AI Cyber Risk Puts Indian Boards Under CERT-In’s Clock
AI cyber risk, the cybersecurity pressure created by artificial intelligence, has become a board-speed problem in India. In its AI-assisted exploitation blueprint, the Indian Computer Emergency Response Team (CERT-In, India’s national cyber agency) now urges organisations to contain known exploited vulnerabilities on internet-facing and crown-jewel systems within a half-day window where feasible, while attackers are using automation to find, test, and scale flaws faster than manual patching programs can answer.
The board question is blunt: can management name every exposed system, owner, dependency, exception, and recovery path before an attacker turns a public weakness into a live intrusion? That moves cyber oversight from quarterly dashboards to operational evidence.
The Half-Day Clock Reaches the Boardroom
CERT-In published its blueprint on May 25, 2026. The most important part for directors is buried in the vulnerability and patch management section: a known exploited vulnerability affecting internet-facing and crown-jewel systems calls for immediate containment, with patching, mitigation, or exposure removal within 12 hours where feasible.
That is a half-day governance test, not a standard patch ticket. A chief information security officer can buy tools and write procedures, but only the board can force business owners to accept emergency downtime, temporary isolation, customer-impact trade-offs, and vendor escalation when a live exploit is moving faster than a change-control calendar.
CERT-In also ties response to reporting. Its earlier cyber directions require severe cyber incidents, data breaches, large-scale intrusions, ransomware spread, and incidents affecting human safety to be reported within six hours of being noticed. The new blueprint keeps that reporting clock in the same conversation as rapid containment. For boards, those two clocks should sit on the same dashboard: how fast the firm knows, and how fast it acts.

Exploit Economics Have Moved Against Slow Firms
Google Threat Intelligence Group (GTIG, Google’s threat research unit) reported that its 2025 zero-day review tracked 90 zero-day vulnerabilities exploited in the wild. It also found that 43 of them, or 48 percent, hit enterprise technologies such as security appliances, networking gear, and business software.
- 90 zero-days were tracked by GTIG as exploited in the wild during 2025.
- 43 of those flaws affected enterprise software and appliances, the highest raw number in Google’s dataset.
- -7 days was Mandiant’s estimate for mean time to exploit in 2025, meaning exploitation was often seen before a patch was released.
Mandiant, Google Cloud’s incident-response arm, added another timing signal in the M-Trends 2026 frontline report. It said exploits remained the most common initial infection vector for the sixth consecutive year, accounting for 32 percent of intrusions in its investigations. It also said the handoff from initial access to a secondary threat group collapsed from more than eight hours in 2022 to 22 seconds in 2025.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) maintains the Known Exploited Vulnerabilities catalog for flaws already abused in the wild. Its official data file showed 1,607 entries in the May 29, 2026 catalog version. That list should matter to Indian boards even when CISA is not their regulator, because vendors, insurers, cloud platforms, and global customers increasingly use it as a shared shorthand for exploit urgency.
India’s Exposure Sits in Dependencies
India’s risk is larger than the servers a company owns. Banks, insurers, hospitals, IT services firms, public platforms, manufacturers, and retailers sit on layers of software-as-a-service tools, cloud workloads, open-source packages, application programming interfaces (APIs, software gateways that let systems exchange data), managed service providers, and outsourced operations.
That dependency map is where AI-speed attacks become commercial pressure. If a customer can prove its environment continuously and a vendor can only offer a monthly scan report, the gap turns into a contract issue. If a third-party platform is breached, the Indian firm still faces questions about supplier due diligence, identity controls, data exposure, and incident reporting.
The Digital Personal Data Protection Act, 2023 adds another board layer. The official DPDP Act text requires data fiduciaries to protect personal data with reasonable security safeguards, notify the Data Protection Board of India and affected data principals after a breach, and face inquiry or penalties when obligations are breached. That makes vendor visibility a legal-risk input, not just a procurement preference.
One weak supplier can now create three parallel problems: an operational outage, a cyber incident report, and a data-protection inquiry. Boards that still review cyber risk only through enterprise-wide heat maps will miss the route attackers prefer, which is often the least governed seam between two organisations.
Board Metrics Need a Faster Clock
The useful board pack is changing. Directors do not need a live console of every alert, and most should not pretend to run a security operations centre (SOC, the team that monitors and responds to cyber events). They need a small set of evidence that proves the organisation can find exposure, decide under stress, and act without waiting for a quarterly forum.
| Board Question | Legacy Answer | AI-Speed Answer |
|---|---|---|
| What assets are exposed? | Annual inventory and scan summary | Continuously updated asset list with owners and internet exposure |
| Which flaws matter first? | Severity score and patch backlog | Known exploitation, public exposure, business criticality, and compensating controls |
| Who can approve disruption? | Change advisory board review | Pre-approved containment paths for crown-jewel systems |
| How is vendor risk measured? | Questionnaire and contract clause | Evidence of patch status, incident notice timing, logging, and recovery testing |
The board metric that deserves more attention is exception age. Every organisation has systems that cannot be patched immediately: core banking links, hospital devices, factory systems, legacy enterprise applications, and fragile vendor integrations. The governance failure starts when exceptions have no owner, expiry date, or compensating control.
A better pack shows the number of crown-jewel assets, the share with verified owners, the known exploited vulnerabilities open against them, the median time to contain, and the oldest unresolved exception. That turns cyber talk into a record directors can challenge.
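The pack described above can be computed directly from inventory, finding, and exception records. The following is an added example, not part of the original article or of any CERT-In material: the record layout, asset names, owners, and finding ids are constructed, and it assumes the fast clock covers assets that are crown-jewel or internet-facing.

```python
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(hours=12)  # indicative containment window cited in the article

# Constructed sample records; every name, owner and finding id is hypothetical.
ASSETS = {
    "payments-gw": {"crown_jewel": True, "internet_facing": True, "owner": "a.rao"},
    "core-ledger": {"crown_jewel": True, "internet_facing": False, "owner": None},
    "vpn-edge": {"crown_jewel": False, "internet_facing": True, "owner": "s.iyer"},
    "wiki": {"crown_jewel": False, "internet_facing": False, "owner": "k.das"},
}
FINDINGS = [  # (id, asset, detected, contained or None if still open)
    ("KEV-A", "payments-gw", datetime(2026, 5, 30, 9), datetime(2026, 5, 30, 15)),
    ("KEV-B", "vpn-edge", datetime(2026, 5, 28, 8), datetime(2026, 5, 29, 4)),
    ("KEV-C", "core-ledger", datetime(2026, 6, 1, 2), None),
    ("KEV-D", "wiki", datetime(2026, 5, 1, 0), None),
]
EXCEPTIONS = [  # (asset, opened, owner, expiry, compensating control)
    ("core-ledger", datetime(2026, 3, 3), None, None, None),
    ("vpn-edge", datetime(2026, 5, 20), "s.iyer", datetime(2026, 6, 15), "geo-fenced ACL"),
]

def board_pack(assets, findings, exceptions, now):
    jewels = [a for a in assets.values() if a["crown_jewel"]]
    # Assumption: the fast clock covers assets that are crown-jewel OR internet-facing.
    in_scope = [f for f in findings
                if assets[f[1]]["crown_jewel"] or assets[f[1]]["internet_facing"]]
    # Time to contain; an open finding is measured up to `now` so it cannot hide.
    elapsed = {f[0]: (f[3] or now) - f[2] for f in in_scope}
    closed_hours = [elapsed[f[0]].total_seconds() / 3600 for f in in_scope if f[3]]
    return {
        "crown_jewels": len(jewels),
        "owned_share": sum(1 for a in jewels if a["owner"]) / max(len(jewels), 1),
        "open_kev": [f[0] for f in in_scope if f[3] is None],
        "median_contain_hours": median(closed_hours) if closed_hours else None,
        "over_window": sorted(k for k, v in elapsed.items() if v > WINDOW),
        "oldest_exception_days": max(((now - e[1]).days for e in exceptions), default=0),
        # Exceptions missing an owner, an expiry date or a compensating control.
        "ungoverned_exceptions": [e[0] for e in exceptions if not all(e[2:5])],
    }

if __name__ == "__main__":
    as_of = datetime(2026, 6, 1, 12)  # fixed so the constructed sample is reproducible
    for metric, value in board_pack(ASSETS, FINDINGS, EXCEPTIONS, as_of).items():
        print(f"{metric}: {value}")
```

The median looks only at contained findings, so the pack reports open findings and window breaches as separate fields rather than letting a good median mask them.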
The New Security Stack Is Governance First
The U.S. National Institute of Standards and Technology (NIST) made the same broad point when it added Govern as a core function in the NIST Cybersecurity Framework 2.0. The signal is simple: cybersecurity risk strategy, roles, policy, oversight, and supply-chain risk sit beside technical functions such as identify, protect, detect, respond, and recover.
That fits the Indian moment. CERT-In’s blueprint asks organisations to move toward continuous exposure management, rapid remediation, AI-aware security operations, supply-chain assurance, incident response, and recurring validation. The practical question is how boards turn that language into working authority.
- Governance has to move upstream – name one executive owner for exposure, one for remediation, and one for accepting exceptions.
- Pre-approve containment choices – isolate public access, disable a feature, rotate credentials, or shift traffic when exploitation is confirmed.
- Put suppliers on the same clock – require notice of known exploited exposure, patch status, and incident evidence within agreed hours.
- Test recovery in hostile conditions – assume identity compromise, backup targeting, cloud control-plane abuse, and loss of a core vendor.
- Measure response as a business process – track decision time, containment time, recovery time, and exception age by system owner.
Artificial intelligence will also help defenders. GTIG’s May 2026 threat tracker says attackers are using large language models (LLMs, AI systems trained to generate and analyze language and code) for research, exploit development, obfuscation, and agentic workflows. The same class of tools can help defenders triage alerts, review code, find exposed assets, and draft response playbooks, provided humans set authority limits and audit trails.
If Indian boards can turn policy into tested authority, the new attack speed becomes manageable. If they cannot, every unowned exception becomes a waiting room for the next exploit.
Frequently Asked Questions
How Is AI Cyber Risk Different From Conventional Cyber Risk?
AI cyber risk is different because it compresses time. Attackers can use AI systems to speed reconnaissance, code analysis, phishing, exploit testing, malware changes, and attack coordination, which reduces the delay between a known weakness and active exploitation.
Does CERT-In’s Half-Day Guidance Apply to Every Vulnerability?
No. CERT-In’s fastest indicative remediation expectation applies to known exploited vulnerabilities affecting internet-facing and crown-jewel systems, where immediate containment and patching, mitigation, or exposure removal are feasible. Other categories in the blueprint carry longer indicative windows.
What Should Indian Boards Ask Management First?
Boards should first ask whether management can list all internet-facing and crown-jewel systems, assign owners, show known exploited vulnerabilities affecting them, and prove the time needed to contain exposure if exploitation is confirmed.
How Does the DPDP Act Change Breach Oversight?
The DPDP Act makes breach oversight a board issue because data fiduciaries must use reasonable security safeguards and notify the Data Protection Board of India and affected individuals after a personal data breach in the prescribed manner.
Should Companies Use AI for Cyber Defense?
Yes, but under controls. AI tools can help security teams triage alerts, review code, correlate events, and draft playbooks, but they need logging, access limits, human approval for high-impact actions, and testing against prompt injection or unsafe automation.
Disclaimer: This article is for informational purposes only and does not provide legal, compliance, cybersecurity, or risk-management advice. Organisations should consult qualified legal, security, and governance professionals before acting on regulatory or technical requirements. Figures and regulatory references are accurate as of publication.
