Why a banking framework lands on insurance desks in 2026
On 13 August 2025, the Reserve Bank of India's expert committee released the FREE-AI report (Framework for Responsible and Ethical Enablement of Artificial Intelligence). It sets out 7 sutras, 6 pillars and 26 recommendations for AI use across regulated entities. Three months later, on 5 November 2025, MeitY published the India AI Governance Guidelines, which lifted the same seven sutras almost verbatim and routed sectoral implementation through the existing regulators: RBI, SEBI, ICMR and, for our world, IRDAI.
That sequencing matters. FREE-AI is technically an RBI committee report aimed at banks, NBFCs and payment players. But the architecture is now national policy, and IRDAI sits inside the same coordination structure that the guidelines envisage, with a cross-government AI governance group steering sectoral rollout. The realistic reading for any Indian broker or insurer is that IRDAI will not write a clean-sheet AI regime. It will adapt the FREE-AI scaffolding to insurance, the way it has historically aligned with cross-regulator norms on outsourcing, cyber and data.
For brokers and corporate risk managers this is not abstract. Most firms have already put generative tools into live workflows: policy-wording extraction, submission triage, endorsement drafting, claims summarisation, RFP responses. Very few have documented what those tools are, who owns them, or what happens when one hallucinates a coverage position into a client email.
The argument of this post is simple. The three FREE-AI mechanics most likely to bind insurers and brokers (an internal AI inventory, risk-tiered audits, and contributions to a sector repository) are cheap to start today and expensive to retrofit. Start them now.
The internal AI inventory: your first and most overdue artefact
FREE-AI's most concrete operational ask is an internal inventory of every AI system a regulated entity uses. The committee frames it as a living register that records the model, the use case, the user segment, dependencies, associated risks and any complaints received, reviewed and refreshed at least every six months and kept ready for regulatory inspection.
Most broking firms cannot produce this today. Tools arrive through SaaS subscriptions, embedded features in a placement platform, or an analyst quietly pasting submissions into a public chatbot. An inventory forces that into daylight.
Build it as a structured register, not a slide. For each AI system capture at minimum:
- Name and vendor, and whether the model is hosted in India, abroad, or on-premise.
- Use case and business owner (the named person accountable, not a department).
- Data it touches, especially personal data and client-confidential wordings, and whether that data leaves your tenant.
- Decision influence: does it draft, recommend, or decide? A tool that auto-binds is a different risk animal from one that suggests text a human approves.
- Risk tier (covered in the next section) and the date last reviewed.
Two practitioner notes. First, shadow AI is the real exposure. The inventory only works if frontline staff feel safe declaring tools they already use rather than hiding them, so pair the register with an amnesty rather than a witch-hunt. Second, your inventory should reconcile against your DPDP records of processing. If a tool appears in one and not the other, one of your compliance artefacts is wrong. For the data-protection overlap, our note on DPDP AI vendor governance for insurers and brokers maps the same vendors from the privacy angle.
The inventory is also your cheapest professional-indemnity defence. If a client later alleges that an AI-generated coverage summary misled them, a dated register showing the tool was logged, tiered and human-reviewed is far stronger evidence than a reconstruction built after the dispute lands.
Risk-tiering: not every copilot deserves the same scrutiny
FREE-AI does not ask for the same controls on every tool. It asks for proportionality: internal audit effort scaled to the risk level of the AI, and independent third-party audits reserved for high-risk or complex use cases. That proportionality is the part brokers most often get wrong, either drowning low-risk tools in paperwork or letting a high-impact tool run with none.
A workable tiering for a broking or insurer environment runs along two axes: how much the tool influences a customer or pricing outcome, and how sensitive the data it handles is.
- Tier 1, high risk. Anything that influences a price, a coverage decision, a claim admittance, or a regulatory filing without a meaningful human check. Underwriting recommendation engines, automated claims triage that can decline, and pricing models sit here. These warrant the heaviest documentation and, eventually, independent validation.
- Tier 2, medium risk. Tools that draft material a human reviews before it reaches a client or insurer: endorsement drafting, wording comparison, RFP responses, claims-note summarisation. The human-in-the-loop reduces but does not remove risk, because review fatigue is real.
- Tier 3, low risk. Internal productivity tools with no customer-facing or pricing output: meeting summaries, internal research, code assistance.
The tiering decision is itself a governance act and should be recorded with a one-line rationale. Two firms can legitimately tier the same tool differently based on how they deploy it. A wording-comparison engine whose output goes straight into a binding quote is Tier 1; the same engine used only for internal analyst learning is Tier 3.
For the underwriting end of this spectrum, where explainability and model validation expectations are sharpest, see our deeper treatment in AI model-risk governance for insurer underwriting under IRDAI.
Audits: what internal and independent review actually mean here
FREE-AI splits assurance into internal audit proportional to risk and independent third-party audit for high-risk systems. Brokers tend to assume audit means a once-a-year tick exercise. For AI it has to be more specific, because the thing being audited drifts.
An internal AI audit, at a usable minimum, checks four things. Whether the inventory is accurate and current. Whether each tool is still being used the way its tier assumed. Whether human-review controls on Tier 1 and Tier 2 tools are actually being exercised rather than rubber-stamped. And whether any incidents (a hallucinated clause, a data leak, a client complaint) were logged and closed.
