
AI Governance Framework for Indian Enterprises: From Policy to Operational Controls

A practical AI governance framework for Indian enterprises, covering policy, risk classification, controls, monitoring, and alignment with DPDP, the RBI draft AI guidance, the EU AI Act and emerging Indian regulation.

Published 18 May 2026 10 min read Codesecure Security Team AI Security

Key Takeaways

  • AI governance is now mandatory for any Indian enterprise deploying GenAI at scale, driven both by regulators (RBI, SEBI) and by customers (enterprise SaaS, BFSI).
  • Risk-tiered approach: classify AI use cases by impact (high, medium, low) and apply proportionate controls. Not every AI use needs board approval.
  • Standard framework: AI policy + AI risk register + AI committee + use case approval workflow + monitoring + incident response, mirroring traditional risk governance.
  • Alignment with existing frameworks reduces effort: ISO 27001, ISO 42001 (AI management), NIST AI RMF, DPDP and RBI guidance all share core controls.
  • The cost of NOT having governance: regulatory penalty exposure, enterprise sales friction, internal AI sprawl with unmanaged risk, customer trust loss.

Why AI Governance Has Become Mandatory

Three years ago, AI governance was a paper exercise for most Indian enterprises. In 2026, it is operational reality. Four forces have converged:

  • Regulatory pressure: RBI's draft guidance on AI in BFSI, SEBI's AI usage circulars and MeitY's AI advisory all impose new obligations. EU AI Act compliance is required for Indian businesses serving EU markets.
  • Customer requirements: Fortune 500 procurement now asks AI governance questions, and enterprise SaaS buyers expect documented AI policies before signing.
  • Internal AI sprawl: every team is shipping AI features. Without governance, you have no visibility into what data goes to which LLMs, what risks are being accepted, or where liability sits.
  • Incident exposure: AI-related incidents (data leakage via prompts, bias-driven decisions, hallucinated outputs causing customer harm) carry regulatory and reputational exposure. Governance defines the accountable parties before incidents occur.

AI Use Case Risk Classification

Governance starts with classification. Not every AI use case carries the same risk, and applying maximum controls to every use case is impractical. A three-tier classification is standard:

  • Tier 1 (High Risk): AI making or directly influencing decisions with material impact: credit decisions, hiring, healthcare diagnostics, fraud screening, content moderation at scale. Requires: board approval, formal risk assessment, ongoing bias and accuracy testing, human-in-the-loop, regulatory disclosure where required.
  • Tier 2 (Medium Risk): AI augmenting human decisions or processing sensitive data: customer support copilots, sales intelligence, marketing personalization, code review assistants. Requires: department head approval, data classification review, output monitoring, customer disclosure where appropriate.
  • Tier 3 (Low Risk): AI for internal productivity or non-sensitive use: internal Q&A, document summarization for non-sensitive content, brainstorming. Requires: usage policy adherence, basic logging, periodic spot review.

The AI Policy Framework

A standard AI governance policy framework includes six interlocking components:

  • AI Acceptable Use Policy: what AI tools employees can use, with which data, under what conditions. Specifies allowed third-party services, prohibited use cases, and data classification rules.
  • AI Risk Register: living inventory of AI use cases with risk tier, owner, data flows, third-party dependencies, and mitigation status. Same structure as a traditional risk register.
  • AI Use Case Approval Workflow: pre-deployment review process appropriate to risk tier. Tier 1 needs formal AI committee approval; Tier 3 needs only policy adherence.
  • Data Governance for AI: how data classification, retention, residency and protection rules apply to prompts, completions, training data, and fine-tuning data.
  • Third-Party AI Risk: due diligence for AI vendors (OpenAI, Anthropic, AWS Bedrock, etc.), DPA review, model risk assessment.
  • AI Incident Response: definition of AI-specific incidents, escalation paths, communication templates, regulator notification (where applicable).

Oversight Structure: AI Committee and Roles

Governance needs accountability. The standard structure:

  • Board level: AI strategy and Tier 1 use case approval, typically reported through the Audit/Risk Committee.
  • AI Governance Committee (executive level): chaired by the CTO or CISO, with members from Legal, Compliance, Security, Privacy, Data, Engineering and Business. Meets monthly. Reviews Tier 1 and Tier 2 use cases, the AI risk register, incidents and third-party risk.
  • AI Steward (per business unit): a domain expert who acts as the first line of review for AI use case proposals and routes them upward as appropriate.
  • AI Security Lead: the technical lead responsible for AI-specific security controls; at smaller organizations this is often the same person as the Application Security Lead.
  • Data Protection Officer: the existing DPO role gains AI-specific responsibilities: prompt data review, completions audit, and AI clauses in vendor DPAs.

