Source-led article
AI Policy in India: What Businesses Need to Watch Now
AI Policy in India: What Businesses Need to Watch Now
Last updated: October 26, 2023
India's approach to Artificial Intelligence (AI) governance is taking shape through a combination of existing laws, new data protection regulations, official advisories, and strategic initiatives. For Indian businesses, this means navigating a dynamic landscape where obligations are emerging from multiple sources rather than a single, overarching AI law. Understanding these developments is crucial for managing risks and ensuring responsible AI deployment.
This guide provides a practical overview of the current AI policy environment in India, highlighting what businesses need to monitor and the steps they can take to prepare.
Quick Summary: What Indian Businesses Should Watch
While a dedicated AI law for India is still under discussion, businesses must already consider AI in the context of existing and upcoming regulations. The key areas to watch include data protection, intermediary guidelines, and sector-specific rules.
- Data Protection: Businesses using AI that processes personal data must closely track the implementation of the Digital Personal Data Protection (DPDP) Act, 2023, and its associated rules.
- Platform Responsibilities: Digital platforms and intermediaries need to monitor updates to the Information Technology (IT) Rules, especially concerning content moderation, grievance handling, misinformation, impersonation, and synthetic media.
- AI Tool Providers: Companies developing or deploying AI tools should pay attention to advisories issued by the Ministry of Electronics and Information Technology (MeitY) regarding testing, user safety, and disclosure requirements.
- Regulated Sectors: Businesses in sectors like finance, insurance, telecom, health, and securities may face additional, stricter requirements from their respective regulators.
- Internal Governance: All businesses are encouraged to start building internal AI governance frameworks to manage risks and prepare for future regulatory clarity.
Current AI Policy Landscape in India
India's AI policy environment is evolving through various channels, reflecting a multi-pronged approach rather than a single, unified framework. This distributed approach means businesses need to monitor several policy streams.
India does not operate through only one AI rulebook
AI governance in India is currently influenced by:
- MeitY Advisories: The Ministry of Electronics and Information Technology (MeitY) issues advisories that guide the responsible development and deployment of AI.
- IndiaAI Mission: This national program aims to foster an AI ecosystem, including initiatives for compute infrastructure, datasets, and responsible AI.
- Digital Personal Data Protection (DPDP) Act, 2023: This legislation significantly impacts how personal data is handled, which is critical for AI systems that process such data.
- Information Technology (IT) Act and Intermediary Rules: These regulations govern digital platforms and intermediaries, with implications for AI-generated content and user safety.
- NITI Aayog Documents: Policy papers and strategy documents from NITI Aayog provide guidance on responsible AI principles and national AI strategy.
- Sector-Specific Regulations: Various sector regulators may introduce their own guidelines for AI use within their domains.
Why businesses should track policy now
Proactive monitoring of AI policy is essential for several practical reasons:
- Data Handling: Many AI systems process personal data, making compliance with data protection laws paramount.
- Content Risks: AI-generated content can pose risks related to misinformation, impersonation, copyright infringement, and brand safety.
- Vendor Relationships: Businesses need to understand how AI vendors handle their data and customer information.
- Decision-Making Impact: AI-driven decisions can affect customers, employees, and critical business functions like lending or hiring.
- Future Compliance: Anticipating future rules, such as those requiring documentation, disclosures, audit trails, or human oversight, can reduce future compliance friction.
AI Policy Watchlist for Indian Businesses
The following table provides a quick overview of key policy areas, their current status, who should monitor them, and recommended business actions.
| Policy/source area | Current status to verify | Who should watch it | Practical business action |
|---|---|---|---|
| MeitY AI advisories | Latest official advisory, addressees, and whether advisory or binding | AI tool providers, platforms, SaaS companies, enterprises deploying AI | Track updates, document AI system use, review user-facing AI risks |
| IndiaAI Mission | Official programme components and implementation status | AI startups, cloud providers, researchers, public-sector vendors | Watch compute, datasets, funding, and responsible AI initiatives |
| DPDP Act and rules | Commencement status, notified rules, and applicable obligations | Any business using personal data in AI systems | Map personal data flows, review consent, notice, security, and vendor controls |
| IT Act and Intermediary Rules | Latest intermediary duties and official directions | Platforms, marketplaces, social apps, UGC products, digital publishers | Strengthen takedown, grievance, moderation, and harmful-content response |
| Sector regulators | Check RBI, SEBI, IRDAI, TRAI, health, education, or other applicable regulator updates | Fintech, insuretech, healthtech, edtech, telecom, securities firms | Apply sector-specific audit, explainability, outsourcing, and risk controls |
| Upcoming digital law consultations | Verify whether proposals have become law, draft rules, or consultation material | Large platforms, AI vendors, SaaS exporters, compliance teams | Monitor high-risk AI, synthetic media, data governance, and platform obligations |
Practical AI Policy Readiness Checklist
Preparing for India's evolving AI policy landscape involves a series of practical steps that businesses can implement now to mitigate risks and build a foundation for future compliance. This checklist offers actionable guidance for readiness.
- Create an AI system inventory: Document all AI tools used across customer-facing, employee-facing, and back-office operations within your organisation.
- Map data use for each AI system: Identify what types of data (personal, sensitive business, children’s, regulated-sector data) each AI system processes and how it is used.
- Review AI vendor contracts: Scrutinise terms related to AI system training, data retention, confidentiality, security, audit rights, and incident notification.
- Update privacy notices and consent flows: Ensure these reflect how AI processes personal data, especially if new collection, analysis, or sharing practices are introduced.
- Set human review rules: Establish clear guidelines for human oversight of high-impact AI outputs, particularly in areas like lending, hiring, healthcare, insurance, education, or customer eligibility.
- Build synthetic media controls: Implement processes for reviewing and managing AI-generated content in marketing, public communications, and user-generated content to address deepfake and impersonation risks.
- Maintain logs and documentation: Keep records for material AI use cases, including approvals, inputs, outputs, system changes, and escalation decisions.
- Separate experiments from production use: Implement access controls and approval gates to distinguish experimental AI usage from systems deployed in production environments.
- Create a takedown and escalation procedure: Develop procedures for addressing harmful, misleading, unlawful, or impersonating AI-generated content.
- Assign policy monitoring ownership: Designate individuals or teams responsible for tracking updates from MeitY, the DPDP Act, IT Rules, IndiaAI Mission, and relevant sector regulators.