This paper provides a comprehensive analysis of AI regulation in India by examining perspectives across government, industry, and civil society stakeholders. It evaluates the current regulatory state and proposes a policy roadmap forward. Does India need new AI regulations? What should they look like? Who is driving this debate in India and what are their views?
This publication was produced under Carnegie India's Technology and Society Program. For details on the program's funding, please visit the Carnegie India website. The views expressed in this piece are solely those of the authors.
Artificial intelligence (AI) is a general-purpose technology that has existed since the early 1950s. Its trajectory is marked by cycles of hype and innovation, followed by periods of stagnation and disillusionment. In 2022 alone, more than thirty laws related to AI were passed in over a hundred countries. What explains this sudden rush to regulate AI?
Some say the launch of ChatGPT in late 2022 was a defining moment. It brought generative AI to the forefront, and along with it, concerns about bias, misinformation, copyright violations, and the impact on labor markets. One might also point to a confluence of factors -- the massive breakthroughs in machine learning, new and powerful capabilities of large language models, and the global reach of social media -- which has stoked the fears of policymakers and prompted new regulations in some countries.
And yet, nobody seems to have a clear collective vision for how AI should be regulated. This has resulted in divergent approaches around the world -- from comprehensive legislation in the European Union (EU) to technology-specific rules in China, and voluntary commitments in the United States. Despite these differences, global policymakers seem to agree on one thing -- we must leverage the power of AI while mitigating its risks.
Where does this leave India on AI regulation? The existing body of literature concerning India's approach to regulating AI is disconnected, narrow, or superficial. It includes news coverage of regulatory proposals; brief commentaries on national and global policy developments; editorials on what India's approach should be; summaries of the legal landscape; readouts of roundtable discussions; and analyses of specific regulatory issues involving AI. What is missing is a clear and comprehensive analysis of India's overall advance on AI regulation. Who is driving the debate in India? What are the views of different stakeholders? Does India need new AI regulations? What should they look like?
The goal of this paper is to answer two main questions:
To that end, this paper will capture the views of government, industry, and civil society in India and suggest a policy roadmap to inform India's advance on AI regulation.
The paper is divided into four parts:
Part I provides an overview of the current sentiment in government, industry, and civil society in India on the topic of AI regulation.
Part II explores the scope and objectives of AI regulation, the nature of AI risks, and areas where additional regulations may be required.
Part III examines global approaches to AI regulation and views in India.
Part IV suggests a policy roadmap for India on AI regulation.
Our analysis is based on multiple discussions with key stakeholders over several months, both in closed-door and public settings.
We also conducted seventeen interviews with senior government officials, industry executives, lawyers, technologists, and scholars working specifically on AI policy in India. All interviewees have been granted anonymity to protect their privacy given their ongoing engagements on these issues and the sensitivity of these discussions.
Finally, we have referenced several books, policy documents, academic papers, news reports, and articles.
Since 2022, the Indian government has oscillated between a hands-off approach to AI regulation and one that is more direct and interventionist, which has led to some confusion.
Broadly, India supports a "pro-innovation" approach to AI regulation. It wants to unlock the full potential of AI while taking into account the anticipated risks. This is reflected in the G20 Ministerial Declaration made during India's presidency, as well as a statement in Parliament in April 2023 that "[the Indian government] is not considering bringing a law or regulating the growth of AI in the country."
However, around the same time, the Ministry of Electronics and Information Technology (MeitY) published a blueprint for a new Digital India Act, which includes a specific reference to the "regulation of high-risk AI systems." Then, after a lull of close to a year, the government issued an advisory in March 2024 that jolted the industry. The advisory, which mandated compliance with immediate effect, directed companies to obtain the government's permission before deploying certain AI models in India, and to take steps to prevent algorithmic discrimination and the distribution of deepfakes. Following sharp criticism, the advisory was withdrawn and replaced with a fresh one that continues to remain in force.
The reason for the government's fragmented approach is that there are multiple, differing views within the establishment. MeitY, which is the nodal ministry for technology regulation in the country, favors a "light touch approach." An official suggested that the much-criticized AI advisory from March 2024 was the product of another agency's influence and not the brainchild of MeitY. Some factions within the government want more regulation. For example, a member of the Prime Minister's Economic Advisory Council has published a report that characterizes AI as a "complex adaptive system" that requires "proactive regulatory intervention." Another key official involved in framing India's AI policy said that MeitY was "not doing enough" to address the risks of AI.
