AI & Insurtech

India's AI Governance Guidelines and IRDAI's Sectoral Mandate: What Commercial Insurers and Brokers Must Build in 2026

India has chosen a sectoral, principles-led route to regulating artificial intelligence rather than an omnibus AI Act, leaving the Insurance Regulatory and Development Authority of India to set the rules for AI in underwriting, claims and distribution. This piece explains the MeitY India AI Governance Guidelines, how liability is allocated across the AI value chain, and what a commercial insurer or broker should actually build to be defensible when an AI-driven decision is questioned.

Sarvada Editorial TeamInsurance Intelligence
8 min read

Listen to this article

Audio version • 8 min read

ai-governancemeity-guidelinesirdaimodel-riskai-accountabilitysectoral-regulationdpdpcommercial-insurance

Last reviewed: June 2026

India Chose Sectoral AI Governance, Not an AI Act

When the Ministry of Electronics and Information Technology released the India AI Governance Guidelines in November 2025, it settled a question the market had been asking for two years: would India copy the European Union's omnibus AI Act, with its prescriptive risk tiers and a single horizontal regulator, or take its own route? India chose its own route. The guidelines set out a principles-led, pro-innovation framework and, critically, push the actual rule-making down to the sectoral regulators. There is to be no umbrella AI statute. Instead, each regulator governs AI within its domain: the Reserve Bank of India for banking, SEBI for securities, and the IRDAI for insurance.

For a commercial insurer or a broker, this is the operative fact. It means the rules that will actually bind your use of AI in underwriting, pricing, claims and distribution will come from IRDAI, layered on top of two cross-cutting laws that already apply: the Digital Personal Data Protection Act and its 2025 Rules, which govern how you process the personal data an AI model consumes, and the Information Technology Act, under which the guidelines locate liability for AI harms. The MeitY guidelines are the constitutional layer; IRDAI's instruments are the operating layer; DPDP is the data layer running through both.

The guidelines rest on a set of principles that any insurance AI deployment will be measured against: transparency, accountability, fairness and non-discrimination, safety and robustness, human oversight, and privacy. None of these is novel as an idea. What is new is that they are now the explicit yardstick a regulator and, in due course, a court or an ombudsman will use to ask whether an automated decision that declined a risk, repriced a premium or repudiated a claim was defensible.

The practical consequence is that AI governance in Indian insurance is not a one-time legal opinion. It is an operating capability the firm has to stand up and keep running, because the regulator has signalled it will judge outcomes, not intentions.

How Liability Is Allocated Across the AI Value Chain

The single most consequential move in the MeitY guidelines for commercial insurance is the attempt to clarify liability across the AI value chain under existing law rather than to create a bespoke AI liability regime. This matters because most insurers and brokers do not build their own models; they buy or license them, embed them in workflows, and feed them client data. The chain typically runs: a foundation-model or platform developer, a deploying firm (the insurer or the broker), and the data principal (the policyholder or insured) whose information is processed and who is affected by the output.

The guidelines lean on the principle that responsibility should sit with the party best placed to prevent or mitigate the harm at each stage, while aligning the analysis with the DPDP due-diligence duties and the IT Act's intermediary and due-diligence concepts. For an insurer or broker, the uncomfortable but realistic reading is that you cannot contract your way out of accountability for an AI-driven decision merely by pointing at the vendor whose model produced it. If you deployed the model in your underwriting or claims process, you made the decision that affected the customer, and the conduct obligations that already bind you under insurance regulation attach to that decision regardless of which black box produced the recommendation.

That allocation drives three concrete obligations for the deploying firm:

  • Vendor due diligence as a continuing duty. You have to assess, document and periodically re-test the AI tools you license: what data they were trained on, how they handle the personal and sensitive data you feed them, what their known failure modes are, and where they sit relative to your data-localisation and processing commitments. A one-time procurement review will not survive scrutiny.
  • Decision accountability inside your own walls. Because the conduct duty attaches to you, you need a record of why each material AI-influenced decision was made, who reviewed it, and on what basis a human could and did override it. This is the practical meaning of the human-oversight principle.
  • Contractual flow-down and recourse. While you cannot offload accountability to the customer, you should still allocate risk and recourse with your model vendor: warranties on training-data provenance, security and model behaviour, audit rights, indemnities, and obligations to support you when a decision is challenged.

The lesson for a commercial buyer's risk team is symmetrical: if your own business deploys AI, the same value-chain logic exposes you, and your insurance programme needs to be read against it.

