What Is India's AI Governance Framework?

The framework is not a law. MeitY officials have stressed repeatedly that the guidelines carry no legal enforceability and are meant to enable innovation while encouraging responsible behavior. ^{PIB 2025} The legal teeth come from existing statutes: the IT Act, the DPDPA, consumer protection law, and sector-specific regulations that are already binding.

This matters because India's 5.95 million tech workers ^{NASSCOM FY26}, 1,800+ Global Capability Centers ^{Zinnov/NASSCOM}, and fast-growing AI startup ecosystem need clarity on what the rules actually are, and where the enforcement comes from.

India's Regulatory Landscape

India's AI governance sits across multiple layers. No single document covers everything. Here is what exists, what is coming, and who enforces what.

MeitY AI Governance Guidelines (Nov 2025)

Released under the India AI Mission, these guidelines establish seven sutras that ground India's governance philosophy. The document has four parts: principles, recommendations across six pillars, an action plan with short/medium/long-term timelines, and practical guidelines for industry and regulators. ^{MeitY PDF}

Three new governance bodies are proposed:

The Bureau of Indian Standards (BIS) has adopted ISO 42001 as an Indian national standard (IS/ISO/IEC 42001:2023), giving organizations a certifiable path to operationalize MeitY's principles. ^{MeitY Annexure 6}

Digital Personal Data Protection Act (DPDPA)

India's first comprehensive data protection law, which received Presidential assent in August 2023. ^MeitY The DPDP Rules were notified on 14 November 2025, with an 18-month phased compliance window. ^PIB

The DPDPA's seven core principles (consent and transparency, purpose limitation, data minimization, accuracy, storage limitation, security, accountability) directly affect how AI systems collect, process, and store training data involving Indian citizens. For a deeper look at how these principles map to the full AI data lifecycle, see our data governance hub. Penalties reach up to INR 250 crore. ^{DPDPA Act}

Sector Regulators

India's approach relies on existing regulators to enforce AI governance within their domains. ^{MeitY PDF}

RBIFinance — FREE-AI Committee Report (2025): board-approved AI policies, tiered incident reporting for AI bias and failures, adversarial attack protections SEBISecurities — Consultation paper on AI/ML in Indian Securities Markets (June 2025), covers algorithmic trading ICMRHealthcare — Ethical Guidelines for AI in Biomedical Research: bias audits, independent ethics review, data quality checks IRDAIInsurance — Guidelines covering AI-driven underwriting, claims, and fraud detection TECTelecom — Voluntary Standard for Fairness Assessment and Rating of AI Systems CERT-InCybersecurity — Mandatory 6-hour incident reporting for all body corporates, government entities, and service providers (applies to 20 enumerated cybersecurity incident types, not all AI failures)

AI Ethics & Accountability Bill (Proposed)

Introduced as a Private Member's Bill in the Lok Sabha on 17 December 2025. ^{SCC Online} Proposes a statutory Ethics Committee, mandatory ethical reviews for high-risk AI systems, and penalties up to INR 5 crore. This is not current law. It requires parliamentary debate and approval before enactment.

How India Compares to Global Frameworks

India's approach is distinct from every other major jurisdiction. While the EU AI Act mandates conformity assessments and the NIST AI RMF provides a voluntary US framework, India's guidelines occupy different ground entirely. ^{National Law Review}

India focuses its risk classification on harms specific to its population: caste bias, gendered deepfakes, child safety, and language discrimination. ^NLR ISO 42001, adopted by BIS as an Indian standard, bridges both approaches by giving organizations a certifiable framework that satisfies multiple jurisdictions.

India's AI Market: Why This Matters Now

80% of new GCCs are prioritizing AI/ML capabilities. ^{Gratuityconsulting} These centers, running operations for US and European companies from Bangalore, Hyderabad, Delhi NCR, Pune, and Chennai, must now handle DPDPA, GDPR, and the EU AI Act simultaneously. That three-framework compliance challenge is driving demand for practitioners who understand all three.

AI governance specialists command a 30-40% salary premium over non-AI governance peers. ^{EY India} For US salary benchmarks, see AI governance salary data. Practitioners looking to build credentials should explore IT certifications and the global AI governance careers overview.

ISO 42001 in India

ISO 42001 has been adopted by the Bureau of Indian Standards as IS/ISO/IEC 42001:2023, and MeitY's guidelines reference it directly in Annexure 6. ^{MeitY Annexure 6} This gives Indian organizations a certifiable pathway to demonstrate responsible AI governance.

KPMG India received ISO 42001 certification from SGS in December 2025 (Gurugram and Noida offices). ^{PRNewswire/SGS} Mphasis became the first Indian IT services company to certify. More are following as global clients make certification a procurement requirement.

For organizations already working toward MeitY compliance, ISO 42001 provides the management system structure (PDCA cycle, risk treatment, documented controls) that turns principles into auditable processes. The IAPP AIGP certification complements ISO 42001 by validating individual practitioner knowledge of AI governance principles.

Templates and Tools

India-specific governance templates based on the MeitY guidelines, DPDPA requirements, and cross-jurisdiction compliance needs. These build on our free AI templates and tools collection with India-localized content.

Where to Start

Explore India AI Governance