Skip to content
🚨 DPDP Rules 2025: Compliance Deadline 44 weeks awayRead handbook →

India Plans a Dedicated AI Law as RBI's Model Risk Framework Hits a July 24 Deadline — The DPDP Act Alone Is No Longer Enough

India's IT Secretary confirmed a separate AI law is being drafted as RBI's model risk management guidance closes July 24. Here's what DPDP-compliant businesses must do now.

D
DPDPBot Research Team
🕐 10 min read

#India Plans a Dedicated AI Law as RBI's Model Risk Framework Hits a July 24 Deadline — The DPDP Act Alone Is No Longer Enough

India's government confirmed this week it is actively drafting a dedicated artificial intelligence law — a sharp reversal of its position from just eight months ago — while the Reserve Bank of India's landmark Model Risk Management Guidance is in public consultation with comments due July 24, 2026. For businesses that assumed the DPDP Act 2023 was the only regulatory framework to worry about, this week's developments expose a more complex and urgent reality.

The two developments arrived in quick succession: IT Secretary S Krishnan's statement on July 3 that India needs a "separate legislation" for AI, and the active consultation window on the RBI's sweeping draft guidance that mandates AI kill switches, human oversight requirements, and board-level accountability for every bank and non-banking financial company in the country. Together, they reshape the compliance horizon for Indian enterprises navigating the Digital Personal Data Protection Act.


#India's AI Law U-Turn: What IT Secretary Krishnan Actually Said

On July 3, 2026, speaking publicly on India's regulatory stance toward artificial intelligence, IT Secretary S Krishnan stated: "We have used the IT rules, and other provisions of existing law to address various concerns that AI raises, but now, probably the time has come to look at a separate legislation."

He added that discussions with industry had already commenced, framing the announcement as an evolution rather than an overhaul: "It is a conversation which has commenced, and my Minister and I have both been on record earlier that we will look at AI regulation when the time is right, and it appears that the time is getting right."

The significance of that phrase — "the time is right" — lies in the contrast with November 2025, when MeitY had explicitly stated that a separate AI law was not yet needed, issuing instead its India AI Governance Guidelines. Eight months later, the ministry's position has reversed.

What prompted the shift? Several compounding factors. The February 2026 amendment to the IT Rules formally defined AI-generated content for the first time and mandated removal of flagged deepfake content within three hours — a targeted patch applied to an existing framework increasingly straining under AI-era pressures. The July 2 Supreme Court ruling in Pooja Ramesh Singh v. Jammu and Kashmir Bank Ltd. — which invalidated tribunal decisions based on AI-fabricated legal citations and directed the Bar Council to establish disciplinary norms — underscored that AI governance through existing legal instruments has real limits. Deepfake orders from the Delhi and Madras High Courts in the same week added judicial urgency.

The proposed AI law is expected to follow a risk-based tiering model: low-risk applications like chatbots and productivity tools would face minimal regulation, while high-risk AI deployments in banking, healthcare, and critical infrastructure would carry heavier obligations. A draft is being prepared, with industry stakeholder discussions underway — but no formal timeline has been announced.


#The RBI's Model Risk Management Guidance: Action Required Before July 24

While the AI law remains in drafting, one regulatory deadline is immediate: July 24, 2026 is the last day to submit feedback on the Reserve Bank of India's Draft Guidance on Regulatory Principles for Model Risk Management, 2026, released on June 24.

This framework, if finalized as drafted, would be the most prescriptive AI governance mandate any Indian regulator has issued to date. Its scope covers all commercial banks, small finance banks, payment banks, cooperative banks, NBFCs, asset reconstruction companies, and credit information companies — essentially every regulated financial institution in the country.

The core requirements represent a significant departure from how Indian financial institutions currently manage AI:

Board-level accountability. Each regulated entity must establish a Board-approved Model Risk Management Framework (MRMF) that governs the full lifecycle of every AI and machine learning model used in decision-making. This means risk ownership is no longer delegable to a data science team or an IT department. The board must sign off.

The Three Lines of Defense. Model validation must occur independently from model development, using a formal three-lines-of-defense structure. Self-assessed model accuracy no longer satisfies the RBI's requirement.

Kill switches and human override. For every automated decision-making model — including lending models, fraud detection, and customer-facing AI — institutions must implement an emergency kill switch to take malfunctioning models offline immediately, and Human-in-the-Loop (HITL) controls that allow human override at any stage.

Explainability requirements. Customer-facing AI systems, including chatbots, must disclose their automated nature and offer a seamless path to human assistance upon request. Black-box outputs affecting customer outcomes are explicitly flagged as problematic.

Third-party AI accountability. The guidance extends its reach to vendor-embedded AI. Regulated entities remain responsible for model risk even when the model is built and operated by a technology vendor — a requirement that will force contract renegotiations across the fintech and banking-technology vendor ecosystem.

Responses submitted to the RBI by July 24 will shape the final guidance. Banks, NBFCs, and the fintech companies that serve them should treat this window as the last opportunity to influence requirements before they become binding obligations.


#Where the DPDP Act 2023 Already Touches AI — and Where It Falls Short

The Digital Personal Data Protection Act 2023 is not silent on artificial intelligence, even though it never uses the word. The DPDP Act's consent requirement — that personal data can only be processed for a purpose that is clearly communicated and consented to — has direct implications for AI.

