AI Policy & Regulation
Synthesized from 102 talks · India AI Impact Summit 2026
Overview
AI policy and regulation emerged at the India AI Impact Summit 2026 as the summit's organizing preoccupation, cutting across every sector from healthcare to diplomacy to disaster management. The central tension is chronological: AI systems are being deployed at population scale today while governance frameworks remain incomplete, fragmented, and—in many jurisdictions—still aspirational. India occupies an unusual position in this landscape, simultaneously a test market for regulatory approaches, a convening power for Global South governance norms, and a nation with its own binding obligations under the DPDP Act and emerging sector-specific rules. The summit's 102 sessions converged on a shared conviction that governance quality, not computational scale, will determine which nations and populations benefit from AI. What remains genuinely contested is how fast to regulate, who holds liability, and whether voluntary frameworks can substitute for enforceable law.
Key Insights
- Regulate harms and use cases, not underlying models. Rules written for "AI systems" generically become obsolete within months; durable regulation targets financial fraud, autonomous clinical decisions, or critical infrastructure failures—problems that persist regardless of which model generates them. The EU AI Act's risk-based tiering and India's sector-specific sandboxes both reflect this logic, though they implement it at different speeds and with different compliance costs.
- The liability gap is an immediate business crisis in India. Indian organizations deploying foreign black-box models currently bear full DPDP Act liability for systems they cannot audit, explain, or override. No contractual arrangement resolves this; it requires either mandatory model transparency obligations or explicit liability-allocation rules—neither of which exists yet. This is not a future problem; it is today's legal exposure for every enterprise deploying third-party AI.
- Sovereignty means verified control, not autarky. Across more than a dozen sessions, speakers rejected the binary of "build everything domestically" versus "accept dependency." The operative definition of sovereignty that emerged is: control over design decisions, data governance, and deployment architecture, secured through formal verification mechanisms, while strategically partnering on components. Hardware-rooted cryptographic proofs of data localization—already production-deployable—make this verifiable rather than rhetorical.
- Governance must precede deployment, not follow it. For open-weight models, post-release governance is structurally ineffective. For agentic systems executing irreversible transactions autonomously, the absence of pre-defined responsibility chains is a critical gap that standards bodies are actively working to close but have not yet resolved. The pattern of deploying first and regulating after—which characterized social media—was repeatedly cited as the error that AI governance must not repeat.
- Voluntary frameworks are necessary but insufficient, and the window is closing. Seoul commitment signatories were later implicated in harmful deployments. The summit's own "New Delhi Commitments" prompted skepticism about non-binding declarations. The emerging consensus is that voluntary frameworks serve as useful transitional scaffolding while binding legal frameworks catch up, but only if they include explicit incentives, persistent monitoring, and iterative revision mechanisms—not one-time pledges.
- International standards harmonization is a geopolitical stakes question, not a technical formality. Global South nations that are absent from ISO/IEC SC42 committees, NIST processes, and OECD working groups will find themselves implementing governance frameworks designed for advanced-economy contexts that systematically fail their populations. India's submission of benchmarking standards and multilingual evaluation frameworks to international bodies represents a strategic move to shape, not merely adopt, global norms.
- Incentive alignment outperforms enforcement mandates in fast-moving sectors. ISO 42001 certification is already a procurement requirement in regulated sectors; organizations without it are losing contracts. Insurance pricing, liability clarity, and public procurement conditions drive compliance more reliably than regulatory sanctions in domains where governments lack technical capacity to audit systems. The implication for India's relatively light-touch approach is that market mechanisms must be deliberately designed—they do not emerge automatically.
- Agentic AI represents a qualitatively new governance challenge requiring new evaluation paradigms. Multi-agent systems can exhibit emergent behaviors that no single-agent test captures. Current benchmarking approaches designed for static models are structurally inadequate for autonomous agents with tool use, memory, and multi-step planning. Standards for risk-scoring sequences of autonomous actions—not just model outputs—are an active work item in SC42 but remain unfinished.
