RBI sets compliance blueprint for AI-driven finance under draft framework
Mumbai, Jun 24, 2026
The draft framework requires regulated entities to establish board-approved model risk management systems covering all models, including AI and machine learning applications
Regulated entities will be required to put in place a board-approved model risk management framework (MRMF) covering all models, including artificial intelligence and machine learning (AI/ML) models, the Reserve Bank of India’s (RBI’s) draft Guidance on Regulatory Principles for Model Risk Management, released on Wednesday, said.
The proposed framework will apply irrespective of whether the models are developed internally, sourced from third parties, or built using a combination of both. Feedback on the draft guidelines can be submitted until July 24.
Under the proposed framework, boards will be required to periodically review the MRMF, approve the entity’s risk appetite and tolerance for model risk, and ensure these assessments are informed by scenario analysis and stress testing. Boards will also have to approve policies relating to model risk management and model-risk classification.
Recognising the growing use of AI/ML models by regulated entities across business and decision-making processes, the RBI said weaknesses in governance, oversight, risk management, and controls could expose institutions to financial, operational, compliance, and reputational risks. The draft guidance lays down broad regulatory expectations for managing model-related risks across the entire lifecycle of such systems.
The central bank has proposed a greater oversight role for the Risk Management Committee of the Board. The committee will be required to review validation reports of models classified as high risk before deployment, oversee monitoring of third-party and AI-based models, review model-risk classification reports at least annually, and examine material breaches and other major concerns.
The RBI has also sought to address risks arising from the use of third-party AI models. It said that where vendors do not disclose adequate information regarding AI/ML models, regulated entities should identify risks arising from such limitations and put in place appropriate safeguards, including restricting the use of such models where necessary.
Regulated entities will be required to assess risks arising from the behavioural characteristics of AI models and test their performance under atypical and stressed scenarios. According to the draft, institutions should evaluate models under edge cases, abnormal inputs, manipulation attempts, and adversarial conditions to identify vulnerabilities that may not emerge under normal operating conditions.
The draft framework also requires regulated entities to ensure that deployment of AI models does not introduce vulnerabilities into their production environments and that adequate safeguards are implemented to mitigate such risks.
For customer-facing AI systems, including generative AI applications, the RBI has proposed additional cybersecurity safeguards such as protection against prompt injection attacks and adversarial inputs, limits on session and context persistence, and mechanisms to detect anomalous usage patterns. Regulated entities will also be required to inform users when they are interacting with an AI-based system, disclose the limitations of such systems, and provide an option to switch to human assistance upon request.
The central bank has further proposed mandatory human oversight for AI-driven decision-making. Regulated entities will need to establish review mechanisms that address risks arising from automation bias, over-reliance on model outputs, and decision fatigue.
[The Business Standard]
