ARTICLE
4 June 2026

CERT-In's AI Cybersecurity Blueprint

KC
Khaitan & Co LLP

Contributor

Khaitan & Co LLP logo
  • A leading full-service law firm with over 560 professionals with Pan-India coverage through offices in Mumbai, Delhi, Bengaluru and Kolkata
  • Lawyers and trusted advisors to leading business houses, multinational corporations, global investors, financial institutions, governments and international law firms
  • Responsive and relationship driven approach to client service on critical issues and along the business life cycle
  • Specialists with deep sector, domain and jurisdictional knowledge to provide effective business solutions
Explore Firm Details
On 25 May 2026, the Indian Computer Emergency Response Team (CERT-In), under the Ministry of Electronics and Information Technology (MeitY), released its “Blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerabilities Exploitation in Digital Infrastructure” (Blueprint).
India Technology
Harsh Walia,Shobhit Chandra, and Aadarsh Prakash
Your Author LinkedIn Connections
Harsh Walia’s articles from Khaitan & Co LLP are most popular:
  • within Technology topic(s)
  • with readers working within the Chemicals industries
Khaitan & Co LLP are most popular:
  • within Technology, Real Estate and Construction and Energy and Natural Resources topic(s)

Introduction:

On 25 May 2026, the Indian Computer Emergency Response Team (CERT-In), under the Ministry of Electronics and Information Technology (MeitY), released its “Blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerabilities Exploitation in Digital Infrastructure” (Blueprint).  

The Blueprint indicates that the Government’s concern appears to extend beyond organisations directly deploying AI systems. The document recognises that advanced AI platforms may fundamentally transform the cyber threat landscape across digital infrastructure. Organisations may face heightened cybersecurity exposure because threat actors can leverage sophisticated AI systems to automate reconnaissance, identify software vulnerabilities, generate exploits, conduct large-scale phishing campaigns, and accelerate cyberattacks against conventional applications, APIs, cloud environments, and interconnected digital systems.  

For instance, recent AI models are reportedly capable of identifying undetected software vulnerabilities, thereby significantly accelerating exploit discovery. This development reportedly prompted recent highlevel discussions involving the Ministry of Finance and banking institutions in the country to assess potential risks to financial systems.  

Key takeaways from the Blueprint:

Although not backed by a statutory rule-making provision, the Blueprint provides several significant suggestions for organisations. Some of the key takeaways are as follows:

  • Continuous’ over ‘Periodic’ Security: The Blueprint emphasizes that organisations should prioritise ‘continuous exposure management’, ‘continuous monitoring’, ‘rapid remediation’, ‘continuous vulnerability scanning’ and ‘continuous audit’. In other words, reactive assessments may no longer serve the purpose.
  • Aggressive remediation timeline: The Blueprint sets out specific risk-based remediation timelines. For example, ‘known exploited vulnerabilities affecting internet-facing systems’ should be patched or mitigated within 12 (twelve) hours, ‘critical externally exposed vulnerabilities’ should be addressed within 1 (one) day, ‘high severity vulnerabilities’ should be patched or mitigated within 5 (five) days, etc. These timelines, if eventually codified into regulation, would require organisations to significantly improve their cybersecurity vulnerability management workflows. Where immediate remediation is not possible, organisations should consider interim mitigation such as ‘isolation’, ‘access restriction’, Web Application Firewall and Application Programming Interface protection, or ‘enhanced monitoring’. 
  • AI Governance framework: Organisations are advised to define AI usage policies, establish approval and review mechanisms for AI integrations, maintain inventories of AI systems and monitor and identify shadow or unauthorised AI usage. Notably, the Blueprint addresses risks from public AI platform usage by employees and suggests incorporation of approval-based mechanism usage to restrict upload of sensitive information. Additionally, the Blueprint advises governance of agentic AI systems, including defining operational boundaries, maintaining continuous monitoring, audit logging and incorporating emergency shutdown mechanisms.
  • Strengthening Identity and Access Security: The Blueprint recommends organisations to implement stronger identity and access security measures, including Multi-Factor Authentication (MFA), Privileged Access Management (PAM), least-privilege architecture, adaptive authentication mechanisms, service account governance, etc. The Blueprint specifically identifies ‘Zero Trust Security’ and ‘Identity and Access Security’ as core defensive principles and recommends continuous verification, session monitoring and conditional access controls to reduce exposure arising from credential compromise, privilege escalation, and unauthorised access.
  • Supply chain and Third-Party risk management: The Blueprint advises that organisations to strengthen supply chain visibility through the adoption of Software Bill of Materials (SBOM), AI Bill of Materials (AIBOM) mechanisms etc. These mechanisms are intended to support component visibility, dependency tracking, provenance validation, vulnerability impact assessment and rapid exposure identification. Reference has been made to CERT-In’s Technical Guidelines on SBOM, QBOM, CBOM, AIBOM and HBOM Version 2.0 and recommends third-party and supply chain governance framework, requiring vendor assessments, contractual controls, dependency visibility and supplier reassessment.
  • Mandatory Incident Reporting: The Blueprint reiterates that entities should ensure timely reporting of cyber incidents to CERT-In in accordance with CERT-In’s 2022 Directions, which mandates a reporting within 6 hours from noticing (or being brought to notice) of prescribed cybersecurity incidents / cyber incidents.
  • Workforce and Deepfakes preparedness: Organisations are advised to conduct awareness programmes addressing AI-enabled phishing, Deepfake-based impersonation and social engineering. The Blueprint highlights the need for Deepfakes detection given the threat to executives and financial institutions.

Comment:

The Blueprint is released at an interesting juncture, where AI needs to be given the right amount of push, but sufficient guardrails also need to be introduced. Although the Blueprint is not a binding document, it should be treated as an indicator of evolving regulatory expectations rather than a purely advisory and technical document, particularly because CERT-In repeatedly emphasises “continuous governance”, “continuous monitoring”, “operational readiness”, and “continuous assessment” as foundational cybersecurity expectations for organisations facing AI-assisted cyber threats. Additionally, the threat of an AI-enabled cybersecurity incident may compel regulatory intervention from the Government in the near term.

The content of this document does not necessarily reflect the views / position of Khaitan & Co but remain solely those of the author(s). For any further queries or follow up, please contact Khaitan & Co at editors@khaitanco.com.

Authors
Photo of Harsh Walia
Harsh Walia
Photo of Shobhit Chandra
Shobhit Chandra
Photo of Aadarsh Prakash
Aadarsh Prakash
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More