Last updated: April 26, 2026
AI compliance for Indian organisations in 2026 sits at the intersection of the DPDP Act 2023, sectoral regulators, the draft Digital India Bill (DIB), and international frameworks with extra-territorial reach (notably the EU AI Act). This article covers the current Indian regulatory landscape for AI, the obligations that already apply, and what to expect next.
The regulatory layers
DPDP Act 2023 (in force, Rules being notified)
Applies whenever an AI system processes personal data, at training time as well as at inference time. Key obligations:
- Lawful basis for processing: consent, or one of the §7 "certain legitimate uses"
- Data Principal rights apply: access, correction, erasure, withdrawal of consent
- Significant Data Fiduciary obligations if the government classifies you as one: periodic DPIA, a Data Protection Officer and an independent data auditor
- Reasonable security safeguards under §8(5), which cover the models, training datasets and inference pipelines that hold personal data, not only the source databases
Sectoral regulators
- RBI: guidance on AI/ML use in regulated entities (credit, fraud detection, KYC)
- SEBI: AI use disclosure for market intermediaries; algorithmic trading rules
- IRDAI: AI in insurance underwriting and claims processing
- MoHFW / CDSCO: AI used as a medical device needs a CDSCO regulatory pathway
- NCERT / UGC: emerging guidelines on AI use in education
Digital India Bill (in development)
Expected to formalise AI accountability across sectors. Likely to include:
- Risk-based classification of AI systems
- Mandatory transparency for high-risk systems
- Audit / assurance requirements
- Liability framework for AI-caused harm
International overlays
- EU AI Act: applies extra-territorially when a system is placed on the EU market or its output is used in the EU, regardless of where the provider is based
- NIST AI RMF: referenced by Indian regulators as a best-practice risk framework, not binding
- ISO/IEC 42001: AI management system standard, certifiable by third-party audit
Practical compliance for AI deployments
1. Classification
Determine the risk level of each AI system from its impact on the people it affects, for example:
- Low: content recommendation, internal productivity tools
- Medium: customer service, document processing
- High: credit decisions, hiring, healthcare diagnostics, financial advice, anything that makes or materially shapes a consequential decision about a person
2. Documentation
- Model card describing capability, limitations and training data
- DPIA (Data Protection Impact Assessment) if personal data is processed
- Risk assessment per NIST AI RMF
- Audit trail of automated decisions (inputs, model version, output, any human override) so that a decision can be explained and challenged after the fact
3. Governance
- AI governance committee with cross-functional representation
- Pre-deployment review for material AI systems
- Monitoring of production AI behaviour
- Incident response process for AI-caused harm
4. Technical controls
- Pre-deployment red-teaming (for LLM-based systems, against the OWASP Top 10 for LLM Applications)
- Adversarial robustness evaluation
- Privacy-preserving techniques where applicable (differential privacy, federated learning)
- Bias / fairness testing on populations representative of the users the system will actually affect
5. User-facing
- Clear notice when a user is interacting with an AI system
- Right to human review of consequential decisions
- Channels for users to challenge AI decisions
- Transparency about training data sources where relevant
Sector-specific call-outs
BFSI
- RBI guidance on responsible AI use (issued through 2024-25 advisories)
- Algorithmic credit decisions: explainability requirements
- Fraud-detection AI: accuracy and false-positive rate disclosure
Healthcare
- CDSCO regulatory pathway for AI medical devices (Software as a Medical Device, SaMD)
- NHA / ABDM (formerly NDHM) frameworks for AI in healthcare delivery
- HIPAA and equivalent foreign obligations where the service is offered internationally
Recruitment / HR
- Equal opportunity considerations in AI-driven hiring
- Disclosure obligations to candidates when AI is used in screening or assessment
The takeaway
Indian AI compliance is currently a layered framework: DPDP for data, sectoral regulators for use cases, and the DIB on the way for cross-cutting governance. Organisations deploying AI should classify risk, document accordingly, govern proactively, and apply technical controls (red-teaming, monitoring). The compliance bar is rising; building the governance now is cheaper than retrofitting it later.
Get a DPDP gap assessment
Free 30-minute call. We map your data flows against the DPDP §8 obligations and tell you exactly which gaps to fix first, with output you can defend to an auditor.