RBI AI Guidelines 2026: FREE-AI & the Draft Model Risk Management Rules — What Banks & NBFCs Must Do Now
Most banks we talk to think RBI’s AI rules are something that will arrive "someday", giving them time to experiment freely with copilots, credit models and chatbots in the meantime. That reading is wrong on two counts. First, the strategic framework already exists — RBI released the FREE-AI Framework on 13 August 2025, and it is not a think-piece; it carries 26 recommendations across six pillars. Second, the detailed rulebook is already on the table: the Draft Guidance on Regulatory Principles for Model Risk Management (2026) is in public consultation with comments reportedly due by 24 July 2026. The draft will get sanded at the edges, but its core expectations — board-approved frameworks, model inventories, independent validation, explainability thresholds, red-teaming — are not going to disappear. If your AI programme cannot meet them today, the consultation window is preparation time you are wasting.
This guide walks through both components — what is final, what is draft, who is covered, and the specific artefacts an RBI-regulated entity should be able to put on the table when the final circular lands. It is written from the perspective of people who sit in RBI IT examination rooms with clients, not from a press-release summary.
The two-layer picture: FREE-AI plus draft Model Risk Management guidance
| Instrument | Status (14 July 2026) | What it does |
|---|---|---|
| FREE-AI Framework | Released 13 August 2025 | Strategic and ethical framework for AI adoption in financial services — 7 guiding "Sutras", 26 recommendations under 6 pillars |
| Draft Guidance on Regulatory Principles for Model Risk Management (2026) | Draft under public consultation; comments reportedly due 24 July 2026 | Detailed governance and control expectations for AI, machine-learning and other decision-making models; final guidance to follow consultation |
A point worth being precise about: the 2026 Model Risk Management guidance is a draft, not a binding direction — yet. But drafts from RBI are rarely abandoned; they are refined. Institutions that waited for SEBI’s CSCRF or RBI’s outsourcing directions to become final before starting learned the same lesson: the implementation period is never as generous as you hoped.
Who is covered — and why fintechs cannot relax
The draft applies across essentially the entire regulated perimeter:
- Commercial banks and foreign banks
- Small Finance Banks, Payments Banks, Local Area Banks
- Regional Rural Banks
- Urban and rural cooperative banks
- NBFCs in Base, Middle, Upper and Top Layers
- All-India Financial Institutions
- Asset Reconstruction Companies
- Credit Information Companies
Fintechs, Lending Service Providers, cloud AI vendors and technology providers are not directly named — but they are indirectly covered wherever their models or services are used by an RBI-regulated entity. The regulated entity remains accountable for the model’s outcome. In practice this means every credit-scoring API, fraud engine and GenAI assistant a fintech sells to a bank will be pulled into the bank’s due-diligence, contract and validation machinery. If you sell AI into BFSI, these are now your requirements too.
Board-approved Model Risk Management Framework (MRMF)
The centrepiece expectation is a Board-approved Model Risk Management Framework covering every model in the house — internally developed, third-party, AI/ML, generative AI, automated decision systems, and models embedded quietly inside applications, APIs and business workflows. The framework must define model taxonomy, governance, inventory, risk classification, validation, approval, deployment, monitoring, change management, continuity and decommissioning. "We have a data science policy" will not pass; the framework has to reach the Board.
| Body | Responsibilities under the draft |
|---|---|
| Board | Approve and periodically review the MRMF; define model-risk appetite and tolerance; approve the risk-tiering methodology; oversee material AI risks; review scenario analysis and stress-testing results |
| Board Risk Management Committee | Approve high-risk models; review validation results; monitor third-party and AI models; review breaches and material incidents |
The model inventory: no entry, no production
The draft’s simplest rule is also its most disruptive: no model should be used unless it is recorded in the approved inventory. The inventory must span models under development, in testing, active in production, inactive, third-party and retired — and decommissioned models stay on the register for at least 10 years (longer where another law requires it). For each model, expect to capture:
- Model name, unique identifier, business purpose and use case
- Owner, developer, validator and approver — four named humans, not a team alias
- Risk classification and validation/monitoring status
- Data sources, model version, upstream and downstream dependencies
- Third-party dependencies, known limitations, audit findings, approval and exception status
When we run discovery exercises at mid-size lenders, the model count is usually 3–5× what the risk team believed — spreadsheets doing pricing, vendor scores buried in LOS workflows, an experiment someone promoted to production during a quarter-end crunch. Building the inventory is the single most time-consuming step, which is exactly why it should start now.
Risk-based classification: not all models are equal
Every model gets a risk tier, driven by factors including financial, customer and regulatory impact; complexity; use of personal or sensitive data; explainability; unstructured data use; degree of automation; reliance on output; autonomous-decision capability; third-party dependency; and potential systemic impact. High-risk models earn stronger controls, more frequent validation, enhanced monitoring and Board Risk Committee approval. Classifications are reviewed at least annually and on material change.