- The science-policy translation layer is missing. Safety institutes produce technical reports; policymakers need feasible, evidence-informed options with explicit tradeoffs. Without a middle layer that translates capability evaluations into policy choices, governments are making deployment and procurement decisions without the technical grounding necessary to make them responsibly.
- Data governance failures cascade through the entire AI stack. Eighty percent of AI pilots fail at scale due to data silos and governance gaps, not algorithmic limitations. Biased or poisoned source data defeats every downstream safety measure. India's federal structure—28 state governments generating data in incompatible formats under fragmented oversight—means data governance is not merely a compliance question but an architectural one requiring federated solutions.
Recurring Themes
- Trust is infrastructure, not an outcome. Speakers across financial services, healthcare, public administration, and diplomatic AI independently converged on the same formulation: trust is not produced by capability demonstration alone but by transparency, auditability, human override mechanisms, and predictable accountability. The practical implication is that trust must be engineered into system architecture from inception—it cannot be retrofitted. Sessions on agentic AI, DPI sandboxes, and AI investment governance all made the same argument in different vocabularies.
- Regulation and innovation are not in tension—the claim that they are is a rhetorical tactic. Multiple speakers invoked historical parallels: aviation, pharmaceuticals, nuclear power, food safety, and cigarettes were all accompanied by industry claims that regulation would stifle innovation. The empirical record shows otherwise. India's sector-specific, risk-proportionate approach was cited as a credible alternative both to EU-style compliance overhead and to regulatory absence. The consensus position is that well-designed regulation builds the public trust that enables adoption at scale.
- The Global South must be a standard-setter, not a standard-taker. This point was made independently by speakers on multilingual AI, South-South cooperation, international standards processes, financial inclusion, and diplomatic AI governance. The structural problem is resource asymmetry: meaningful participation in ISO, OECD, and NIST processes requires funded travel, technical literacy, and co-authorship capacity that most Global South governments do not currently have. Without deliberate resourcing, inclusivity commitments remain tokenistic.
- Human oversight and accountability cannot be delegated to AI systems. Sessions on judicial AI, healthcare AI, diplomatic AI, and agentic systems governance all drew the same boundary: AI handles volume, pattern recognition, and administrative burden; humans retain accountability for consequential decisions. This is simultaneously an ethical principle and a practical liability rule—whoever deploys a system is responsible for its outputs, and that responsibility cannot be contractually transferred to a model provider.
- Skills and institutional capacity are the binding constraints, not technology. Compute, models, and APIs are increasingly available; the bottleneck is trained governance professionals, AI-literate regulators, informed board members, and civil servants who can evaluate—not just procure—AI systems. Twenty-six percent of government workers deploying AI understand the ethics frameworks governing their use. No regulatory framework, however well-designed, functions without the human capacity to implement and enforce it.
Open Challenges & Tensions
- How fast should India formalize its regulatory approach? The summit surfaced genuine disagreement between those who argue India's light-touch, voluntary governance model is a competitive advantage enabling innovation and those who argue voluntary frameworks have demonstrably failed and enforceable rules with judicial remedies are now urgent. The tension is sharpest in high-stakes domains—healthcare diagnostics, criminal justice algorithms, credit scoring—where harm is immediate and the population scale is enormous. No session produced a resolution; the question of timing remains actively contested.
- Who bears liability for AI failures across the deployment chain? Model developers, fine-tuners, application builders, deployers, and end-users each have different risk management systems and different capacities to absorb liability. India's DPDP Act assigns liability to the data principal—but AI systems often fail not through data breaches but through model errors, distributional shift, or emergent agentic behavior that no single actor in the chain deliberately caused. The choice between explicit ex-ante liability allocation and post-hoc tort responses remains unresolved, and the absence of clarity is already creating legal exposure.