Independent audit for high-risk systems is harder and India's assurance market for it is still thin. Realistically, for a Tier 1 underwriting or pricing model an insurer should expect to commission external validation of model logic, data quality, bias testing and explainability. Brokers rarely build models of that class, so most broker exposure stays in internal audit, with independent review triggered only if a firm deploys its own pricing or triage model.
The practitioner trap is review fatigue masquerading as control. A claims summariser that produces a plausible paragraph nine times out of ten trains the reviewer to approve the tenth without reading it. Good audit samples the human-review step itself: pull a batch of approved AI outputs and re-check them blind. If the error rate in approved outputs is non-trivial, your control exists on paper only.
Document the audit, however light. A dated memo recording what was checked, what was found and what was fixed is worth more under IRDAI inspection than a perfect process nobody can evidence. The same discipline already shows up in adjacent IRDAI expectations on e-policy issuance audit trails, and AI audit will be read against that template.
The National Repository and what a submission looks like
FREE-AI proposes a sector-wide repository of audited AI models, with regulated entities contributing anonymised summaries so the regulator can spot concentration and systemic vulnerability across the system. The intent is supervisory: if forty insurers all run the same third-party fraud-scoring model, a flaw in that model is a systemic event, and the repository is how the regulator sees it coming.
For insurers and brokers this means a future obligation to describe your AI estate to IRDAI in a standard, comparable form, without exposing your competitive secrets or your customers' data. Nobody should submit raw model weights or client records. The submission is a profile: model class, use case, data categories, risk tier, audit status, known limitations.
The firms that will struggle are those whose internal inventory does not exist or does not reconcile. You cannot file an anonymised summary of an estate you have never mapped. This is the strongest practical reason to start the inventory now: the repository submission is a derivative of the inventory, so a clean register makes the eventual filing a formatting job rather than a discovery project.
There is also a concentration insight here that brokers can use commercially today. If your firm and your clients all depend on the same handful of vendor models for extraction or scoring, that is an aggregation exposure worth raising in risk reviews, the same way you would flag a single cloud provider. The repository will eventually make such concentration visible to the regulator; smart brokers map it for their own book first.
The repository is the recommendation most likely to lag in actual rollout, because it needs cross-regulator plumbing between RBI, SEBI, IRDAI and PFRDA. Do not wait for the portal to exist. The inventory and tiering that feed it are useful on their own and are the parts you control.
Board ownership and the accountability question
Both FREE-AI and the MeitY guidelines insist that AI governance is not an IT problem to be delegated downward. FREE-AI calls for a board-approved AI policy and accountability fixed up to board or committee level, covering the full model lifecycle from data sourcing through validation, approval, change control and retirement.
For insurers this folds naturally into the existing board risk and IT committees. For brokers, many of whom run leaner governance, it means somebody at the top must own AI in writing. The accountability sutra is explicit that a human stays answerable for AI-driven outcomes. You cannot outsource liability to a vendor's model card.
The policy itself should be short and operational rather than aspirational. A usable AI policy states which tiers of tool are permitted, what approval a new tool needs before it touches client work, who signs off on Tier 1 deployment, how incidents are reported, and how often the inventory is reviewed. Anything longer tends to be written once and never opened again.
There is a real liability dimension here that brokers under-price. If an AI tool contributes to a wrong coverage placement or a missed exclusion, the claim lands on the broker's professional-indemnity policy, and the broker's defence depends on showing reasonable controls. A board-approved policy, an inventory entry and an audit trail are precisely what a PI insurer and a court will look for. Our piece on the broker's own professional-indemnity exposure sets out why AI raises the stakes on that cover, and the governance steps that keep it defensible.
The firms that treat AI accountability as a box-ticking memo will find the memo does not protect them. The firms that treat it as a real allocation of responsibility, with a named owner and a working approval gate, build something that holds up under both inspection and litigation.
A 90-day starting plan for brokers and risk managers
None of this requires waiting for an IRDAI circular. Here is a sequence a mid-sized broking firm or corporate risk function can run inside a quarter, ahead of any binding direction.
- Weeks 1 to 3, discover. Run an internal AI amnesty. Ask every team to declare every tool, including informal use of public chatbots. Build the first draft inventory from what comes back. Expect surprises; the gap between what leadership thinks is in use and what is actually in use is usually large.
- Weeks 4 to 6, tier and reconcile. Assign each tool a risk tier with a one-line rationale. Reconcile the inventory against your DPDP records of processing and your vendor contracts. Flag any Tier 1 tool that lacks a human-review gate as a priority remediation.
- Weeks 7 to 9, control. Write a one-page board-approved AI policy. Stand up an approval gate so no new client-facing tool goes live without sign-off. Put a basic incident log in place so hallucinations and data slips get recorded rather than buried.
- Weeks 10 to 12, audit and rehearse. Run a first internal audit: sample approved AI outputs and re-check them blind to test whether human review is real. Draft a mock anonymised repository summary for your two or three highest-risk tools, so you know your inventory can produce one.
This is deliberately modest. It will not make you fully FREE-AI compliant, because the framework is advisory and the insurance-specific rules are not written yet. What it does is convert AI from an undocumented liability into a governed, evidenced capability, which is exactly the posture IRDAI supervision rewards. For the broader sectoral picture of how the MeitY guidelines are expected to translate into IRDAI rules, our companion analysis on the India AI Governance Guidelines and IRDAI sectoral rules sets the context this plan operates within.