NEW DELHI — India may be preparing to take its most consequential step yet in regulating artificial intelligence: drafting a law designed specifically for AI.
The possibility emerged after S. Krishnan, Secretary of the Ministry of Electronics and Information Technology, indicated at a Confederation of Indian Industry event that the government could begin examining a separate legislative framework for the technology.
“Probably the time has come now to look at a separate legislation for AI.”
The statement does not mean that an AI Bill has been approved, introduced in Parliament or even formally published. But it represents the clearest indication so far that the Union government is reconsidering its long-standing preference for governing artificial intelligence through existing technology, privacy, criminal, consumer-protection and sectoral laws.
Until now, India’s approach has largely been to regulate the consequences of AI rather than the technology itself. Harmful online content may be addressed under the Information Technology Act and intermediary rules. Personal information used by AI systems falls within the emerging data-protection regime. Fraud, impersonation and harassment may trigger criminal laws, while misleading AI products can potentially attract consumer-protection action.
That distributed model allowed India to avoid introducing an expansive AI law while it invested in domestic computing infrastructure, datasets, startups and foundational models through the IndiaAI Mission.
The government’s latest signal suggests that policymakers increasingly believe this patchwork may not be sufficient for a technology capable of generating convincing false evidence, making automated decisions about individuals and assisting cyberattacks at enormous scale.
Why existing laws may no longer be enough
The difficulty with regulating AI through general laws is that responsibility is often fragmented.
When an AI-generated deepfake circulates online, liability could be distributed among the person who created it, the developer of the model, the application that provided access to the model and the social-media platform on which it was published. Existing laws can punish certain harmful outcomes, but they do not always clearly define the preventive duties of every participant in that chain.
Similar ambiguity arises when an AI recruitment system discriminates against applicants, a medical algorithm produces an unsafe recommendation, a lending model rejects customers without a meaningful explanation or a chatbot exposes confidential information.
India’s existing laws were not necessarily written to answer questions such as:
Who must test an AI system before it reaches users?
Who is responsible when a third-party model causes harm?
When must a person be told that an automated system made a decision?
Should high-risk AI systems undergo independent audits?
Can certain AI applications be prohibited altogether?
The government has already begun filling some of these gaps through targeted regulation. Amendments to the Information Technology Rules that took effect on February 20, 2026, introduced specific obligations relating to “synthetically generated information”—realistic algorithmically created or altered audio, visual and audiovisual material.
The rules require covered intermediaries to use technical measures against unlawful synthetic content, label such material and preserve provenance metadata that can help identify it. Significant social-media intermediaries must also seek declarations from users about synthetic content and deploy reasonable measures to verify those declarations.
Yet those provisions primarily focus on synthetic media and intermediary responsibility. They do not constitute a comprehensive law governing the development, testing and deployment of AI systems across healthcare, finance, employment, education, defence, public administration and consumer services.
India already regulates several outcomes produced by AI. A dedicated law would begin regulating the systems, institutions and decisions that produce those outcomes.
Deepfakes have become the immediate pressure point
Deepfakes are likely to be among the strongest arguments for a standalone framework.
Generative-AI tools can now reproduce a person’s face or voice with relatively little source material. The same technology can be used for entertainment, accessibility and creative production—or for financial fraud, political manipulation, non-consensual sexual imagery and impersonation.
India’s 2026 amendments define synthetically generated information broadly enough to cover deepfakes, voice cloning and realistic AI-altered media. The government’s accompanying guidance specifically identifies non-consensual intimate imagery, synthetic nudity and AI-generated sexually explicit depictions of identifiable people as forms of unlawful content.
Authorities have also shortened the deadline for platforms to remove certain unlawful content after official notification from 36 hours to as little as three hours. Electronics and Information Technology Minister Ashwini Vaishnaw said in February that stronger regulation of deepfakes was necessary and that discussions had begun with the technology industry.
