The deliberate absence of an AI Act

India has not enacted, and as of mid-2026 does not propose to enact in the near term, a comprehensive horizontal statute governing artificial intelligence. This is a choice, not an oversight. The Government's stated position—articulated across ministerial statements, the IndiaAI Mission, and the work of expert committees—is that premature, prescriptive legislation risks stifling an industry the country intends to lead in, and that existing legal instruments, supplemented by principle-based guidance and sectoral regulation, can address most AI-related harms without a dedicated AI law.

The result is a governance framework that must be assembled rather than read. There is no single document an adviser can hand a client. Instead, the obligations applicable to an AI system in India are distributed across data protection law, intermediary liability rules, consumer protection, competition law, sector-specific regulation, intellectual property, and a growing body of executive advisories. Understanding Indian AI governance means understanding how these layers interact.

The institutional landscape

The Ministry of Electronics and Information Technology (MeitY) is the principal nodal ministry for AI policy. It has driven the most consequential interventions to date, including the AI advisories issued in 2024, and it houses the IndiaAI Mission. Other actors populate the field. NITI Aayog, the Government's policy think tank, authored the foundational 2018 National Strategy for Artificial Intelligence and subsequent papers on Responsible AI that established the principle vocabulary—safety and reliability, equality, inclusivity and non-discrimination, privacy and security, transparency, accountability, and protection of human values—that continues to frame Indian discourse.

Sectoral regulators are increasingly active. The Reserve Bank of India has examined the use of AI and machine learning in financial services and credit decisioning. The Securities and Exchange Board of India has consulted on AI in capital markets. These regulators do not wait for a horizontal AI law; they apply and extend their existing mandates to AI deployments within their sectors. For a regulated entity, sectoral guidance is frequently the most immediately binding source of AI obligation.

The IndiaAI Mission and the development-first orientation

The IndiaAI Mission, approved with substantial budgetary backing, is the clearest expression of India's development-first posture. Its pillars include compute capacity, a national AI compute infrastructure, support for indigenous foundation models, datasets through a national data-management platform, applications in priority sectors, future skills, startup financing, and a dedicated workstream on Safe and Trusted AI. The Safe and Trusted pillar funds the development of governance tooling—bias-mitigation techniques, explainability frameworks, watermarking and deepfake-detection tools—rather than imposing obligations. The philosophy is that India will govern AI in part by building the technical means to make it safer, not solely by prohibiting unsafe uses.

This orientation distinguishes India sharply from the European Union, whose AI Act leads with prohibition and obligation. India's wager is that a country at India's stage of AI adoption is better served by enabling infrastructure and capability than by a compliance regime calibrated to a more mature market. Whether that wager holds as Indian AI deployment scales—and as AI-enabled harms accumulate—is the central uncertainty of the framework.

The 2024 advisories: governance by executive instrument

The most revealing episode in Indian AI governance to date was MeitY's issuance of advisories to intermediaries and platforms concerning AI systems in 2024. An initial advisory required, among other things, that platforms deploying under-tested or unreliable AI models obtain explicit Government permission before making them available to Indian users, and that AI-generated content liable to be used as misinformation be appropriately labelled. The advisory drew immediate and sustained criticism from industry and the technical community, who argued it was vague, legally ungrounded in its permission requirement, and chilling to innovation and open-source development.

MeitY revised the advisory within weeks. The revised version dropped the explicit-permission requirement and refocused on labelling of synthetic content and on the susceptibility of deployed models to bias and unreliability. The episode is instructive for two reasons. First, it demonstrated the Government's willingness to govern AI through non-statutory advisories—instruments of contested legal force that nonetheless shape platform behaviour because no platform wishes to be on the wrong side of the nodal ministry. Second, it demonstrated the limits of that approach: the rapid walk-back showed that governance by advisory is responsive to industry pushback in a way that statutory obligation is not.

For advisers, the lesson is that Indian AI governance is presently fluid and instrument-light. Advisories can appear, bind in practice, and be revised on a timescale of weeks. Compliance strategy must accommodate that volatility.

Where existing law already bites

The claim that India lacks AI regulation is, on inspection, overstated. Several existing bodies of law apply to AI systems with full force.

The DPDP Act 2023 governs any AI system that processes personal data—which is to say, most consequential AI systems. An AI model trained on personal data, or one that processes personal data at inference, is subject to the consent, notice, purpose-limitation, and security obligations of the Act. The Act's requirement that processing be for a specified purpose sits awkwardly with the broad, exploratory data use characteristic of model training, and the absence of a legitimate-interests basis narrows the lawful grounds on which training data may be processed. Automated decision-making is not separately regulated in the manner of the GDPR's Article 22, but the access and correction rights of the Data Principal apply to data processed by automated systems.