Independent validation — vendor certificates do not count
All models, explicitly including third-party and vendor-provided ones, must undergo independent validation: before deployment, after deployment, after material changes, after data or concept drift, following incidents, on risk triggers, and periodically per risk tier. Validation covers data quality and representativeness, assumptions, conceptual soundness, design, performance, fairness and bias, explainability, robustness, intended use, output stability, security and regulatory compliance. Findings must be documented — and the draft requires validation reports to reach the Board Risk Committee (or delegated authority) within three months of completing validation. The sentence vendors will dislike most: vendor certification alone is not sufficient; the regulated entity must conduct its own independent validation.
AI-specific controls: explainability, bias, hallucination, robustness
Explainability thresholds
Entities must define explainability and transparency thresholds per AI model, with higher bars where the model touches customers’ money or rights: credit decisions, loan pricing, fraud blocking, eligibility, customer risk classification, AML alert disposition, recovery and collections, insurance or investment recommendations, complaints and regulatory reporting. Where full explainability is genuinely impossible, compensating controls are expected — enhanced validation, output corroboration, usage restrictions, frequent reviews and continuous monitoring.
Bias and discrimination
- Test for bias in training data and discriminatory variables
- Hunt proxy discrimination — pincode standing in for community is the classic Indian example
- Measure unequal outcomes between customer groups, geographic or demographic exclusion
- Run fairness assessments; recalibrate, redesign or restrict affected models
Hallucination controls for generative AI
RBI specifically expects system-level or model-design controls to mitigate hallucination risk — not a disclaimer at the bottom of a chatbot. The toolbox: restricted knowledge sources, retrieval from approved internal repositories, output verification, confidence thresholds, human approval, prohibited-response rules, citation and source validation, transaction-level restrictions, and blocking AI from directly executing sensitive actions.
Robustness testing
Models must be tested against edge cases, abnormal and adversarial inputs, manipulated data, stress scenarios, out-of-sample data, changing customer behaviour and economic conditions, data drift, concept drift and provider-driven model updates — and shown not to rely on spurious correlations or to produce unexplained variation for similar inputs.
Generative AI security: the new attack surface
For customer-facing or externally accessible generative AI, the draft layers on cybersecurity expectations covering prompt-injection attacks, adversarial inputs, unauthorised access, data leakage, malicious API calls, session and context persistence, anomalous usage patterns, third-party interfaces, integration pipelines, model manipulation and unauthorised model changes. The principle: AI systems must not introduce vulnerabilities into the institution’s production environment, and external APIs and integration points need strong access control.
Human oversight: someone must be able to pull the plug
- Human-in-the-loop, human-on-the-loop and human-in-command patterns as appropriate
- Manual override, suspension capability, model deactivation and a kill switch
- Escalation procedures and periodic human review of outputs, incidents and near misses
- Oversight personnel who actually understand the model and have authority to challenge, override or stop it
Customer protection: disclosure, appeal, and the right to a human
An institution should not use a model that harms consumers — the draft translates that into concrete product requirements for customer-facing AI: clear disclosure that the customer is talking to AI, information about material limitations, access to human assistance, complaint and grievance mechanisms, review or appeal of AI-driven decisions, fair and non-discriminatory treatment, protection of customer data, and appropriate explanations for material decisions. RBI specifically proposes that customers be allowed to switch to human assistance on request — design your chatbot flows accordingly.
Third-party AI: accountability does not outsource
Using OpenAI, Google, Microsoft, AWS, an AI fintech or a credit-scoring provider does not transfer accountability away from the regulated entity. Before adoption, assess vendor credibility, model methodology, data quality, limitations, security and privacy controls, concentration and supply-chain risk, update practices and exit arrangements. Contracts must secure:
- Access to adequate technical documentation and model-validation information
- Audit rights for the regulated entity — and audit or access rights for RBI
- Incident-notification obligations
- Data ownership and protection terms
- Business-continuity, exit and transition arrangements
Monitoring, change management and self-updating models
Continuous monitoring must track performance deterioration, bias, accuracy, false positives and negatives, drift, hallucinations, customer complaints, security incidents, unexpected behaviour, provider-capability and data-source changes, and override and exception rates. Every model change needs impact assessment, testing, approval, version control, a change log, a rollback mechanism and revalidation where material. Models that update themselves dynamically — increasingly common with vendor LLMs — require stricter controls, clearly defined automatic-update boundaries and more frequent monitoring.
Red-team testing is now a regulatory expectation
The draft expressly calls for structured challenge processes and red-teaming for customer-facing and generative models. A credible test plan covers prompt injection, jailbreaking, data extraction, harmful output generation, identity manipulation, fraud scenarios, adversarial data, bias scenarios, hallucination testing, business-rule bypass, privilege escalation, API abuse and model poisoning. This is precisely where AI governance meets classic offensive security — and where most in-house teams need external help.