IRDAI as the Operating Regulator: Sandbox, Sectoral Supervision and Model Governance

Because the national guidelines push rule-making down to the sectoral regulator, the live question is how IRDAI exercises that mandate for insurance AI. The Authority's instruments here are different in character from the data and cyber rules that sit alongside them: they are about supervised innovation and the quality of the model itself, not the security of the systems around it.

The first lever is the regulatory sandbox. IRDAI's sandbox framework lets insurers and intermediaries test innovative products, pricing and processes, including AI-driven ones, in a controlled, time-bound environment under the Authority's eye before full-scale rollout. For an AI model that influences underwriting or claims, the sandbox is the route to deploy with supervisory sight rather than presenting the regulator with a fait accompli. A firm building novel AI into pricing should treat the sandbox as the intended on-ramp, not an obstacle.

The second lever is conduct-led sectoral supervision. IRDAI supervises insurers and intermediaries against fair-treatment, suitability and grievance expectations that already exist, and an AI-driven decision is judged against those same standards. Read together with the MeitY fairness and non-discrimination principle, this points firmly at being able to explain, in plain business terms, why a model declined a risk, applied a loading, or flagged a claim for investigation. A decision the firm cannot explain is, in this framework, a decision it cannot defend before an ombudsman.

The third lever, foreseeable as IRDAI's thinking matures, is a formal model-governance expectation: a documented model inventory, pre-deployment validation, periodic bias and drift testing, change control over model versions, and a designed human-override path. These are the hallmarks of model risk management long familiar in banking supervision, and they are the natural sectoral expression of the guidelines' accountability, robustness and human-oversight principles.

What already binds the firm, irrespective of any future AI-specific circular, sits in three existing bodies of law:

  1. Existing IRDAI conduct, suitability and outsourcing norms. Where AI drives customer-facing decisions, the conduct and grievance framework applies; where it sits inside an outsourced arrangement, IRDAI's outsourcing expectations on accountability and oversight apply, and they do not let the firm treat the model vendor as the responsible party.
  2. The DPDP Act and Rules 2025, which govern the personal data any model consumes. This article treats DPDP only as the data layer running underneath; the detailed data-fiduciary and AI-vendor-contract mechanics are a distinct subject in their own right.
  3. IT Act due-diligence duties, which the AI governance guidelines explicitly invoke when locating liability across the value chain.

Building a Defensible AI Governance Operating Model

Principles and value-chain theory are only useful if they translate into something a commercial insurer or broker can actually operate. A defensible AI governance operating model in 2026 has five working parts, and each maps directly onto a principle the regulator will test.

1. A model and tool inventory. You cannot govern what you have not catalogued. The inventory records every AI tool in use, whether built, bought or embedded, what decisions it influences, what data it consumes, its vendor and contractual terms, and its risk tier. This is the foundation document an auditor or the regulator will ask for first, and most firms discover on building it that AI has entered far more workflows than the governance committee knew.

2. Risk tiering tied to decision impact. Not every AI use carries the same exposure. A model that drafts a renewal email is not a model that declines a risk or repudiates a claim. Tier tools by the materiality of the decision they influence and the sensitivity of the data they process, and concentrate validation, human oversight and explainability effort on the high-impact tier.

3. Human oversight by design. The human-in-the-loop principle is empty unless the workflow makes the human's role real: a defined decision threshold above which a person must review and can override, a record of that review, and authority that actually sits with the reviewer. Oversight that is a rubber stamp is, in a dispute, worse than none, because it documents that a human looked and did not catch the error.

4. Explainability for material decisions. For any decision that affects whether or how a customer is covered, priced or paid, the firm must be able to state, in plain terms, the basis for the decision and the principal factors that drove it. This is both a regulatory expectation and the firm's own defence when a decision is challenged at the ombudsman or in court.

5. Data governance and vendor management running underneath. Because DPDP duties and value-chain liability run through every AI use, the operating model needs continuous vendor assessment, data-flow mapping for each tool, and contractual recourse, refreshed rather than filed and forgotten.

A recurring practical difficulty is that much of an insurer's or broker's AI is pointed at unstructured documents, policy wordings, submissions, endorsements and claims files, where the governance questions of provenance, explainability and human override are sharpest because the source text is dense and the stakes are coverage. Sarvada gives commercial-insurance brokers and corporate risk teams structured, searchable access to insurer wordings and the intelligence around them, so that AI-assisted comparison and analysis can be grounded in an auditable source of truth rather than an opaque model output, which is precisely what the transparency and explainability principles demand. Brokers and risk teams building a defensible AI governance operating model can Request Access to evaluate the platform as the grounded layer beneath their wordings and analytics.

