AI Governance Update: Q4 2025
Newsletter · AI Governance · 2026-02-05
Quarterly digest covering AI regulation developments, responsible AI frameworks, and the intersection of AI and data protection.
Regulatory Developments

India's approach to AI regulation continued to crystallize in Q4 2025, with several significant developments shaping the landscape for organizations deploying AI systems:

- MeitY's AI Governance Framework Draft: The Ministry of Electronics and IT released a consultation paper proposing a risk-based approach to AI governance — categorizing AI systems into minimal, limited, and high-risk tiers based on their potential impact on individuals and society. High-risk applications (credit scoring, hiring, healthcare diagnostics) would face mandatory impact assessments and human oversight requirements.
- RBI's AI Guidelines for Financial Services: The Reserve Bank of India issued draft guidelines for AI/ML model governance in banking, covering model validation, explainability requirements for credit decisions, bias testing, and customer disclosure obligations when AI influences lending or insurance decisions.
- SEBI's Algo Trading Framework: SEBI tightened requirements for algorithmic trading systems, mandating disclosure of AI-driven strategies and kill switches for autonomous trading algorithms — a sector-specific application of AI governance principles.
- NASSCOM's Responsible AI Principles: NASSCOM updated its Responsible AI guidelines with practical implementation checklists, encouraging Indian IT companies to adopt AI governance as a competitive differentiator in global markets.

DPDP Act and AI: Three Critical Intersections

As organizations deploy more AI systems processing personal data, three DPDP requirements create immediate compliance obligations:

1. Purpose Limitation for Training Data

Section 4 of the DPDP Act requires processing only for the stated purpose. Organizations using customer data to train AI models must ensure that:

- The privacy notice explicitly covers AI training as a processing purpose
- Consent (where required) specifically mentions AI/ML model training
- Data collected for service delivery cannot be silently repurposed for model training without updated notice and fresh consent

Practical tip: Audit your AI training pipelines to verify that all personal data used has a valid legal basis covering the specific AI use case. Use Complynz's PII Discovery Tool to identify personal data in your training datasets.

2. Automated Decision Transparency

While DPDP does not have a specific "right to explanation" like GDPR Article 22, the Act's transparency obligations (Section 5) require Data Fiduciaries to inform Data Principals about processing activities — including automated decision-making. Organizations making decisions that materially affect individuals (loan approvals, insurance pricing, job screening) using AI should:

- Disclose in their privacy notice that automated decision-making is used
- Provide meaningful information about the logic involved (not the algorithm, but the factors considered)
- Offer a human review mechanism for contested decisions

3. Children's Data and AI

Section 9's restrictions on children's data have significant implications for AI systems in edtech, gaming, and social media. AI-driven profiling, behavioral tracking, and targeted content for users under 18 require verifiable parental consent — and any AI processing that could cause "detrimental effect" on a child's wellbeing is prohibited.

Best Practice: Integrated AI-DPIA Framework

Organizations should not conduct separate AI assessments and DPIAs — instead, extend your DPIA process to include AI-specific risk dimensions:

- Data quality assessment: Is the training data representative? Could biases in the data lead to discriminatory outcomes?
- Fairness testing: Test model outputs across protected characteristics (gender, caste, religion, age, disability) relevant to the Indian context
- Explainability evaluation: Can the model's decisions be explained in terms understandable to Data Principals? What level of explanation is appropriate for the decision's impact?
- Human oversight design: For high-impact decisions, what human review mechanism exists? How is the human reviewer equipped to meaningfully evaluate the AI's recommendation?
- Data minimization review: Can the AI achieve acceptable performance with less personal data? Consider techniques like federated learning, differential privacy, or synthetic data generation

For a comprehensive framework, see our full research paper on AI and Data Protection: Regulatory Convergence.

Action Items for Q1 2026

- Inventory all AI systems processing personal data across your organization
- Review privacy notices for AI-specific disclosure requirements
- Begin integrating AI risk dimensions into your DPIA process
- Monitor MeitY's AI governance framework consultation — public comments expected in Q1 2026
- Assess your DPDP compliance readiness with particular focus on automated decision-making practices