We use essential cookies to run this site. Analytics & marketing cookies load only with your consent — see our Cookie Policy and Privacy Policy.

White Paper · BFSI

The CISO's Guide to RBI FREE-AI & Model Risk Management

What boards and CISOs of banks, NBFCs and payment operators must build before RBI's AI-governance regime becomes enforceable.

Why this matters now

RBI's approach to AI has two parts. The FREE-AI framework (2025) sets the strategic and ethical direction; the draft Model Risk Management (MRM) guidance (2026) adds the control layer. Together they make AI governance a board-level obligation for every regulated entity using AI, machine-learning or decision-making models. The core expectations are clear enough to begin now — institutions that wait for the final circular will compress a year of work into an enforcement window.

~25
Documentation artefacts expected per AI model
7
FREE-AI 'Sutras' (guiding principles)
6
FREE-AI pillars: infrastructure, policy, capacity, governance, protection, assurance
≥10 yrs
Retention for decommissioned models

Who is covered

  • Directly: commercial/foreign banks, small-finance/payments/local-area banks, RRBs and cooperative banks, NBFCs (all layers), AIFIs, ARCs, credit-information companies.
  • Indirectly: FinTechs whose models are used by regulated entities, Lending Service Providers, and cloud/AI vendors — but the regulated entity always remains accountable for model outcomes.

What the board must ensure exists

Board-approved model risk framework

A framework covering all models (internal, third-party, AI/ML, GenAI, embedded), with the board setting risk appetite and approving tiering, and the Risk Committee approving high-risk models.

Model inventory

No model in use unless inventoried, with named owner, developer, validator and approver. Decommissioned models retained at least ten years.

Independent validation

Pre- and post-deployment validation, on change/drift/incident and periodically by tier — vendor certification alone is not sufficient — reporting to the Board Risk Committee.

AI-specific controls

Explainability thresholds (highest for credit, pricing, fraud, AML, collections); bias and proxy-discrimination testing; hallucination controls for GenAI; robustness against drift and adversarial inputs; structured red-teaming for customer-facing and generative models.

Human oversight and continuity

Human-in/on/-in-command oversight, manual override and kill switch; fallbacks (manual, rule-based, backup models); formal decommissioning with audit-trail preservation.

The minimum documentation pack

A defensible RBI AI file includes roughly 25 artefacts: board-approved AI & MRM policy, acceptable-use policy, model inventory, risk-classification methodology, use-case approval forms, AI and data/privacy impact assessments, bias/fairness and explainability assessments, independent validation report, security and red-team report, third-party due-diligence and contract-control checklists, model/system cards, incident-response procedure, change register, human-oversight procedure, customer-disclosure notice, grievance/appeal procedure, monitoring dashboard, drift report, business-continuity plan, decommissioning procedure, internal-audit checklist and the board reporting pack.

The board's decision

The strategic question is not whether to comply but when to start. Model inventories, validation programmes and the documentation pack take months to build well. Starting now converts a compliance scramble into a governed, defensible capability.

Assess your RBI AI readiness

Model discovery + gap analysis vs FREE-AI and the draft MRM guidance.

RBI AI-readiness assessmentBook a Consultation