For now, it appears the Indian government is still building consensus while adopting a cautious approach. It has tasked the Office of the Principal Scientific Advisor (PSA), set up to advise the Prime Minister and the cabinet on matters of science and technology, to consult with different ministries and provide "strategic guidance" on AI regulation. A sub-committee, convened by MeitY and reporting to the PSA, has prepared a draft report on "AI Regulation," though it has not yet been published.
MeitY, for its part, is considering various regulatory options, including amending the Information Technology Act, 2000 (henceforth IT Act) which would be less time-consuming than adopting new legislation such as the proposed Digital India Act.
Meanwhile, sectoral regulators such as the Reserve Bank of India (RBI) and the Telecom Regulatory Authority of India (TRAI) have begun to articulate the risks of AI. Going forward, they are likely to play an important role in shaping policy and regulation.
Lastly, the Prime Minister's Office (PMO) and National Security Council Secretariat (NSCS) will be highly influential in AI policymaking, given their cross-agency mandate and strong leadership.
The technology industry, as a whole, does not have a single view on what India's approach to AI regulation should be. As one lawyer put it, "This is a fragmented ecosystem consisting of big tech companies, startups, industry bodies, and VCs [venture capital firms] ... there is no one position."
That said, the predominant view is that any strict regulation would stifle innovation and make it difficult for India to achieve the ambitious goals of the India AI mission, launched in March 2024 with an initial budget of Rs. 10,300 crores ($1.3 billion) over five years, spanning strategic initiatives across compute, foundational models, datasets, skilling, and safe and trustworthy AI. For example, none of the industry representatives we spoke to expressed support for a new standalone AI law. One cautioned that it was more important for India to "get it right rather than to act swiftly." Another said that "urgency will create problematic regulation." Instead, one startup founder suggested that India adopt an "iterative, light-touch, and collaborative" approach to AI regulation.
There are also some extreme positions in the industry. One tech policy executive said that there was no need for new regulations at all, arguing that AI presents no novel risks, a view not shared by many others. On the other end, some have explicitly called for some form of regulation. Google president Kent Walker has previously stated, "AI is too important not to regulate, and too important not to regulate well." Similarly, Microsoft president Brad Smith has also observed, "there has never been an industry that has successfully regulated itself entirely... we need more laws, more regulation."
Some companies have advanced specific regulatory proposals for AI regulation in India. Microsoft has advocated for new laws targeted at "highly capable AI foundation models" IBM has called on governments to "recognize co-regulatory mechanisms" and Google has called for a "a risk-based and proportionate approach to AI regulation [in India] focused on use cases," a model supported by several companies.
Overall, industry stakeholders in India favor a two-level approach to regulation:
Here, civil society refers to the third sector of society, distinct from government and business. This includes activists, scholars, academics, and lawyers.
Some civil society representatives have called for greater representation of women, gig workers and other marginalized groups in the debate on AI regulation because they are most likely to be impacted by the negative effects of AI deployments.
Some activists also expressed distrust for industry lobbying efforts on self-regulation. One scholar called the argument that regulation would stifle innovation a "convenient oversimplification" that benefits incumbent commercial actors. One scholar argued that voluntary commitments are inadequate because they "merely outlined a set of principles," and that it encourages "experimentation" which could cause harm to individuals and communities.
Most representatives did, however, agree that India should not adopt a comprehensive AI law, at least for the time being. One scholar argued that an omnibus law might lack the nuance and context required to regulate AI. Another academic put it succinctly: "India needs more guidelines, less hard-coded legislation." Academics are also wary of overbearing regulation and worry that new rules could restrict their access to AI systems required for public interest research in areas such as disaster management and cybersecurity.
At the same time, the academics we spoke to believe that AI presents new risks which, according to them, existing laws are ill-equipped to handle. They want regulators to intervene in areas where AI could cause irreversible harm and violate fundamental rights.
According to one activist, "the government's use of AI requires immediate intervention since there is a greater likelihood of impact on legal rights." They called for a review of public procurement guidelines and the use of facial recognition technologies in public services.
