Direct answer
An enterprise AI governance program in India is the operating system for safe, compliant, and explainable AI adoption. It is not a single document — it is a policy, a committee, a model inventory, a risk classification framework, controls per risk tier, and a cadence of reporting to leadership. Done well, it removes the friction that kills most AI pilots before they reach production.
The seven components
- An AI use policy. What employees can and cannot do with AI tools (ChatGPT, Copilot, Claude). What data can and cannot be uploaded. Approved vendors. Acceptable use. Sanctions.
- A cross-functional AI risk committee. Senior executive chair, members from risk, legal, compliance, data, IT, security, and the major business functions deploying AI.
- A model inventory. Every AI system in production and pilot: what it does, who owns it, what data it touches, what its risk tier is. Most enterprises discover they have 3–10× more AI in production than they thought.
- A risk classification framework. High / medium / low tier based on impact, autonomy, data sensitivity, and regulatory scope. EU AI Act categories are a reasonable starting model even for India-only operations.
- Controls per risk tier. Approval gates, validation requirements, monitoring, audit logging, and human oversight scaled to the risk classification.
- Board reporting cadence. Quarterly AI risk dashboard for the board, monthly operational reviews for the committee.
- Vendor and procurement integration. AI clauses in vendor contracts, AI questionnaires in procurement, audit rights for third-party AI systems.
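The model inventory, the risk classification framework and the controls-per-tier items above are the mechanical core of the program, and a small amount of code makes the relationship between them concrete. The following is an added example, not code from the original page or from AI Guru: a minimal inventory record, a tier classifier over the four factors named above (impact, autonomy, data sensitivity, regulatory scope), and a gap check that lists which tier-required controls a model is still missing. The scoring weights, thresholds, control names and per-tier mapping are assumptions for illustration, not a published standard, and the inventory entries are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

# Added example: inventory record + risk-tier classifier + controls-per-tier gap check.
# Weights, thresholds and the control mapping below are assumptions, not a standard.


class Tier(str, Enum):
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"


@dataclass(frozen=True)
class ModelRecord:
    name: str
    owner: str
    purpose: str
    stage: str                  # "production" or "pilot"
    data_classes: frozenset     # e.g. {"personal", "financial"}
    impact: int                 # 1..3: harm to people or the business if the model is wrong
    autonomy: int               # 1..3: 1 = advisory only, 3 = acts with no human in the loop
    regulators: frozenset       # sectoral regulators in scope, e.g. {"RBI"}; empty if none
    implemented: frozenset      # controls already in place, by name


SENSITIVE = frozenset({"personal", "financial", "health", "biometric"})
SPECIAL = frozenset({"health", "biometric"})

# The five controls the page lists, scaled per tier (assumed mapping).
REQUIRED_CONTROLS = {
    Tier.HIGH: frozenset({"approval_gate", "validation", "monitoring",
                          "audit_logging", "human_oversight"}),
    Tier.MEDIUM: frozenset({"approval_gate", "validation", "monitoring", "audit_logging"}),
    Tier.LOW: frozenset({"approval_gate", "audit_logging"}),
}


def data_sensitivity(m: ModelRecord) -> int:
    """1..3: special-category data scores highest, other personal/financial data next."""
    if m.data_classes & SPECIAL:
        return 3
    if m.data_classes & SENSITIVE:
        return 2
    return 1


def classify(m: ModelRecord) -> Tier:
    """Assumed additive score over the four factors, plus one override:
    a model that acts autonomously on sensitive data is HIGH whatever its score."""
    regulatory = 3 if m.regulators else 1
    score = m.impact + m.autonomy + data_sensitivity(m) + regulatory  # range 4..12
    if score >= 9 or (m.autonomy == 3 and data_sensitivity(m) >= 2):
        return Tier.HIGH
    if score >= 6:
        return Tier.MEDIUM
    return Tier.LOW


def control_gaps(m: ModelRecord) -> list[str]:
    """Controls the model's tier requires that the inventory does not record as implemented."""
    return sorted(REQUIRED_CONTROLS[classify(m)] - m.implemented)


def risk_dashboard(inventory: list[ModelRecord]) -> dict:
    """The two numbers a committee or board readout needs: count per tier and open gaps."""
    by_tier = {t.value: 0 for t in Tier}
    gaps = {}
    for m in inventory:
        by_tier[classify(m).value] += 1
        missing = control_gaps(m)
        if missing:
            gaps[m.name] = missing
    return {"by_tier": by_tier, "open_gaps": gaps}


# Constructed sample inventory (fictional systems and owners).
INVENTORY = [
    ModelRecord("credit-scoring-v2", "Retail Lending", "loan approval", "production",
                frozenset({"personal", "financial"}), impact=3, autonomy=3,
                regulators=frozenset({"RBI"}),
                implemented=frozenset({"approval_gate", "validation", "monitoring"})),
    ModelRecord("resume-screener", "HR", "shortlist applicants", "pilot",
                frozenset({"personal"}), impact=2, autonomy=1,
                regulators=frozenset(),
                implemented=frozenset({"approval_gate"})),
    ModelRecord("policy-doc-summariser", "Legal", "summarise internal documents", "production",
                frozenset(), impact=1, autonomy=1,
                regulators=frozenset(),
                implemented=frozenset({"approval_gate", "audit_logging"})),
]

if __name__ == "__main__":
    for m in INVENTORY:
        print(f"{m.name:24} {m.stage:10} tier={classify(m).value:6} gaps={control_gaps(m)}")
    print(risk_dashboard(INVENTORY))
```

The point of the gap check is the "no model inventory" failure mode: without the record, `control_gaps` has nothing to run over, and the tier assignment is never tested against what is actually deployed. The override in `classify` is also worth keeping in any real scheme, because an additive score alone can let a fully autonomous model on personal data land in the medium tier if its other factors are low.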
Indian regulatory landscape — what to align to
| Framework | Applies to |
|---|---|
| DPDP Act 2023 | All enterprises processing personal data of Indian data principals |
| RBI Responsible AI guidelines | Banks, NBFCs, payment systems |
| IRDAI AI/ML guidelines | Insurance companies |
| SEBI technology risk circulars | Capital markets, asset management |
| CDSCO SaMD framework | Medical AI software (clinical decision support, diagnostic) |
| ISO 42001 | Reference framework; certifiable when needed |
| NIST AI RMF | Voluntary US framework; useful for risk taxonomy |
| EU AI Act | Required for any AI system offered to EU customers; useful risk-tier model otherwise |
A worked timeline
| Week | What happens |
|---|---|
| 1–2 | Charter the AI risk committee; appoint chair and members |
| 2–3 | Draft AI use policy; publish v1 with sanctions and approved tools |
| 3–6 | Build model inventory; classify by risk tier |
| 4–8 | Define controls per tier; assign owners |
| 6–10 | Integrate AI questionnaires into vendor procurement |
| 8–12 | First board AI risk readout; quarterly cadence locked |
| Ongoing | Active monitoring, drift detection, vendor reviews, training refreshes |
What typically goes wrong
- Policy without committee. A document on the intranet that nobody owns. It decays within 3 months.
- Committee without authority. The committee can recommend but cannot stop a project. Risk tiers become advisory theatre.
- Compliance theatre. Documentation produced for auditors that nobody uses operationally. The DPDP Act audit fails because the policy and the practice don't match.
- No model inventory. Without knowing what AI is actually deployed, every other control is fiction.
How AI Guru helps
AI Guru runs the AI Governance & Ethics program for risk, compliance, legal, audit, and CISO teams — and the broader AI Governance & Board Advisory practice for board-level oversight. Reference case: a leading Indian private bank built a board-approved AI risk framework in 6 weeks, audited 15 existing AI models, and passed a subsequent RBI technology audit with zero findings.