Innovative AI Solutions | AI Development, Web & Mobile Apps – Delhi, India

AI Compliance in India: What Businesses Must Know Before 2027

AI Compliance in India: What Businesses Must Know Before 2027 - Innovative AI Solutions Blog

The Big Question

Let me start with a question that every business leader deploying AI in India must answer.

"India doesn't have an AI law. Do we actually need to worry about AI compliance?"

The honest answer:

Yes. And the deadline is fixed.

Here is the truth:

India has adopted a multi-layered, decentralized, and principle-driven approach to AI governance. While there is no standalone AI statute, AI systems are regulated through a composite framework of existing legislation — the Information Technology Act, the DPDP Act, the Consumer Protection Act, and sector-specific regulations from the RBI, SEBI, IRDAI, and others. 

The absence of a single "AI law" does not mean the absence of compliance obligations. It means you must navigate a complex quilt of statutory triggers, sector-specific circulars, and evolving liability standards.


Step 3: The DPDP Act — The Foundation of AI Compliance

What Is the DPDP Act?

The Digital Personal Data Protection Act, 2023, is India's first comprehensive legislation governing the protection of digital personal data. It establishes clear rules for how organizations collect, process, store, and transfer the personal data of Indian citizens.

Key Timelines

 
 
Date Requirement
November 14, 2025 DPDP Rules operationalized
November 13, 2026 Consent manager registration framework becomes mandatory
May 13, 2027 Full DPDP Act enforcement — all covered businesses must comply

Scope and Applicability

The DPDP Act applies to personal data collected in digital form, as well as data initially collected in non-digital form but subsequently digitized. It incorporates extraterritorial applicability, extending to foreign organizations that process personal data in connection with offering goods or services to individuals located in India.

How the DPDP Act Applies to AI Systems

 
 
Requirement Implication for AI
Consent for AI Training Specific consent must be obtained for collecting personal information for training AI models. Organizations cannot rely on broad, vague consent.
Legitimate Uses The DPDP Act provides specific legitimate uses as exceptions to consent, including voluntarily provided data, employment relationships, and public data exemptions.
Public Data Exemption The DPDP Act does not apply to personal data made publicly available by the data subject or under law. This is broader than GDPR and may allow scraping of public web data for AI training.
Algorithmic Accountability Significant Data Fiduciaries must ensure that algorithmic software, including AI systems, does not adversely affect the rights of Data Principals.
Security Safeguards AI systems must implement reasonable security safeguards.
Penalties Fines up to ₹250 crore ($28 million) for failing to prevent a personal data breach.
Breach Reporting Data controllers are obligated to report a personal data breach within 72 hours of becoming aware of the breach.

"The use of personal data without user consent to train AI models is governed by the DPDP Act. Obligations of consent, purpose limitation, and data minimization would have direct bearing on AI model training and deployment."


Step 4: The IT Amendment Rules 2026 — Mandatory AI Labeling and Faster Takedowns

On February 10, 2026, the Central Government notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026.

What Is Synthetically Generated Information (SGI)?

SGI is defined as audio, visual, or audio-visual information that is artificially or algorithmically created, generated, modified, or altered to appear real, authentic, or true.

This includes:

  • Deepfakes

  • AI-generated or AI-altered images and videos

  • Voice cloning

  • Other realistic, algorithmically generated audio-visual content

Notably, text generated by AI does not fall within SGI.

Key Obligations for Intermediaries

 
 
Obligation Requirement
Technical Measures Implement "reasonable and appropriate technical measures including automated tools" to prevent creation or dissemination of unlawful SGI
Labeling Non-prohibited SGI must be "clearly and prominently labeled" with visual labels (for visual SGI) and audio disclosures (for audio SGI)
Metadata Embed permanent metadata or unique identifiers to trace the computer resource used to generate or alter content; do not enable removal or modification
Takedown Timelines Within 3 hours for court/government orders; within 2 hours for high-risk content (nudity, intimate imagery, deepfake sexual content)

Additional Obligations for Significant Social Media Intermediaries (SSMIs)

SSMIs—platforms with over 5 million registered users in India (Meta, Alphabet, X, LinkedIn)—face heightened requirements:

  • User Declarations: Require users to declare whether uploaded content is SGI

  • Technical Verification: Deploy automated tools to verify the accuracy of user declarations—cannot rely solely on user representations


Step 5: The Draft Second Amendment to IT Rules, 2026

The Draft Second Amendment is structural in nature and has far-reaching implications on platform accountability.

