What is AI regulation in India?
AI regulation: countries and regions
India does not yet regulate AI through a single omnibus AI Act. Instead, it uses a layered model: policy papers and governance guidance, institution-building under the IndiaAI Mission, ministry advisories, platform duties under the Information Technology Act and IT Rules, data protection law for personal data use, and sector-specific supervision where AI is deployed. As of 5 June 2026, the clearest AI-specific hard law is India's synthetic-content regime for intermediaries, alongside a broader advisory and governance framework.
What this means
In India, "AI regulation" is not one document or one regulator. It is the combined effect of strategy papers, mission-led programmes, ministry advisories, digital platform rules, data protection rules and sectoral law. That is why two statements can both be true: India does not have a general AI Act, and India still has real AI-related legal duties.
It also helps to separate three nearby ideas. AI policy is the government's direction of travel. AI governance is how risks, accountability and oversight are managed. AI regulation is where legal duties or enforceable supervisory expectations attach. In India, those three layers overlap more than they do in jurisdictions that rely on one central statute.
That makes the practical question less dramatic but more important. For most organisations, the issue is not "Is there an AI law?" It is "Which Indian rules apply to this use of AI, right now, given the product, the data, the sector and whether the system creates or distributes synthetic content?"
Why it matters
This matters because Indian AI compliance is easy to underestimate. A team can wrongly assume it is outside regulation because there is no single AI Act, while missing binding duties on intermediaries, privacy and personal data constraints, sectoral rules, public procurement conditions and general liability under existing law.
For founders and operators, that affects launch design, content moderation, data pipelines, model testing, grievance handling and customer commitments. For buyers and governance leads, it affects vendor diligence, contract terms, audit rights, incident escalation and whether a deployment is acceptable in a sensitive setting such as finance, telecoms, healthcare, education or government.
It also matters strategically. India's current model is deliberately pro-adoption and institution-building, but it is not laissez-faire. The official direction is to use existing law where possible, fill gaps with targeted amendments, and support that with technical institutions, sandboxes, standards work and mission-backed guardrails. Organisations that can already show traceability, human oversight, complaint handling, data discipline and synthetic-content controls will be better placed as the framework keeps moving.
How it works
India has a layered model, not one AI statute
India's current framework is best understood as layered regulation. The top layer is strategic and advisory. The middle layer is institutional, especially through the IndiaAI Mission. The bottom layer is binding law, which comes from existing digital, data and sector rules rather than a cross-economy AI statute.
That means India is not following an EU-style model where one law classifies AI systems across the economy and imposes one common conformity route. Instead, it is building AI governance through a mix of soft law and targeted hard law. The closer a use case gets to public-facing risk, unlawful content, personal data, or a heavily regulated sector, the more concrete the legal exposure becomes.
The policy and governance layer sets the direction of travel
NITI Aayog's Responsible AI work in 2021 is still important because it framed the Indian debate around a risk-based, context-sensitive approach rather than a one-size-fits-all rulebook. It also pushed early on ideas that remain visible today: responsible public procurement, human oversight, multi-disciplinary review, governance by use case, and proportionality based on harm.
That thinking matured in the India AI Governance Guidelines unveiled in November 2025 under the IndiaAI Mission. Those guidelines are not a cross-economy binding code. They are a foundational reference framework. Their core message is that India should rely on existing law where possible, use targeted amendments where necessary, encourage voluntary governance measures, and build technical and institutional capacity instead of reaching immediately for one omnibus Act.
The 2025 guidelines also matter because they show what government expects good practice to look like: transparency, grievance handling, risk classification, accountability tied to role in the AI value chain, and more use of techno-legal tools such as provenance, privacy-preserving methods and compliance-by-design. They recommend an AI Governance Group and a Technology and Policy Expert Committee, but the sources reviewed do not clearly show that these recommended bodies are already functioning as a settled legal architecture.
The IndiaAI Mission is the main institution-building engine
The Cabinet approved the IndiaAI Mission on 7 March 2024 with a substantial budget and seven pillars. Those pillars are not only about growth and compute. They also create a governance spine. The Safe and Trusted AI pillar is especially important because it is the mission channel for responsible AI tools, self-assessment checklists, governance frameworks and related technical work.
This is significant for regulation because India is building capability and governance together. The Mission is implemented through IndiaAI under Digital India Corporation, and official materials show that the IndiaAI Safety Institute is being built out under the Safe and Trusted AI pillar. That matters operationally. In India, governance is not only a matter of legal drafting. It is also a matter of setting up institutions that can test systems, develop benchmarks, support draft standards and offer technical guidance.
The Mission has also already backed concrete responsible-AI programmes. Public material records selected projects on themes such as bias mitigation, privacy-preserving machine learning, explainability, auditing and governance testing. That gives organisations a clearer picture of what Indian public institutions consider credible governance priorities.