In the legal community, there are broadly two camps. One group believes that there is an unnecessary rush to "create and circulate legislative drafts," when in fact, only a narrow range of issues are a matter for rule-making. Lawyers in this camp believe that the focus should be on applying existing laws to AI to mitigate risks. The other group believes that a separate law for AI is required to deal with the unintended, downstream risks of AI being deployed across India in potentially harmful ways.
Across India's government, industry, and civil society, there is broad agreement that:
However, there is disagreement about:
This raises some important follow-up questions -- What are the risks of AI? Are they novel? What are the gaps in existing laws? What aspect of AI should we regulate?
We explore these questions in Part II.
To answer the question of how AI should be regulated in India, it may be useful to reason by analogy. In a recent paper for RAND, Michael J. D. Vermeer compares AI with four other general-purpose technologies: nuclear technology, the internet, encryption, and genetic engineering. He lists out various factors that would inform their governance, such as the risks posed, consensus on these risks, and the role of public-private partnerships in its development. Based on a similar analog, we suggest that for a dual-use, general-purpose technology such as AI, three fundamental aspects of regulation need to be clear upfront:
Based on the above analysis, we recommend the following:
A risk-based approach to AI regulation is the most popular. Though implementation varies across jurisdictions, its core objective is to mitigate harm to individuals and society. A risk-based approach is also supported by senior officials in the Indian government, including the IT minister, the IT secretary, and several big tech companies.
In the current discourse, there is a general tendency to conflate the notions of risk and harm. A key difference exists between the two. As explained in a report prepared by a group of scientists led by professor Yoshua Bengio, considered one of the "godfathers" of AI, risk is derived from the "probability of an occurrence of harm and the severity of that harm." In other words, risk has a "future-orientation" and "looks at the aggregate impacts of the system on groups of people and tries to (often controversially) quantify these harms." For that reason, as one legal expert put it, "AI regulation should be risk-based, not harm-based because the harm has already occurred."Therefore, an important exercise in a risk-based approach to regulation is to gather evidence of harm in order to measure and anticipate the associated level of risk.
Next is the question of how to classify these risks. A report commissioned by the UK government classifies AI risks into three types: malicious use risks, risks from malfunctions, and systemic risks. Risks can also be categorized as safety risks and fundamental rights risks, with overlaps between the two. Risks may also vary based on stages (for example, during design, development, or deployment); scope (systemic risks); time-scale (short, medium, or long-term); and the source of risk (inputs vs. outputs). Even as our understanding of AI risk continues to evolve, scholars at the Massachusetts Institute of Technology (MIT) have developed a repository of more than seven hundred AI risks as of 2024. Some governments have also incorporated these risk taxonomies into their legislative frameworks. For example, the EU's Artificial Intelligence Act (AI Act) classifies risk into four levels: "unacceptable, high, limited, and minimal."
In the table below, we synthesize the available literature and present our own risk classification framework to inform future AI policy debates.
Table 1: AI risk classification
The table below summarizes key AI risks with examples of harm to inform future policy debates. For the purpose of this analysis, "AI" includes general-purpose AI, generative AI, and artificial general intelligence.
Currently, there is no credible AI risk classification framework for India that is based on empirical evidence of harm. There are some examples of standalone risk assessments, but they are incomplete and unsubstantiated. For example, a 2021 NITI Aayog report outlines certain "risks and considerations" to operationalize responsible AI practices but doesn't spell out these risks. Another report by TRAI briefly mentions certain risks -- "low quality data, data biases, data security, data privacy, inaccurate or biased algorithm, and unethical use of AI" -- but jumps straight into regulatory principles without analyzing the risks. Similarly, the Telecom Engineering Center has published a draft AI risk assessment framework but focuses entirely on fairness outcomes.
Therefore, to support future policymaking, we have identified five categories of risks that are most relevant from a regulatory perspective:
We recommend that these specific categories of risks be studied in detail in an effort to develop an appropriate AI risk classification framework for India. Moreover, since the general consensus is that India should regulate "high-risk use cases," we suggest analyzing proposed AI deployments based on these risk vectors. Although there is no standard definition, "high-risk" applications generally include those in critical infrastructure, lending, credit scoring, insurance, product safety, consumer rights, law enforcement, and justice delivery. A regulatory approach focused on "high-risk use cases" is likely to find favor in India, though it will have to be an iterative exercise grounded in scientific research.
