Artificial intelligence has moved beyond chatbots and productivity tools. The stronger models can write code, scan systems, generate convincing messages and run sequences of tasks with little human prompting. That changes the cyber-security problem for governments.
The government’s reported proposal to set up an AI command centre should be read in this context. India’s AI debate has so far been led by questions of compute capacity, datasets, startups, skilling and sectoral use cases. That was appropriate for the first phase of adoption. It is no longer enough.
READ | Artificial intelligence needs real leadership — not just loud voices
A cyberattack on a bank, a telecom network or a hospital is already hard to contain. AI-assisted attacks can move across these boundaries. A model used to probe hospital systems can also expose financial records, generate malicious code, amplify rumours on social media and test weaknesses in power networks. The same attack can pull in the Finance Ministry, RBI, CERT-In, the health ministry, state police, telecom operators and electricity regulators within minutes. File movement between departments is not a response plan.
AI command centre and critical infrastructure
The case for a central AI command centre rests on speed and jurisdiction. India already has CERT-In for incident response, the National Critical Information Infrastructure Protection Centre for critical infrastructure, and the Indian Cyber Crime Coordination Centre under the Home Ministry for cybercrime coordination. These institutions matter. They do not remove the coordination gap created by general-purpose AI.
Consider a serious disruption in a state power grid. An AI system can identify vulnerabilities, write exploit code, spread false information about the outage, target payment systems in the affected region and impersonate officials. Each part of the incident may fall under a different agency. The attacker will not wait for institutional clarity.
READ | Cybersecurity: US, India join forces for a safer digital world
A command centre should not become another control room with screens and acronyms. Its value would lie in binding protocols before a crisis begins. Who alerts whom? Which agency leads when an AI system affects power, payments and public order at the same time? What information must private firms share? When can a model, service or dataset be restricted? Which state agency receives the first operational instruction? These questions cannot be settled during an attack.
India AI governance moves from growth to risk
The IndiaAI Mission gave the first phase of policy a clear economic direction. It focused on compute infrastructure, language datasets, application development, startups and skills. That approach helped avoid premature regulation. It also reflected India’s need to participate in the AI economy rather than merely police it.
Frontier models have changed the policy setting. The latest foundation models can write software, automate workflows, analyse large information pools and perform tasks across domains. The same features that make them useful to firms and governments also make them useful to attackers. They reduce the skill needed to find vulnerabilities, write phishing messages, generate malware and coordinate multi-stage attacks.
This is why AI governance cannot remain a MeitY discussion alone. RBI has already begun asking financial firms to treat AI and machine-learning models as risk-bearing systems. SEBI, health authorities, telecom regulators and state governments will face their own versions of the same problem. A central AI body will have to work through these regulators, not above them.
READ | Digital governance: Lessons from Estonia to India, rest of the world
The India AI Governance Guidelines have already pointed towards an AI Governance Group, a Technology & Policy Expert Committee and an AI Safety Institute. That architecture is useful, but it will need operational teeth. Research, standards and voluntary guidance will not be enough when an AI-assisted attack crosses from software into electricity, banking or public order.
AI cyberattacks need faster state capacity
Other governments are also experimenting. Britain created an AI Safety Institute after the Bletchley Park summit to test advanced models and study frontier risks. The European Union has chosen a legal route through the AI Act, with obligations linked to risk. The United States has relied more on agency action, model evaluations and commitments from large AI firms.
India should not copy any of these models whole. The country’s vulnerabilities are different. A large share of public service delivery now runs through digital systems. Payments, identity, welfare transfers, health records, railways, power distribution and police systems are increasingly networked. A failure in one system can spill quickly into another, especially when misinformation travels faster than official clarification.
A command centre can help only if it has three capabilities. It must receive timely information from public and private systems. It must have technical capacity to evaluate model behaviour and cyber risk. It must have the authority to coordinate responses across ministries, regulators and state governments. Without these, it will add bureaucracy to a problem that already moves too fast for bureaucracy.
The harder issue is institutional design. Banking, health, telecom, transport and energy have their own regulators and technical teams. A central AI command centre cannot replace them. Nor should it become a clearance office for every AI deployment. Its proper role is narrower: identify systemic AI risks, run exercises, maintain incident protocols, coordinate crisis response and test high-risk models or uses before damage spreads.
AI regulation cannot wait for a perfect law
India does not need to wait for a full AI law before building this capacity. A law may later define duties, penalties, reporting obligations and liability. The first task is administrative. Ministries and regulators need a common incident language, common escalation rules and a shared view of AI risks in critical systems.
The proposal will fail if it is treated as a symbolic national-security upgrade. It will also fail if it becomes a turf battle between MeitY, the Home Ministry, sectoral regulators and state governments. AI risk will rarely arrive in the neat categories through which government departments work. That is the central point.
India’s first AI phase was about adoption. The next phase will be about resilience. The country has built large digital systems at speed. It now needs the institutional reflexes to defend them at speed.