explicitly flagged Anthropic’s Mythos model in April 2026 as a specific threat example. Mythos is capable of detecting zero-day vulnerabilities (previously unknown software flaws that have not yet been patched) and is now accessible in over 15 countries, including India.
The concern is not hypothetical. These models can be weaponised to probe banking infrastructure, discover exploitable gaps in core banking systems, payment gateways, and API layers, and facilitate targeted attacks on financial institutions before defences are in place.
The RBI stated at its latest Monetary Policy Committee meeting that it remains fully prepared to address cybersecurity threats from advanced AI, and has already issued advisories to regulated entities on preparedness. This mandate is the formal follow-through.
What the RBI Has Mandated — In Plain Terms
The directive applies to all RBI-regulated entities: scheduled commercial banks, private sector banks, cooperative banks, NBFCs, payment system operators, and other financial institutions under RBI supervision.
Five obligations under the mandate:
- Conduct a board-approved AI gap assessment — a structured evaluation of the institution’s current AI preparedness, governance, and security posture against the risks posed by advanced AI systems.
- Establish a structured cybersecurity framework — or demonstrate that the existing framework has been reviewed and updated to address AI-specific threat vectors.
- Conduct an AI-focused risk assessment — identifying where AI systems are deployed, what risks they introduce, and where vulnerabilities exist.
- Identify and document system vulnerabilities — specifically in the context of how frontier AI models could exploit them.
- Submit a time-bound corrective action plan — a prioritised remediation roadmap, approved at board level, to be submitted to the regulator by 30 June 2026.
Key Point: Board Approval is Non-Negotiable
The RBI has explicitly required board-level approval on both the gap assessment and the action plan. This is not an IT department deliverable. It requires formal governance sign-off and board-ready documentation.
What an ‘AI Gap Assessment’ Actually Means
Many institutions are asking: what exactly should this assessment cover? Based on the mandate’s intent and global best practices, a complete AI gap assessment for an RBI-regulated entity should address:

1. AI Governance & Policy Readiness
- Does the institution have an AI governance policy?
- Are there defined roles for AI risk ownership?
- Has the board received any AI risk briefing in the last 12 months?
2. AI Inventory & System Mapping
- What AI systems are currently deployed or under evaluation?
- Are third-party AI tools and vendor-supplied AI components documented?
- Is there visibility into AI use in fraud detection, credit decisioning, and customer-facing systems?
3. Cybersecurity Exposure to AI-Enabled Threats
- Are systems assessed against AI-augmented attack scenarios?
- Are zero-day vulnerability management processes in place?
- Are API interfaces and cloud infrastructure reviewed for AI-specific risk?
4. Data Protection & Localisation Compliance
- Do AI tools deployed in the organisation comply with India’s data localisation requirements?
- Is customer data being processed by AI systems hosted outside India?
5. Operational & Third-Party AI Risk
- What AI tools are vendors and technology partners using on behalf of the institution?
- Are third-party AI risk assessments being conducted?
Why This Matters Beyond the Deadline
Banks that treat this as a checkbox compliance exercise will miss the point — and the opportunity. The RBI’s mandate signals a structural shift in how Indian regulators will assess AI risk going forward. Institutions that establish a mature AI risk posture now will be ahead of the regulatory curve when formal AI governance guidelines follow — which they will.
The risks are also commercial. A bank that cannot demonstrate AI security governance to its board, regulators, and counterparties faces reputational exposure, potential supervisory scrutiny, and operational vulnerability to the exact threats the RBI has flagged.
What Happens Next?
The RBI has already stated it is coordinating with CERT-In and other agencies on AI-related cyber threats. Regulated entities that submit incomplete or superficial action plans should expect follow-up scrutiny. The mandate is a starting point, not a finish line.
Institutions that move fast, engage the right expertise, and produce rigorous documentation will be in the strongest position both with the regulator and with their boards.
ValueMentor is a specialist AI Security & Assurance practice with deep expertise in AI Governance, AI Risk Management, and AI Security. We work exclusively with regulated financial institutions, helping banks, NBFCs, and payment operators build defensible AI governance frameworks, conduct rigorous AI risk assessments, and produce board-ready reporting that meets regulatory expectations.
If your institution needs to comply by June 30, contact us today. We can mobilise immediately.