India's AI Governance Guidelines Meet the DPDPA: What the Dual Framework Means for AI-Driven Businesses

Abhi Anand
23 March 2026

Introduction

India's approach to regulating artificial intelligence took a decisive turn in late 2025 when the Ministry of Electronics and Information Technology (MeitY) released its AI Governance Guidelines alongside the DPDP Rules — creating what is effectively a dual compliance framework for AI-driven businesses. As documented by the International Association of Privacy Professionals (IAPP), these guidelines were published in November 2025, coinciding with the DPDP Rules notification, signalling that India views AI governance and data protection as deeply intertwined. The subsequent AI Impact Summit 2026 further reinforced the government's commitment to building a comprehensive regulatory ecosystem. For organisations deploying AI systems that process personal data — which includes virtually every enterprise AI application — compliance now requires navigating both frameworks simultaneously.

The Seven Sutras: India's AI Governance Principles

MeitY's AI Governance Guidelines are structured around seven foundational principles — referred to as 'sutras' — that establish the ethical and operational standards expected of AI systems deployed in India. These principles are not merely aspirational; they are designed to be operationalised alongside the DPDPA's binding obligations, creating a practical compliance framework. The Kiteworks regulatory analysis notes that MeitY's approach draws from global frameworks while incorporating India-specific considerations around digital inclusion and sovereignty.

  • Safety and reliability — AI systems must be designed, tested, and deployed to minimise risks of harm, with robust testing protocols and fail-safe mechanisms
  • Transparency and explainability — organisations must be transparent about when AI is being used and provide meaningful explanations of how AI-driven decisions are made
  • Fairness and non-discrimination — AI systems must not produce biased outcomes based on caste, religion, gender, or other protected characteristics under the Indian Constitution
  • Accountability — clear accountability structures must exist for AI outcomes, with designated individuals responsible for the system's behaviour and impact
  • Privacy and security — AI systems must process personal data in accordance with the DPDPA and implement security safeguards proportionate to the risk
  • Positive societal impact — AI deployment should contribute to India's developmental goals, including digital inclusion, economic growth, and public welfare
  • Digital sovereignty — AI systems operating in India must respect India's regulatory authority and ensure that data processing does not compromise national interests

Where the DPDPA and AI Guidelines Overlap

The intersection between the DPDPA and the AI Governance Guidelines creates a zone of overlapping compliance that organisations must navigate carefully. The DPDPA's consent requirements and the AI Guidelines' transparency mandate converge on a common principle: individuals must know how their data is being used and have meaningful control over that use. When an AI system processes personal data to make automated decisions — credit scoring, insurance underwriting, content recommendation, hiring screening — both frameworks apply simultaneously, each adding specific requirements that must be satisfied.

  • Consent for AI processing — under the DPDPA, processing personal data through AI systems requires specific, informed consent that explains the AI-driven purpose. Blanket consent for 'analytics' or 'service improvement' is insufficient
  • Explainability as a notice requirement — the DPDPA's notice obligations, combined with the AI Guidelines' explainability sutra, require organisations to explain in plain language how AI models use personal data to reach conclusions
  • Data minimisation in AI training — the DPDPA's purpose limitation principle constrains the use of personal data for AI model training unless specific consent has been obtained for that purpose
  • Automated decision-making safeguards — Significant Data Fiduciaries using AI for automated decisions face particularly stringent requirements under both frameworks, including mandatory human review mechanisms

AI Impact Summit 2026: Regulatory Signals

The AI Impact Summit 2026, organised under MeitY's auspices, provided critical signals about the direction of India's AI regulatory landscape. As reported by Kiteworks, the summit brought together regulators, industry leaders, and civil society to discuss the practical implementation of the dual framework. Key takeaways included MeitY's confirmation that the AI Guidelines would be enforced through sectoral regulators — meaning RBI for fintech AI, IRDAI for insurance AI, and SEBI for capital markets AI — rather than through a single AI regulator. This sectoral approach means that AI compliance requirements will vary by industry, with financial services and healthcare facing the most stringent oversight. The summit also previewed potential amendments that would make certain AI governance principles legally binding through subordinate legislation under the DPDPA.

Consent Challenges for AI Systems

Obtaining valid DPDPA-compliant consent for AI processing presents unique challenges that go beyond traditional data collection scenarios. AI systems often process data in ways that are difficult to explain to non-technical users, yet the DPDPA demands that consent be 'informed' — meaning the Data Principal must genuinely understand how their data will be used. According to the Brookings Institution, this tension between AI complexity and consent simplicity is one of the most significant implementation challenges facing Indian businesses.