- Can open-source AI and data sovereignty coexist? Multiple sessions celebrated open-source models as enabling sovereignty through auditability and local adaptation. But the spectrum from "open weights" to "truly auditable" is wide—most current open-weight models provide cost-free access without genuine transparency into training data, fine-tuning, or safety evaluations. The governance question of what "open" must mean to be genuinely sovereign—and who certifies compliance with that definition—remains unresolved.
- How should red lines be defined and enforced internationally? The session on multilateral red lines acknowledged that zero-tolerance rules work for existential risks but break down for social harms requiring malleable thresholds. Voluntary summits have produced commitments that signatories later violated. Binding treaty mechanisms require consensus that geopolitical fragmentation makes unlikely in the near term. The gap between the urgency of the problem and the feasibility of enforcement mechanisms was acknowledged but not bridged. Incremental approaches—shared incident reporting, mutual recognition of compliance regimes, procurement conditions—were proposed as realistic near-term steps.
- How do you evaluate what you cannot measure? AI Safety Institutes are building evaluation infrastructure, but public benchmarks have been corrupted by commercial incentives and are no longer reliable indicators of real-world safety. Private test sets address gaming but create transparency problems. Agentic systems operating continuously across networks cannot be meaningfully assessed through pre-deployment testing alone. The measurement science required to underpin any credible governance framework—whether voluntary or legally binding—is genuinely immature, and investments in it are chronically underfunded relative to model development.
Notable Examples
- India's DPDP Act as live liability exposure. Several sessions identified a specific and immediate legal problem: Indian enterprises deploying foreign AI models face full DPDP Act liability for systems they cannot audit. This is not a hypothetical future scenario—it describes the current operational reality for organizations that have already integrated third-party models into customer-facing workflows. The Act's enforcement mechanisms, combined with the absence of model transparency obligations on foreign providers, create an asymmetric risk that Indian regulators have not yet formally addressed.
- NIST's AI Risk Management Framework and the "codes of practice" model. The EU's approach of pairing legislation with adaptable codes of practice—developed through iterative industry consultation rather than top-down prescription—and NIST's RFI and listening-session process were both cited as procedural models that produce more durable standards than either legislative mandates or pure industry self-governance. India's "living documents" framing for its AI governance guidelines reflects the same logic applied domestically.
- MahaAI and the Sabasar gram panchayat platform. Maharashtra's MahaAI initiative and the Sabasar platform for gram panchayat meeting documentation represent concrete deployments of AI in government administration at scale—linking meeting minutes to action tracking, fund disbursement to asset geo-tagging, and governance records to public scrutiny. Sabasar's design—mobile phone recording, cloud processing, no new hardware required—achieved adoption in contexts where technically sophisticated alternatives had failed. Both were cited as models of accountability infrastructure, not just efficiency tools.
- RBI's "Mule Hunter" and SEBI's tax compliance nudge programs. India's financial regulators have moved beyond pilot stage: Mule Hunter is saving ₹75–100 crore per bank by identifying fraudulent accounts through behavioral anomaly detection; the income tax authority's nudge program measurably changed taxpayer behavior through proactive discrepancy notifications rather than punitive audits. These deployments—sovereign, domain-specific, India-hosted—were presented as evidence that trust-based, explainable AI governance produces better compliance outcomes than enforcement-first approaches.
- The Taiwan AI crisis liaison network proposal and the Africa-Asia AI Policymaker Network. Taiwan's proposal for a regional AI crisis hotline extending existing cybersecurity frameworks (FIRST, APCERT) to cover AI-specific incidents and the five-year track record of the Africa-Asia AI Policymaker Network for peer-to-peer governance learning represent two distinct but complementary models of international coordination below the treaty level. Both address the institutional gap between diplomatic time and algorithmic time—the former through pre-positioned technical communication infrastructure, the latter through sustained relationship-building that enables trust before crisis.
