- with readers working within the Law Firm industries
- within Privacy, Employment and HR and Intellectual Property topic(s)
- with Inhouse Counsel
From Policy Sutras to Sector Mandates: Mapping India's AI Governance
Artificial Intelligence regulation in India is evolving into a principle‑based, techno‑legal framework that balances innovation with safety. For the IndiaAI Mission, the Union Budget 2026-2027 allocated INR 1,000 Crore for developing sovereign foundational AI models, supporting startups, building compute capacity (GPUs), and fostering responsible AI, shifting the focus from new institutions to diffusing AI technology across sectors such as data centres and education.
Yet a foundational question remains open for examination: in the absence of a single, standalone statute dedicated exclusively to AI, how should India conceptualise regulation for a technology that cuts across sectors, industries, and societal functions? Are existing legal and policy instruments sufficiently adaptable to address challenges such as algorithmic accountability, data stewardship, and automated decision-making? And how might India craft a regulatory approach that aligns with its economic ambitions, digital public infrastructure, and constitutional values? In this context, it is both timely and necessary to explore the contours of AI regulation in India, not merely as a legal exercise, but as a strategic question shaping the country's technological and economic future.
Navigating AI regulation in India requires moving beyond the search for a single "AI Law" to mastering a complex quilt of statutory triggers, sector-specific circulars, and evolving liability standards. India does not presently have a standalone, comprehensive statute governing artificial intelligence. Rather, AI systems are regulated through a composite framework comprising existing legislation:
- Information Technology Act, 2000 ("IT Act") and Rules;
- Digital Personal Data Protection Act, 2023 ("DPDP Act") and Rules;
- Consumer Protection Act, 2019 ("CPA") and guidelines issued by the Central Consumer Protection Authority ("CCPA"),
- Patchwork of sector-specific frameworks issued by the Reserve Bank of India ("RBI"), the Securities and Exchange Board of India ("SEBI"), the Telecom Regulatory Authority of India ("TRAI"),
- Domain-specific regulators in healthcare, telecommunications, and e-commerce.1
- Soft-law instruments: Policy advisories and guidelines issued by the Ministry of Electronics and Information Technology ("MeitY") and NITI Aayog, which, whilst non-binding, exert significant influence on regulatory practice and market conduct.
This regulatory architecture of binding laws, supplemented by an evolving corpus of soft-law instruments such as policy advisories and guidelines issued by the Government of India, together constitute the country's de facto AI governance framework.2
India's Decentralised Architecture Framework
The Government has consistently signalled that premature codification risks stifling India's entrepreneurial technology ecosystem, particularly startups and MSMEs. Ministerial statements emphasise that India will not "over-regulate" AI; instead, the regulatory stance remains adaptive, proportionate to actual harm, and calibrated to the maturity of specific AI use cases and sectoral contexts.
Practical implication: Enterprises deploying AI systems across multiple domains must navigate overlapping regulatory regimes. A fintech platform using AI-driven credit scoring, for instance, simultaneously operates as a "computer resource" under the IT Act, a "data fiduciary" under the DPDP Act, a "financial service provider" subject to RBI's prudential norms, and potentially a "service provider" under the CPA's product liability provisions. Compliance obligations may be duplicative, and in some cases, contradictory. Legal certainty remains elusive, necessitating that corporate teams adopt a layered compliance strategy that maps AI deployments to applicable regulatory touchpoints.
