Artificial Intelligence

Artificial Intelligence

Artificial Intelligence (AI) is a set of computational techniques that enable machines to learn from data, recognise patterns, and act in ways that would otherwise require human judgment. In FY 2026-27, Indian enterprises across financial services, healthcare and manufacturing are deploying AI at scale — powered by the Union Budget-backed IndiaAI Mission and shaped by the Digital Personal Data Protection Act, 2023 (DPDP Act). Getting AI governance right is now a compliance requirement, not a strategic luxury. This article tells you exactly what that means in practice.

What Artificial Intelligence Actually Means — and Why the Definition Matters

The word "artificial intelligence" is used carelessly in board decks, investor pitches and regulatory consultations alike. Precision matters, because different categories of AI carry different legal exposure, technical requirements and governance standards.

At its core, AI refers to algorithms that learn from data — rather than following hand-coded rules — to perform tasks such as recognising an image, predicting a loan default, generating a legal summary, or routing a customer service query. The underlying engine for almost all commercial AI today is machine learning (ML): statistical optimisation over large datasets that produces a model capable of generalising to new inputs.

Within ML, deep learning uses multi-layered neural networks to handle unstructured data: speech, images, scanned documents. The most commercially disruptive subset right now is large language models (LLMs), which power generative AI products — chatbots, automated report drafting, code assistants, and contract review tools. These models are trained on internet-scale text and are subsequently fine-tuned for specific tasks.

Understanding these distinctions matters operationally because regulators increasingly ask what type of model is deployed, not just whether AI is involved. RBI's model risk guidance, SEBI's algo-trading framework and IRDAI's sandbox rules each respond differently to narrow predictive models versus generative systems versus decision-automation engines.

The Five Categories Every Enterprise Decision-Maker Should Know

Most real-world deployments combine layers: a predictive model produces a risk score, a decision model routes it to auto-approve or human review, and a generative model drafts the outbound communication. Each layer carries its own data, model and operational risk profile — and must be individually governed.

The IndiaAI Mission: What Enterprises Can Actually Access in FY 2026-27

The Union Cabinet approved the IndiaAI Mission in March 2024, with a multi-year outlay of Rs. 10,372 crore. The mission is not a single fund — it is structured around seven pillars, each offering concrete access points for enterprises, startups and researchers. Knowing the pillars tells you where your organisation can derive direct value.

The Seven Pillars and Their Practical Relevance

1. IndiaAI Compute: A government-facilitated pool of 10,000+ GPUs available to eligible applicants at subsidised rates through the indiaai.gov.in portal. If you are evaluating whether to build your own foundation model versus call a foreign API, subsidised compute access fundamentally changes the cost arithmetic.

1. IndiaAI Innovation Centre: Developing sovereign, India-specific foundational models — including multilingual LLMs trained on Indian languages. Enterprises building vernacular customer interfaces (regional-language IVR, Indic-language chatbots) should track model releases from this centre; they offer better phonemic coverage and lower data-residency risk than foreign LLMs.

1. IndiaAI Datasets Platform: A curated repository of non-personal government datasets spanning agriculture, health, transport and geospatial domains. If you are building AI for crop insurance pricing, road logistics or public-health early-warning systems, this is a freely accessible data dividend that most enterprises have not yet tapped.

1. IndiaAI Application Development Initiative: A challenge-grant mechanism for AI applications in critical sectors. Watch the portal for open calls; the grant amounts are material for early-stage startups and social enterprises working in education and health.

1. IndiaAI FutureSkills: Government-funded AI curriculum and certification programmes running through universities, IITs and polytechnics. Relevant for CHROs designing workforce transition plans — some certifications may qualify for CSR spend under Schedule VII of the Companies Act, 2013.

1. IndiaAI Startup Financing: Catalytic capital for deep-tech AI startups. Track scheme notifications through DPIIT and MeitY if you are preparing a seed or Series A round involving an AI-native product.

1. Safe and Trusted AI: Voluntary frameworks for responsible AI aligned with OECD AI Principles. These guidelines are likely to be referenced — and possibly mandated — by sectoral regulators as India's AI governance framework matures.

Practical first step: Register at indiaai.gov.in. Do not wait for a vendor or channel partner — access to compute credits and datasets is direct. The portal is the primary interface for mission benefits.

