India AI Governance by Sector — Banking, Healthcare, and IT Services
Sector-specific AI governance in India: RBI expectations for banks and fintechs, CDSCO requirements for healthcare AI, and compliance for IT services companies deploying AI.
Key Takeaways
India regulates AI through sector-specific regulators (RBI, IRDAI, SEBI, CDSCO) layered on top of the DPDP Act 2023. There is no standalone horizontal AI law.
RBI FREE-AI Framework addresses AI governance for banks, NBFCs, and payment system operators. Digital Lending Guidelines (2022) apply to AI-driven lending with data localisation requirements.
CDSCO regulates AI medical devices under the Medical Devices Rules 2017. ICMR ethical guidelines apply to AI in biomedical research.
IT services companies deploying AI for global clients face dual compliance: Indian law (DPDP Act, IT Act) plus client jurisdiction requirements (GDPR, CCPA, APRA).
Penalties under DPDP Act reach 250 crores per contravention. The Data Protection Board is operational and accepting complaints.
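"For reference only. This article does not constitute legal, regulatory, financial, or professional advice. For specific guidance, consult a qualified expert."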
India AI governance — sector by sector
India does not have a standalone horizontal AI law. Instead, AI governance operates through sector-specific regulation layered on the DPDP Act 2023 foundation. For organisations operating in India, the practical compliance challenge is mapping AI use against both the horizontal DPDP framework and sector-specific requirements.
Banking and financial services
RBI FREE-AI Framework. The Framework for Responsible and Ethical Enablement of AI addresses governance structures, risk management, transparency, fairness, and data governance for banks, NBFCs, and payment system operators. While framed as guidance, RBI supervisory expectations function as de facto requirements — non-compliance creates examination risk.
Digital Lending Guidelines (2022). Directly relevant to AI-driven lending: all lending must be through a regulated entity; data collection must be need-based with customer consent; data must be stored on servers in India; no first-loss default guarantee arrangements from lending service providers. AI credit scoring and automated lending decisions must comply.
Master Direction on IT Governance (2023). Applies to AI as information technology: board-level IT governance; information security management; IT outsourcing and vendor management; business continuity. AI systems in banks must comply.
IRDAI. Insurance Regulatory and Development Authority guidance applies to AI in insurance underwriting, pricing, and claims. AI pricing models must be fair and non-discriminatory.
SEBI. Securities and Exchange Board of India regulates algorithmic trading, AI in securities advisory, and automated portfolio management. Registration and compliance requirements apply to AI-driven investment tools.
Healthcare
CDSCO. The Central Drugs Standard Control Organisation regulates AI medical devices under the Medical Devices Rules 2017 (amended). AI-based diagnostic, monitoring, and treatment devices require regulatory approval. Software as a Medical Device (SaMD), including AI, is within scope.
ICMR. Indian Council of Medical Research ethical guidelines apply to AI in biomedical and health research. Informed consent, ethics committee approval, and data protection requirements apply.
ABDM. The Ayushman Bharat Digital Mission creates a digital health infrastructure. AI systems interfacing with ABDM must comply with health data standards and interoperability requirements.
Telemedicine. Telemedicine Practice Guidelines (2020) apply to AI used in telemedicine — AI clinical decision support deployed in telehealth must comply.
IT services and outsourcing
India is a global hub for IT services and business process outsourcing. Companies deploying AI for clients face dual compliance obligations: Indian law (DPDP Act, IT Act, sector regulation) for their India operations, plus client jurisdiction requirements for the AI services they provide (GDPR for EU clients, CCPA for California clients, APRA CPS 230 for Australian financial services clients).
Key considerations: data localisation requirements under DPDP and sector-specific regulation; cross-border data transfer mechanisms; contractual obligations with international clients; ISO 42001 and SOC 2 certification expectations from enterprise clients; AI-specific contract provisions (no-training commitments, model documentation, bias testing).
DPDP Act — the horizontal layer
The DPDP Act 2023 and Rules 2025 (notified 13 November 2025, implemented in three phases) apply across all sectors. Significant Data Fiduciaries (likely to include major banks, insurers, and IT companies) face enhanced obligations: DPO appointment; independent data auditor; DPIA for high-risk processing including AI. Maximum penalty: 250 crores (approximately US$30 million) per contravention.
Primary sources: Reserve Bank of India · MeitY — DPDP Framework · CDSCO