Why this matters now
RBI's approach to AI has two parts. The FREE-AI framework (2025) sets the strategic and ethical direction; the draft Model Risk Management (MRM) guidance (2026) adds the control layer. Together they make AI governance a board-level obligation for every regulated entity using AI, machine-learning or decision-making models. The core expectations are clear enough to begin now — institutions that wait for the final circular will compress a year of work into an enforcement window.
Who is covered
- Directly: commercial/foreign banks, small-finance/payments/local-area banks, RRBs and cooperative banks, NBFCs (all layers), AIFIs, ARCs, credit-information companies.
- Indirectly: FinTechs whose models are used by regulated entities, Lending Service Providers, and cloud/AI vendors — but the regulated entity always remains accountable for model outcomes.
What the board must ensure exists
Board-approved model risk framework
A framework covering all models (internal, third-party, AI/ML, GenAI, embedded), with the board setting risk appetite and approving tiering, and the Risk Committee approving high-risk models.
Model inventory
No model in use unless inventoried, with named owner, developer, validator and approver. Decommissioned models retained at least ten years.
Independent validation
Pre- and post-deployment validation, on change/drift/incident and periodically by tier — vendor certification alone is not sufficient — reporting to the Board Risk Committee.
AI-specific controls
Explainability thresholds (highest for credit, pricing, fraud, AML, collections); bias and proxy-discrimination testing; hallucination controls for GenAI; robustness against drift and adversarial inputs; structured red-teaming for customer-facing and generative models.
Human oversight and continuity
Human-in/on/-in-command oversight, manual override and kill switch; fallbacks (manual, rule-based, backup models); formal decommissioning with audit-trail preservation.
The minimum documentation pack
A defensible RBI AI file includes roughly 25 artefacts: board-approved AI & MRM policy, acceptable-use policy, model inventory, risk-classification methodology, use-case approval forms, AI and data/privacy impact assessments, bias/fairness and explainability assessments, independent validation report, security and red-team report, third-party due-diligence and contract-control checklists, model/system cards, incident-response procedure, change register, human-oversight procedure, customer-disclosure notice, grievance/appeal procedure, monitoring dashboard, drift report, business-continuity plan, decommissioning procedure, internal-audit checklist and the board reporting pack.
The board's decision
The strategic question is not whether to comply but when to start. Model inventories, validation programmes and the documentation pack take months to build well. Starting now converts a compliance scramble into a governed, defensible capability.
