All articles

Building AI Governance Frameworks: A Practical Guide for Indian Enterprises | Setidure Technologies

Indian enterprises are deploying AI faster than they are governing it. Here is what a real governance framework looks like under the DPDP Act, RBI guidelines, and the realities of on-premise AI infrastructure. Built for CIOs and CISOs, not consultants. Primary: AI governance framework India · Secondary: private on-premises AI infrastructure, AI compliance India, DPDP Act AI, enterprise AI risk management

Arindam Chakraborty9 May 2026

# AI Governance for Indian Enterprises: A Working Framework for 2026

Introduction

Most Indian enterprises now have an AI strategy slide. Far fewer have an AI governance document. Almost none have a governance system that actually runs.

The gap is uncomfortable. AI has moved from pilots to production in the last eighteen months. Banks are using LLMs to summarise customer complaints. Hospitals are running vision models on diagnostic images. Manufacturing firms are deploying agents to triage maintenance tickets. Hiring teams are scoring resumes through models that nobody on the HR team has audited.

Each of these systems makes decisions that affect customers, employees, or candidates. Each of them is sitting on data covered by the DPDP Act, sectoral guidelines from the RBI, SEBI, IRDAI, or the Ministry of Health, and contractual obligations to enterprise clients. And in most cases, the people running the model and the people responsible for compliance are not the same people, and they are not talking to each other.

This blog is a working framework for fixing that. Not a maturity model. Not a slide deck. A set of structures and processes you can put in place over the next quarter.

---

Why "AI Governance" Sounds Soft — and Why That Is the Problem

The phrase itself is part of the trouble. "Governance" sounds like committees and policy documents. So organisations create a committee, write a policy, file it, and consider the work done.

Real AI governance is operational. It looks like this:

  • A registry of every AI system in production, who owns it, what data it touches, and what decisions it influences.
  • Pre-deployment review gates that a model has to clear before it can move from staging to production.
  • Live monitoring for drift, bias, and failure modes, with alerts going to a named human.
  • A documented retention and deletion policy that actually runs as code.
  • An incident response playbook that has been tested at least once.
> If your organisation has none of these, you do not have AI governance. You have AI *policy*, which is a different thing.

---

The Indian Regulatory Stack You Are Already Subject To

A common objection from Indian CIOs is that AI regulation in India is "still evolving" and therefore can wait. This is a misreading of the current landscape. AI systems in India are already governed by a stack of existing law and guidance.

1. The Digital Personal Data Protection Act, 2023

Any AI system that processes personal data — which is to say, almost all of them — falls under DPDP. The Act requires informed consent, purpose limitation, retention limits, and the ability to fulfil data principal rights (access, correction, deletion). Penalties go up to Rs 250 crore per violation.

2. RBI Guidance on AI in Financial Services

Banks and NBFCs are expected to maintain explainability for credit decisions, monitor models for bias, and document model lineage. The RBI's framework for the responsible and ethical enablement of AI (FREE-AI), released in 2025, formalises a lot of this.

3. SEBI Guidance on AI/ML in Markets

Any AI system used in trading, advisory, or investor-facing functions has reporting and oversight requirements.

4. IRDAI and the Ministry of Health

Diagnostic AI, claims AI, and underwriting AI all carry sectoral oversight.

5. The MeitY Draft Framework on Responsible AI

Voluntary today, increasingly cited as the baseline standard during enterprise procurement.

> You do not need to wait for "AI law" in India. You are already subject to enough regulation that an AI deployment without a governance framework is a compliance liability, not a future-state concern.

---

The Five Components of a Working Governance Framework

A governance framework that actually runs has five components. Each of them is operational, not aspirational.

Component 1: AI System Registry

You cannot govern what you cannot see. The first artefact of any working governance program is a registry of every AI system in the organisation. For each system, the registry records:

| Field | Description |

|---|---|

| System name and owner | A named individual, not a team |

| Business function | What decisions it influences |

| Data sources | Classifications: PII, financial, health, internal |

| Deployment environment | Cloud, hybrid, on-premise |

| Model lineage | Base model, fine-tuning, version |

| Date of last review | — |

> In practice, most enterprises discover they have between 3× and 10× as many AI systems in production as they thought, once a registry exercise is done. A lot of them are vendor tools with embedded AI features that no one explicitly approved.

The registry is the foundation. Every other component depends on it.

---

Component 2: Pre-Deployment Review Gates

Before any AI system moves from development to production, it should clear a documented review covering:

  • Data sourcing and consent posture
  • Bias and fairness testing on representative data
  • Explainability for decisions that materially affect users
  • Security review (prompt injection, data exfiltration, model theft)
  • Compliance review against applicable regulations
  • Approval from a named risk owner
This is not a multi-week consulting engagement. For most systems, it is a four-page document and a one-hour review meeting. The point is that it happens, that it is documented, and that production deployment is gated on it.

---

Component 3: Operational Monitoring

A model that was fair on launch day can become unfair three months later as the data distribution shifts. A model that was accurate on launch can degrade silently. Governance requires monitoring that runs continuously and surfaces problems to a named human.

At a minimum, monitor:

  • Input distribution drift — are the questions the model is being asked changing?
  • Output distribution drift — are the answers shifting in unexpected ways?
  • Bias metrics on protected attributes
  • Failure rates and timeouts
  • Cost per query
The monitoring should write to a dashboard that the system owner reviews weekly, and it should generate alerts on threshold breaches.

---

Component 4: Data Lifecycle Controls

Most AI governance failures are actually data governance failures. The model is fine. The data feeding it is not.

