AI GOVERNANCE

India's new governance guidelines are shaping how organisations are expected to manage AI, and where accountability now sits.

At 5:18 AM, while the city was still asleep, the CIO of a large Indian enterprise glanced at an operations dashboard that suddenly didn't make sense.

Overnight, one of the company's core AI systems, responsible for thousands of automated decisions every hour, had shifted its behaviour. Approval rates changed. Routing priorities adjusted. Risk scores moved in unexpected directions.

There was no outage.

No alert. No obvious failure.

Yet the CIO knew something was wrong. In AI-driven operations, the most serious risks rarely arrive with alarms. They surface quietly. Within minutes, data science and security teams were on the call.

“What changed?” the CIO asked.

“The model updated itself,” an engineer replied. “It may have discovered a new optimisation path.”

“Is this drift? Bias? Or something worse?”

“We don't know yet.”

Then came the question that increasingly defines the modern CIO's role:

“Under India's AI governance guidelines, does this qualify as a reportable incident?”

The room went silent. Someone pulled up The guidelines. Another checked the DPDP Act. The CISO revisited CERT-In's six-hour reporting rule. A data analyst flagged the requirement for human oversight.

No one had a clear answer. But everyone understood the stakes.

This is the new reality for Indian enterprises. Al now runs core operations, and Al governance is becoming central to accountability. But the ambiguity is intentional.

The government has deliberately avoided defining a rigid concept of “Al incident reporting”. Al risk varies by context: what is critical in banking may be routine in retail. A one-size-fits-all mandate would either overwhelm regulators with noise or discourage innovation through over-compliance.