For the better part of a decade, Indian banks talked about AI in the language of innovation: faster credit decisions, multilingual chatbots, sharper fraud detection, smarter collections. That conversation is still happening. But a second, tougher conversation has started alongside it, and it is the one that will actually determine how far AI gets to go inside a regulated balance sheet: AI governancefor banks — who is accountable when the model is wrong, and how that accountability gets proven to a regulator.

That question used to be easy to defer. AI in Indian banking was mostly experimental — a pilot chatbot here, a fraud-scoring layer there, rarely touching a decision that couldn't be reversed by a human the same afternoon. That era is closing. The Reserve Bank of India's own numbers show why: in its 2025 survey of regulated entities, the RBI found roughly one in five institutions already running AI in production, concentrated in customer support, credit underwriting, sales, and cybersecurity — the exact functions where a wrong output has a rupee cost attached to it, not just an inconvenience.

The Regulator Moves From Watching to Writing Rules

Two RBI initiatives, released roughly a year apart, mark the shift from encouragement to enforcement.

The first is the Framework for Responsible and Ethical Enablement of AI, or FREE-AI, released on August 13, 2025, after a committee spent close to a year surveying banks, NBFCs, and fintechs. FREE-AI is built around seven guiding principles and organised into six pillars — infrastructure, policy, and capacity-building on the enablement side; governance, protection, and assurance on the risk side — translated into 26 specific recommendations. Its tone is notably not adversarial. The report explicitly proposes a tolerant supervisory stance toward first-time AI errors, so long as an institution can show it was operating with real governance in place. FREE-AI reads like a regulator saying: innovate, but be able to prove you did it responsibly.

The second initiative is sharper-edged. In mid-2026, the RBI put out a draft Model Risk Management framework for AI and machine learning models, open for public comment through July 24, 2026, and expected to be formalised shortly after. Where FREE-AI set out principles, this draft sets out controls — and the headline provision has already become the subject of boardroom conversation across the sector: every regulated entity must build the ability to instantly override, suspend, or fully deactivate any AI or ML model running in its operations. No system, however autonomous, is permitted to sit beyond the reach of a human kill switch.

The draft also introduces risk-based model tiering, classifying AI systems by three factors — how much a wrong output matters (materiality), how hard the model is to interpret or validate (complexity), and how much it acts without a human in the loop (autonomy). A model that is all three at once — material, complex, and autonomous, like an AI system approving or declining loan applications at scale — faces the strictest pre-deployment scrutiny. A simple internal reporting model does not. Proportionality is built into the rule rather than left to institutional judgment.

Why AI Governance for Banks Is a Genuine Shift, Not Just More Paperwork

It's tempting to read this as regulatory box-ticking layered on top of technology that was already working fine. That reading misses what actually changed. FREE-AI and the Model Risk Management draft together move AI oversight out of the IT department and into the boardroom. Model risk stops being an operational question owned by a data science team and becomes a governance obligation owned by the board — the same category of accountability banks already apply to credit risk and capital adequacy.

That reframing has a specific trigger. Regulators globally, RBI included, have watched frontier AI systems grow more autonomous and more capable of taking multi-step actions with limited human review. A credit-scoring model that outputs a number for a loan officer to review is one risk profile. An AI agent that reads an application, checks it against policy, and initiates an approval on its own is a different one entirely — and it's the difference the Model Risk Management draft is explicitly built to address.

What Accountability Actually Requires in Practice

Reading through both documents, three practical obligations stand out for any bank, NBFC, or payment company operating in India:

Board-approved AI policy. FREE-AI's very first governance recommendation is that every regulated entity adopt a board-approved AI policy defining oversight, escalation, and model risk protocols — not a technical document buried in an engineering wiki, but a governance artifact the board has actually reviewed and signed off on.

A working kill switch, not a theoretical one. The Model Risk Management draft doesn't ask whether a bank could shut down a model in an emergency — it requires the mechanism to exist, be tested, and be demonstrably available before a model with meaningful autonomy goes live.

Continuous monitoring, not a one-time evaluation. Both frameworks treat pre-launch testing as necessary but insufficient. FREE-AI's assurance pillar and the draft's tiering system both assume model behaviour drifts after deployment, and both expect institutions to be watching for that drift in production, not just at go-live.

Where a Governance and Assurance Layer Fits

This is precisely the gap that platforms like Trusys are built to close for regulated enterprises. Continuous evaluation of model outputs, runtime monitoring that flags behavioural drift before it becomes an incident, and audit-ready reporting mapped to frameworks like the EU AI Act, ISO 42001, and NIST AI RMF are exactly the operational muscle FREE-AI's assurance pillar and the RBI's model-tiering approach assume institutions already have. For Indian banks now working out how to translate board-level policy into an enforced, auditable control, that operational layer is the difference between a governance document and a governance program.

The Bigger Picture

India's financial sector has a genuine opportunity here, not just a compliance burden. A regulator willing to write kill-switch requirements into draft rules while simultaneously proposing tolerance for good-faith first errors is signalling something specific: it wants AI adoption to continue, on the condition that adoption is provably accountable. Institutions that build governance, identity, and monitoring into their AI programs now — rather than waiting for the Model Risk Management draft to become binding — will be the ones positioned to keep innovating once enforcement begins.

The innovation phase of AI in Indian banking isn't over. But it now has a second track running alongside it, and for the institutions that get both tracks right, accountability isn't the brake on innovation — it's what earns AI the permission to keep scaling. Strong AI governance for banks, in other words, isn't a constraint on the innovation story. It's the precondition for it.