India Chose Sectoral AI Governance, Not an AI Act
When the Ministry of Electronics and Information Technology released the India AI Governance Guidelines in November 2025, it settled a question the market had been asking for two years: would India copy the European Union's omnibus AI Act, with its prescriptive risk tiers and a single horizontal regulator, or take its own route? India chose its own route. The guidelines set out a principles-led, pro-innovation framework and, critically, push the actual rule-making down to the sectoral regulators. There is to be no umbrella AI statute. Instead, each regulator governs AI within its domain: the Reserve Bank of India for banking, SEBI for securities, and the IRDAI for insurance.
For a commercial insurer or a broker, this is the operative fact. It means the rules that will actually bind your use of AI in underwriting, pricing, claims and distribution will come from IRDAI, layered on top of two cross-cutting laws that already apply: the Digital Personal Data Protection Act and its 2025 Rules, which govern how you process the personal data an AI model consumes, and the Information Technology Act, under which the guidelines locate liability for AI harms. The MeitY guidelines are the constitutional layer; IRDAI's instruments are the operating layer; DPDP is the data layer running through both.
The guidelines rest on a set of principles that any insurance AI deployment will be measured against: transparency, accountability, fairness and non-discrimination, safety and robustness, human oversight, and privacy. None of these is novel as an idea. What is new is that they are now the explicit yardstick a regulator and, in due course, a court or an ombudsman will use to ask whether an automated decision that declined a risk, repriced a premium or repudiated a claim was defensible.
The practical consequence is that AI governance in Indian insurance is not a one-time legal opinion. It is an operating capability the firm has to stand up and keep running, because the regulator has signalled it will judge outcomes, not intentions.
How Liability Is Allocated Across the AI Value Chain
The single most consequential move in the MeitY guidelines for commercial insurance is the attempt to clarify liability across the AI value chain under existing law rather than to create a bespoke AI liability regime. This matters because most insurers and brokers do not build their own models; they buy or license them, embed them in workflows, and feed them client data. The chain typically runs: a foundation-model or platform developer, a deploying firm (the insurer or the broker), and the data principal (the policyholder or insured) whose information is processed and who is affected by the output.
The guidelines lean on the principle that responsibility should sit with the party best placed to prevent or mitigate the harm at each stage, while aligning the analysis with the DPDP due-diligence duties and the IT Act's intermediary and due-diligence concepts. For an insurer or broker, the uncomfortable but realistic reading is that you cannot contract your way out of accountability for an AI-driven decision merely by pointing at the vendor whose model produced it. If you deployed the model in your underwriting or claims process, you made the decision that affected the customer, and the conduct obligations that already bind you under insurance regulation attach to that decision regardless of which black box produced the recommendation.
That allocation drives three concrete obligations for the deploying firm:
- Vendor due diligence as a continuing duty. You have to assess, document and periodically re-test the AI tools you license: what data they were trained on, how they handle the personal and sensitive data you feed them, what their known failure modes are, and where they sit relative to your data-localisation and processing commitments. A one-time procurement review will not survive scrutiny.
- Decision accountability inside your own walls. Because the conduct duty attaches to you, you need a record of why each material AI-influenced decision was made, who reviewed it, and on what basis a human could and did override it. This is the practical meaning of the human-oversight principle.
- Contractual flow-down and recourse. While you cannot offload accountability to the customer, you should still allocate risk and recourse with your model vendor: warranties on training-data provenance, security and model behaviour, audit rights, indemnities, and obligations to support you when a decision is challenged.
The lesson for a commercial buyer's risk team is symmetrical: if your own business deploys AI, the same value-chain logic exposes you, and your insurance programme needs to be read against it.
IRDAI as the Operating Regulator: Sandbox, Sectoral Supervision and Model Governance
Because the national guidelines push rule-making down to the sectoral regulator, the live question is how IRDAI exercises that mandate for insurance AI. The Authority's instruments here are different in character from the data and cyber rules that sit alongside them: they are about supervised innovation and the quality of the model itself, not the security of the systems around it.
