Frontier AI and Cyber Risk: Reading the CERT In Advisory Beyond Compliance

Kailashika Verma
Kailashika Verma
Intern Policy & Advocacy, CyberPeace
PUBLISHED ON
May 5, 2026
10

Introduction

The recent advisory issued by CERT, issued on April 26th, 2026, titled “Defending Against Frontier AI-Driven Cyber Risks”, on AI-driven cyber threats does not merely add to the list of routine cybersecurity warnings. Instead, it marks a shift in how cyber risk itself is understood. The concern, here, is not just that attacks are increasing, but also that their nature is changing. Artificial intelligence is no longer assisting cyber operations- whether legitimate or malicious, in fragments; it is beginning to organise and execute them at scale. 

What is emerging is a situation where capability is no longer tied to human skill alone. Systems can now identify vulnerabilities, generate exploits, and carry out coordinated attacks with limited intervention. This alters the baseline assumption of cybersecurity, that attacks require effort, time, and expertise.

The Essence: Automation and Capability

At the core of the advisory lies the recognition that AI has introduced speed and autonomy into cyber operations. Tasks such as analysing code, identifying vulnerabilities, or crafting phishing content are no longer sequential processes. They can happen almost simultaneously and at scale. 

This is not simply a matter of efficiency. It changes the structure of the threat itself. When attacks can be automated, they become repeatable and less dependent on specialised actors. The advisory also points to the ability of AI systems to conduct multi-stage attacks, moving across networks and adapting strategies in real time. 

In a way, the threat is no longer just external. It is embedded within the logics of the technology being used.

Significance: Lower Barriers, Wider Exposure

One of the more important aspects of the advisory is its emphasis on ‘accessibility’. AI lowers the barrier of complexity in the commission of cybercrimes. Activities that once required coordinated teams can now be performed by individuals with access to advanced tools. 

This has two consequences. First, the number of potential attackers increases. Second, the scale at which attacks can be carried out expands significantly. Systems that were previously considered low risk may become viable targets simply because automated tools can scan, test, and exploit them rapidly.

There is also a broader anxiety reflected in what is being described as “Mythos concerns”, a shorthand for uncertainty around frontier AI systems and their unpredictable capabilities. This signals that the risk is not fully mapped yet and that regulatory responses are still catching up.

Element of Continuous Risk

The advisory outlines impacts such as unauthorised access, data breaches, identity theft, and financial fraud. These are familiar categories. What is less explicit, but more important, is the shift in how these harms occur.

When AI enables rapid and repeated exploitation, risk becomes continuous. Systems are not attacked once and then secured. They are exposed to ongoing attempts. This creates pressure not only on technical infrastructure but also on legal frameworks that are designed around discrete incidents.

For instance, obligations under the Information Technology Act, 2000 or even emerging data protection frameworks often assume identifiable breaches and reportable events. Continuous probing complicates that model!

Response Framework: From Compliance to Vigilance

CERT-In’s recommendations reflect this change in threat perception. There is a clear emphasis on vigilance rather than mere compliance. Organisations are advised to adopt zero-trust approaches, reduce exposure surfaces, and treat vulnerabilities as immediately exploitable.

The insistence on rapid patching within short timeframes is particularly telling. It acknowledges that the window between vulnerability disclosure and exploitation is shrinking.

There is also a noticeable expansion of responsibility. The advisory does not limit itself to large organisations. It extends guidance to the MSMEs and individuals, recognising that cyber risk is now distributed across the entire digital ecosystem.

A Subtle Legal Shift

Although the advisory itself is not binding in law, it operates within the framework of Section 70B of the Information Technology Act, 2000, which empowers CERT-In to issue directions on cybersecurity best practices and guidelines.

So, while the advisory does not create liability directly, it influences what may later be considered ‘reasonable security practice’. In that sense, it serves as soft law, gradually informing standards of due diligence.

At the same time, there remains a gap. The advisory focuses on defensive measures, but it does not fully address attribution and accountability in AI driven attacks. When actions are automated and anonymised, identifying responsibility and imposing liability becomes more complex.

Conclusion

The CERT In advisory is not just a warning about new threats. It is an acknowledgement of a transition. Cyber risk is moving from being occasional and targeted to being constant and scalable. AI is not simply adding to existing threats; it is restructuring and advancing them.

For cyber vigilance frameworks, this suggests a need to rethink priorities. Static compliance measures are no longer sufficient. It has become necessary to adopt continuous monitoring, adaptive responses, and a clearer understanding of how technology is reshaping risk.

While the advisory does not resolve these questions, it does bring them into focus. And that, in itself, is significant.

References

  1. CERT-In issues advisory against AI driven cyber attacks for MSMEs, organisations and individuals, Moneycontrol (Apr. 27, 2026), https://www.moneycontrol.com/technology/cert-in-issues-advisory-against-ai-driven-cyber-attacks-for-msmes-organisations-and-individuals-article-13899942.html.
  2. CERT-In warns of rising AI driven cyber threats amid Mythos concerns, Ommcom News (2026), https://ommcomnews.com/science-tech/cert-in-warns-of-rising-ai-driven-cyber-threats-amid-mythos-concerns/.
  3. Indian Computer Emergency Response Team (CERT-In), Defending Against Frontier AI Driven Cyber Risks, Advisory No. CIAD-2026-0020 (Apr. 26, 2026)
  4. Information Technology Act, 2000, § 70B (India).