  • Purpose specificity for AI — 'We will use your data to train machine learning models' is not specific enough. Consent must explain what the model does, what decisions it influences, and how it affects the Data Principal
  • Dynamic processing — AI models evolve through retraining, and the processing purpose may shift over time. Fresh consent may be required when the model's use case materially changes
  • Third-party model providers — when organisations use pre-trained models from providers like OpenAI or Google, the data flow to third parties must be disclosed and consented to separately
  • Federated and edge AI — processing personal data on-device or through federated learning still constitutes processing under the DPDPA and requires appropriate consent mechanisms

Transparency and Explainability Requirements

The AI Guidelines' transparency sutra, combined with the DPDPA's notice requirements under the DPDP Rules, creates a comprehensive transparency obligation for AI-driven processing. Organisations must disclose when AI is involved in decision-making, provide meaningful explanations of the logic involved, and enable Data Principals to understand the significance and likely consequences of AI-driven processing. The World Economic Forum has noted that India's approach to AI transparency aligns with emerging global standards while maintaining flexibility for innovation.

  • AI disclosure notices — Data Principals must be informed when AI is used to process their data, including in customer service chatbots, recommendation engines, and automated screening
  • Logic explanations — for significant decisions affecting access to services, credit, employment, or insurance, organisations must explain the key factors that influenced the AI's output
  • Human review rights — Data Principals should have the ability to request human review of AI-driven decisions that significantly affect them, particularly for Significant Data Fiduciaries (SDFs)
  • Model documentation — organisations must maintain documentation about AI models, including training data sources, performance metrics, and bias testing results

Preventing AI Data Leakage Under the Dual Framework

One of the most pressing risks at the intersection of AI and data protection is the leakage of personal data through AI systems — whether through model memorisation, prompt injection, or inadequate access controls. Our detailed analysis of preventing GenAI data leakage explores this risk in depth. Under the dual framework, organisations must implement data classification and DLP solutions that specifically account for AI processing pathways. The DPDPA's security safeguard requirements (carrying penalties up to ₹250 crore) apply with equal force to AI systems as they do to traditional databases, and the AI Guidelines add requirements for AI-specific security testing including adversarial robustness and prompt injection resistance.

Industry-Specific Implications

The dual framework's impact varies significantly across industries, with sectors that are both heavily regulated and AI-intensive facing the most complex compliance landscape. According to NASSCOM, over 70% of Indian enterprises are deploying or piloting AI systems, but fewer than 20% have established AI governance frameworks.

  • Financial services — banks and NBFCs using AI for credit scoring, fraud detection, and KYC must comply with the DPDPA, AI Guidelines, and RBI's data localisation and privacy requirements. The layering of regulatory obligations makes this sector the most complex
  • Healthcare — AI diagnostic tools, telemedicine platforms, and health data analytics must navigate DPDPA consent requirements for sensitive health data alongside the AI Guidelines' safety and reliability sutras
  • E-commerce and retail — recommendation engines, dynamic pricing algorithms, and personalisation systems must provide transparency about AI-driven decisions while maintaining compliant consent frameworks
  • HR and recruitment — AI-powered screening tools must demonstrate fairness and non-discrimination while complying with DPDPA requirements for employee data processing

Building a Unified Compliance Strategy

Rather than treating the DPDPA and AI Guidelines as separate compliance workstreams, organisations should build a unified strategy that addresses both frameworks simultaneously. This integrated approach reduces duplication, ensures consistency, and creates a more robust governance structure. The DPDPA compliance checklist should be expanded to incorporate AI-specific requirements, creating a single source of truth for data and AI governance.

  • Integrated data and AI inventory — map all AI systems alongside your data processing inventory, identifying which AI systems process personal data and how
  • Unified consent framework — design consent mechanisms that cover both traditional data processing and AI-specific uses, avoiding the need for separate consent flows
  • Combined impact assessments — conduct assessments that evaluate both data protection impact and AI risk in a single exercise, particularly for high-risk AI applications
  • Cross-functional governance — establish governance structures that bring together data protection, AI ethics, cybersecurity, and legal teams under a common framework
  • Continuous monitoring — implement monitoring systems that track compliance with both frameworks in real time, using automated auditing tools to detect drift

How Kraver.ai Bridges AI Governance and Data Protection

Kraver.ai is uniquely positioned to help organisations navigate the dual framework because our platform was designed from the ground up to handle the intersection of AI and data protection. Our data discovery engine automatically identifies when personal data flows into AI systems, flagging processing activities that require enhanced consent or transparency. The platform's consent management module supports AI-specific consent flows with plain-language explanations of algorithmic processing, while our audit capabilities generate unified compliance reports covering both DPDPA obligations and AI governance principles. By treating AI governance and data protection as a single compliance challenge, Kraver.ai helps organisations avoid the costly duplication and gaps that arise from managing two frameworks separately.
