The Big Question
Let me start with a question that every business leader deploying AI in India must answer.
"India doesn't have an AI law. Do we actually need to worry about AI compliance?"
The honest answer:
Yes. And the deadline is fixed.
Here is the truth:
India has adopted a multi-layered, decentralized, and principle-driven approach to AI governance. While there is no standalone AI statute, AI systems are regulated through a composite framework of existing legislation — the Information Technology Act, the DPDP Act, the Consumer Protection Act, and sector-specific regulations from the RBI, SEBI, IRDAI, and others.
The absence of a single "AI law" does not mean the absence of compliance obligations. It means you must navigate a complex quilt of statutory triggers, sector-specific circulars, and evolving liability standards.
Step 3: The DPDP Act — The Foundation of AI Compliance
What Is the DPDP Act?
The Digital Personal Data Protection Act, 2023, is India's first comprehensive legislation governing the protection of digital personal data. It establishes clear rules for how organizations collect, process, store, and transfer the personal data of Indian citizens.
Key Timelines
| Date | Requirement |
|---|---|
| November 14, 2025 | DPDP Rules operationalized |
| November 13, 2026 | Consent manager registration framework becomes mandatory |
| May 13, 2027 | Full DPDP Act enforcement — all covered businesses must comply |
Scope and Applicability
The DPDP Act applies to personal data collected in digital form, as well as data initially collected in non-digital form but subsequently digitized. It incorporates extraterritorial applicability, extending to foreign organizations that process personal data in connection with offering goods or services to individuals located in India.
How the DPDP Act Applies to AI Systems
| Requirement | Implication for AI |
|---|---|
| Consent for AI Training | Specific consent must be obtained for collecting personal information for training AI models. Organizations cannot rely on broad, vague consent. |
| Legitimate Uses | The DPDP Act provides specific legitimate uses as exceptions to consent, including voluntarily provided data, employment relationships, and public data exemptions. |
| Public Data Exemption | The DPDP Act does not apply to personal data made publicly available by the data subject or under law. This is broader than GDPR and may allow scraping of public web data for AI training. |
| Algorithmic Accountability | Significant Data Fiduciaries must ensure that algorithmic software, including AI systems, does not adversely affect the rights of Data Principals. |
| Security Safeguards | AI systems must implement reasonable security safeguards. |
| Penalties | Fines up to ₹250 crore ($28 million) for failing to prevent a personal data breach. |
| Breach Reporting | Data controllers are obligated to report a personal data breach within 72 hours of becoming aware of the breach. |
"The use of personal data without user consent to train AI models is governed by the DPDP Act. Obligations of consent, purpose limitation, and data minimization would have direct bearing on AI model training and deployment."
Step 4: The IT Amendment Rules 2026 — Mandatory AI Labeling and Faster Takedowns
On February 10, 2026, the Central Government notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026.
What Is Synthetically Generated Information (SGI)?
SGI is defined as audio, visual, or audio-visual information that is artificially or algorithmically created, generated, modified, or altered to appear real, authentic, or true.
This includes:
-
Deepfakes
-
AI-generated or AI-altered images and videos
-
Voice cloning
-
Other realistic, algorithmically generated audio-visual content
Notably, text generated by AI does not fall within SGI.
Key Obligations for Intermediaries
| Obligation | Requirement |
|---|---|
| Technical Measures | Implement "reasonable and appropriate technical measures including automated tools" to prevent creation or dissemination of unlawful SGI |
| Labeling | Non-prohibited SGI must be "clearly and prominently labeled" with visual labels (for visual SGI) and audio disclosures (for audio SGI) |
| Metadata | Embed permanent metadata or unique identifiers to trace the computer resource used to generate or alter content; do not enable removal or modification |
| Takedown Timelines | Within 3 hours for court/government orders; within 2 hours for high-risk content (nudity, intimate imagery, deepfake sexual content) |
Additional Obligations for Significant Social Media Intermediaries (SSMIs)
SSMIs—platforms with over 5 million registered users in India (Meta, Alphabet, X, LinkedIn)—face heightened requirements:
-
User Declarations: Require users to declare whether uploaded content is SGI
-
Technical Verification: Deploy automated tools to verify the accuracy of user declarations—cannot rely solely on user representations
Step 5: The Draft Second Amendment to IT Rules, 2026
The Draft Second Amendment is structural in nature and has far-reaching implications on platform accountability.