Risk classification should also be grounded in tangible evidence of harm and account for local factors, such as AI adoption, consumer awareness, and digital literacy levels in India. Market studies, like the one being conducted by the Competition Commission of India, are useful references to identify specific market failures in India's AI ecosystem.
From a regulatory standpoint, a well-considered AI risk assessment would also help identify risks for which regulation is not warranted. In some cases, risks can be addressed through industrial policy (for example, enabling access to compute through subsidies and reskilling individuals to mitigate job displacement). Long-term risks may not warrant immediate regulation (for example, existential threats to humanity). Many other risks can be addressed through existing regulations -- an issue that we analyze in more detail in the next section.
India has a complex legal system of laws and regulations, comprising the Constitution, statutory laws, rules, regulations, and guidelines. From an AI perspective, the relevant areas of law are privacy law, intellectual property law, competition law, media law, employment law, consumer law, criminal law, contract law, and tort law.
The common view across government, industry, and civil society groups is that this existing legal framework can be applied to address many of the AI risks outlined in this paper. The table below illustrates how existing statutory laws can be applied to deal with some AI risks.
Table 2: Applicability of existing statutory laws to certain AI risks (illustrative)
One legal expert suggested that policymakers should spend the next six to twelve months applying existing laws to AI use cases to understand potential gaps in the current framework, and that the Department of Legal Affairs, Ministry of Law and Justice, Government of India, should be entrusted with this task.
Another important factor will be the role of courts in interpreting, adapting and enforcing existing provisions of law. So far, Indian courts have dealt with only a handful of cases involving modern AI systems, focused primarily on AI-generated content involving the likeness of public figures. A cursory review of cases indicates that Indian courts are content to apply existing legal provisions to provide redress for now.
Table 3: Applicability of existing Indian laws to deepfakes (illustrative)
The table below illustrates which existing statutory laws would apply in the case of a deepfake image or video being circulated without the permission of the individual.
Experts have, however, warned that additional regulations are required because "there are fundamentally new risks and harms emerging from AI that existing laws are not equipped to deal with." One expert gave the example of a hospital collecting sensitive health data for a medical diagnosis, which was then repurposed to train AI models without the person's knowledge -- an example of how "consent-based regimes break down completely in the AI context." Multiple experts also said that new legal rights are required to protect individuals and society given the pervasiveness of AI systems, the lack of transparency, and the disproportionate impact of these systems on vulnerable communities.
Therefore, on the question of whether new regulations are required to deal with the risks of AI, we suggest the following approach to guide future policymaking:
1. No additional regulations are required in cases where:
2. Clarifications or targeted amendments are required in cases where advisories, guidelines or targeted legal amendments can sufficiently address risks, instead of adopting new and comprehensive rules. For example, the risks relating to the circulation of deepfakes can be broadly addressed through existing laws. However, regulators should clarify to whom these existing rules apply and in which cases they can be held liable.
3. New regulations should be considered to address market failures and protect consumers. For example, introducing a right to compensation in the case of misuse of AI and the right to object to automated decision-making to protect fundamental rights. New transparency obligations for certain AI systems should also be considered to address the risks relating to information asymmetry.
It is beyond the scope of this paper to conduct a comprehensive analysis of all the relevant laws and regulations and where they fall short in the context of AI systems. Therefore, we recommend that a comprehensive regulatory gap analysis be conducted to help inform future policymaking in India.
In Part II, we identified certain AI risks for which new regulations may be warranted, subject to evidence of harm. In Part III, we examine the different regulatory approaches that can be adopted to address these risks.
Across the globe, three approaches to AI regulation have been adopted so far:
Each of these approaches have distinct advantages and disadvantages. According to a report prepared by the Stanford Cyber Policy Center, self-regulation helps tap into industry expertise, provides flexibility, and encourages rapid innovation, but lacks sufficient accountability and enforceability. Co-regulation enables collaboration between companies and regulators, allowing for an iterative approach, but often lacks the necessary enforcement mechanisms required to address market failures. Binding regulation provides clear accountability mechanisms and government oversight but could stifle innovation due to bureaucratic delays and the lack of expertise and adaptability.