Frequently Asked Questions

Does India have an AI Act that insurers must comply with?
No. India has deliberately not enacted an omnibus AI statute. The Ministry of Electronics and Information Technology released the India AI Governance Guidelines in November 2025, which set out a principles-led, pro-innovation framework and delegate the actual rule-making to sectoral regulators. For insurance, that regulator is the IRDAI, which will issue and enforce AI rules within its domain. So an insurer or broker's AI obligations are not found in a single AI law; they are the sum of three layers: the MeitY guidelines as the principled constitutional layer, IRDAI's instruments as the operating layer governing AI in underwriting, claims and distribution, and the Digital Personal Data Protection Act with its 2025 Rules plus the IT Act as the cross-cutting data and liability layers. The guidelines articulate principles of transparency, accountability, fairness, safety, human oversight and privacy, and these are the yardstick against which any insurance AI deployment will be measured. The practical upshot is that there is no single compliance box to tick; governance has to be built to satisfy insurance-conduct, data-protection and liability requirements at the same time, because one AI-driven decision can be challenged on all three grounds at once.
If we use a third-party AI model and it makes a wrong decision, who is liable?
The MeitY guidelines clarify liability across the AI value chain under existing law rather than creating a separate AI liability regime, and the realistic reading for insurers and brokers is that you cannot offload accountability to the vendor whose model produced the output. The value chain runs from the model developer, through your firm as the deploying party, to the data principal affected by the decision. Responsibility is allocated to the party best placed to prevent or mitigate the harm at each stage, and because your insurance conduct obligations already attach to a decision that declines, prices or repudiates a customer, that decision is yours regardless of which model produced the recommendation. This drives three duties: continuing vendor due diligence on the tools you license, including their training data, data handling and failure modes; decision accountability inside your own walls, with a record of why each material AI-influenced decision was made and how a human could and did override it; and contractual flow-down with your vendor for warranties, audit rights, indemnities and support when a decision is challenged. You can allocate risk and recourse with the vendor, but you cannot move the customer-facing accountability off your own firm.
How does IRDAI exercise its AI mandate, and what should we build before a dedicated circular?
IRDAI's levers here are about supervised innovation and the quality of the model itself, distinct from the data and cyber rules that sit alongside them. First, the regulatory sandbox lets insurers and intermediaries test innovative AI-driven products, pricing and processes in a controlled, time-bound environment under the Authority's supervision before full rollout, so a firm embedding novel AI into underwriting or pricing should treat the sandbox as the intended on-ramp rather than presenting the regulator with a completed deployment. Second, conduct-led sectoral supervision means an AI-driven decision is judged against the fair-treatment, suitability and grievance standards that already bind insurers and intermediaries, and read with the MeitY fairness and transparency principles this requires you to explain in plain business terms why a model declined a risk, applied a loading or flagged a claim, because a decision you cannot explain is one you cannot defend before an ombudsman. Third, a formal model-governance expectation is foreseeable as IRDAI's thinking matures: a documented model inventory, pre-deployment validation, periodic bias and drift testing, change control over model versions and a designed human-override path, the hallmarks of model risk management long familiar in banking supervision. The prudent course is to build that scaffolding now rather than wait, because it is the common denominator of every principle the national guidelines articulate and the most likely shape of IRDAI's eventual instrument, and firms that wait will be retrofitting governance onto live production models under supervisory pressure.
Our own company is deploying AI; how does this affect our insurance programme?
The same value-chain logic that exposes insurers exposes any commercial business deploying AI, so your insurance programme needs to be read against it deliberately. When your business uses AI in decisions that affect customers, employees or counterparties, you become exposed to AI-related claims, and the live question is which policy responds. Professional indemnity may respond where AI-assisted professional advice or services go wrong; directors and officers liability may be triggered where AI governance failures lead to claims against management; cyber insurance may respond to AI-enabled attacks, data breaches involving AI systems, or prompt-injection incidents; and technology errors-and-omissions cover may be relevant for technology businesses. The problem is that these wordings were often not drafted with AI in mind, so coverage can be ambiguous at exactly the point where exposure is rising. The right response is to map where your business uses AI and in what decisions, identify the resulting exposures, and then test your existing wordings against those exposures with your broker, looking specifically for silent AI risk, exclusions that might bite, and gaps between policies. Given the DPDP overlay, you should also confirm how data-protection liability and regulatory-defence costs are treated. This is a wordings exercise, not a renewal afterthought.

Related Glossary Terms

Related Insurance Types

Related Industries

Related Articles

Sarvada

Ready to see Sarvada in action?

Explore the platform workflow or start a product conversation with our underwriting automation team.

Explore the platform