What Even Counts as AI? Definition and Scope of Artificial Intelligence
Notwithstanding the absence of statutory codification, working definitions of AI have emerged through policy instruments and official reports. NITI Aayog's National Strategy for Artificial Intelligence, published in June 2018, describes AI as encompassing "systems that display intelligent behaviour by analysing their environment and taking actions with some degree of autonomy to achieve specific goals".3
This approach mirrors the Organisation for Economic Co-operation and Development ("OECD") AI Principles, which define an AI system as "a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments".4
The India AI Governance Guidelines issued by MeitY, released in November 2025, adopt a similarly broad understanding, describing AI as systems capable of processing data to generate outputs such as predictions, recommendations, content, or decisions, and exhibiting learning, adaptation, or autonomous operation.5
Policy Framework and Government Initiatives
India's AI ecosystem is guided by a sequenced policy evolution, beginning with strategic vision-setting byNITI Aayog, followed bycapacity-building initiatives, and culminating ingovernance guidelinesanchored by MeitY.
|
Authority |
Instrument / Initiative |
Core Focus Area |
Key Features / Implications |
|
2018: NITI Aayog |
National Strategy for Artificial Intelligence – "AI for All"[6] |
Foundational strategy for responsible and inclusive AI development |
Identified five priority sectors — healthcare, agriculture, education, smart cities, and mobility. Advocated proof-of-concept pilots, scalability post-validation, and alignment with SDGs. |
|
2021: NITI Aayog |
Responsible AI for All[7] |
Ethical and governance principles for AI systems |
Set out seven "Sutras": safety, reliability, equality, inclusivity, privacy, transparency, accountability, and human values. Introduced risk-proportionate regulation for high-impact AI applications. |
|
2024: MeitY / NITI Aayog |
IndiaAI Mission(Budget: INR 10,372 crore / USD ~1.25 bn)8 |
National infrastructure and ecosystem development |
Organised under seven pillars: Compute (shared GPU resources), Innovation Centre (MSME/start-up support), Datasets Platform (curation of anonymised data), Sectoral Applications, FutureSkills (capacity building), Start-up Financing, and Safe & Trusted AI (evaluation and certification). |
|
2025: MeitY |
India AI Governance Guidelines[9] |
Comprehensive governance and regulatory coordination |
Embeds the "Do No Harm" principle and human-centric AI. Framework structured around guiding principles (fairness, accountability, safety, inclusivity, transparency), six governance pillars (data/model/application governance, stakeholder engagement, regulatory alignment), and phased action timelines. Introduces regulatory sandboxes, algorithmic impact assessments, and sectoral Centres of Excellence. |
Regulatory Authorities and Institutional Framework
MeitY anchors India's institutional framework for artificial intelligence, supported by advisory and expert bodies that integrate technical, policy, and strategic expertise. Together, they shape how AI is governed, deployed, and supervised across sectors in India.
- India's Nodal Ministry for AI Policy and Governance
The MeitY functions as the primary nodal authority for AI in India. It is responsible for overall policy direction on AI, issuing governance guidelines, and steering national missions and programmes related to digital technologies. MeitY's remit includes drafting and notifying AI-related policies, coordinating with other ministries and regulators, and proposing amendments to core digital and technology laws, such as the Information Technology framework and data protection rules, to address emerging AI use cases and risks.
- Key Advisory Bodies Guiding National AI Governance
India's AI advisory bodies provide specialised expertise to support MeitY's oversight. Below is a concise tabular summary of their roles.
|
Body |
Core Role |
Key Functions |
|
Office of Principal Scientific Advisor (PSA) |
Scientific and strategic guidance. |
Aligns R&D, funding, missions with science/security; advises on frontier research, compute, talent, industry-lab coordination; ensures evidence-based governance. |
|
NITI Aayog |
Strategic vision and development. |
Articulates AI for All; priority sectors, pilots, policy research; bridges economic planning, DPI, governance reforms for AI mainstreaming. |
|
Technology & Policy Expert Committee (TPEC) |
Translates tech into policy. |
It is a wing under the MeitY. Interdisciplinary advice on risk taxonomies, impact assessments, sandboxes; reviews regulations for transparency, accountability, human oversight; balances innovation and risk. |
- Role of Sectoral Regulators in India's AI Governance Framework
India's regulatory landscape for AI is shaped by a diverse set of sectoral regulators, each issuing frameworks, guidelines, and compliance requirements tailored to the unique risks of AI within their respective domains. From financial services and securities markets to healthcare, telecom, insurance, consumer protection, and cybersecurity, these authorities are progressively embedding AI‑specific obligations into existing regulatory structures.