Key Proposed Changes

 
 
Change Implication
Compliance with MEITY Advisories Compliance with clarifications, advisories, orders, guidance, or codes of practice issued by MEITY becomes a requirement for 'due diligence' — non-compliance links to loss of safe harbor protection
Content Deletion Retention Intermediaries must comply with content deletion directions while retaining certain user-related and grievance-linked information for a minimum period of 180 days
Expanded IDC Scope The Inter-Departmental Committee's operations extend to all users beyond publishers of online news and current affairs content

"The Draft Second Amendment marks a clear shift toward tighter, more centralized regulation of digital intermediaries, significantly raising compliance expectations and legal risk."


Step 6: Sector-Specific Regulations

RBI — FREE-AI Framework

The Reserve Bank of India issued a comprehensive framework titled Framework for Responsible and Ethical Enablement of Artificial Intelligence (FREE-AI) in August 2025, applying to banks, NBFCs, and fintech entities.

The framework articulates seven guiding principles and 26 actionable recommendations addressing data governance, model risk management, algorithmic accountability, and human oversight.

SEBI — AI Disclosure Requirements

SEBI requires the disclosure of AI use to clients, the maintenance of technical documentation, and the implementation of controls to ensure that algorithmic outputs comply with SEBI's conduct-of-business rules and investor protection standards.

IRDAI — Cyber Security Guidelines

The IRDAI mandates that insurers and intermediaries comply with its Guidelines on Information and Cyber Security for Insurers, with direct implications for AI-driven underwriting, claims management, and fraud detection.

TRAI — AI and Big Data Recommendations

TRAI has released recommendations on leveraging AI and Big Data in the telecommunication sector, proposing the establishment of an independent statutory body called the "Artificial Intelligence and Data Authority of India" to oversee AI governance across sectors.

CCPA — Dark Patterns Guidelines

The Central Consumer Protection Authority regulates e-commerce platforms for unfair trade practices, including AI-driven "dark patterns," as per the Guidelines for Prevention and Regulation of Dark Patterns, 2023.

Examples of AI dark patterns include:

  • AI-powered bait-and-switch

  • Personalized 'confirmshaming'

  • Dynamic privacy Zuckering

  • Deepfake sales agents


Step 7: The Machine Unlearning Challenge

The Problem

The challenge of removing personal data from the training set of an AI system or 'unlearning' it from a model is not uncommon. Unlike conventional data repositories, LLMs do not preserve information in discrete, accessible rows or columns — they operate by adjusting probabilistic weights across billions of parameters.

"Once incorporated, that data is not stored in a manner that permits straightforward retrieval, indexing, or deletion. There exists no practical mechanism to surgically excise that individual's contribution without undertaking a complete retraining of the model."

How the DPDP Act Differs from GDPR

 
 
Dimension DPDP Act GDPR
Right to Erasure Provides a right to withdraw consent (narrower obligation) Provides a blanket right to erasure
Applicability Applies only to personal data processed based on consent Applies broadly to all personal data
Technical Feasibility Courts likely to apply proportionality test Stronger presumption of erasure

Practical Approaches

 
 
Method Description Trade-off
Differential Privacy Adds random "noise" to training data, making it impossible to identify individuals Models are usually less accurate
Algorithmic Destruction / Machine Unlearning Tries to remove specific data points without retraining from scratch No agreed-upon measure of effectiveness

"In practice, regulators and courts are likely to apply a proportionality test: if erasure is technically feasible without imposing disproportionate burdens, the individual's right will prevail; if compliance would cripple innovation, alternative safeguards may be accepted."


Step 8: Shadow AI — The Governance Gap

The Scale of the Problem

Nearly 59% of large Indian enterprises have already deployed AI in operations — the highest rate globally. Yet 93% plan to increase AI investment, but only 15.8% have operationalized AI at strategic scale with proper governance.

The Cost of Poor Governance

  • 95% of enterprise generative AI initiatives show no measurable impact on profit and loss

  • Integration failures and data governance gaps are the primary causes — not model quality

  • 29% of enterprise cloud budgets are wasted, driven directly by AI workloads that organizations lack the governance to manage

  • Applied to India's cloud trajectory, the implied waste runs to roughly $3 billion annually

Shadow AI Risks

Unauthorized AI deployments:

  • Consume compute resources

  • Process sensitive personal data

  • Create DPDP compliance exposures

  • Generate no entry in any asset register or cloud cost report

"Shadow AI is invisible to the finance function and generates no entry in any asset register or cloud cost report. Unlike shadow IT of an earlier era, shadow AI consumes compute resources, processes sensitive personal data, and creates DPDP compliance exposures, often simultaneously."


