India AI Rules 2026: Deepfake Labelling, DPDP and What Compliance Now Demands

The shape of India AI rules 2026 is now clear enough to plan around, even though the country has no single, dedicated AI statute. As of February 2026, artificial intelligence in India is governed through a patchwork: the Information Technology Act 2000, the Digital Personal Data Protection (DPDP) Act 2023 whose rules are being phased in reportedly through May 2027, and sector regulators such as the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI). The most consequential recent move is a February 2026 amendment to the IT Intermediary Rules aimed squarely at synthetically generated content.

The deepfake amendment: labelling and traceability

In February 2026 India amended its IT Intermediary Rules to target synthetically generated content, introducing labelling and traceability expectations for platforms. The framework has been described as a global precedent for how a large jurisdiction approaches deepfakes through intermediary law rather than a standalone AI act. The practical thrust is straightforward: platforms that host or distribute synthetic media are expected to identify it as such, and to retain enough provenance information that synthetic content can be traced.

This is India deepfake regulation arriving through the route the country already knows well: the intermediary liability framework that has governed user content for two decades. For security and compliance teams, the labelling obligation is not merely a content-moderation problem; it is a data and engineering problem. Synthetic content labelling means tooling to detect, tag and log AI-generated material, and it means thinking about how labels survive re-uploads, transcoding and adversarial stripping. Anyone building or integrating generative models into a consumer product should assume that “we generated this” metadata will need to be both present and durable.

How the DPDP Act applies to AI under the India AI rules 2026

The DPDP Act is where AI governance gets teeth for most businesses, because almost every meaningful AI system touches personal data somewhere. The Act’s core principles – lawful basis and consent, purpose limitation, and data minimisation – apply to personal data used in both training and inference. That has several concrete implications under the heading of DPDP Act AI obligations.

• Lawful basis for training data. Scraping or reusing personal data to train a model is not automatically permitted; you need a lawful basis, and in many cases that means consent obtained for a clearly stated purpose.
• Purpose limitation. Data collected to deliver one service cannot be quietly repurposed to train an unrelated model. “We already have the data” is not a lawful basis on its own.
• Data minimisation. Models that ingest more personal data than they need create exposure that the Act treats as a liability, not an asset.
• Inference-time risks. Prompts, retrieval contexts and logs frequently carry personal data, so the obligations follow the system into production, not just into the training pipeline.

Breaches of these obligations carry significant penalties, which is why DPDP is the part of the 2026 picture that most directly changes board-level risk calculus. RingSafe’s DPDP compliance work and its AI compliance guidance for India exist precisely because the gap between “we deployed an AI feature” and “we can demonstrate a lawful basis for the data behind it” is where most organisations are currently exposed.

What this means for Indian businesses

The absence of a single AI law is sometimes read as the absence of obligation. That reading is wrong. The combination of the IT Act, the amended Intermediary Rules, the DPDP Act and sectoral expectations from RBI and SEBI already constitutes a working regulatory surface. A fintech using a model to score creditworthiness answers to RBI expectations and DPDP simultaneously; a brokerage deploying an AI assistant answers to SEBI and DPDP. The 2026 environment rewards organisations that map these overlapping demands rather than waiting for one consolidated statute that may not arrive for years.

It also raises the security stakes. Generative systems introduce attack surfaces that traditional application security misses, and a model that leaks training data or follows an injected instruction can convert a compliance gap into a breach. Teams new to this should treat AI features as part of the attack surface and lean on a structured reference; RingSafe’s AI Security Center collects the OWASP LLM Top 10, red-teaming guidance and India-specific compliance notes in one place. Unsanctioned, undocumented deployments are a particular hazard, because shadow model use quietly creates the very DPDP exposures described above.

A practical compliance checklist for the India AI rules 2026

The following steps translate the 2026 framework into actions a security or compliance lead can start this quarter. None of them require a final AI statute to be in place; they map directly onto obligations that already exist.

• Inventory AI systems and data flows. You cannot govern what you have not enumerated. Catalogue every model, vendor API and embedded AI feature, and trace what personal data flows into each, in both training and inference.
• Run a data-protection assessment. For each system, document the lawful basis, the purpose, what data is minimised or excluded, and what happens to prompts and logs.
• Label synthetic and AI-generated content. Build the tagging and provenance pipeline now; align it with the IT Intermediary Rules’ traceability expectations rather than retrofitting later.
• Perform vendor due diligence. Third-party model providers inherit your DPDP obligations through your contract. Confirm where data is processed, how it is retained, and whether your inputs are used to train their models.
• Align with RBI and SEBI sectoral expectations. Regulated entities must reconcile data-protection duties with sector rules, which can be stricter than the baseline.
• Red-team the models themselves. Treat AI systems as software that can be attacked, testing for prompt injection, data exfiltration and unsafe tool use before they reach production.

The EU AI Act as a parallel signal

Indian businesses that serve or process data from the EU face a second clock running in parallel. The phased nature of the EU AI Act’s 2026 compliance deadlines means some organisations will need to satisfy both regimes, and the disciplines overlap heavily: documented data provenance, risk assessment and transparency about AI-generated content recur in both. Building one rigorous governance baseline tends to serve both jurisdictions, which is the efficient way to approach an environment where the India AI rules 2026 and EU obligations are maturing at the same time.

The takeaway

India has not waited for a comprehensive AI law to start regulating AI. Through the IT Act, the February 2026 deepfake-focused Intermediary Rules amendment, a phased DPDP Act and active sector regulators, the obligations are already here, distributed across instruments and reinforced by significant penalties. Organisations that inventory their systems, establish lawful bases, label synthetic content and red-team their models are not getting ahead of the law; they are meeting it as it stands in 2026.

If your organisation is deploying AI and is unsure where DPDP, the deepfake rules and sectoral expectations leave you exposed, RingSafe’s AI compliance guidance for India can map your obligations and the testing behind them. Book a scoping call to start with an AI and data-flow inventory.