The regulator has asked the right question — the one every board should have been asking itself.
On 24 June, the Reserve Bank of India released a draft that deserves more attention than a compliance circular usually gets. The Guidance on Regulatory Principles for Model Risk Management, open for public comment until 24 July, applies to virtually every regulated entity in Indian finance — commercial banks, small finance banks, co-operative banks, NBFCs across all layers, the AIFIs, ARCs, and credit information companies. And it defines its subject broadly: any model that materially influences a business decision — an AI system, a scoring algorithm, a rule engine, even a spreadsheet — must now be governed, whether it was built in-house or bought from a vendor.
The instinctive industry reading is already forming: a new compliance architecture, a new cost line, more documentation. I want to offer a different reading. The question is not “are your models documented?” It is “does your institution actually govern the intelligence it now runs on?”
Consider the draft’s own example. A spreadsheet that calculates loan prices, it notes, is merely a tool — until the institution uses it to derive lending rates and credit terms, at which point it becomes a model to be governed. The point is quietly radical: governance now reaches wherever a decision is being made, whether or not the institution had thought to call the thing a model. The scope is not the software. It is the decision.
What the framework actually asks
Strip away the machinery — the inventories, the tiering, the three lines of defence — and the draft asks for three things that no policy document can supply on its own.
It asks the board to own model risk, not sponsor it. The framework must be board-approved; the Risk Management Committee of the Board must itself approve high-risk model deployments and oversee third-party and AI models. Accountability is placed where the consequences land.
It asks that accountability survive outsourcing. A model bought from a vendor transfers nothing: the institution remains answerable for what the model does, and must independently validate it. “The vendor built it” joins “the model said it” in the category of defences that no longer exist.
And — the quietest, most radical line in the draft — it asks, in as many words, that the people overseeing AI be “able to effectively challenge, override, or escalate” what the model produces. Not merely to operate the kill switch. To genuinely contest the output. That is not a documentation requirement. It is a capability requirement, and it is the one on which everything else depends. A framework can mandate inventories and validation reports; it cannot mandate that the person reading them understands what they are looking at.
The real gap is capability, not compliance
Here is the uncomfortable arithmetic beneath the draft. The RBI’s own FREE-AI committee found last year, in its survey of regulated entities, that only 27% of the 171 NBFCs surveyed were using AI in some manner, and that adoption across the sector was concentrated in larger institutions running simpler models. Set that against the other end of the market: Deloitte’s State of AI in the Enterprise, whose India insights were released in March 2026, found Indian enterprises leading global peers on adoption — roughly 40% reporting significant or full AI use against a global average of about 28%, with at-scale deployment in strategy and operations reaching 56%. Intelligence is racing into the front of the market while the regulated long tail has barely begun — and it is the whole of that market the framework now makes accountable.
The gap is not only in adoption. It is in the room that governs it. A 2026 BCG survey of 625 chief executives and board members found that the board members who rated their own understanding of AI as weakest were the ones most convinced their organisation was moving too slowly — urgency running ahead of understanding, in the very rooms this framework now makes accountable.
So the binding constraint on this framework will not be policy production. Institutions will produce the inventories, the tiering policies, the validation binders — the machinery of compliance is well understood. The binding constraint is whether the board and the second line have the fluency to ask the second question: not “has this model been validated?” but “validated against what assumption, and what happens to that assumption when the market turns?” An institution can be fully documented and entirely ungoverned. That is the pattern I have watched across enterprise AI for a decade — a great deal of activity, very little outcome — and there is no reason compliance should be immune to it.
Governance, done right, is an accelerant
The reflexive objection will be that all this slows adoption. The evidence from the institutions that have actually made AI pay says the opposite.
DBS spent years building a governed, accessible data foundation before the models came — unglamorous discipline that is precisely what later allowed it to cut the journey from concept to production from twelve-to-fifteen months to two or three. BBVA brought legal and compliance in, in its own words, as partners from day one — and scaled AI access to its entire workforce. In both cases governance was not the gate at the end that blessed or blocked finished work; it was a design parameter from the first session. The thing was built safe rather than litigated into safety afterwards.
That is the opportunity hiding inside this draft. An institution that builds genuine model-governance capability — a board that can interrogate, a risk function fluent enough to co-author rather than veto — earns something scarce: the regulator’s confidence, and with it the licence to move quickly. Read correctly, this framework is not a brake. It is the entry fee to speed.
What I would add
Two things, offered constructively, and I will make them in my formal response to the consultation.
First, the “effective challenge” standard the draft rightly sets for oversight personnel should be extended, explicitly, to the board itself — and made into a mechanism rather than an aspiration. “Sufficient literacy” is a state no supervisor can measure; a standing practice is. I would institute a mandatory, minuted briefing to the board or its risk committee on the institution’s material-model and AI-risk profile, at least quarterly. The cadence matters: AI capability and threats move within months, and an annual rhythm leaves the accountable body reviewing a landscape that has already shifted. Leave the contents to each institution — principles, not formula — but make the existence, the board-level nature, and the quarterly cadence the control. That converts an unenforceable expectation into an observable one, and gives the board a structural reason to keep pace rather than one that depends on an individual director’s initiative.
Second, the draft’s proportionality is model-level but not entity-level — and the fix needs care, because the obvious version of it is wrong. It scales governance to a model’s materiality, sensibly. But the fixed structural apparatus it requires — above all an independent second-line validation function organisationally separate from those who build and own the models — carries a largely fixed cost that lands very differently on a large bank than on a base-layer NBFC. The tempting conclusion is “lighter touch for small institutions.” That would be a mistake: a small, nimble lender may run material AI models at its very core, and the controls proportionate to that risk must not be relaxed. The distinction that resolves it is between structure and control. Relieve the smaller entity of the obligation to build the same separate institutional apparatus as a bank many times its size — anchored to the RBI’s own entity categories rather than a new threshold, and justified by both fixed-cost burden and lower systemic footprint — while holding the model-level controls fully constant regardless of size. Rigour tracks the risk being taken; only the fixed overhead flexes.
The choice in front of every board
Every board covered by this draft now faces the same fork. It can meet the framework as paperwork — assign it to compliance, produce the artefacts, and carry on with a governance capability unchanged. Or it can treat the RBI’s question as the occasion to build the muscle the AI era was always going to demand: a board that understands what it is accountable for, a risk function that enables at speed, an institution that governs its intelligence rather than merely documenting it.
The first path satisfies the letter of the guidance and leaves the institution exactly as exposed as before. The second converts a regulatory obligation into a durable advantage. The regulator has asked the right question. The answer — and everything that follows from it — belongs to the board.
A formal response will be submitted through the RBI’s Connect 2 Regulate consultation.