PUBLISHED ON
May 5, 2026
Category
TAGS
No items found.

Related Blogs

#FactCheck: Old clip of Greenland tsunami depicts as tsunami in Japan
#FactCheck: Old clip of Greenland tsunami depicts as tsunami in Japan
#FactCheck: Old clip of Greenland tsunami depicts as tsunami in Japan
10
August 6, 2025

Executive Summary:


A viral video depicting a powerful tsunami wave destroying coastal infrastructure is being falsely associated with the recent tsunami warning in Japan following an earthquake in Russia. Fact-checking through reverse image search reveals that the footage is from a 2017 tsunami in Greenland, triggered by a massive landslide in the Karrat Fjord.

Claim:


A viral video circulating on social media shows a massive tsunami wave crashing into the coastline, destroying boats and surrounding infrastructure. The footage is being falsely linked to the recent tsunami warning issued in Japan following an earthquake in Russia. However, initial verification suggests that the video is unrelated to the current event and may be from a previous incident.

Fact Check:


The video, which shows water forcefully inundating a coastal area, is neither recent nor related to the current tsunami event in Japan. A reverse image search conducted using keyframes extracted from the viral footage confirms that it is being misrepresented. The video actually originates from a tsunami that struck Greenland in 2017. The original footage is available on YouTube and has no connection to the recent earthquake-induced tsunami warning in Japan


The American Geophysical Union (AGU) confirmed in a blog post on June 19, 2017, that the deadly Greenland tsunami on June 17, 2017, was caused by a massive landslide. Millions of cubic meters of rock were dumped into the Karrat Fjord by the landslide, creating a wave that was more than 90 meters high and destroying the village of Nuugaatsiaq. A similar news article from The Guardian can be found. 

Conclusion:


Videos purporting to depict the effects of a recent tsunami  in Japan are deceptive and repurposed from unrelated incidents. Users of social media are urged to confirm the legitimacy of such content before sharing it, particularly during natural disasters when false information can exacerbate public anxiety and confusion.

  • Claim: Recent natural disasters in Russia are being censored
  • Claimed On: Social Media
  • Fact Check: False and Misleading

Fairness as a Non-Negotiable in Public Administration - Case Brief: Karthick Theodore vs. Registrar General and Ors.
Fairness as a Non-Negotiable in Public Administration - Case Brief: Karthick Theodore vs. Registrar General and Ors. (W.A.(MD)No.1901 of 2021)
Fairness as a Non-Negotiable in Public Administration - Case Brief: Karthick Theodore vs. Registrar General and Ors. (W.A.(MD)No.1901 of 2021)
10
December 19, 2025

Procedural History: 

The case started with a 2011 Madras High Court ruling that included the appellant’s personal information. In the case discussed, the court decided in 2024, the appellant went to the Madurai Bench of the Madras High Court to request that his name and other identifying information from that previous ruling be redacted. He argued that his right to privacy under Article 21 of the Indian Constitution was violated by the ongoing release of such private information into the public arena. He claimed that the revelation had hurt him in real ways, such as having his application for an Australian visa denied. Therefore, without compromising the ideals of open justice, the current procedures aimed to have the court recognize a person’s “Right to be Forgotten” within a broader framework of privacy and data protection.

Background and Factual Matrix

The appellant was charged under Sections 417 and 376 of the IPC. The trial court convicted him in 201, but later, the High Court in 2014 fully, completely and unconditionally acquitted him, which was not based on the benefit of doubt. Following the acquittal, he remarried and has three children. The judgment of both the High Court and the Trial Court has personal and intimate details about him. Being available in the public domain has caused him significant repercussions, as he was denied a visa to travel to Australia by authorities, citing the criminal cases. The appellant has filed a plea seeking a mandamus directing the Registrar General, Additional Registrar General, and Registrar (IT-Statistics) as R1, R2, R3 to redact his name and other identities from the acquittal judgment. He has sought a direction from Ikanoon Software Development Private Limited (R4) to reflect the redaction in its publication. 

Issue 

  1. Whether a writ of mandamus can lie against a High Court for redaction of personal details from its own judgment, or does such a prayer tantamount to a High Court issuing a writ against itself?
  2. Whether the High Court, being a Court of Record under Article 215 of the Indian Constitution, is entitled to preserve its record for perpetuity in its original form without any modification or redaction?
  3. Whether the ‘Right to be Forgotten' can be recognised and enforced in the absence of a specific statutory provision or Supreme Court direction, given that it constitutes an exception to the fundamental principle of open courts and open justice?

Adjudication and Reasoning

The division bench has allowed the Writ appeal and granted the following relief:

  1. R4 directed to take down the judgment in Crl.A. (MD) No.321 of 2011 dated 30.04.2014 forthwith.
  2. R1 to R3 directed to redact the name and other details of the Writ Petitioner relating to his identity from the judgment dated 30.04.2014 in Crl.A.(MD) No. 321 of 2011 and ensure that only the redacted judgment is available for publication or for uploading.