Key Proposed Changes
| Change | Implication |
|---|---|
| Compliance with MEITY Advisories | Compliance with clarifications, advisories, orders, guidance, or codes of practice issued by MEITY becomes a requirement for 'due diligence' — non-compliance links to loss of safe harbor protection |
| Content Deletion Retention | Intermediaries must comply with content deletion directions while retaining certain user-related and grievance-linked information for a minimum period of 180 days |
| Expanded IDC Scope | The Inter-Departmental Committee's operations extend to all users beyond publishers of online news and current affairs content |
"The Draft Second Amendment marks a clear shift toward tighter, more centralized regulation of digital intermediaries, significantly raising compliance expectations and legal risk."
Step 6: Sector-Specific Regulations
RBI — FREE-AI Framework
The Reserve Bank of India issued a comprehensive framework titled Framework for Responsible and Ethical Enablement of Artificial Intelligence (FREE-AI) in August 2025, applying to banks, NBFCs, and fintech entities.
The framework articulates seven guiding principles and 26 actionable recommendations addressing data governance, model risk management, algorithmic accountability, and human oversight.
SEBI — AI Disclosure Requirements
SEBI requires the disclosure of AI use to clients, the maintenance of technical documentation, and the implementation of controls to ensure that algorithmic outputs comply with SEBI's conduct-of-business rules and investor protection standards.
IRDAI — Cyber Security Guidelines
The IRDAI mandates that insurers and intermediaries comply with its Guidelines on Information and Cyber Security for Insurers, with direct implications for AI-driven underwriting, claims management, and fraud detection.
TRAI — AI and Big Data Recommendations
TRAI has released recommendations on leveraging AI and Big Data in the telecommunication sector, proposing the establishment of an independent statutory body called the "Artificial Intelligence and Data Authority of India" to oversee AI governance across sectors.
CCPA — Dark Patterns Guidelines
The Central Consumer Protection Authority regulates e-commerce platforms for unfair trade practices, including AI-driven "dark patterns," as per the Guidelines for Prevention and Regulation of Dark Patterns, 2023.
Examples of AI dark patterns include:
-
AI-powered bait-and-switch
-
Personalized 'confirmshaming'
-
Dynamic privacy Zuckering
-
Deepfake sales agents
Step 7: The Machine Unlearning Challenge
The Problem
The challenge of removing personal data from the training set of an AI system or 'unlearning' it from a model is not uncommon. Unlike conventional data repositories, LLMs do not preserve information in discrete, accessible rows or columns — they operate by adjusting probabilistic weights across billions of parameters.
"Once incorporated, that data is not stored in a manner that permits straightforward retrieval, indexing, or deletion. There exists no practical mechanism to surgically excise that individual's contribution without undertaking a complete retraining of the model."
How the DPDP Act Differs from GDPR
| Dimension | DPDP Act | GDPR |
|---|---|---|
| Right to Erasure | Provides a right to withdraw consent (narrower obligation) | Provides a blanket right to erasure |
| Applicability | Applies only to personal data processed based on consent | Applies broadly to all personal data |
| Technical Feasibility | Courts likely to apply proportionality test | Stronger presumption of erasure |
Practical Approaches
| Method | Description | Trade-off |
|---|---|---|
| Differential Privacy | Adds random "noise" to training data, making it impossible to identify individuals | Models are usually less accurate |
| Algorithmic Destruction / Machine Unlearning | Tries to remove specific data points without retraining from scratch | No agreed-upon measure of effectiveness |
"In practice, regulators and courts are likely to apply a proportionality test: if erasure is technically feasible without imposing disproportionate burdens, the individual's right will prevail; if compliance would cripple innovation, alternative safeguards may be accepted."
Step 8: Shadow AI — The Governance Gap
The Scale of the Problem
Nearly 59% of large Indian enterprises have already deployed AI in operations — the highest rate globally. Yet 93% plan to increase AI investment, but only 15.8% have operationalized AI at strategic scale with proper governance.
The Cost of Poor Governance
-
95% of enterprise generative AI initiatives show no measurable impact on profit and loss
-
Integration failures and data governance gaps are the primary causes — not model quality
-
29% of enterprise cloud budgets are wasted, driven directly by AI workloads that organizations lack the governance to manage
-
Applied to India's cloud trajectory, the implied waste runs to roughly $3 billion annually
Shadow AI Risks
Unauthorized AI deployments:
-
Consume compute resources
-
Process sensitive personal data
-
Create DPDP compliance exposures
-
Generate no entry in any asset register or cloud cost report
"Shadow AI is invisible to the finance function and generates no entry in any asset register or cloud cost report. Unlike shadow IT of an earlier era, shadow AI consumes compute resources, processes sensitive personal data, and creates DPDP compliance exposures, often simultaneously."