The advisory layer came first, and it still matters
A defining feature of India's AI approach has been advisory-led steering before detailed AI-specific hard law. The clearest example is MeitY's advisory of 15 March 2024, issued under the existing IT Act and IT Rules framework, and expressly replacing an earlier 1 March 2024 advisory.
That March 2024 advisory told intermediaries and platforms to ensure that AI models, large language models, generative AI tools and algorithms made available through their computer resources were not used for unlawful content. It also addressed bias or discrimination that could threaten the integrity of the electoral process. For under-tested or unreliable AI, it required visible communication that outputs could be fallible. It further advised labels or embedded identifiers where intermediary tools enabled synthetic text, audio, visual or audio-visual material that could be used as misinformation or deepfakes.
In practical terms, that advisory showed the Indian government's preferred style before the 2026 rule changes: use existing due-diligence powers quickly, push responsibility onto intermediaries, and focus on deception, public harm and traceability rather than creating a general licensing regime for all AI development.
The binding AI-specific rules now bite hardest on synthetic content and platforms
The strongest AI-specific hard law in force today sits inside the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, as amended in February 2026. These amendments are focused on "synthetically generated information", which is a defined term for realistic AI-generated or AI-altered audio, visual or audio-visual content that appears authentic.
For intermediaries whose tools enable the creation or modification of such material, the rules require reasonable and appropriate technical measures to prevent unlawful synthetic content. Permissible synthetic content must be clearly labelled and accompanied by provenance metadata or similar identifier mechanisms, to the extent technically feasible. Significant social media intermediaries must go further. Before publication, they must require users to declare whether content is synthetic, take reasonable technical steps to verify that declaration, and ensure clear labelling where content is confirmed to be synthetic.
The removal side is equally important. Unlawful information, including unlawful synthetic material, must be removed or disabled within three hours once actual knowledge arises through a court order or a reasoned government intimation in the manner the rules prescribe. Non-observance can jeopardise the intermediary's safe-harbour protection under section 79 of the IT Act.
This is a major point of precision. These are real binding duties, but they are not a general AI law for every enterprise using AI internally. They hit most directly where an organisation is acting as an intermediary, especially a large platform, or where it enables the creation, hosting or dissemination of deceptive synthetic media.
Personal data, sector law and procurement still do most of the wider regulatory work
Outside the synthetic-content rules, the wider regulatory picture still comes from adjacent law. If an AI system processes digital personal data, the Digital Personal Data Protection framework is relevant. That matters for training, inference, profiling, retention, security, data subject rights and transfers. But this is also a fast-dating and easy-to-misread area. The DPDP Rules, 2025 were notified in November 2025 with phased commencement, so organisations should not assume that every detailed rule is already live in the same way as the February 2026 synthetic-content amendments.
Even so, the direction is clear. AI teams that touch personal data should already be designing for notice, purpose discipline, security safeguards, data minimisation, complaints handling and documented governance. Waiting for every final date to pass before building those controls would be poor risk management.
Sector law remains decisive too. Financial services, telecoms, aviation, healthcare, education and public administration each carry their own supervisory expectations. India's official AI governance materials repeatedly assume that sectoral regulators, not one central AI authority, will lead in their own domains. The same is true in procurement. NITI Aayog's operational Responsible AI work explicitly argued that government procurement should embed responsible AI requirements, especially for higher-risk deployments. So even where legislation is not AI-specific, contracts and buying rules can still impose meaningful controls.
Enforcement is distributed, and the next stage is still open
India does not yet have one dedicated AI regulator covering all sectors. MeitY is the nodal ministry for the central digital framework and the IndiaAI Mission. Intermediary duties are enforced through the IT Act and IT Rules architecture, with consequences that can include loss of safe harbour and exposure under other laws. CERT-In shapes the cyber-security side. Sector regulators and ministries remain responsible in their own fields. Courts, law enforcement and existing statutory bodies continue to matter for fraud, defamation, obscenity, privacy and other harms linked to AI use.
The near-term direction, however, is still open. The 2025 governance guidelines argue for targeted amendments and a graded-liability approach rather than an immediate omnibus law. Parliamentary scrutiny continued into 2026, which suggests more issue-specific reform is possible. The open questions are therefore less about whether India is regulating AI, and more about where the next hard-law increments will appear: more intermediary rules, more sector-specific circulars, more procurement conditions, more standards-backed assessment, or eventually a broader statute.
Examples
A large social platform that lets users upload AI-generated video or voice in India now needs a synthetic-content workflow, not just a general moderation policy. In practice that means deciding whether it is an intermediary or a significant social media intermediary, collecting and verifying user declarations where required, attaching visible labels to synthetic material, preserving provenance metadata where technically feasible, and preparing a process to action valid court or government orders within the three-hour rule.
A bank, hospital, telecom operator or education provider cannot rely on the phrase "there is no AI Act" and move on. If it uses AI for customer-facing decisions, fraud detection, triage, personalisation or identity-linked processing, it still sits inside existing sector supervision and data governance. A sensible workflow is therefore use-case mapping first, then a combined review across sector obligations, personal-data handling, human oversight, incident escalation and customer complaints.