AI in Indian Financial Services: Opportunity and Regulatory Obligation

Financial services is the sector where AI adoption in India is deepest and where regulatory expectations are most developed. Banks, NBFCs, insurers, asset managers and fintechs are all deploying AI — but the compliance obligations are sector-specific and non-negotiable.

What Banks and NBFCs Are Deploying

• Credit underwriting: ML models scoring applicants on bureau data, bank-statement analytics and alternate data (UPI transaction patterns, GST filing history, e-commerce behaviour). RBI's model risk management expectations require these models to be formally validated before go-live and periodically thereafter.
• Fraud and AML transaction monitoring: Rule-based systems are being replaced with anomaly-detection ML models that adapt to evolving fraud typologies. RBI's Master Direction on IT Risk and Cyber Security Controls (January 2024) requires documented model inventories and validation evidence.
• KYC and document processing: Computer vision and NLP extract and verify data from Aadhaar, PAN cards, NACH mandates and income tax returns — cutting processing time from hours to minutes and enabling straight-through processing for standardised cases.
• Customer service automation: LLM-powered chatbots handle routine queries in multiple Indian languages. Under MeitY's advisory framework operative from 2024, AI-generated responses in customer-facing contexts must be identifiable as AI-generated.

What SEBI Expects of AI-Using Intermediaries

SEBI's algorithmic trading framework already requires registration, API-level audit trails and kill-switch mechanisms. In FY 2026-27, SEBI's disclosure expectation extends to Research Analysts (RAs) and Investment Advisers (IAs) who use AI models to generate recommendations. If your firm uses an LLM to draft research notes or an ML model to generate buy/sell signals, you must:

• Disclose AI use in each piece of research or advice output
• Maintain model documentation and training data records, available for SEBI inspection
• Confirm the model output passes the firm's suitability and conflict-of-interest checks before client delivery

What IRDAI Requires for InsurTech AI

IRDAI's regulatory sandbox allows AI-based underwriting, fraud detection and claims automation to be tested under controlled conditions. Moving from sandbox to full production deployment requires a governance dossier covering: training data provenance, validation test results, ongoing monitoring cadence, and an explainability mechanism for adverse underwriting decisions communicated to policyholders.

The DPDP Act, 2023 and AI: Five Obligations You Cannot Ignore

The Digital Personal Data Protection Act, 2023 is the foundational data law that applies to every AI system processing personal data of Indian residents — whether for training, inference, output generation or automated decision-making. The DPDP Rules were notified in 2025 and are now operative. Five obligations are particularly critical for AI deployers.

1. Lawful Basis for Personal Data Used in Model Training

If your ML model was trained on customer data, you must establish lawful basis — typically consent or a legitimate use specified under Section 4 of the DPDP Act. The consent under which data was originally collected (often "for service delivery") may not extend to AI model training. Retroactively obtaining specific consent for historical training data is operationally difficult — and many enterprises have not yet resolved this.

2. Consent Specificity for Inference-Time Data

When an AI system uses a customer's personal data to make a real-time decision — credit score, health risk assessment, price quotation — the customer must have consented to that specific purpose. Bundled, broad-form consent in terms and conditions does not satisfy the DPDP Act standard.

3. Data Principal Rights and Adverse AI Decisions

Every Indian resident whose data is processed has the right under the DPDP Act to access what data is held and to correct it. If an AI model ingested incorrect data and made an adverse decision on that basis — a loan decline, an insurance rejection — the enterprise must have a live mechanism to receive correction requests, update the underlying data, and reassess the decision. Manual workarounds are not compliant at scale; this requires a workflow integrated with your CRM and model-serving infrastructure.

4. Cross-Border Data Transfer Restrictions

Many enterprises use AI services hosted by foreign cloud providers. Passing Indian customer personal data (names, financial records, health information) into a foreign LLM API may constitute a restricted cross-border transfer under Section 16 of the DPDP Act, unless the destination country is approved by the Central Government. The permitted country list has not been fully notified as of FY 2026-27. Legal mitigants: anonymise or pseudonymise personal data before any external API call, or deploy on-premise or India-hosted models for sensitive use cases.