|
Regulator |
Key Function |
|
Reserve Bank of India |
RBI has issued a comprehensive framework titled Framework for Responsible and Ethical Enablement of Artificial Intelligence (FREE-AI) in August 2025, which applies to banks, non-banking financial companies, and fintech entities.10 The FREE-AI framework articulates seven guiding principles and 26 actionable recommendations addressing data governance, model risk management, algorithmic accountability, and human oversight. |
|
Securities and Exchange Board of India (SEBI) |
SEBI has issued consultation papers and draft regulations addressing the use of AI tools by registered intermediaries, including investment advisers, research analysts, and stock brokers.11 SEBI's framework requires the disclosure of AI use to clients, the maintenance of technical documentation, and the implementation of controls to ensure that algorithmic outputs comply with SEBI's conduct-of-business rules and investor protection standards. |
|
Insurance Regulatory and Development Authority of India (IRDAI) |
The IRDAI mandates that insurers and intermediaries comply with its Guidelines on Information and Cyber Security for Insurers, with direct implications for AI-driven underwriting, claims management, and fraud detection. |
|
Telecom Regulatory Authority of India |
The TRAI has released recommendations in July 2023 on "Leveraging Artificial Intelligence and Big Data in the Telecommunication Sector", proposing the establishment of an independent statutory body called the "Artificial Intelligence and Data Authority of India" to oversee AI governance across sectors.12 |
|
Indian Council of Medical |
The Ethical Guidelines for using AI in biomedical research and healthcare outline essential standards such as safety, openness, accountability, fairness, and maintaining human control. They call for conducting bias assessments, obtaining independent ethical evaluations, ensuring high‑quality data, and clearly defining the responsibilities of both AI developers and healthcare practitioners. |
|
Central Consumer Protection Authority (CCPA) |
Section 10 of the Consumer Protection Act, 2019 (CPA) regulates e-commerce platforms for unfair trade practices, including AI-driven "dark patterns," as per the Guidelines for Prevention and Regulation of Dark Patterns, 2023 (notified on 30 November 2023). 13 14 Examples of of AI dark patterns: - AI-powered bait-and-switch: AI dynamically shows an item at a low price, then switches it to a higher-priced alternative when the user clicks, tailored to their perceived preferences. - Personalised 'confirmshaming': AI crafts guilt-tripping messages using a user's specific data and past behaviour (e.g., "No thanks, I don't like saving money on this specific brand you love"). - Dynamic privacy Zukering: AI subtly adjusts privacy settings or consent prompts to nudge users into sharing more data, learning what types of nudges work best for them. - Deepfake sales agents: AI-generated avatars or voices that mimic trusted figures (like a bank manager) to pressure users into transactions. |
|
CERT-In and NCIIPC (cross-sectoral cybersecurity) |
Under the IT Act, 2000, the 2022 CERT-In Directions require organisations to report cybersecurity incidents within six hours, maintain logs for 180 days, and support audit processes. These obligations extend to AI systems used in cloud services, financial technologies, and critical infrastructure. Likewise, the NCIIPC Rules (2014) identify critical information infrastructure sectors and impose mandatory security controls, continuous monitoring, and incident‑response measures requirements that are directly applicable to AI deployed in sectors such as energy, telecommunications, and transportation. |
|
Bureau of Indian Standards (BIS) |
BIS's Technical Committee LITD 30 is responsible for formulating India's standards related to artificial intelligence, listed in Annexure 6. The committee also helps shape global AI standards by participating in international standard‑setting efforts, such as ISO/IEC JTC 1/SC 42 on Artificial Intelligence. |
From Principles to Practice: What Comes Next for India's AI Governance?