Step 9: The Responsible AI Framework

India's AI governance is anchored in a principle-based framework articulated through multiple policy instruments:

The Seven Sutras

 
 
Sutra What It Means
Safety and Reliability AI systems must be robust and secure
Equality and Inclusivity AI must advance inclusion while reducing risks of exclusion
Privacy and Security Data protection and security safeguards are mandatory
Transparency AI systems must be understandable and explainable
Accountability AI developers and deployers must remain visible and accountable
Protection and Empowerment Human agency must be strengthened, with meaningful human oversight
Human Values AI must align with constitutional values and human rights

Step 10: Implementation Roadmap — 90 Days

Month 1: Foundation (Weeks 1-4)

 
 
Action Output
Map all AI systems in use or development Complete AI asset inventory
Assess which AI systems process personal data DPDP compliance baseline
Identify shadow AI deployments Risk register
Establish AI governance committee Clear ownership and accountability

Month 2: Policy and Procedures (Weeks 5-8)

 
 
Action Output
Update privacy notices for AI-specific processing DPDP-compliant notices
Implement labeling mechanisms for SGI SGI labeling framework
Establish takedown procedures for unlawful content IT Rules compliance procedures
Tag every cloud resource with owner, purpose, cost center, and data classification Governed cloud estate

Month 3: Technical Controls (Weeks 9-12)

 
 
Action Output
Implement technical measures against unlawful content Technical controls
Deploy automated tools for SGI detection Monitoring capability
Establish audit trails for AI decisions Traceability framework
Name an owner for every workload Clear accountability

Step 11: Frequently Asked Questions

Q1: Does India have a standalone AI law?

No. India does not foresee the need for a standalone AI law. Instead, the government extends existing laws — IT Act, DPDP Act, sectoral regulations — to AI systems.

Q2: What is the most urgent compliance requirement?

The IT Amendment Rules 2026, effective from February 10, 2026, impose immediate obligations including 3-hour and 2-hour takedown timelines, labeling requirements for SGI, and technical measures against unlawful content. The DPDP Act's full enforcement arrives on May 13, 2027.

Q3: Can I scrape publicly available data for AI training in India?

Yes, but with conditions. The DPDP Act exempts personal data made publicly available by the data subject or under law. However, downstream reuse and commercial AI training may still raise compliance concerns.

Q4: How do I handle the "right to be forgotten" for AI systems?

Machine unlearning is technically challenging — data embedded in LLM weights cannot be surgically removed. The DPDP Act provides a right to withdraw consent, not a blanket right to erasure, narrowing the challenge. Practical approaches include differential privacy and algorithmic destruction, applied with proportionality.

Q5: What is the difference between India's approach and the EU AI Act?

The EU AI Act is a binding, risk-classified regulation. India's model adopts a principle-based, voluntary governance approach that extends existing laws to AI systems. However, enforcement is becoming stricter through IT Rules amendments and the DPDP Act.

Q6: How can Innovative AI Solutions help?

We help Indian businesses navigate AI governance, from compliance assessments and policy development to technical implementation of labeling, monitoring, and audit systems.

 Book a free consultation →


Step 12: Final Tagline

"India's AI governance is not a single law but a multi-layered framework integrating constitutional provisions, statutes, rules, regulations, and guidelines. The government does not foresee a standalone AI law — compliance obligations are already here, distributed across multiple legal frameworks. The question is not whether to comply, but how quickly you can build governance into your AI systems before the May 2027 deadline."

Short version:
AI compliance in India before 2027 — DPDP Act, IT Rules, sector-specific regulations, and implementation roadmap.

Hashtags:
#AIGovernance #IndiaAI #DPDPAct #ITRules #ResponsibleAI #AIPolicy #DigitalIndia #InnovativeAISolutions


Ready to Navigate AI Compliance?

India's AI regulatory landscape is evolving rapidly. Let us help you build a compliance framework that protects your business and enables innovation.

Contact Us

Phone: +91 7464 099 059 / +91 96899 67356
Email: info@innovativeais.com
Address: Netaji Subhash Place, Pitampura, Delhi – 110034
Website: https://innovativeais.com


About the Author

Abhishek Kumar
Founder & CEO, Innovative AI Solutions

5+ years building AI systems and navigating AI governance frameworks. Based in Delhi, serving clients across India.

 
📢 Share this article:

Ready to build AI solutions for your business?

Innovative AI Solutions — Delhi's leading AI development company. Free consultation available.

Get Free Consultation →