Therefore, policymakers should carefully evaluate the relative cost and benefit of each approach before adopting them into domestic frameworks.
Regulatory approaches in different countries reflect their own socio-economic priorities, legal traditions, and governance models. For example, the EU's rights-based approach, in the form of a comprehensive statutory law, seeks to "protect health, safety, and fundamental rights." On the other hand, China, with its strong desire for state control, prioritizes social order and the protection of "Socialist Core Values" in its rules on AI-generated content. Japan, on its part, has professed a "human-centric" approach to AI that aligns with its broader societal goals. Singapore and the United Kingdom have adopted a principle-based approach that reflects a pragmatic style, tailoring rules to specific industries. The table below provides an overview of these different global approaches.
Table 4: Summary of approaches to AI regulation in different jurisdictions
The table below provides a summary of the different approaches to AI regulation in various jurisdictions as of the date of publication of this paper.
Self-Regulation
Based on our research and discussions with experts, there are four key reasons for supporting self-regulation. Firstly, industry stakeholders support self-regulation for AI because they have already been proposed by NITI Aayog and the Indian Council of Medical Research. Secondly, according to one executive, there are strong market incentives for companies to comply with self-regulation, for example, to secure valuable procurement contracts. This applies even to startups, for whom self-regulatory frameworks are "low-effort promises" to signal seriousness in the market. Third, voluntary commitments can co-exist with other regulatory models, such as co-regulation, so it is not a binary decision. Lastly, India has successfully implemented self-regulation in other parts of the digital sector, such as in digital advertising.
On the other hand, there are some strong skeptics of self-regulation. "The future trajectory of these technologies and their social impacts cannot be decided by the very individuals who stand to profit from them," asserted one expert. Some industry executives also point to the failure of recent industry efforts to adopt generative AI guidelines, because they were "too broad in scope" and prescriptive. Another executive claimed that "the Indian government does not trust big tech companies enough to make self-regulation work. Moreover, according to one expert, self-regulation "doesn't do much to separate good actors from bad actors." This skepticism is also shared by some government officials who said that binding rules are necessary to contain some AI risks.
Co-regulation
Many experts said that co-regulatory models were urgently needed in India to reduce the burden on public institutions while providing a higher degree of accountability, especially when compared to self-regulation. They also agreed that co-regulation may also be the most effective way to deal with "high risk use cases" for which government oversight is necessary.
However, at present, there are three key issues with co-regulatory models in India:
For these reasons, we recommend that co-regulatory models should not be adopted for AI governance in India until they have been proven to work in other domains.
Binding rules
Many experts believe it would be premature for India to adopt binding rules for AI for several reasons. First, there is no comprehensive risk assessment on the basis of which new rights and obligations can be developed. Second, there is no empirical evidence of market failure to justify the increased compliance cost of new regulations. Third, existing laws can address many of the anticipated risks of AI, and a gap analysis is required to identify areas where new rules are required. And fourth, less expensive methods such as self-regulation may be sufficient to address the anticipated risks.
In the next section, we examine India's broader policy agenda on AI and analyze various socio-economic factors that influence the choice of regulatory architecture.
In this section, we analyze three factors that should inform India's approach to AI regulation -- economic opportunity, cost of regulation, and state capacity.
There is significant economic upside to the successful implementation of India's national AI strategy. According to the Indian government, AI is expected to add nearly $500 billion to India's gross domestic product (GDP) by 2025. The government has also identified potential applications of AI in agriculture, healthcare, disaster management, transportation, law, and finance that could have a transformative social impact.
The private sector is also bullish on the AI opportunity for India. Accenture anticipates that AI will increase the annual growth rate of India's economy by 1.3 percent by 2035, while a Google-commissioned report estimates that at least Rs 33.8 lakh crore of economic value will be generated by 2030 through AI adoption.
For these reasons, some researchers from the Global South have identified a new type of AI risk for developing countries -- "the risks or opportunity costs of not implementing AI, [and] missing out on potential benefits." Indeed, this view is shared by many in India, as demonstrated in a survey conducted by Ipsos, which finds that "Indian respondents are more optimistic about AI than their global counterparts."
Therefore, we recommend that India adopt a light touch and pro-innovation approach that is aligned with its broader AI strategy to help fully realize the socio-economic benefits of AI.