5. Penalties That Make Governance Non-Optional

The Schedule to the DPDP Act prescribes financial penalties that make governance investment a straightforward cost-benefit calculation:

• Failure to implement reasonable security safeguards: up to Rs. 250 crore per breach
• Failure to notify a personal data breach to the Data Protection Board and affected individuals: up to Rs. 200 crore
• Non-compliance with Significant Data Fiduciary (SDF) obligations: up to Rs. 150 crore
• Cross-border transfer in violation of Section 16: up to Rs. 150 crore
• Breach of a voluntary undertaking given to the Board: up to Rs. 10,000 crore — an extraordinary figure that makes voluntary undertakings a legal instrument to approach with great caution

If your organisation processes personal data at a scale that may attract Significant Data Fiduciary designation (MeitY will formally designate SDFs by notification), budget additionally for: a Data Protection Officer at approximately Rs. 18-30 lakh per annum, Data Protection Impact Assessments (DPIAs) at Rs. 5-10 lakh per major AI system, and annual third-party audits.

AI Regulation in India: The Full 2026 Landscape

India does not yet have a standalone AI Act equivalent to the EU AI Act (which entered full application in 2026). Instead, AI is governed through a layered, multi-regulator framework:

• DPDP Act, 2023: Personal data processed by AI systems
• IT Act, 2000 and IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021: AI platforms operating as intermediaries
• MeitY Advisories: Guidance on generative AI disclosure, AI-generated content labelling, and safety testing obligations — the March 2024 advisory was a watershed moment establishing that AI deployers bear accountability for harmful outputs
• Sectoral regulations: RBI, SEBI, IRDAI, TRAI — each issues guidance applicable to AI in their domains, and none of it is optional
• IndiaAI Mission's Safe and Trusted AI pillar: Voluntary governance frameworks expected to harden into sectoral requirements as the mission matures

The EU AI Act categorises systems by risk level: unacceptable risk (prohibited), high risk (mandatory conformity assessment), limited risk (transparency obligations), minimal risk (no specific obligations). India's evolving approach — signalled in MeitY and NITI Aayog working papers — follows a similar risk-tiered logic. High-risk uses in India include: credit decisions affecting individuals, health diagnostics, biometric identification, and automated HR decisions. Expect mandatory pre-deployment requirements in these categories within the next two to three years.

What to do now: Even without a formal AI Act, AI deployers in high-risk categories should voluntarily adopt EU AI Act high-risk governance practices — technical documentation, risk management systems, human oversight protocols, bias testing. Doing this in FY 2026-27 positions you ahead of regulation rather than scrambling to retrofit governance onto live systems.

A Practical Framework for Enterprise AI Deployment: Seven Steps

Deploying AI responsibly is not a single project — it is a continuous operational discipline. Follow this sequence before going live on any consequential AI system.

1. Define the use case and risk tier: Is this narrow-scope automation (low risk) or does it make or materially influence consequential decisions affecting individuals (high risk)? The risk tier governs everything that follows. Classify in writing before scoping the technical solution.

1. Audit training data for legal provenance: Was the data collected with consent that extends to AI training? Does it contain personal data triggering DPDP Act obligations? Is it representative of the population the model will serve — including regional, linguistic and demographic segments?

1. Build a Model Card: Document training data sources, model architecture, performance metrics (accuracy, precision, recall, AUC-ROC), confidence intervals, known failure modes and demographic performance disparities across gender, age band, geography and language. This is your first line of defence in a regulatory inspection.

1. Conduct bias testing across Indian demographic segments: A model that performs well on pan-India aggregate metrics can still be systematically unfair to specific groups — borrowers from north-eastern states, women entrepreneurs, rural applicants, Indic-language users. Test explicitly. Adverse performance gaps are both a fairness issue and a regulatory risk.

1. Establish human oversight thresholds: For high-risk decisions, define the model confidence level below which a human reviewer must adjudicate. Enforce this technically — a model that theoretically allows override but defaults to full automation is not genuine human oversight in the regulatory sense.

1. Implement ongoing monitoring and drift detection: A model valid at deployment will degrade as data distributions shift — economic shocks, new fraud patterns, demographic changes, GST or income-tax rule changes. Configure performance alerts and schedule formal re-validation at least annually, or after any significant distribution-shift event.