Step 9: The Responsible AI Framework
India's AI governance is anchored in a principle-based framework articulated through multiple policy instruments:
The Seven Sutras
| Sutra | What It Means |
|---|---|
| Safety and Reliability | AI systems must be robust and secure |
| Equality and Inclusivity | AI must advance inclusion while reducing risks of exclusion |
| Privacy and Security | Data protection and security safeguards are mandatory |
| Transparency | AI systems must be understandable and explainable |
| Accountability | AI developers and deployers must remain visible and accountable |
| Protection and Empowerment | Human agency must be strengthened, with meaningful human oversight |
| Human Values | AI must align with constitutional values and human rights |
Step 10: Implementation Roadmap — 90 Days
Month 1: Foundation (Weeks 1-4)
| Action | Output |
|---|---|
| Map all AI systems in use or development | Complete AI asset inventory |
| Assess which AI systems process personal data | DPDP compliance baseline |
| Identify shadow AI deployments | Risk register |
| Establish AI governance committee | Clear ownership and accountability |
Month 2: Policy and Procedures (Weeks 5-8)
| Action | Output |
|---|---|
| Update privacy notices for AI-specific processing | DPDP-compliant notices |
| Implement labeling mechanisms for SGI | SGI labeling framework |
| Establish takedown procedures for unlawful content | IT Rules compliance procedures |
| Tag every cloud resource with owner, purpose, cost center, and data classification | Governed cloud estate |
Month 3: Technical Controls (Weeks 9-12)
| Action | Output |
|---|---|
| Implement technical measures against unlawful content | Technical controls |
| Deploy automated tools for SGI detection | Monitoring capability |
| Establish audit trails for AI decisions | Traceability framework |
| Name an owner for every workload | Clear accountability |
Step 11: Frequently Asked Questions
Q1: Does India have a standalone AI law?
No. India does not foresee the need for a standalone AI law. Instead, the government extends existing laws — IT Act, DPDP Act, sectoral regulations — to AI systems.
Q2: What is the most urgent compliance requirement?
The IT Amendment Rules 2026, effective from February 10, 2026, impose immediate obligations including 3-hour and 2-hour takedown timelines, labeling requirements for SGI, and technical measures against unlawful content. The DPDP Act's full enforcement arrives on May 13, 2027.
Q3: Can I scrape publicly available data for AI training in India?
Yes, but with conditions. The DPDP Act exempts personal data made publicly available by the data subject or under law. However, downstream reuse and commercial AI training may still raise compliance concerns.
Q4: How do I handle the "right to be forgotten" for AI systems?
Machine unlearning is technically challenging — data embedded in LLM weights cannot be surgically removed. The DPDP Act provides a right to withdraw consent, not a blanket right to erasure, narrowing the challenge. Practical approaches include differential privacy and algorithmic destruction, applied with proportionality.
Q5: What is the difference between India's approach and the EU AI Act?
The EU AI Act is a binding, risk-classified regulation. India's model adopts a principle-based, voluntary governance approach that extends existing laws to AI systems. However, enforcement is becoming stricter through IT Rules amendments and the DPDP Act.
Q6: How can Innovative AI Solutions help?
We help Indian businesses navigate AI governance, from compliance assessments and policy development to technical implementation of labeling, monitoring, and audit systems.
Step 12: Final Tagline
"India's AI governance is not a single law but a multi-layered framework integrating constitutional provisions, statutes, rules, regulations, and guidelines. The government does not foresee a standalone AI law — compliance obligations are already here, distributed across multiple legal frameworks. The question is not whether to comply, but how quickly you can build governance into your AI systems before the May 2027 deadline."
Short version:
AI compliance in India before 2027 — DPDP Act, IT Rules, sector-specific regulations, and implementation roadmap.
Hashtags:
#AIGovernance #IndiaAI #DPDPAct #ITRules #ResponsibleAI #AIPolicy #DigitalIndia #InnovativeAISolutions
Ready to Navigate AI Compliance?
India's AI regulatory landscape is evolving rapidly. Let us help you build a compliance framework that protects your business and enables innovation.
Contact Us
Phone: +91 7464 099 059 / +91 96899 67356
Email: info@innovativeais.com
Address: Netaji Subhash Place, Pitampura, Delhi – 110034
Website: https://innovativeais.com
About the Author
Abhishek Kumar
Founder & CEO, Innovative AI Solutions
5+ years building AI systems and navigating AI governance frameworks. Based in Delhi, serving clients across India.