New AI regulation would entail a series of costs that will have to be weighed against the potential benefits to society.
First is the obvious industry cost of compliance. There are no estimates of what it would cost an Indian business to comply with a model AI law. However, for comparison, the European Commission estimates the cost of complying with the AI Act to be between €1.6 billion and €3.3 billion (Rs 143.5 billion to Rs 296.1 billion or $1.7 billion to $3.5 billion). Although this is a small fraction of the EU's overall GDP, which stood at $16.6 trillion in 2022, the new regulation has been criticized for going "too far" and setting the regulatory barrier "too high." Moreover, as India prepares to implement a new data protection law, new AI regulations will likely increase the cumulative cost for businesses.
Besides compliance costs, some industry executives fear the "psychological costs" associated with new regulations. They point to existing rules under the Apprentices Act, 1961, which grants officials wide discretionary powers to impose fines. In fact, one startup founder said that some new rules, such as the appointment of a local Data Protection Officer, only serve to increase compliance costs and create fear in the minds of entrepreneurs.
Other costs include the administrative expenses associated with implementing a new law. New regulations for AI could also increase litigation costs, especially if they are premature, unclear, or duplicative.
On the other hand, timely regulations could provide business clarity and promote innovation. Some say that the introduction of the Information Technology Act, 2000, helped propel the growth of India's e-commerce industry. Policymakers should also consider the costs of delayed regulation, though it is difficult to quantify the loss of legal rights and freedoms.
Multiple interviewees highlighted capacity constraints that, according to them, would prevent the Indian government from effectively implementing new AI regulations given the status quo. These limitations fall into five categories: (1) lack of technical expertise; (2) failure to issue clear and timely regulatory guidance; (3) lack of investigative powers; (4) ineffective or inconsistent enforcement; and (5) lack of grievance redressal mechanisms.
Addressing each of these issues will require a multi-fold approach. To promote effective AI governance, we recommend increasing state capacity in at least two respects:
Developing state capacity in these ways, we anticipate, would help separate policymaking from enforcement, promote industry compliance, and protect consumers.
Policymakers in India must better understand the current capabilities and unique risks posed by AI, the dynamic and evolving nature of the AI ecosystem, and the gaps in the existing legal framework. They will also need to adopt a balanced regulatory approach and be prepared to address market failures as and when the need arises.
Along these lines, below is a suggested policy action plan:
As India's policymakers carefully mull the next steps on AI regulation, the brief pause in this continuing advance offers an opportunity to reflect and readjust, lest policymakers get trapped in path dependency and a mindless rush to regulate.
As the sentiment analysis in Part I illustrates, there is broad agreement that India should not adopt a comprehensive AI law. Some new regulations are warranted to address the risks of AI, but the scope of new rules and the ideal regulatory approach remains contentious.
Part II explains the intricate relationship between risk and harm, and the need for empirical evidence grounded in the local context, to inform India's regulatory approach. We suggest focusing on five categories of AI risk and identifying high-risk use cases based on these risk vectors. We also offer some examples of areas where new regulations are required.
As the overview of different global approaches in Part III demonstrates, there is no one-size-fits-all approach to AI regulation. For a developing country like India, which is committed to reaping the full range of benefits from AI, we suggest self-regulation at least for the next six to twelve months (because binding regulation would entail significant costs, co-regulation is broken, and self-regulation is relatively efficient). However, as AI systems continue to evolve, the government should be empowered to prevent harm with clear legal mandates.
This paper suggests a few ways in which such provisions can be introduced. Regulation encompasses more than just laws. It also includes norms, standards, ethical practices, policy frameworks, institutional oversight, and soft laws. Therefore, we suggest a "whole of government" approach in which sectoral agencies, MeitY, and an inter-ministerial body collaborate in a dynamic fashion. An AISI, designed from the ground up keeping India's unique needs in mind, can also supplement state capacity.
Finally, and this is important, the process by which AI regulations are framed must be both participative and inclusive. Not only should the data, models, and applications that power India's AI ecosystem be representative of its culture, but so too should the policy frameworks that shape its future trajectory. To that end, it behooves the government to initiate a series of consultations on this topic before continuing its advance on AI regulation.