Training a large language model or a recommendation engine on user data collected for a different purpose violates the DPDP Act's purpose limitation principle. Using consent given for one service to feed a behavioral profiling system for another violates the same clause. This means any Indian business that has collected personal data and now wants to use it for AI model training must re-examine whether the original consent covers that use — and in most cases, it does not.

The DPDP Rules 2025 also give data principals the right to erasure and correction. For AI systems trained on personal data, these rights create a technical problem that few Indian enterprises have begun solving: what happens to the model when a data principal withdraws consent or requests deletion of their data?

However, the DPDP Act has no provisions specific to automated decision-making, no requirement for algorithmic impact assessments, and no transparency obligation for AI-generated outputs. That gap is precisely what the proposed AI law would address — and what the RBI's guidance is trying to fill for the financial sector in the interim.

The result, as of July 2026, is a fragmented compliance landscape: DPDP Act governs the data that feeds AI; the RBI's framework governs the AI models themselves in financial services; and the incoming AI law will eventually govern the broader system. For a business operating across all three, the compliance surface area is already larger than DPDP alone.


#The Three-Framework Problem Indian Businesses Now Face

A business that has spent the last six months building DPDP compliance infrastructure — consent management, data classification, breach notification pipelines — has not necessarily addressed its AI governance exposure.

The EY India's Data Privacy Shift report, which surveyed more than 150 professionals across sectors, found that nearly 71% of Indian enterprises struggle to interpret the DPDP Act, 83% have not begun comprehensive implementation, and approximately 77% are not equipped with consent management, data discovery, or rights fulfillment tools. These numbers reflect readiness for a single framework — the DPDP Act — that is itself not yet fully enforced.

Now add the RBI's model risk requirements for financial entities, and the prospect of a third, AI-specific law. India's Global Capability Centre (GCC) ecosystem — 2,117 centres employing 2.36 million professionals — sits at the intersection of all three. GCC site leaders increasingly hold dual mandates for privacy and AI governance. The compliance team that was already stretched thin managing DPDP Act preparations must now also track RBI comment rounds and AI law consultations.

The regulatory layering is not accidental. India's approach has been to move incrementally: use the IT Act and Rules for immediate issues, use the DPDP Act for comprehensive data protection, and use sectoral regulators (RBI, SEBI, IRDAI) for domain-specific AI governance, while preparing a horizontal AI law for what sectoral rules cannot cover. This is a deliberate sequencing strategy, but it means compliance teams face a rolling sequence of regulatory milestones rather than a single implementation project.


#What Businesses Should Do Right Now

Submit comments on the RBI's Model Risk Management Guidance before July 24. If your business operates as a bank, NBFC, fintech provider, or technology vendor to financial institutions, the consultation window closes in less than two weeks. Requirements like board-level MRMF, kill switches, and third-party AI accountability will shape your compliance obligations for years. Industry bodies including NASSCOM have submitted analysis — align with their submissions or submit independently.

Audit AI systems for DPDP Act consent gaps. Map every dataset being used to train or operate AI models against the consent scope under which that data was collected. Where there is a mismatch, either obtain fresh consent or cease using the data for AI purposes before May 2027 enforcement. The /consent-manager tools available in the Indian market — including the systems validated in MeitY's recent Code for Consent challenge — can help automate this audit.

Watch for Significant Data Fiduciary designation if you are AI-intensive. The central government has not yet issued SDF designations, but the criteria include volume of data processed and systemic risk to citizens' rights. Enterprises running large-scale AI systems on Indian personal data are natural candidates. SDF status triggers annual algorithmic impact assessments, an India-based Data Protection Officer, and potentially stricter cross-border transfer restrictions.

Track the AI law consultation process from the start. IT Secretary Krishnan confirmed that stakeholder discussions have already begun. Unlike the DPDP Act — where public consultation was limited — the AI law process appears to be starting with industry input. Early participation in shaping that framework is worth more than late compliance with a finalized one.

Don't treat DPDP readiness as AI readiness. The EY survey makes clear that most Indian enterprises are not yet fully DPDP-ready. Building a compliance posture that treats the DPDP Act as the ceiling rather than the floor will leave businesses exposed when the AI law and RBI guidance become enforceable. Consent management infrastructure built for DPDP should be designed to plug into AI governance workflows from the outset, not retrofitted later.


#What Comes Next

The next regulatory milestone in the DPDP Act timeline is November 13, 2026 — the date the Consent Manager Framework becomes operational. By that date, organizations that want to use third-party consent managers must integrate with a registered platform; entities wanting to register as consent managers must apply to the Data Protection Board of India.

With the DPBI's Chairperson and Members still in the appointment process as of mid-July 2026, some operational uncertainty persists around the board's enforcement capacity. But the broader regulatory direction is clear: India is accelerating toward a multi-layered governance regime for data and AI, not simplifying its compliance environment.

For businesses waiting for a single clear moment when compliance becomes mandatory, there is no such moment. The DPDP Act, the RBI's model risk framework, and the AI law in gestation are three overlapping processes — each with its own deadlines, each demanding action before the others finalize.

The July 24 RBI deadline is two weeks away. That is the nearest actionable date on the calendar. Start there.


Have questions about how the DPDP Act, RBI's AI governance framework, and India's upcoming AI law intersect for your business? Explore our consent manager tools or visit /resources for compliance templates and implementation guides.

Automate your DPDP compliance

Capture consent, honour data principal rights, and stay audit-ready — all in one platform.

Start free trial