In March, the government separately proposed giving greater legal force to advisories and clarifications issued to internet platforms. Under the proposal, non-compliance could affect the safe-harbour protection that shields intermediaries from liability for user-generated content.
These measures demonstrate that India is already moving from voluntary guidance towards enforceable duties. A dedicated AI law could consolidate those obligations, establish uniform definitions and clarify when liability belongs to a user, platform, developer or deployer.
What a dedicated AI law could regulate
No official draft has yet been published, so the eventual scope remains uncertain. However, India’s AI governance discussions and international regulatory models point towards several areas that could receive attention.
Risk-based classification
India could classify AI systems according to the potential severity of harm.
Low-risk tools—such as spam filters, grammar assistants or entertainment applications—may face limited obligations. Systems used in healthcare, financial services, recruitment, law enforcement, critical infrastructure or government benefits could be placed in a high-risk category and subjected to stricter testing, documentation and oversight.
India’s governance guidelines have already identified six broad groups of AI risk: malicious use, bias and discrimination, transparency failures, systemic risks, loss of control and national-security threats. Examples include deepfakes, model poisoning, biased recruitment systems, misuse of personal data and AI-assisted cyberattacks against critical infrastructure.
Transparency and disclosure
Businesses could be required to tell users when they are interacting with an AI system or when an important decision has been automated.
Developers might also need to disclose a model’s intended purpose, known limitations and types of data used during its development. Generative-AI services could face more extensive watermarking, labelling or content-provenance requirements.
Transparency, however, will require careful definition. A vague requirement to “explain AI” could become either meaningless or technically impossible. Rules may therefore need to distinguish between public disclosure, regulator access and confidential technical documentation.
Testing and audits
High-risk systems could be required to undergo assessments for safety, cybersecurity, reliability, bias and data protection before deployment.
Organisations may also have to maintain records of model performance, incidents, human overrides and major changes. Independent audits could become necessary for systems that affect employment, credit, insurance, healthcare or access to government services.
Responsibility across the AI supply chain
One of the most important questions will be how the law divides responsibility among foundation-model companies, cloud providers, application developers, distributors and organisations using AI.
A startup building a customer-support product on top of a third-party model may not control how that underlying model was trained. At the same time, the startup controls the instructions, data connections and safeguards used in its own application.
A practical law would therefore need proportional, role-based duties rather than treating every company in the supply chain as equally responsible.
Protection against discrimination
Automated systems can reproduce historical bias contained in training data or design assumptions.
A dedicated law could require organisations to assess whether high-impact AI systems unfairly disadvantage people based on gender, caste, disability, language, region or other protected characteristics. It could also grant individuals a right to challenge consequential automated decisions.
Cybersecurity and frontier-model risks
AI can improve cyber defence, but it can also accelerate phishing, vulnerability discovery, malware development and social engineering.
Rules may require developers of advanced models to conduct adversarial testing, restrict particularly dangerous capabilities and report serious incidents. Systems deployed in electricity, telecom, defence, banking and other critical sectors could face enhanced security requirements.
India’s governance framework has specifically recognised AI-enabled disinformation campaigns, attacks on critical infrastructure and autonomous weapons as national-security risks.
What it could mean for startups
For India’s AI startup ecosystem, a dedicated law would produce both opportunity and anxiety.
Clear rules can encourage investment. Enterprises are more willing to purchase AI products when responsibilities, audit standards and data requirements are predictable. Startups that build compliance tools, deepfake detection, model monitoring, identity verification, privacy technology and AI-security services could see strong demand.
A national framework could also reduce the uncertainty created by multiple regulators issuing overlapping or inconsistent directions.
But compliance costs could be significant.
A young company may struggle to fund external audits, legal reviews, cybersecurity testing, documentation systems and grievance mechanisms. A regulation written primarily for global platforms could unintentionally create barriers that only the largest corporations can afford to cross.