Three lines of defence, applied to models
| Line | Who | Role |
|---|---|---|
| First | Model owners, developers, business users | Build, operate and own model outcomes |
| Second | Independent model-risk management, compliance and validation | Challenge, validate, set standards |
| Third | Independent internal audit | Assess design and effectiveness of the entire AI governance and model-risk framework |
Business continuity and decommissioning
Plan for AI service unavailability, model failure, performance degradation, vendor outage, security compromise, corrupted data, failed updates and withdrawal of third-party models. Acceptable fallbacks include manual decision-making, rule-based processes, backup models, alternative vendors, restricted operations and emergency shutdown. Formal decommissioning requires stakeholder notification, dependency removal, data retention, audit-trail preservation and migration to replacement processes.
FREE-AI: the seven Sutras and six pillars
| # | Sutra |
|---|---|
| 1 | Trust is the Foundation |
| 2 | People First |
| 3 | Innovation over Restraint |
| 4 | Fairness and Equity |
| 5 | Accountability |
| 6 | Understandable by Design |
| 7 | Safety, Resilience and Sustainability |
The FREE-AI framework organises its 26 recommendations under six pillars — Infrastructure, Policy, Capacity, Governance, Protection and Assurance. Read together with the draft MRM guidance, the direction of travel is unambiguous: innovation is encouraged, but on rails, with the Board holding the accountability.
The minimum documentation pack — 25 artefacts to start building now
When RBI examiners ask "show me your AI governance", this is the pack an RBI-regulated organisation should be able to produce:
- Board-approved AI and Model Risk Management Policy + AI Acceptable Use Policy
- AI model inventory + risk-classification methodology + use-case approval form
- AI impact assessment + data/privacy impact assessment (DPDP-aligned)
- Bias & fairness assessment + explainability assessment
- Independent model-validation report + AI security and red-team report
- Third-party AI due-diligence checklist + vendor contract-control checklist
- Model card and system card per model
- AI incident-response procedure + change and version-control register
- Human-oversight and override procedure
- AI customer disclosure notice + grievance and appeal procedure
- AI monitoring dashboard + model drift and performance report
- AI business-continuity plan + decommissioning procedure
- Internal audit checklist + Board/Risk Committee reporting pack
Practical readiness: what to do before the final circular
Do not wait for the final circular. The core requirements — Board oversight, model inventory, risk tiering, independent validation, fairness, explainability, human control, cybersecurity, vendor accountability, customer disclosure and continuous monitoring — are already sufficiently clear in the draft and in FREE-AI to begin implementation now. A pragmatic 90-day sequence: (1) discover and inventory every model in the estate; (2) draft the Board policy and risk-tiering methodology; (3) classify models and shortlist the high-risk tier; (4) commission independent validation and a GenAI red-team on customer-facing systems; (5) remediate contracts with AI vendors for audit rights and incident notification. Institutions that arrive at the final guidance with this scaffolding in place will treat it as a confirmation exercise; everyone else will be running a fire drill.
FAQs
Is the RBI Model Risk Management guidance legally binding today?
Not yet. As of 14 July 2026 it is a draft under public consultation (comments reportedly due 24 July 2026), and RBI has stated final guidance will follow consultation. The FREE-AI Framework (August 2025) already sets the strategic expectations, and supervisors are known to probe AI governance in examinations even before rules are final.
We are a fintech, not a bank. Does any of this apply to us?
Indirectly but unavoidably. If your model, API or AI service is used by an RBI-regulated entity, that entity remains accountable for your model’s outcomes — so it will pass the draft’s due-diligence, documentation, audit-rights and independent-validation requirements through to you contractually. Fintechs that prepare model cards, validation evidence and security test reports in advance will close BFSI deals faster.
Do vendor certifications (SOC 2, ISO 42001, model cards) satisfy the validation requirement?
No. The draft is explicit that vendor certification alone is not sufficient — the regulated entity must conduct its own independent validation of third-party models, and contracts must give it (and RBI) audit and access rights.
What counts as a "model" — is our chatbot in scope? Our Excel pricing sheet?
The framework covers internally developed models, third-party models, AI/ML models, generative AI, automated decision systems and models embedded in applications, APIs and workflows. In practice, if it transforms inputs into decisions or scores that the business relies on, put it in the inventory and let risk-tiering decide how much control it needs. Under-scoping the inventory is the most common early failure.
How long must decommissioned models stay in the inventory?
At least 10 years under the draft, or longer where another applicable law requires it — with audit trails preserved through formal decommissioning.
Where should we start if we have no AI governance today?
Model discovery and inventory first — it takes the longest and everything else (tiering, validation, monitoring) hangs off it. In parallel, draft the Board-approved MRMF and AI acceptable-use policy. CyberSigma’s RBI AI-readiness assessment covers discovery, gap analysis against the draft guidance and FREE-AI, and a prioritised remediation roadmap.
Liked the post? Share on:





Leave A Comment