DOXIA AXIS
Regulation | 26 Mar 2026 | 4 min read

India's AI regulatory stack: DPDP, RBI FREE-AI, IRDAI, and SEBI — what operators need to know

India doesn't have a single AI law. It has a patchwork — DPDP as the data-protection base, RBI's FREE-AI framework for financial services, IRDAI for insurance, and SEBI guidance for markets. Here's the one-page map.

The pattern

India is not taking the EU's route — one horizontal AI law applying to everyone. Instead, AI regulation is emerging sector-by-sector, sitting on top of the Digital Personal Data Protection Act (DPDP), 2023 as the data-protection base layer.

For any business operating in India and using AI, this means regulatory compliance is a function of which sector you touch, not a generic AI checklist.

Here's the current map (as of April 2026).

The base layer — DPDP, 2023

The DPDP Act is the foundation. If you process personal data in India, the Act applies. Core obligations:

  • Consent-first processing — explicit, informed, withdrawable.
  • Data Fiduciary obligations — purpose limitation, data minimisation, security, breach notification.
  • Significant Data Fiduciary (SDF) designation — likely to apply to AI-heavy platforms once the Rules are notified.
  • Data Principal rights — access, correction, erasure, grievance.

The Rules under the Act are still being finalised. The pending question everyone is watching: what triggers SDF classification for an AI-driven business? If you're processing biometric, health, children's, or "significant volume" data — plan on being in scope.

The financial services layer — RBI FREE-AI

The Reserve Bank of India's Framework for Responsible and Ethical Enablement of AI (FREE-AI) is the most AI-specific Indian regulation today. It applies to banks, NBFCs, and regulated entities using AI/ML in customer-facing or credit-decisioning workflows.

Core obligations:

  • Governance — board-level oversight of AI use, a designated senior executive, documented risk framework.
  • Model risk management — pre-deployment validation, continuous monitoring, documented retraining triggers.
  • Explainability — models used in credit, pricing, or adverse customer actions must produce human-interpretable rationales.
  • Fairness testing — periodic fairness audits against protected attributes.
  • Third-party / BaaS rules — if you outsource the model or use an FM-API, the primary responsibility still sits with the regulated entity.

If you're a fintech startup building on top of a regulated partner, FREE-AI obligations likely flow down to you contractually — even though you're not directly regulated.

The insurance layer — IRDAI AI guidance

The Insurance Regulatory and Development Authority has issued AI-use guidance to insurers and insurtech partners, focused primarily on:

  • Claims automation with human override
  • Underwriting explainability for any AI-driven premium or coverage decision
  • Customer consent for AI-based recommendation engines

If your product interfaces with an insurance workflow, expect the IRDAI guidance to flow into your vendor contract.

The capital markets layer — SEBI AI advisory

The Securities and Exchange Board of India has issued consultation papers and circulars on AI use in:

  • Algo trading — registration, kill-switches, order-to-trade ratios
  • Robo-advisory — suitability testing, disclosure, conflict-of-interest management
  • Market surveillance — SEBI itself is deploying AI; market participants should expect heightened pattern detection

What most operators miss

Three things we consistently flag in audits of Indian businesses deploying AI:

  1. The DPDP consent architecture is wrong for LLM prompts. Most businesses built a 2023-era consent UI that doesn't cover "prompt content will be sent to a US-based LLM and may be retained by the provider." That's a DPDP cross-border-transfer exposure.

  2. Sector classification is sloppy. Businesses adjacent to finance (lending aggregators, BNPL, invoice financing) often assume they're unregulated. They're typically inside the FREE-AI perimeter via their banking partner.

  3. No documented AI use inventory. Every sector regulator expects you to know which models you deploy, where, trained on what, with what fallback. Most businesses can produce this list in 20 minutes of interviews — but have never written it down.

The roadmap ahead

Watch three things over the next four quarters:

  • DPDP Rules finalisation and SDF classification — this is the biggest near-term change.
  • Nasscom-EY AI Adoption Index v2.0 (2025 refresh) — the industry benchmark for where Indian enterprise actually is on AI maturity, updated for the first time since 2022.
  • First enforcement actions — DPDP penalties and RBI show-cause notices will set the tone.

A Free First Audit includes a Legal + Compliance lane calibrated to the Indian regulatory stack. We produce the sector classification, the DPDP posture review, and the AI use inventory — in three to five days.