1. Create a model incident response plan: If the model makes a systematic error — wrong credit decisions, discriminatory pricing, erroneous health flags — have a documented response plan: who is notified internally, how affected customers are identified, how remediation is delivered, and how regulators are informed within the timeframes the DPDP Act and sectoral rules require.

Worked Example: AI Credit Underwriting at a Mid-Size NBFC

Consider an NBFC processing 5,000 personal loan applications per month with an average loan size of Rs. 2 lakh.

Without AI: 12 credit analysts at Rs. 8 lakh per year = Rs. 96 lakh in annual analyst cost. Average decision turnaround: 3 business days.

With AI-assisted underwriting: The model auto-approves or auto-declines 70% of applications (3,500 per month) within minutes. The remaining 1,500 edge cases go to human review — requiring only 4 analysts. Annual analyst cost falls to Rs. 32 lakh, a saving of Rs. 64 lakh. Customer experience improves: most borrowers get a decision in under 15 minutes.

The governance cost of getting it wrong:

Suppose the model was trained on three years of historical data that under-represents borrowers from tier-3 towns in North-East India. The model systematically assigns this segment 15-20 points lower credit scores than their actual creditworthiness warrants, producing a disproportionate decline rate. This goes undetected for six months.

• Remediation cost: Re-underwrite 600 incorrect decline files manually at approximately Rs. 500 per file = Rs. 3 lakh; issue decision-reversal letters; recalculate interest timelines.
• Lost net interest income: 600 eligible applicants × Rs. 2 lakh average loan × 12% interest rate × 0.5-year average period = approximately Rs. 72 lakh in foregone income.
• RBI supervisory risk: If identified in an annual inspection, the NBFC faces model governance directions, a mandatory independent model audit, and possible business-line restrictions pending remediation.
• DPDP Act exposure: Systematic adverse processing of personal data may constitute a security or processing breach. The Data Protection Board could levy penalties up to Rs. 250 crore depending on the breach characterisation.

The upfront governance investment — an independent model validation engagement at Rs. 8-12 lakh, demographic bias testing at Rs. 3-5 lakh, and model card documentation at marginal internal cost — is trivially small against this exposure. The Rs. 64 lakh annual saving from AI underwriting is only bankable if the system is governed correctly from day one.

Common Mistakes Indian Enterprises Make with AI — and How to Fix Them

Mistake 1: Treating AI Deployment as a Technology Release, Not a Governance Event

What goes wrong: The IT team deploys an ML model to production without legal, compliance or risk signing off on data usage, oversight architecture or model documentation. The model is live before anyone outside the tech team understands what it is doing.

Fix: Require a formal Model Risk Acceptance sign-off from the Chief Risk Officer (or equivalent authority) before any AI system makes production decisions. Treat model go-live like a new product launch — not a software release.

Mistake 2: Relying on Old Consent for AI Training Data

What goes wrong: An enterprise trains a customer churn model on its full transaction database, which was collected under a consent clause covering "service delivery", not "AI model training for business analytics".

Fix: Audit consent architecture against your AI use cases before training commences. Either obtain fresh, specific consent for AI training purposes, or anonymise and pseudonymise data so that DPDP Act personal-data obligations no longer apply. Document the legal basis in the model card.

Mistake 3: No Performance Monitoring After Go-Live

What goes wrong: A fraud detection model is reviewed only when a major fraud event occurs. By then, model drift has allowed a new fraud typology to go undetected for months, causing significant losses.

Fix: Configure automated monitoring with monthly performance dashboards. Set trigger-based alerts when key metrics — precision, recall, false positive rate, coverage — deviate beyond a defined threshold. Assign a named model owner responsible for monitoring outputs and escalating anomalies.

Mistake 4: Sending Indian Customer PII to Foreign AI APIs Without Controls

What goes wrong: A financial services firm integrates a foreign LLM API and passes customer names, account numbers and loan amounts as prompt context. This is a potential DPDP Act cross-border transfer violation and a confidentiality risk under RBI's outsourcing norms.

Fix: Anonymise or pseudonymise any personal data before it leaves your environment and enters a third-party AI API. For high-sensitivity use cases — banking, insurance, health — evaluate on-premise or India-hosted sovereign model deployment.

Mistake 5: Confusing a Convincing Demo with a Production-Ready System

What goes wrong: A proof-of-concept chatbot that handles 80% of queries correctly in a demo is rushed to production without edge-case testing, load testing or a defined human escalation path. It fails on complex queries, frustrates customers and erodes trust in AI generally within the organisation.