The first lever is the regulatory sandbox. IRDAI's sandbox framework lets insurers and intermediaries test innovative products, pricing and processes, including AI-driven ones, in a controlled, time-bound environment under the Authority's eye before full-scale rollout. For an AI model that influences underwriting or claims, the sandbox is the route to deploy with supervisory sight rather than presenting the regulator with a fait accompli. A firm building novel AI into pricing should treat the sandbox as the intended on-ramp, not an obstacle.
The second lever is conduct-led sectoral supervision. IRDAI supervises insurers and intermediaries against fair-treatment, suitability and grievance expectations that already exist, and an AI-driven decision is judged against those same standards. Read together with the MeitY fairness and non-discrimination principle, this points firmly at being able to explain, in plain business terms, why a model declined a risk, applied a loading, or flagged a claim for investigation. A decision the firm cannot explain is, in this framework, a decision it cannot defend before an ombudsman.
The third lever, foreseeable as IRDAI's thinking matures, is a formal model-governance expectation: a documented model inventory, pre-deployment validation, periodic bias and drift testing, change control over model versions, and a designed human-override path. These are the hallmarks of model risk management long familiar in banking supervision, and they are the natural sectoral expression of the guidelines' accountability, robustness and human-oversight principles.
What already binds the firm, irrespective of any future AI-specific circular, sits in three existing bodies of law:
- Existing IRDAI conduct, suitability and outsourcing norms. Where AI drives customer-facing decisions, the conduct and grievance framework applies; where it sits inside an outsourced arrangement, IRDAI's outsourcing expectations on accountability and oversight apply, and they do not let the firm treat the model vendor as the responsible party.
- The DPDP Act and Rules 2025, which govern the personal data any model consumes. This article treats DPDP only as the data layer running underneath; the detailed data-fiduciary and AI-vendor-contract mechanics are a distinct subject in their own right.
- IT Act due-diligence duties, which the AI governance guidelines explicitly invoke when locating liability across the value chain.
Building a Defensible AI Governance Operating Model
Principles and value-chain theory are only useful if they translate into something a commercial insurer or broker can actually operate. A defensible AI governance operating model in 2026 has five working parts, and each maps directly onto a principle the regulator will test.
1. A model and tool inventory. You cannot govern what you have not catalogued. The inventory records every AI tool in use, whether built, bought or embedded, what decisions it influences, what data it consumes, its vendor and contractual terms, and its risk tier. This is the foundation document an auditor or the regulator will ask for first, and most firms discover on building it that AI has entered far more workflows than the governance committee knew.
2. Risk tiering tied to decision impact. Not every AI use carries the same exposure. A model that drafts a renewal email is not a model that declines a risk or repudiates a claim. Tier tools by the materiality of the decision they influence and the sensitivity of the data they process, and concentrate validation, human oversight and explainability effort on the high-impact tier.
3. Human oversight by design. The human-in-the-loop principle is empty unless the workflow makes the human's role real: a defined decision threshold above which a person must review and can override, a record of that review, and authority that actually sits with the reviewer. Oversight that is a rubber stamp is, in a dispute, worse than none, because it documents that a human looked and did not catch the error.
4. Explainability for material decisions. For any decision that affects whether or how a customer is covered, priced or paid, the firm must be able to state, in plain terms, the basis for the decision and the principal factors that drove it. This is both a regulatory expectation and the firm's own defence when a decision is challenged at the ombudsman or in court.
5. Data governance and vendor management running underneath. Because DPDP duties and value-chain liability run through every AI use, the operating model needs continuous vendor assessment, data-flow mapping for each tool, and contractual recourse, refreshed rather than filed and forgotten.
A recurring practical difficulty is that much of an insurer's or broker's AI is pointed at unstructured documents, policy wordings, submissions, endorsements and claims files, where the governance questions of provenance, explainability and human override are sharpest because the source text is dense and the stakes are coverage. Sarvada gives commercial-insurance brokers and corporate risk teams structured, searchable access to insurer wordings and the intelligence around them, so that AI-assisted comparison and analysis can be grounded in an auditable source of truth rather than an opaque model output, which is precisely what the transparency and explainability principles demand. Brokers and risk teams building a defensible AI governance operating model can Request Access to evaluate the platform as the grounded layer beneath their wordings and analytics.