A startup or research consortium that wants to align early with the Indian direction of travel can use the Safe and Trusted AI pillar as a practical signal. IndiaAI has already selected mission-backed projects in areas such as bias mitigation, privacy-preserving machine learning, explainability, auditing and governance testing. That does not create a legal licence, but it is a strong indicator of what credible public-interest AI governance is likely to look like in India.
Common misunderstandings
India has no AI regulation at all. Wrong. India has no single omnibus AI Act, but it does have binding platform rules, data law, sector law and ministry advisories that already affect AI deployment.
The India AI Governance Guidelines are binding law. Not on their own. They are a reference framework and policy signal, not a general cross-economy statute.
The 2026 synthetic-content amendments regulate every AI system in India. Not exactly. They are most directly aimed at intermediaries and significant social media intermediaries dealing with synthetic media.
If you are not a platform, Indian AI law does not matter. Wrong. Personal data, consumer harm, fraud, sector supervision, contracts and procurement can still create real compliance duties.
The DPDP framework is fully live in one stroke. Not safely assumed. The 2025 rules use phased commencement, so timing and scope need to be checked carefully.
Risks and boundaries
The biggest boundary is scope. India's present framework is not a single code for all AI harms. It is strongest where unlawful content, deepfakes, platform due diligence, personal data and regulated sectors are involved. For many enterprise uses, the legal position is still assembled from several adjacent regimes rather than one AI-specific statute.
That also means over-generalisation is risky. A consumer chatbot, a credit-scoring model, an AI hiring tool, a medical support system and a synthetic-video platform do not face the same Indian regulatory profile. The answer depends on role in the value chain, sector, deployment context, data type and whether the tool creates or spreads deceptive synthetic content.
There is also genuine point-in-time uncertainty. The 2025 governance guidelines recommend further institutions and targeted amendments, but the reviewed sources do not confirm that every recommended governance body has already been fully formalised. The DPDP framework is moving in stages, so personal-data compliance timing must be read against actual commencement provisions, not slogans. And while a future omnibus AI law remains possible, the confirmed official direction reviewed here still leans toward mission-led governance, existing-law enforcement and targeted gap-filling.
This article explains the framework at a high level as of 5 June 2026. It is not legal advice, and it should not be treated as a substitute for use-case-specific review where public-sector deployment, high-risk decisions, personal data or platform obligations are involved.
What to do next
First, classify your role. Are you building a model, deploying one internally, selling an AI product, operating a platform, or buying a system from a vendor? In India, these roles do not carry the same legal exposure.
Second, map your use cases by risk rather than by team name. Separate synthetic-content features, personal-data processing, customer-facing decision support, public-sector use, and sector-regulated deployments. That simple sorting exercise will usually show whether you are facing platform duties, privacy duties, sector supervision, procurement conditions, or some combination of them.
Third, build the control set that India's framework is clearly rewarding: documented purpose and accountability, testing before rollout, visible complaint routes, human oversight for sensitive decisions, synthetic-content labelling where relevant, incident escalation, and records that let you explain how the system was governed.
Fourth, if you are a platform or creator tool, treat the February 2026 synthetic-content rules as an immediate operating issue. Product, trust and safety, legal and engineering teams need one joined process, not separate policies.
Finally, keep watching official movement. This is a fast-dating jurisdiction. The most important updates will usually come from MeitY, IndiaAI Mission material, the IT Rules framework, the DPDP rulemaking track and the sector regulator that already oversees your market.
FAQs
Does India have one central AI Act?
No. India regulates AI through a layered mix of guidance, mission-led institutions, digital platform rules, data law and sector-specific supervision.
Are the India AI Governance Guidelines legally binding?
Not as a general cross-economy rulebook. They are a policy and governance framework that guides future regulation, institutional design and good practice.
What is the main AI-specific hard law in India right now?
As of 5 June 2026, the clearest AI-specific binding rules are the February 2026 amendments to the IT Rules on "synthetically generated information".
Do all AI developers need government approval before launching in India?
No general prior-approval regime is confirmed for all AI development. But specific sectors, public contracts and platform duties can still create gatekeeping and compliance checks.
Does India's data protection regime already matter for AI?
Yes, especially where digital personal data is used. But the detailed DPDP rulebook has phased commencement, so exact timing still matters.
Who enforces AI rules in India?
Enforcement is distributed. MeitY leads the core digital framework, sector regulators supervise their own domains, and courts, law enforcement and data authorities also matter depending on the issue.
Is India likely to copy the EU AI Act soon?
The confirmed official direction reviewed here points more toward targeted amendments, existing-law enforcement, sandboxes and sectoral controls than an immediate EU-style omnibus model.
What is the practical first step for a company using AI in India?
Build a use-case inventory and separate synthetic-content features, personal-data uses and sector-regulated deployments. That usually reveals which Indian rules matter first.