The Information Technology Act, 2000 and the intermediary rules made under it govern the liability of platforms hosting or deploying AI systems, including obligations of due diligence and content moderation. The Consumer Protection Act, 2019 reaches AI systems that mislead consumers or produce unfair outcomes, and its provisions on misleading advertisements and product liability are capable of application to AI-driven services. Competition law addresses algorithmic collusion and the data-driven market power of dominant AI platforms. Copyright law frames the contested questions of training-data use and the authorship of AI-generated works. And the general law of tort, contract, and criminal liability applies to AI-mediated harms as it does to any other.

The practical consequence is that a developer or deployer in India faces real and present legal exposure, distributed across these instruments, notwithstanding the absence of a dedicated AI statute.

Deepfakes, synthetic media, and the labelling impulse

If any single AI harm has concentrated Indian regulatory attention, it is synthetic media. High-profile deepfake incidents involving public figures catalysed both the 2024 advisories and broader policy discussion. The regulatory instinct has been towards labelling and provenance: requiring that AI-generated or AI-modified content be identifiable as such, whether through visible labels, embedded metadata, or watermarking. This aligns with international movement towards content-provenance standards, though India has not yet mandated a specific technical standard.

The labelling approach is attractive because it is comparatively light-touch—it regulates disclosure rather than prohibiting creation—and because it places the compliance burden on platforms and generators rather than requiring case-by-case adjudication of harm. Its limitations are equally clear: labels can be stripped, watermarks can be defeated, and provenance metadata depends on adoption across a fragmented generation ecosystem. Labelling is a necessary component of synthetic-media governance, not a complete solution, and Indian policy will have to decide how much enforcement weight to place on it.

The contrast with the EU AI Act

The European Union's AI Act is the natural comparator and the deliberate counterpoint. The EU model is prescriptive and risk-tiered: it classifies AI systems into unacceptable-risk uses that are prohibited, high-risk uses subject to extensive conformity-assessment and documentation obligations, limited-risk uses subject to transparency requirements, and minimal-risk uses left largely unregulated. It imposes obligations ex ante, before deployment, and backs them with significant penalties.

India has chosen, for now, the opposite design. Rather than classifying systems by risk and attaching obligations to each tier, it relies on existing law to address harms as they manifest, supplemented by principle-based guidance and targeted advisories. The Indian approach is lighter, more flexible, and more accommodating of innovation; it is also less predictable, harder to advise on, and weaker in its ex ante protections. Each model reflects the regulator's underlying priorities. The EU prioritises the prevention of harm and the protection of fundamental rights, accepting compliance cost as the price. India prioritises the growth of domestic AI capability, accepting regulatory uncertainty as the price.

The two approaches are not static. The EU AI Act's obligations are phasing in over an extended period, and its practical effect remains to be seen. India's framework is, if anything, more likely to evolve, and the direction of that evolution—towards a more structured regime as deployment matures, or a continuation of the principle-based model—is genuinely open. Multinational organisations will, in the meantime, frequently calibrate to the more demanding EU standard and apply it globally, which means the EU Act may shape Indian AI practice more than Indian instruments do.

From the 2018 National Strategy to the present

India's AI policy did not begin with the 2024 advisories. Its intellectual foundations were laid in NITI Aayog's 2018 National Strategy for Artificial Intelligence, which framed AI as an instrument of inclusive growth under the banner of "AI for All" and identified priority sectors—healthcare, agriculture, education, smart cities and infrastructure, and smart mobility—where AI could deliver social returns at scale. The Strategy was aspirational rather than regulatory; it set a direction of travel rather than imposing obligations. Subsequent NITI Aayog papers on Responsible AI, published across 2021, developed the principle set—safety and reliability, equality, inclusivity and non-discrimination, privacy and security, transparency, accountability, and the protection of positive human values—that remains the reference vocabulary for Indian AI governance.

This lineage matters because it explains the framework's present character. India's approach to AI has been, throughout, principle-led and capability-focused rather than rule-led. The 2024 advisories were an aberration from this pattern—a reach for binding executive instruction—and their rapid revision can be read as a return to the principle-based mean. Understanding the trajectory helps an adviser predict the direction of future intervention: more likely incremental, sectoral, and principle-anchored than a sudden pivot to a comprehensive horizontal statute.

The liability question: who answers for an AI decision?

Among the hardest unresolved questions in Indian AI governance is the allocation of liability for harm caused by an autonomous or semi-autonomous system. The Indian legal system addresses this question today through general principles rather than AI-specific rules. Where an AI system causes harm, liability may be sought through negligence, where the relevant duty of care and its breach can be established; through product liability under the Consumer Protection Act, where the AI system is characterised as a defective product or service; through contract, where the allocation of risk has been agreed between commercial parties; and through vicarious and enterprise liability principles that attribute the conduct of a system to the entity that deployed it for its benefit.