Rule 

  1. Courts have a wide discretion in deciding whether to allow redaction or not. Such discretion can either be granted at the request of the party seeking redaction or, in appropriate cases, even suo moto by the court.
  2. The accused who have earned full, complete and unconditional acquittal without any benefit of doubt have a legitimate claim to move forward for redaction of personal information.
  3. The open Court doesn’t require absolute disclosure of all personal information, and the courts, while deciding the concern of privacy and the right to ensure that in litigations to leave behind parts of their past which are no longer relevant, have to balance the concept of open Court on the one hand and privacy concerns of a citizen on the other.
  4. As the High Court is the repository of a wide range of information and is entitled to preserve the original record in perpetuity. However, without diluting the sanctity of the original record, the public reflection of that record can be moderated to preserve the privacy of the person to whom that record pertains.

Reasoning 

  1. Drawing on the judgment K.S. Puttaswamy v. Union of India, the court found Article 21 to protect not only informational privacy but also the "right to be forgotten," which gives individuals the right to request the deletion of any personal data when there is no longer any legitimate public interest in retaining such information. Such irreparable reputational damage is thus an infringement on constitutional privacy that demands judicial redaction. 
  2. The court rejected the argument that a writ against its own order is impermissible, drawing a distinction between challenging the legal correctness of a judgment and seeking redaction of personal information. Allowing redaction will not question the validity of the judgment; rather, it will simply change its public appearance to ensure privacy.
  3. Since a High Court is a Court of Record with an obligation to preserve its judgments in their unaltered form forever, the court held here that such internal maintenance of complete records was not incompatible with the issuance of a redacted public version. Institutional integrity is maintained when the original kept in the archives is supplemented with a public version that masks the privacy areas.
  4. Open justice principles work to establish transparency, accountability, and public confidence, but these are not absolute. The court took a proportionality stance: personal identifiers, where they neither educate nor have precedential value and continue to inflict harm, may be expunged without affecting the established legal principles of judgment.
  5. Although the DPDP Act exempts courts from several statutory obligations, the court held that it can, by virtue of its inherent discretion, protect personal data, and in so doing, exercise that power without the need for any legislative command. Traditionally the Madras High Court rules provide for the possibility of restriction of certified copies, thus establishing redaction as feasible both legally and administratively.

#FactCheck:AI-Generated War Video Falsely Linked to Israel-Iran Tensions Goes Viral
#FactCheck:AI-Generated War Video Falsely Linked to Israel-Iran Tensions Goes Viral
#FactCheck:AI-Generated War Video Falsely Linked to Israel-Iran Tensions Goes Viral
10
March 2, 2026

Executive Summary

A video is being widely shared on social media linking it to the ongoing tensions between Israel and Iran. The clip shows multiple fighter jets flying across the sky, while massive flames appear to be rising from tall buildings below. The visuals are dramatic and alarming, creating the impression of a large-scale military strike. Users sharing the video claim that after Israel carried out an attack, Iran launched a retaliatory strike on Israel, and that the viral footage captures the aftermath of this counterattack. However, research conducted by the CyberPeace found the claim to be misleading. Our research  revealed that the viral video is not authentic but AI-generated.

Claim

On the social media platform Facebook, a user shared the viral video with the caption: “Iran has also carried out a retaliatory attack on Israel.”

(Post link and archive link provided above.)

Factcheck

Upon closely examining the video, we noticed several irregularities in the visuals and motion patterns, which raised suspicion that the footage may have been generated using artificial intelligence. To verify this, we analyzed the video using the AI detection tool developed by Hive Moderation. According to the analysis report, there is a 62 percent likelihood that the viral video is AI-generated.

As part of further verification, we also scanned the video using Sightengine. The results indicated an even stronger probability, suggesting that the video is 99 percent AI-generated.

Conclusion

Our research  confirms that the viral video does not depict a real military attack. It is AI-generated content being falsely shared in the context of Israel-Iran tensions.

Become a part of our vision to make the digital world safe for all!

Numerous avenues exist for individuals to unite with us and our collaborators in fostering  global cyber security

Awareness

Stay Informed: Elevate Your Awareness with Our Latest Events and News Articles Promoting Cyber Peace and Security.

CyberPeace Corps Induction Workshop
The Missing Link Trust to combat online child trafficking
Cyber Safety Carnival
Safer Internet Day 2023
Indian schools and colleges under digital siege: Massive cyber breach crisis exposed
Over 2 lack cyberattacks, 4 lakh data breaches hit Indian educational institutions in 9 months
Lessons in Cybersecurity Required: 2 Lakh Cyberattacks Shake Indian Education Sector in Just Nine Months
2 lakh cyberattacks, 4 lakh data breaches in Indian educational sector in 9 months

Engagement

Your institution or organization can partner with us in any one of our initiatives or policy research activities and complement the region-specific resources and talent we need.

Discover ways to collaborate
Request for Proposals

Play your part for CyberPeace

Donate to us directly to help us build more pioneering initiatives.

Donate Now