New Delhi: The Reserve bank of India has moved to place some of the toughest guardrails yet around the use of AI in financial services, mandating that banks and other regulated entities build ‘kill-switch’ mechanisms into AI-driven systems while introducing a sweeping framework to manage risks arising from models used across business operations.
The banking regulator’s latest guidance comes at a time when lenders, non-banking finance companies (NBFCs) and credit institutions are rapidly deploying AI and machine learning tools for credit underwriting, fraud detection, customer service, risk management and operational decision-making. While these technologies promise efficiency gains and faster decision-making, the central bank has made clear that accountability for outcomes will remain firmly with regulated entities, regardless of whether models are developed internally or sourced from third-party vendors.
The framework, titled Guidance on Regulatory Principles for Model Risk Management, 2026, lays down governance, validation, monitoring and oversight requirements for all models used by regulated entities, including AI and machine learning systems. The guidance applies to commercial banks, cooperative banks, small finance banks, payment banks, NBFCs, asset reconstruction companies and credit information companies.
Governance Overhaul
The RBI’s move reflects growing global concern that increasingly sophisticated AI systems could introduce new risks into financial markets if left unchecked. The regulator noted that institutions are relying more heavily on models because of the growing complexity of financial activities, rapid digitalisation, advances in computing power and the emergence of technologies such as AI and machine learning.
Under the new RBI-proposed framework, every regulated entity will be required to establish a board-approved ‘model risk management framework’ covering all models, irrespective of whether they are internally developed or purchased from external providers. Boards will be responsible for defining risk appetite, approving model-risk policies and overseeing implementation through risk management committees.
The guidance introduces a risk-based classification system under which models will be tiered according to their materiality, complexity and potential impact on customers and business operations. High-risk models will require approval from board-level risk committees before deployment.
The RBI has also mandated a three-lines-of-defence structure, with model owners acting as the first line of defence, independent validation functions serving as the second, and internal audit providing the third layer of oversight. Institutions will have to maintain comprehensive inventories of active, inactive and decommissioned models and ensure that no model is deployed unless it is formally documented and recorded.
“An RE (regulated entity) is accountable for the outcomes of all models used by it, irrespective of whether the models are developed internally, sourced from third-parties, or a combination thereof,” the RBI said. “This principle effectively closes any possibility of banks shifting responsibility to technology vendors when AI-driven decisions go wrong.”
The regulator also underscored consumer protection. “An RE should not use any model that harms consumer,” it said, adding that grievance-redress mechanisms must specifically address complaints arising from customer-facing models. The requirement could significantly increase scrutiny of AI-powered lending, pricing and customer-service applications.
‘Kill Switch’ Mandate
The most consequential provisions relate to AI-specific controls. The RBI has directed institutions to assess whether risks arising from AI models can be adequately identified, measured, monitored and managed before deployment. AI systems should only be used in business processes where risks can be effectively controlled, the regulator said.
In a direct response to concerns around autonomous decision-making, the guidance requires institutions to establish robust human oversight mechanisms. These must include “override, suspension, or deactivation mechanisms, including kill-switch arrangements,” ensuring that AI systems can be halted immediately if they begin producing problematic outcomes.
The RBI has also moved aggressively on explainability, a long-standing challenge for advanced AI models. “It should define the explainability and transparency thresholds for all AI models and ensure that their outputs are explainable to the extent required for the business process,” the guidance said. For models involved in material decision-making or those with significant customer impact, lenders will be required to maintain even higher explainability standards.
Recognising the growing adoption of generative AI, the regulator warned institutions about risks such as hallucinations, biased outputs and adversarial manipulation. Banks will be required to implement safeguards against inaccurate content generation, conduct fairness assessments to identify discriminatory outcomes and establish structured challenge processes, including red-teaming exercises.
“Appropriate control boundaries” must be introduced to mitigate hallucination risks, particularly where AI-generated outputs influence customer interactions or decision-making, the RBI said. Institutions will also need to test AI behaviour under stressed and abnormal scenarios to identify vulnerabilities before they become operational risks.
The guidance extends beyond AI itself to cover third-party dependencies. Regulated entities will be required to independently validate external models, regardless of assurances provided by vendors. They must also assess risks arising from dependence on a limited number of AI providers, including supply-chain vulnerabilities, provider-driven updates and constraints on independent validation.
For customers, the framework introduces new transparency requirements. AI-powered systems interacting directly with users must disclose that customers are engaging with an AI-based service, explain the limitations of such systems and provide an option to switch to human assistance on request.
The RBI’s framework marks a shift from promoting AI adoption to tightly regulating its use. As banks deploy AI across critical operations, the regulator is making it clear that innovation must be matched by accountability, transparency and robust risk controls, with humans retaining ultimate oversight.
(Cover photo by Nahrizul Kadri on Unsplash)