The difficulty is that these doctrines were built for human and mechanical actors, and they strain when applied to systems whose behaviour is emergent, probabilistic, and not fully foreseeable even to their developers. Questions of causation become acute where a harmful output results from the interaction of training data, model architecture, deployment context, and user input across a chain of distinct actors. India has not yet legislated to resolve these questions, and in their absence the allocation of AI liability will be worked out, case by case, through litigation and contract. For deployers, the practical response is to address liability expressly in commercial agreements rather than relying on the uncertain default position of the general law.

The open-source tension

The 2024 advisory episode exposed a tension that will recur: the friction between AI governance instruments and the open-source development model. The initial advisory's permission requirement, read literally, threatened to capture not only large commercial platforms but also developers and distributors of open-source models, who could not realistically seek case-by-case Government approval for downstream uses they neither controlled nor foresaw. The backlash from the open-source and research communities was a significant factor in the advisory's revision.

The episode signals a structural challenge for Indian AI policy. India has a substantial and growing community of AI researchers and open-source contributors, and the IndiaAI Mission's support for indigenous foundation models presupposes an open and permissive development environment. Governance instruments that impose obligations calibrated to large commercial deployers can inadvertently burden open-source development, which lacks the compliance resources of large firms and operates on a distributed model ill-suited to permission-and-approval regimes. Reconciling effective governance with a thriving open-source ecosystem is a balance Indian policy has not yet struck, and the manner in which it does so will materially affect whether India's foundation-model ambitions are realised domestically or ceded to better-resourced jurisdictions.

Compute, sovereignty, and the infrastructure of governance

An underappreciated dimension of India's AI framework is the extent to which it treats compute infrastructure as a governance lever in its own right. The IndiaAI Mission's substantial investment in national AI compute capacity reflects a view that meaningful sovereignty over AI requires control of the underlying infrastructure—the chips, data centres, and cloud capacity on which models are trained and served. A country dependent on foreign compute and foreign foundation models has limited practical ability to govern the AI systems its citizens use, regardless of the statutes it enacts. India's compute strategy is therefore not merely industrial policy; it is a precondition for governance autonomy.

This framing connects Indian AI policy to the broader sovereign-AI discourse gaining traction internationally, in which states seek to develop indigenous capability rather than depend on a handful of foreign providers. The tension is between the cost and difficulty of building domestic capability and the speed and quality available from established global providers. India's bet is that the long-term governance and strategic benefits of indigenous compute and models justify the near-term cost. The success of that bet will shape not only India's AI industry but the practical reach of its governance framework, since a government that controls the infrastructure has regulatory options unavailable to one that does not.

Interoperability and the global regulatory mosaic

No account of Indian AI governance is complete without situating it in the emerging global regulatory mosaic. The European Union has legislated comprehensively. The United States has proceeded through executive action, agency guidance, and sectoral regulation, with the federal posture shifting across administrations. China has issued binding rules on recommendation algorithms, deep synthesis, and generative AI. The United Kingdom has adopted a context-specific, regulator-led approach closer in spirit to India's than to the EU's. International bodies—the OECD, the G7 through the Hiroshima Process, and various standards organisations—are working towards principles and technical standards that may eventually supply a measure of interoperability across these divergent national regimes.

India participates in these international conversations while preserving its policy autonomy, and its principle set aligns broadly with the OECD AI Principles to which it subscribes. For multinational organisations, the practical reality is a patchwork of national requirements that do not neatly align, and the compliance strategy that emerges is frequently to identify the most demanding applicable standard and apply it across the board, supplemented by jurisdiction-specific adjustments where local law diverges. In this dynamic, India's relatively light framework means that Indian operations are often governed in practice by standards set elsewhere—a paradox in which the absence of prescriptive domestic AI law results not in unregulated Indian AI but in Indian AI regulated by proxy through foreign requirements and global corporate policy.

What organisations should do now

The operational guidance follows from the framework's distributed character. An organisation deploying AI in India cannot discharge its obligations by reference to a single instrument; it must conduct a layered assessment. That means mapping the AI system against the DPDP Act where it processes personal data, against sectoral regulation where it operates in a regulated domain, against the IT Act and intermediary rules where it hosts or moderates content, against consumer and competition law where it affects markets and consumers, and against the prevailing advisories and principle frameworks that signal the direction of executive expectation.

It also means building governance capability that can absorb volatility. Because Indian AI governance presently moves through advisories and guidance rather than slow-moving statute, the compliance function must monitor executive instruments continuously and be capable of rapid adjustment. Documentation, model evaluation, bias assessment, content-provenance measures, and clear accountability for AI decisions are prudent not because a single Indian law mandates them, but because they position the organisation to satisfy whichever layer of the framework crystallises into binding obligation.

India's bet is that capability and principle can substitute, for now, for comprehensive statute. For those building and deploying AI in the Indian market, the task is to navigate a framework that is real, consequential, and deliberately incomplete.

This article is provided for general information and does not constitute legal advice. Organisations should obtain advice tailored to their specific AI systems and deployment contexts.