The enterprise AI governance landscape in India
Enterprise AI governance in India requires navigating three overlapping regulatory layers. The DPDP Act 2023 creates the framework for personal data protection across all sectors. Sector-specific regulators — RBI for banking and NBFCs, SEBI for capital markets, IRDAI for insurance — apply their own AI governance expectations within their domains. And the IT Act and SPDI Rules create cybersecurity and data security obligations that apply to AI systems processing sensitive data.
Unlike the EU AI Act, India has not created a single comprehensive AI framework. The result is a patchwork where enterprise AI governance requires coordination across legal, compliance, IT risk, and business functions — and where the applicable obligations depend heavily on the sector the organisation operates in.
DPDP Act: the enterprise data protection framework
The DPDP Act creates a consent-based framework for personal data processing. For enterprises, the most significant requirements are: obtaining free, specific, informed and unambiguous consent for each specified purpose for which personal data is used in AI systems; implementing consent management infrastructure that can demonstrate consent for each processing purpose and honour withdrawal of consent (including consent given through registered Consent Managers); providing meaningful responses to data principal rights requests (access to a summary of the personal data processed and the processing activities, correction, erasure and grievance redressal), which in practice means being able to trace which personal data flows into AI-assisted decisions; and publishing the business contact details of a Data Protection Officer or, where no DPO is required, of a person who can answer data principals' questions on the organisation's behalf. The Act does not provide for registering a DPO with the Data Protection Board; a mandatory, India-based DPO is an obligation of Significant Data Fiduciaries only.
Significant Data Fiduciaries (SDFs) — organisations designated by the government based on data volume, sensitivity, and impact criteria — will face elevated obligations including mandatory DPO appointment in India, periodic Data Protection Impact Assessments, and independent data audits. Organisations processing large volumes of Indian consumer data (e-commerce, financial services, healthcare, social media) should assess likelihood of SDF designation and prepare governance infrastructure accordingly.
Sector regulatory AI governance
RBI regulated entities: the RBI's model risk management guidance applies to AI models used in credit underwriting, fraud detection, and other regulated activities. Core requirements include independent model validation before deployment, documentation of model limitations and failure modes, ongoing performance monitoring with demographic bias assessment, and board-level visibility of model risk. The RBI's Fair Practices Code requires that credit rejections — including AI-driven ones — be accompanied by specific reasons, not just model output.
SEBI regulated entities: SEBI's algorithmic trading framework, and increasing attention to AI in investment advisory, requires validation of AI trading and recommendation systems, audit trail maintenance, suitability assessment for individual clients, and compliance with front-running and market manipulation prohibitions that apply regardless of whether decisions are human or algorithm-driven.
IRDAI regulated entities: IRDAI's guidance on technology in insurance applies to AI in underwriting, claims processing, and distribution. Fairness requirements prevent AI underwriting from resulting in unjustified discrimination; explainability requirements apply to AI-driven claims decisions that are disputed; and consumer protection standards apply to AI in insurance distribution.
Board-level accountability
Board-level governance of AI risk is increasingly expected by Indian regulators. SEBI's corporate governance requirements for listed companies under the LODR Regulations, including the risk management committee obligations for larger listed entities, create frameworks within which AI, as a material operational risk, must be managed at board level. IRDAI's board oversight expectations for insurers apply to technology risk including AI. And the RBI's operational risk management and operational resilience guidance for regulated entities (its 2024 Guidance Note, the Indian counterpart of standards such as APRA's CPS 230) places documented accountability for operational risk, including AI, with the board.
Enterprise boards should be able to demonstrate: understanding of what AI systems the organisation uses in material activities; board-approved governance framework addressing AI risk; regular reporting on AI incidents and emerging AI regulatory requirements; and board-level accountability for AI governance failures.
Data localisation and cross-border transfer
The DPDP Act does not itself mandate localisation. It permits transfer of personal data outside India except to countries or territories that the Central Government restricts by notification (a negative-list model rather than a whitelist of "trusted" countries), and it expressly preserves any stricter sector-specific localisation requirement, such as the RBI's 2018 directive that payment system data be stored only in India. Organisations using overseas AI infrastructure (cloud providers, US-based AI services) must review their data transfer arrangements once the restrictions and implementing rules are published, and must map which sector rules apply to the data concerned. This is particularly significant for organisations sending Indian personal data to AI models trained and operated on US or European infrastructure.