India's AI governance landscape is steadily coalescing into a multi‑layered, principle‑driven framework that blends statutory mandates, sectoral regulation, and soft‑law guidance. Rather than adopting a single comprehensive AI statute, India has opted for a decentralised model that enables agility anchored by MeitY's governance guidelines and reinforced by the interventions of regulators across finance, healthcare, telecom, insurance, cybersecurity, and consumer protection. This ecosystem aims to foster innovation while embedding guardrails around transparency, accountability, fairness, and safety.
As AI systems become more deeply intertwined with digital public infrastructure, financial markets, healthcare delivery, and core governance functions, the interplay between existing laws and emerging regulatory expectations will grow even more complex. Organisations will increasingly have to manage overlapping compliance layers, shifting liability standards, and context‑specific operational obligations. At the same time, India's strategic ambitions spanning sovereign AI models, compute infrastructure, and safe‑and‑trusted AI programmes signal a future where AI governance is not merely about risk mitigation but about shaping national competitiveness and public trust.
This brings us to the next stage of the series: as AI becomes more autonomous, adaptive, and embedded across sectors, are India's existing laws—ranging from the IT Act and DPDP Act to sectoral statutes truly equipped to regulate contemporary and next‑generation AI systems?
Stay tuned for Part 2, which will unpack the current status of India's applicable laws and examine where they excel and where critical gaps remain.
Footnotes
1. Ministry of Electronics and Information Technology. India AI Governance Guidelines. Government of India, 2025, https://static.pib.gov.in/WriteReadData/specificdocs/documents/2025/nov/doc2025115685601.pdf
2. NITI Aayog. National Strategy for Artificial Intelligence. Government of India, 2018, https://www.niti.gov.in/sites/default/files/2023-03/National-Strategy-for-Artificial-Intelligence.pdf.
3. NITI Aayog. National Strategy for Artificial Intelligence.
4. Organisation for Economic Co-operation and Development. "AI Principles."
5. Ministry of Electronics and Information Technology. India AI Governance Guidelines.
6. NITI Aayog.National Strategy for Artificial Intelligence: #AIforAll. NITI Aayog, Government of India, June 2018,(Available at www.niti.gov.in/sites/default/files/2023-03/National-Strategy-for-Artificial-Intelligence.pdf)
7. NITI Aayog.Part II: Responsible AI for All: Principles for Responsible AI. NITI Aayog, Government of India, 12 Aug. 2021,(Available at www.niti.gov.in/sites/default/files/2021-08/Part2-Responsible-AI-12082021.pdf)
8. Ministry of Electronics and Information Technology. "IndiaAI Mission: Approved Initiatives and Pillars."(Available at https://indiaai.gov.in/)
9. Ministry of Electronics and Information Technology.India AI Governance Guidelines. MeitY, Government of India, Nov. 2025,www.meity.gov.in/content/india-ai-governance-guidelines. Accessed 11 Feb. 2026.
10. Grant Thornton India. "Guardrails for Responsible AI in India's Financial Sector." 13 Aug. 2025, https://www.grantthornton.in/insights/thought-leadership/guardrails-for-ai/.
11. Securities and Exchange Board of India. Consultation Paper on Guidelines for Responsible Usage of AI/ML. Government of India, 2025, https://www.sebi.gov.in/reports-and-statistics/reports/jun-2025/consultation-paper-on-gidelines-for-responsible-usage-of-ai-ml.
12. Telecom Regulatory Authority of India. Recommendations on Leveraging Artificial Intelligence and Big Data.
13. "Navigating the AI Horizon: Safeguarding Consumer Rights in the Digital Era." INDIAai, 28 July 2024, https://indiaai.gov.in/article/navigating-the-ai-horizon-safeguarding-consumer-rights-in-the-digital-era.
14. India, Central Consumer Protection Authority. "The Guidelines for Prevention and Regulation of Dark Patterns, 2023."The Gazette of India, Extraordinary, Part II, Section 3, Sub‑section (i), no. CG‑DL‑E‑30112023‑250339, Ministry of Law and Justice, Legislative Department, 30 Nov. 2023, egazette.gov.in.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
