Innovation and regulation have always been locked in a high-stakes dance. Usually, the innovator takes the lead with a burst of creative energy, while the regulator follows along, trying to keep the beat. But in 2026, the tempo has reached a breaking point.
The feverish hum surrounding Anthropic’s Mythos model has changed the game. Mythos isn’t just a smarter chatbot; it has shown an uncanny ability to autonomously hunt for “zero-day” vulnerabilities — microscopic flaws in software that humans haven’t found yet. This isn’t just a technical breakthrough, it’s a wake-up call. As the gap between what code can do and what law can govern widens into a chasm, India faces a dilemma: How do we protect our digital foundations without suffocating the very breakthroughs required to defend them?
The pacing problem: Law in the rearview mirror
The core of the issue is the “pacing problem”. Our legal systems are built for a linear world — they are slow, deliberative, and take years to finalise. AI, however, is exponential. By the time a comprehensive AI Act is debated in Parliament and notified in the gazette, the law is merely staring into the rearview mirror; the technology has already rounded the next bend, leaving the rulebook in the dust.
In India, this lag is a security risk. Over the last decade, we have built a world-leading Digital Public Infrastructure — the invisible backbone of United Payments Interface (UPI), Aadhaar, and Open Network for Digital Commerce that powers our daily lives. This system is a magnificent digital citadel, but agentic AI, like Mythos, represents a new kind of siege engine. It doesn’t just batter the gates; it identifies structural seams and exploits them at a speed that moves faster than any human guardian can blink.
Value of ‘grey edge’
When faced with such threats, the instinctive reaction is to demand a “kill switch” — a blunt, central power to shut down any AI that seems too capable. Yet, history shows that India’s greatest digital leaps didn’t happen because of strict rules, but because of a “regulatory grey edge”.
Consider our own disruptors. When Ola rewired urban mobility and Swiggy transformed hyperlocal delivery, they began in a legal void. There were no ready-made categories for gig-workers or app-based fleets. When Paytm popularised the digital wallet, the RBI hadn’t yet drafted the stringent licensing we see today. Even the IIT Madras online degree was pioneered in a zone of ambiguity, establishing its merit at scale before the regulators could formalise the framework.
In these cases, ambiguity wasn’t a flaw, it was the oxygen that allowed innovation to breathe. If we had demanded total regulatory clarity in 2014, the UPI revolution might have been strangled in its infancy by a preemptive “kill switch”.
Avoiding the sovereignty trap
If we react too harshly to models like Mythos, we risk falling into a “sovereignty trap”. Heavy-handed regulation might offer a temporary illusion of safety, but it will drive our best engineers to build elsewhere.
More importantly, if we cannot innovate on the grey edge, we will eventually be forced to import “safety tools” from Silicon Valley or Beijing. We cannot outsource the protection of our national infrastructure to foreign “black boxes”. To be a digital superpower, India must have the freedom to build and test its own shields.
Solution: The academic sandbox
If laws are too slow and kill switches are too blunt, we need a “middle path” — the university-led regulatory sandbox.
We should treat our premier institutions like IITs as safe harbours for high-risk innovation. In these sandboxes, startups can stress-test frontier models against simulated versions of our national infrastructure. Here, regulators aren’t acting as police officers but as “embedded observers”.
They get a front-row seat to observe emergent behaviours — like the vulnerabilities found by Mythos — without the immediate pressure to prohibit or penalise. This allows the government to write smart, evidence-based rules that reflect how the technology actually behaves, rather than what we fear it might do.
The lesson of the last decade is clear — a market that does not yet exist cannot be regulated. To protect our digital future, we must move beyond the binary choice of “unregulated chaos” versus “total prohibition”.
India’s strength has always been its ability to leapfrog the old world by embracing the new. To lead the global AI dance, we must have the courage to inhabit the grey zone, housing our most daring experiments within the safety of our academic labs. Regulation should not be the curtain that falls before the performance begins, it must be the stage that gives innovation its structure and the spotlight that makes its risks visible.
The author is the Director at the School of Technology, Dhirubhai Ambani University, Gandhinagar
Disclaimer: The views expressed are the author’s own and do not reflect the official policy or position of Financial Express.