By Larabella Myers – Engagement Manager, Cyber Solutions, Asia Pacific, Aon and Apurva Gopinath, Cyber Leader and Vice President, Financial Services & Professional Group, India, Aon
Artificial intelligence is transforming the cyber risk landscape at unprecedented speed. For Indian organisations, AI represents a powerful duality: it accelerates productivity, customer engagement, and operational efficiency, while simultaneously enabling faster, more scalable, and more convincing cyberattacks. As India advances toward its USD 5 trillion economic ambition and solidifies its position as a global digital leader, understanding and managing AI enabled cyber risk has become a critical boardlevel priority.
How AI Is Transforming the Threat Landscape
AI has dramatically lowered the skill required to execute cyberattacks and amplified what sophisticated threat actors can achieve. The result is a threat environment that is broader, faster, and more difficult to defend.
Artificial intelligence is significantly widening the attack surface and multiplying the number of credible adversaries.
It lowers the skill threshold required to launch attacks, accelerates execution speed, and enhances the realism of socialengineering content.
Generative AI enables attackers to craft fluent, localized phishing emails, WhatsApp messages, and highly convincing voice or video deepfakes that imitate senior leaders or trusted brands. This sharply increases the likelihood of business email compromise and payment fraud, especially within hierarchical organisations where instructions from authority figures are rarely questioned.
Machine learning automates reconnaissance, vulnerability discovery, and credential testing, shrinking activities that once required days into minutes. This allows even lowskilled actors to operate with nearprofessional velocity. Meanwhile, AI models and training data have become highvalue targets—susceptible to prompt injection, model theft, and data poisoning—shifting exposure from the perimeter to the integrity of automated decisionmaking systems.
Shadow AI — the unapproved use of external AI tools — expands blind spots in governance, data handling, and monitoring. Simultaneously, the cyber and physical domains are converging as AI is used to spoof identities, bypass access controls, and manipulate smart buildings or industrial systems, increasing both operational disruption and potential property damage.
The net effect is a peoplescaled threat landscape where speed, realism, and accessibility push cyber risk firmly into the realm of strategic, financial, and operational decisionmaking for Indian boards.
An Evolving Indian Regulatory Landscape
India’s regulatory expectations around cybersecurity and data protection have risen sharply. The Digital Personal Data Protection Act (DPDPA), paired with requirements from RBI, IRDAI, SEBI, and sectoral regulators, demands more structured approaches to governance, thirdparty oversight, and incident reporting.
At the same time, rapid cloud and AI adoption across sectors — including BFSI, healthcare, manufacturing, telecom, and retail — have created deeply interconnected digital ecosystems. This is prompting boards to ask:
How exposed are we to AI enabled attacks?
Are our detection and response capabilities equipped for machinespeed threats?
Could a single incident materially impact our financials, operations, or reputation?
How Indian Organisations Are Responding
Recent industry surveys indicate that nearly all Indian organisations have already integrated AI into their cybersecurity environments, marking a decisive shift toward AI-driven defense. This trend highlights how businesses are increasingly prioritizing resilience and advanced risk management in the face of evolving threats.
Organisations are increasingly focusing on :
1. Embedding AI into Security Operations
2. Strengthening Identity, Access, and Data Controls
3. Reducing the Human Attack Surface
4. Managing ThirdParty and Supply Chain Exposure
The Way Forward for Indian Organisations
1. Risk Quantification : Begin with quantification, then strengthen controls where they most effectively reduce loss, ensuring alignment with the DPDPA and sectorspecific expectations from RBI, IRDAI, and SEBI.
2. AI inventory Build a complete inventory of AI use across business units and vendors — including shadow AI — and create Indiaspecific scenarios that attach financial impact to events such as deepfakedriven payment fraud, prompt injection attacks, data leakage in customer channels, model compromise affecting fraud or credit decisions, outages in thirdparty AI services, and cyberphysical disruptions.
3. Model Financial Exposure : Quantify loss ranges and plausible maximum losses across both firstparty and thirdparty harms. Express results as P10–P90 distributions with clear assumptions, and map these against risk appetite, capital buffers, and insurance limits to support informed boardlevel tradeoffs.
4. Prioritize High Impact Controls : Prioritize controls that bend the loss curve most effectively: MFA with phishingresistant methods, outofband verification for payments and vendor changes, leastprivilege access, strong encryption, immutable backups, versioncontrolled models with audit logs, continuous redteaming for promptinjection abuse, and human review for consequential decisions.
5. Strengthen Vendor Oversight & Readiness Tests: Extend thirdparty due diligence to address training data, model provenance, safety testing, incident transparency, audit logs, kill switches, and recovery objectives. Conduct tabletop exercises using vernacular deepfakes and real payment workflows across finance, legal, PR, IT, and OT.
6. Risk Transfer : Finally, calibrate cyber insurance to residual exposure so that coverage accounts for AIenabled business interruption, privacy and media liability, and model failure. Use claims analytics to optimize limits and retentions.
This structured approach converts AI risk into quantified exposure, directs investment toward the controls with the highest impact, and strengthens resilience even as the number of potential attackers grows.
AI driven cyber threats are reshaping how Indian organisations think about risk, forcing leaders to confront a landscape where attacks are faster, more convincing, and far harder to predict. As businesses deepen their digital and AI adoption, the very technologies that fuel growth are also expanding exposure—blurring the line between technical vulnerabilities and strategic, financial, and reputational risk. Indian companies are strengthening controls, investing in AI enabled defense, and reassessing thirdparty dependencies, but longterm resilience will depend on quantifying AI related exposure, prioritizing highimpact safeguards, and treating cyber insurance as a critical buffer in an increasingly complex threat environment.