Aligning With External Frameworks

Rather than building from scratch, align with established frameworks. Indian enterprises typically map their AI governance to several of the following:

  • ISO/IEC 42001:2023: AI Management System standard. Auditable, certifiable, mirrors ISO 27001 structure. Increasingly requested by enterprise customers.
  • NIST AI Risk Management Framework (RMF): US-origin, widely adopted globally. Structured around Govern, Map, Measure, Manage functions.
  • OECD AI Principles: high-level principles often referenced in regulatory guidance.
  • EU AI Act: legal requirement for businesses serving EU markets. Risk-tiered approach influences global enterprise expectations.
  • RBI Draft AI Guidance: applies to Indian BFSI, expected to be finalized in 2026. Mandatory risk-based controls.
  • DPDP Act 2023: applies to all personal data processing including AI use cases. AI does not exempt you from DPDP obligations.

Mapping your AI governance to ISO 42001 + NIST AI RMF covers 80% of what any regulator or enterprise customer will ask, and provides certification options that materially help enterprise sales.

Implementation Roadmap

Most Indian enterprises can implement working AI governance in 4-6 months:

  • Month 1: AI inventory and discovery. Survey all teams for AI usage. Initial risk classification. Identify regulatory exposure.
  • Month 2: Policy authoring. Draft AI Acceptable Use Policy, Risk Register, Use Case Approval workflow. Legal and compliance review.
  • Month 3: Governance structure. Form AI Committee. Designate AI Stewards. Define meeting cadence and decision rights.
  • Month 4: Operationalize for new use cases. Run Tier 1 use cases through formal approval. Update vendor due diligence with AI questions.
  • Month 5: Operationalize for existing use cases. Backfill risk register. Identify and remediate highest-risk legacy AI usage.
  • Month 6: Independent assessment. External review against ISO 42001 / NIST AI RMF readiness. Plan for certification if commercially valuable.

Cost and ROI

Standalone AI governance program: INR 20-40 lakh in first-year consulting, plus 0.5-1 FTE internal coordination. Ongoing maintenance: INR 8-15 lakh per year.

ROI sources: faster enterprise deal closure (AI governance is often a procurement question), reduced regulatory penalty exposure under DPDP and emerging frameworks, lower internal AI risk surface, and competitive differentiation for enterprise SaaS sales.

For Indian enterprises with material AI investment (more than INR 5 crore annual AI spend or AI as a competitive differentiator), AI governance is unambiguously net-positive. Below that threshold, governance can be lighter and embedded in existing risk processes.

Frequently Asked Questions

Is ISO 42001 certification worth pursuing for Indian enterprises?

Increasingly yes, especially for enterprise SaaS, BFSI, and any business with an EU customer base. ISO 42001 (AI Management System) is the international standard equivalent of ISO 27001 for AI. Certification takes 6-9 months with proper preparation and runs INR 25-50 lakh including consulting and audit fees. The ROI is faster enterprise sales and regulatory positioning.

Does DPDP apply to AI use cases?

Yes, fully. AI does not exempt you from DPDP. If your AI processes personal data of Indian residents, DPDP obligations apply: lawful basis, notice, consent (or legitimate use), data minimization, security, breach notification, and data subject rights. Cross-border data transfer to LLM APIs (OpenAI, etc.) is an active compliance question.

Who should chair the AI Governance Committee?

Typically the CTO or CISO. Some enterprises designate a Chief AI Officer; smaller organizations often have the CISO chair. The chair's role is convening members, ensuring decisions are documented, and reporting to the Board. Avoid having a department head with a vested interest in AI adoption chair the committee; this creates a conflict of interest.

How do we govern third-party AI services like ChatGPT Enterprise or Microsoft Copilot?

Three angles: data governance (what data goes to the service), contractual (DPA, AI-specific clauses, data residency, no-training commitments), and monitoring (audit logs, usage patterns). Most enterprise SaaS now has AI-specific contract clauses; some need supplementing for DPDP specifically.

Do we need a separate AI risk register?

Recommended at scale: a separate register often works better than mixing AI risks into the general risk register. AI risks have unique attributes (model risk, training data risk, hallucination risk, prompt injection risk) that don't map cleanly to traditional categories. A separate register also makes regulatory reporting easier.

How does AI governance interact with the EU AI Act?

The EU AI Act has a risk-tiered structure similar to what we recommend internally. Indian enterprises serving EU markets must comply with the EU AI Act where applicable (especially for high-risk AI categories). Mapping your internal governance to EU AI Act categories is a one-time exercise that simplifies EU customer questions.

Can small Indian businesses skip formal AI governance?

Smaller businesses can run lighter governance, often embedded in existing security and compliance processes rather than a dedicated committee. The minimum viable AI governance is: an AI Acceptable Use Policy, an inventory of AI use cases with risk tagging, and basic incident handling. Even 5-person companies should have this.

Codesecure Security Team

ISO/IEC 27001:2022 Certified AI Security Practitioners

Codesecure Solutions is an ISO/IEC 27001:2022 certified cybersecurity firm in Chennai. Our AI security practice has assessed GenAI applications, LLM integrations and AI agents for Indian SaaS, fintech and enterprise clients. The team holds OSCP, OSEP, CISSP and CISA credentials.