Fix: Define explicit production-exit criteria for every proof-of-concept: minimum accuracy threshold, latency SLA, failure-mode documentation, human escalation protocol. Pilot at 5-10% of live volume before full rollout, with a structured feedback loop.

Mistake 6: Black-Box Decisions Without Explainability for Adverse Outcomes

What goes wrong: A bank's ensemble model declines a credit application. The customer and the relationship manager both ask why. There is no interpretable answer, because the model is a complex black box. RBI's fair-lending expectations — and the DPDP Act's emerging automated decision-making provisions — require a meaningful, human-comprehensible explanation.

Fix: For high-risk decisions, use inherently interpretable models or implement post-hoc explainability methods such as SHAP (SHapley Additive exPlanations) values. Ensure your customer-facing teams can translate model outputs into plain-language reason codes. Build reason-code generation into your model-serving infrastructure, not as an afterthought.

Building AI Talent: India's Skills Imperative in FY 2026-27

India's AI advantage ultimately rests on its talent base — but that base must be actively and deliberately cultivated. The IndiaAI FutureSkills pillar targets skilling five million Indians in AI-related competencies over the mission period. For enterprises, the practical talent agenda has three distinct layers.

Foundation layer — for all business professionals: Data literacy and statistical thinking for finance, operations, HR and marketing teams. If your analysts cannot critically interrogate a model's output — understand what precision and recall mean, identify when a model's training population is unrepresentative of live users — they cannot provide meaningful human oversight, which regulators require.

Practitioner layer — for product and technology teams: ML engineering, MLOps, model monitoring, and domain-specific AI application skills. Encourage developers and data scientists to certify in major cloud AI platforms (AWS SageMaker, Azure ML, GCP Vertex AI) and in MLOps frameworks. These certifications take 2-4 months for an experienced developer and cost Rs. 15,000-40,000 per person — a modest investment against the productivity upside.

Governance layer — for risk, legal and compliance professionals: AI risk management, model validation methodology, AI ethics and bias-testing. This is the most under-supplied skill set in Indian enterprises today and the most urgently needed given the regulatory trajectory. Budget for external training programmes or secondments to model validation teams; some ICAI and ICSI CPE-accredited programmes are beginning to cover AI governance.

Build apprenticeship pipelines from IITs, IIITs and NIT AI programmes. Enterprises that treat internship hiring as a talent supply strategy — rather than a checkbox activity — will build differentiated capability in-house. Do not outsource your entire AI function to a system integrator: the enterprises that will outperform in this decade are those that retain the internal capability to understand, evaluate and defend their AI systems, even when the model was built externally.

Key Takeaways

• AI is not monolithic: Know precisely whether you are deploying narrow, generative, predictive or decision AI — each carries different data, governance and regulatory requirements under Indian law.
• The IndiaAI Mission (Rs. 10,372 crore over five years) offers direct access to subsidised GPU compute, curated datasets and skilling grants — register at indiaai.gov.in without waiting for an intermediary.
• The DPDP Act, 2023 applies to every AI system that processes personal data of Indian residents, including for model training; penalties reach Rs. 250 crore for failure to implement reasonable security safeguards, and Rs. 10,000 crore for breach of a voluntary undertaking given to the Data Protection Board.
• In financial services, RBI, SEBI and IRDAI each impose sector-specific AI obligations — model inventory maintenance, formal validation evidence, bias testing documentation and AI-use disclosure to customers are non-negotiable.
• The governance investment is small relative to the downside: as the NBFC worked example demonstrates, Rs. 8-12 lakh in upfront model validation and bias testing protects against Rs. 72 lakh in lost revenue and regulatory penalties that can reach hundreds of crore.
• Six critical mistakes to avoid: skipping governance sign-off, using training data without a valid consent basis, deploying without post-live monitoring, sending PII to foreign AI APIs without controls, rushing a proof-of-concept to production, and relying on black-box decisions for adverse outcomes that require explanation.
• Talent is the long game: build internal AI governance capability — especially in risk and compliance teams — rather than relying entirely on vendors; the regulatory trajectory in FY 2026-27 and beyond will reward organisations that can independently evaluate and defend their AI systems.