For the better part of a
decade, Indian banks talked about AI in the language of innovation: faster
credit decisions, multilingual chatbots, sharper fraud detection, smarter
collections. That conversation is still happening. But a second, tougher
conversation has started alongside it, and it is the one that will actually
determine how far AI gets to go inside a regulated balance sheet: AI governancefor banks — who is accountable when the model is wrong, and how that
accountability gets proven to a regulator.
That question used to be easy
to defer. AI in Indian banking was mostly experimental — a pilot chatbot here,
a fraud-scoring layer there, rarely touching a decision that couldn't be
reversed by a human the same afternoon. That era is closing. The Reserve Bank
of India's own numbers show why: in its 2025 survey of regulated entities, the
RBI found roughly one in five institutions already running AI in production,
concentrated in customer support, credit underwriting, sales, and cybersecurity
— the exact functions where a wrong output has a rupee cost attached to it, not
just an inconvenience.
The Regulator Moves From Watching to Writing Rules
Two RBI initiatives, released
roughly a year apart, mark the shift from encouragement to enforcement.
The first is the Framework for
Responsible and Ethical Enablement of AI, or FREE-AI, released on August 13,
2025, after a committee spent close to a year surveying banks, NBFCs, and
fintechs. FREE-AI is built around seven guiding principles and organised into
six pillars — infrastructure, policy, and capacity-building on the enablement
side; governance, protection, and assurance on the risk side — translated into
26 specific recommendations. Its tone is notably not adversarial. The report
explicitly proposes a tolerant supervisory stance toward first-time AI errors,
so long as an institution can show it was operating with real governance in
place. FREE-AI reads like a regulator saying: innovate, but be able to prove
you did it responsibly.
The second initiative is
sharper-edged. In mid-2026, the RBI put out a draft Model Risk Management
framework for AI and machine learning models, open for public comment through
July 24, 2026, and expected to be formalised shortly after. Where FREE-AI set
out principles, this draft sets out controls — and the headline provision has
already become the subject of boardroom conversation across the sector: every
regulated entity must build the ability to instantly override, suspend, or
fully deactivate any AI or ML model running in its operations. No system,
however autonomous, is permitted to sit beyond the reach of a human kill
switch.
The draft also introduces
risk-based model tiering, classifying AI systems by three factors — how much a
wrong output matters (materiality), how hard the model is to interpret or
validate (complexity), and how much it acts without a human in the loop (autonomy).
A model that is all three at once — material, complex, and autonomous, like an
AI system approving or declining loan applications at scale — faces the
strictest pre-deployment scrutiny. A simple internal reporting model does not.
Proportionality is built into the rule rather than left to institutional
judgment.
Why AI Governance for Banks Is a Genuine Shift, Not Just More Paperwork
It's tempting to read this as
regulatory box-ticking layered on top of technology that was already working
fine. That reading misses what actually changed. FREE-AI and the Model Risk
Management draft together move AI oversight out of the IT department and into
the boardroom. Model risk stops being an operational question owned by a data
science team and becomes a governance obligation owned by the board — the same
category of accountability banks already apply to credit risk and capital
adequacy.
That reframing has a specific
trigger. Regulators globally, RBI included, have watched frontier AI systems
grow more autonomous and more capable of taking multi-step actions with limited
human review. A credit-scoring model that outputs a number for a loan officer
to review is one risk profile. An AI agent that reads an application, checks it
against policy, and initiates an approval on its own is a different one
entirely — and it's the difference the Model Risk Management draft is
explicitly built to address.
What Accountability Actually Requires in Practice
Reading through both documents,
three practical obligations stand out for any bank, NBFC, or payment company
operating in India:
Board-approved AI policy.
FREE-AI's very first governance recommendation is that every regulated entity
adopt a board-approved AI policy defining oversight, escalation, and model risk
protocols — not a technical document buried in an engineering wiki, but a
governance artifact the board has actually reviewed and signed off on.
A working kill switch, not a
theoretical one. The Model Risk Management draft doesn't ask whether a bank
could shut down a model in an emergency — it requires the mechanism to exist,
be tested, and be demonstrably available before a model with meaningful
autonomy goes live.
Continuous monitoring, not a
one-time evaluation. Both frameworks treat pre-launch testing as necessary but
insufficient. FREE-AI's assurance pillar and the draft's tiering system both
assume model behaviour drifts after deployment, and both expect institutions to
be watching for that drift in production, not just at go-live.
Where a Governance and Assurance Layer Fits
This is precisely the gap that
platforms like Trusys are built to close
for regulated enterprises. Continuous evaluation of model outputs, runtime
monitoring that flags behavioural drift before it becomes an incident, and
audit-ready reporting mapped to frameworks like the EU AI Act, ISO 42001, and
NIST AI RMF are exactly the operational muscle FREE-AI's assurance pillar and
the RBI's model-tiering approach assume institutions already have. For Indian
banks now working out how to translate board-level policy into an enforced,
auditable control, that operational layer is the difference between a
governance document and a governance program.
The Bigger Picture
India's financial sector has a
genuine opportunity here, not just a compliance burden. A regulator willing to
write kill-switch requirements into draft rules while simultaneously proposing
tolerance for good-faith first errors is signalling something specific: it
wants AI adoption to continue, on the condition that adoption is provably
accountable. Institutions that build governance, identity, and monitoring into
their AI programs now — rather than waiting for the Model Risk Management draft
to become binding — will be the ones positioned to keep innovating once
enforcement begins.
The innovation phase of AI in
Indian banking isn't over. But it now has a second track running alongside it,
and for the institutions that get both tracks right, accountability isn't the
brake on innovation — it's what earns AI the permission to keep scaling. Strong
AI governance for banks, in other words, isn't a constraint on the innovation
story. It's the precondition for it.