Data lifecycle controls cover:

  • Retention policies — how long is training data, fine-tuning data, and prompt logs kept?
  • Deletion mechanisms — can a specific user's data be removed from training corpora and prompt logs?
  • Access controls — who can see what data, with audit logs?
  • Data residency — where physically does the data sit, including backups?
> For Indian enterprises, data residency is the point that most often fails an audit. A model running on a cloud LLM API is, by default, sending prompts — and possibly retaining them — on infrastructure outside India. For HR data, financial data, and health data, this is usually not acceptable.

---

Component 5: Incident Response

Every AI system will fail. The question is whether the failure is contained, communicated, and corrected — or whether it ends up on the front page of a newspaper.

A working incident response playbook covers:

| Step | Description |

|---|---|

| Detection | How do we know something has gone wrong? |

| Containment | How do we stop the bleeding, including disabling the model quickly? |

| Communication | Who is told, including regulators if compliance implications exist? |

| Remediation | How do we fix the root cause? |

| Post-mortem | What changes to prevent recurrence? |

> The playbook should be tested at least once a year with a tabletop exercise. The first time you walk through an AI incident response should not be during an actual incident.

---

A 12-Week Rollout Plan

For a mid-sized Indian enterprise with somewhere between five and twenty AI systems in production, a working governance framework is a twelve-week project, not a twelve-month one.

| Weeks | Phase | Output |

|---|---|---|

| 1–2 | Discovery | Initial AI system registry, owner assignment |

| 3–4 | Risk classification | Each system tagged high, medium, or low risk based on data sensitivity and decision impact |

| 5–6 | Policy drafting | Pre-deployment review template, monitoring requirements, retention policy, incident response playbook |

| 7–8 | Tooling | Monitoring dashboard, registry tool, audit log integration |

| 9–10 | Pilot | Run two existing systems through the new review process retroactively; refine the process |

| 11 | Training | All AI system owners trained on the framework |

| 12 | Go-live | Framework becomes mandatory for all new deployments |

> The point of the timeline is to make governance a project that finishes, not a permanent committee that never delivers.

---

Where On-Premise Infrastructure Changes the Equation

Governance gets significantly easier when the underlying infrastructure is under your control.

On a cloud LLM API, you do not control where prompts are stored, what they are logged with, or whether they are used for vendor model improvement. You depend on contractual assurances. For sensitive data, those assurances may not be enough for a regulator.

On a private, on-premise AI deployment, the data path is something you can draw on a whiteboard. Prompts, model weights, training data, and logs all sit on infrastructure inside your network:

  • Retention is a configuration
  • Deletion is a delete statement
  • Audit logs are first-class
  • Compliance becomes a system property rather than a vendor management exercise
This is what Setidure Technologies builds — private LLM infrastructure for Indian enterprises that need genuine governance, not vendor-supplied compliance theatre. Our Granthik platform handles document ingestion, OCR, and structured extraction entirely on-premise. Our multi-agent orchestration layer runs internal workflows without sending prompts to external APIs. The governance benefit is not a feature we added. It is what falls out of the architecture.

---

A Realistic Self-Assessment

Use the following ten questions to assess your organisation's current AI governance posture.

| # | Question | Yes / No |

|---|---|---|

| 1 | Can you produce a complete list of every AI system in production within one working day? | |

| 2 | Does each AI system have a named individual owner who is accountable for its behaviour? | |

| 3 | Is there a documented review that every new AI system must pass before going to production? | |

| 4 | Can you identify, for each AI system, the categories of personal data it touches? | |

| 5 | Do you monitor model behaviour in production for drift and bias? | |

| 6 | Can you fulfil a DPDP data deletion request that touches AI systems within 72 hours? | |

| 7 | Do you know the data residency of every AI system, including vendor-supplied ones? | |

| 8 | Have you tested an AI incident response playbook in the last twelve months? | |

| 9 | Are AI vendors contractually bound to your governance requirements (residency, retention, deletion)? | |

| 10 | Does AI governance have an executive owner at the CIO, CISO, or CRO level? | |

| Score | _ / 10 | |

  • 7 or above — Suggests a working framework
  • Below 5 — Material risk during the next compliance audit or incident
---

Common Objections, Honestly Answered

"This will slow down innovation."

It will, slightly, in the same way that having a code review process slows down shipping code. The argument that governance kills innovation is almost always made by people who have not had to manage an incident yet.

"We are too small for this."

The framework scales. A ten-person company does not need a governance committee, but it absolutely needs a registry, an owner per system, and a monitoring approach. The structures get lighter; the principles do not.

"We use only enterprise AI vendors, so they handle compliance."

No. The data fiduciary — which is your organisation — bears primary responsibility under the DPDP Act. The vendor is a data processor. If their subprocessor mishandles data, the regulatory exposure is yours.

"Our regulator has not asked for this yet."

The regulators most likely to ask first — RBI, SEBI, IRDAI — are already asking. Even where formal demands have not arrived, the frameworks they are publishing make the direction clear.

---

Conclusion

AI governance in Indian enterprises in 2026 is at the same stage that information security was in around 2008: known to be important, widely under-invested, and one major incident away from becoming a board-level priority.

The organisations that build a working framework now will spend the next two years quietly compounding the benefits. The ones that wait will spend those two years either lucky or in remediation.

---

*If your organisation has AI in production and is unsure how a regulator's first question would be answered, that is worth a conversation.*

*Reach out to [admin@setidure.com](mailto:admin@setidure.com) to discuss how Setidure Technologies builds governance-ready AI infrastructure for Indian enterprises — on your servers, under your control.*