RBI AI Guidelines for Public Comments-2

This is in continuation of our earlier post on “Model Risk Management” guidelines released by RBI as draft for public comments.  (Copy of guidelines)

Let us discuss the “Chapter II” of the draft guidelines on “Governance”.

This chapter prescribes that an RE is accountable for the “Outcomes” of all models used by it, irrespective of whether they were developed internally or sourced from outside. The focus on “Outcomes” rather than on the technology itself is a very intelligent way of bringing all “Automated Decision making” into the realm of the regulation.

The regulation also requires that there should be a “Board Approved Model Risk Management Framework” in place, including AI/ML models. Since the definition of “Models” extends to all algorithms, analytics, interfaces, applications, decision-based rules, and other computational tools which, by virtue of their use, have a material impact on decision-making in various business processes, this applies even to internal Excel sheets which are designed to take decisions and influence client decisions.

The Model Risk Management Framework (MRMF) should therefore cover risks that arise from the use of any automated decision making algorithms.

The distinction between what is included and what is not in the regulation depends on the detailed definition of a “Model”, which uses three components.

1. Input Component

2. Processing Component

3. Output component.

Input component includes “Data”, “Decision rules” and “Assumptions”.

Processing component includes “Statistical” and “Mathematical” techniques, including AI, which are used to analyse and interpret the input components.

Output components are the business and operational decision making that arises out of the model.

This is a very broad definition, and hence the MRMF has to include all decision-related risks where the decision making uses a software component which uses any form of intelligence.

The Board should be responsible for the oversight of the MRMF and should periodically review and approve it. The guideline also recognizes the need for factoring in the RE’s risk appetite.

This exactly reflects the DGPSI principles, where the risk assessment is vetted by the top management and a “Deviation Justification Document” based on the risk absorption capacity is adopted.

Committees under the Board and the Senior Management are expected to establish appropriate procedures, etc., to mitigate the risks.

Chapter III of the draft regulations addresses the “Model Risk Management” (MRM) requirements.

The MRM requirements suggest three lines of defence, namely:

a) Model owners being first line of defence,

b) An independent model risk management and validation function being second line of defence, and

c) A robust and independent internal audit function being the third line of defence.

This is the same as the “Process Owners” envisaged as the process-level risk managers in the DGPSI. The guideline also suggests concurrent supervision, including performance testing.

The guideline recommends “Risk Based Model Tiering” with “High” or “Low” tiers, which should be reviewed at least annually. Models classified as “High Risk” should be approved by an appropriate committee. The risk assessment is based on the impact on the financial outcomes affecting the RE as well as the potential implication for the consumers.

An appropriate inventory of all “Models” needs to be maintained by the RE, with details such as model owners, developers, validators, approvers, risk, intended use, dependencies, etc. This is similar to the “Process Inventory” recommended under DGPSI.

The RE should ensure that the grievance redressal system covers the consumer risks.

Chapter IV covers the Model Life Cycle Management, which requires appropriate documentation and procedures for model selection, development, validation, approval, deployment and online monitoring.

The RE should also manage appropriate Change Management, Business Continuity Management and de-commissioning of unused models.

Under Chapter V, the guideline specifies how policies and procedures should govern third-party models across the entire life cycle of acquisition, use, de-commissioning, etc.

The guidelines specify that an RE should define the scope of AI / ML models, including for foundational AI models and frontier AI models, and put in place additional controls, commensurate with their potential impact on customers, business operations, and financial outcomes.

In cases where the third-party provider does not disclose adequate information regarding the AI / ML model, the RE should identify risks that arise from such constraints, and put in place the necessary mitigants, such as limiting the usage.

RE should put in place appropriate control boundaries through system-level controls or model design features to mitigate risks of hallucinations, particularly in models capable of generating content (e.g., generative AI models) and use cases where the model outputs directly or indirectly drive customer interaction or decision making.

It should ensure that models are not overfitted to training data and are capable of appropriate generalisation.

An RE should establish appropriate mitigants to address the data risks such as data quality, non-representativeness, incompleteness, breach of intellectual property rights. (*Ed: Need to add Personal Data Protection also) Changes in data distribution, including data drift and concept drift, should be monitored and addressed on an ongoing basis.

The guidelines prescribe “Human Oversight” on AI and the adoption of a “Kill Switch”, stating:

An RE should establish robust human oversight for AI models including use cases involving automated decision-making by models. It should establish appropriate risk mitigants which inter-alia include:
(i) Human-in-command arrangements (e.g., human-in-the-loop / human-on-the-loop / other human oversight mechanisms);
(ii) override, suspension, or deactivation mechanisms, including kill-switch arrangements; and,
(iii) periodic review of model outputs and model-driven decisions by humans to identify anomalies.
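To make the monitoring and override requirements above concrete, here is an added example (not from the RBI draft and not the post's own code) of a gate around a deployed decision model. It implements three of the controls named on this page: ongoing drift monitoring of the input data, an operator-controlled kill switch, and diversion of decisions to human review with a logged reason. The Population Stability Index (PSI) as the drift statistic, the 0.25 alert threshold, the single numeric feature, the toy score function and all sample values are assumptions of this example, not something the guideline prescribes.

```python
"""Added example, not from the RBI draft or from the post: a gate around a
deployed decision model that implements three controls the guideline names,
ongoing data-drift monitoring, a kill switch, and routing to human review.

Assumptions (not in the original text): the Population Stability Index (PSI)
as the drift statistic, 0.25 as the alert threshold, a single numeric input
feature, and a toy score function. Every sample value below is constructed.
"""
import math

PSI_ALERT = 0.25   # assumed threshold; above it the input distribution is treated as shifted
WINDOW = 50        # number of recent inputs compared against the reference sample


def psi(reference, current, bins=10):
    """Population Stability Index of `current` against `reference` for one
    numeric feature. Bin edges come from the reference sample; empty bins are
    floored at a tiny share so the log terms stay finite."""
    lo, hi = min(reference), max(reference)
    width = (hi - lo) / bins or 1.0

    def shares(values):
        counts = [0] * bins
        for v in values:
            # clamp out-of-range values into the edge bins
            idx = min(max(int((v - lo) / width), 0), bins - 1)
            counts[idx] += 1
        return [max(c / len(values), 1e-6) for c in counts]

    ref, cur = shares(reference), shares(current)
    return sum((c - r) * math.log(c / r) for r, c in zip(ref, cur))


class GatedModel:
    """Wraps a scoring function with override controls: a kill switch set by an
    operator, and automatic diversion to human review when drift is detected."""

    def __init__(self, score_fn, reference_sample):
        self.score_fn = score_fn
        self.reference = list(reference_sample)
        self.kill_switch = False   # operator-controlled deactivation
        self.drift_alert = False
        self.recent = []
        self.log = []              # decision records kept for periodic human review

    def engage_kill_switch(self):
        self.kill_switch = True

    def refresh_drift(self):
        """Recompute PSI over the latest window; returns None until the window is full."""
        if len(self.recent) < WINDOW:
            return None
        value = psi(self.reference, self.recent[-WINDOW:])
        self.drift_alert = value > PSI_ALERT
        return value

    def decide(self, x):
        """Return (decision, reason). The model's own verdict is used only when
        neither override is active."""
        self.recent.append(x)
        self.refresh_drift()
        if self.kill_switch:
            result = ("human_review", "kill switch engaged")
        elif self.drift_alert:
            result = ("human_review", "input drift above PSI threshold")
        else:
            verdict = "approve" if self.score_fn(x) >= 0.5 else "decline"
            result = (verdict, "model")
        self.log.append((x, *result))
        return result


# Constructed data: reference inputs spread uniformly over 0..99, a production
# batch with the same spread, and a later batch concentrated at the top of the range.
REFERENCE = [i % 100 for i in range(1000)]
STABLE_BATCH = [(i * 7) % 100 for i in range(WINDOW)]
SHIFTED_BATCH = [95 + i % 5 for i in range(WINDOW)]


def toy_score(x):
    """Stand-in for a real model: a threshold on the single feature."""
    return 1.0 if x >= 50 else 0.0


def run_demo():
    """Feed a stable batch, then a shifted batch, then engage the kill switch.
    Returns the reason recorded for the last decision of each phase."""
    gate = GatedModel(toy_score, REFERENCE)
    for x in STABLE_BATCH:
        gate.decide(x)
    after_stable = gate.log[-1][2]
    for x in SHIFTED_BATCH:
        gate.decide(x)
    after_shift = gate.log[-1][2]
    gate.engage_kill_switch()
    gate.decide(20)
    after_kill = gate.log[-1][2]
    return after_stable, after_shift, after_kill


if __name__ == "__main__":
    print(run_demo())
```

The design point is that both overrides sit outside the model: the kill switch is a flag an operator can flip without touching the model, and the drift check runs on every call so a shift in production inputs stops automated decisions before a human has to notice it. The `log` list is what the periodic human review in item (iii) would read from.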

Chapter VI clarifies that these guidelines, once approved, will supersede the relevant provisions in the Guidance Note on Credit Risk Management dated October 12, 2002.

In summary, RBI has produced a comprehensive governance framework that extends beyond AI to encompass every automated decision-making model used by regulated entities. Its emphasis on Board accountability, lifecycle governance, independent validation and human oversight makes it one of the most mature regulatory approaches to AI governance in India.

From the DGPSI perspective, many of the principles—Board oversight, risk-based governance, process ownership, inventories, lifecycle management and documented risk acceptance—are already embedded within the DGPSI framework, demonstrating a strong convergence between RBI’s regulatory expectations and established data governance best practices.

This development has given some additional thoughts for elaborating certain aspects of DGPSI-Banks.

Just as “Data is Life” is a key differentiator for the DGPSI-Hospital framework, “Model Risk Management” becomes a key distinction of the DGPSI-Banks framework.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.