This is particularly important because many Indian startups do not train foundational models. They build specialised applications using models supplied through overseas cloud platforms. Requiring every small developer to provide detailed information about the underlying training data or model architecture could impose duties that the developer has no practical ability to fulfil.
The central policy challenge is not whether AI should be accountable, but whether accountability can be imposed without making scale and legal budgets prerequisites for innovation.
A proportionate regime could protect smaller companies through regulatory sandboxes, simplified compliance templates, phased implementation and exemptions for genuinely low-risk systems.
The government could also distinguish between an experimental prototype, a consumer chatbot and a system used to make employment or healthcare decisions. Applying the same rules to all three would create compliance without necessarily producing greater safety.
Could regulation slow innovation?
The answer will depend less on whether India introduces a law and more on how that law is written.
A principles-based framework could give companies flexibility while requiring them to demonstrate safety, fairness and accountability. A highly prescriptive framework could provide greater certainty but become outdated as model architectures and applications change.
The European Union’s AI Act is built around risk categories and imposes detailed obligations on high-risk and general-purpose AI systems. The United Kingdom has preferred to rely largely on existing sectoral regulators, while China has introduced targeted rules for recommendation algorithms, deep-synthesis services and generative AI. India has so far followed a lighter, sector-oriented approach.
India must decide how much of each of those models fits its own environment.
Rules that are too weak may fail to protect citizens or create trust. Rules that are too rigid may push domestic startups to launch products elsewhere, deter experimentation and increase dependence on large foreign technology companies with established compliance departments.
There is also a risk of regulatory duplication. AI systems already intersect with the Digital Personal Data Protection Act, IT Rules, consumer law, intellectual-property law and regulations issued by bodies such as the Reserve Bank of India and the Securities and Exchange Board of India. A new statute will need to explain which regulator leads, how investigations are coordinated and which obligations take precedence.
What it could mean for ordinary users
For users, a well-designed law could provide several practical protections.
People could gain clearer rights to know when content is synthetic, when they are communicating with a machine and when AI has materially influenced a decision about them.
Victims of deepfake impersonation might receive faster grievance mechanisms and clearer routes for takedown, correction and compensation. Consumers could be protected from exaggerated claims about the accuracy of AI products. Employees and loan applicants might gain a right to question important automated decisions.
However, enforcement will be as important as legislation.
Labels can be removed. Watermarks can be degraded. Malicious models can operate outside regulated platforms. Deepfakes can spread through encrypted or decentralised networks before authorities act.
The law will therefore need to combine platform obligations with digital-literacy programmes, law-enforcement capability, forensic infrastructure and cross-border cooperation.
It must also protect legitimate expression. Satire, filmmaking, parody, research and accessibility tools often use synthetic media without attempting to deceive. Rules written too broadly could result in excessive takedowns or discourage lawful creativity.
No Bill yet—but the policy direction is changing
India does not currently have a comprehensive statute directly regulating artificial intelligence, and the proposed Digital India Act has not yet replaced the Information Technology Act.
The technology secretary’s remarks should therefore be read as a policy signal, not an announcement that an AI law is imminent or finalised.
Any legislation would likely require drafting, inter-ministerial consultation, stakeholder feedback, Cabinet approval and parliamentary consideration. Its final form could differ substantially from the ideas now being discussed.
Nevertheless, the direction is significant.
India’s regulatory position is moving from the assumption that existing laws can absorb AI-related harms towards the possibility that artificial intelligence requires its own legal architecture.
The decisive test will be whether that architecture is risk-based, technologically neutral and proportionate—or whether it becomes a dense compliance system that protects established companies more effectively than it protects citizens.
India has an opportunity to develop a model suited to a vast, multilingual digital economy: strict where AI threatens safety, dignity or democratic trust, but flexible where experimentation presents limited risk.
Getting that balance right could determine not only how safely India adopts artificial intelligence, but whether its next generation of AI companies is built domestically or driven elsewhere by the weight of regulation.



