AI Governance and DPDPA: What Indian Enterprises Must Know in 2026
Date Published

AI governance has become one of the most searched terms in enterprise technology this year, and for good reason. Every large Indian enterprise is running some form of AI now, whether that is a customer service copilot, an underwriting model, or an internal tool built on a vendor's API. What most of those enterprises have not done yet is connect that AI use to their obligations under the Digital Personal Data Protection Act.
This is not a future problem. The DPDP Rules, 2025 were notified on 13 November 2025, with most substantive obligations taking effect around May 2027. AI governance and DPDPA compliance are not two separate programmes running in parallel. Wherever an AI system touches personal data, and most do, the two are the same programme.
What AI Governance Actually Means
AI governance is the set of policies, controls, and oversight mechanisms that ensure an AI system behaves the way an organisation intends, stays within legal and ethical bounds, and can be explained and audited when something goes wrong. It covers questions like who approved a model for production use, what data it was trained on, how its outputs are monitored, and what happens when it makes a mistake.
For an enterprise operating in India, AI governance cannot be treated as a separate discipline from data protection. Most AI systems that matter to a business process personal data somewhere in their pipeline, whether that is a customer's chat history, an applicant's resume, or a patient's medical record. The moment personal data enters an AI workflow, DPDP obligations apply to that workflow exactly as they would apply anywhere else.
Where DPDPA Already Touches AI
The DPDP Act does not contain a chapter labeled "artificial intelligence." It does not need one, because AI systems are processing engines, and the Act governs processing regardless of the technology doing it. This is one of the areas where India's approach, compared against global frameworks like the GDPR, applies existing principles to new technology rather than legislating AI separately.
- Notice and consent. If personal data collected for one purpose gets reused to train or prompt a model, the original consent governance may not cover that use.
- Purpose limitation. Feeding customer data into a new AI tool for a use the customer was never told about can exceed the stated purpose.
- Security safeguards. Rule 6 requires encryption, access controls, and logging for personal data, including data processed by vendor AI tools on the enterprise's behalf. A vendor AI tool does not move the obligation off the enterprise's books. The data fiduciary is still accountable for what that tool does with personal data, which means every vendor AI tool needs its own risk assessment: what data it receives, where that data goes, whether the vendor trains its own models on it, what the vendor's retention policy is, and whether the contract includes Rule 6-equivalent security commitments. A vendor that cannot answer these questions clearly is itself a risk signal.
- Breach reporting. A model that leaks personal data in its outputs can meet the legal definition of a breach, triggering the 72-hour reporting timeline.
- Data Principal rights. Once personal data sits inside model training sets, embeddings, or logs, honouring an access or erasure request becomes significantly harder.

Significant Data Fiduciaries And Algorithmic Due Diligence
Enterprises designated as Significant Data Fiduciaries carry heavier obligations than ordinary Data Fiduciaries, and AI is where those obligations get sharpest. SDFs face annual Data Protection Impact Assessments, independent audits, and a requirement to conduct algorithmic due diligence, which means evaluating whether an algorithm or AI system poses risks to a Data Principal's rights and documenting that evaluation with evidence.
This is a meaningful shift from how most enterprises currently treat AI deployment. A model getting shipped to production today usually goes through a technical review and a security review. Algorithmic due diligence under DPDP asks a different question: not just whether the model works, but whether its use of personal data could harm the people whose data it touches, and whether the organisation can prove it checked.
Enterprises should start identifying now which of their AI systems would fall under this scope if they are designated an SDF, since these assessments take months to build properly and cannot be assembled retroactively under deadline pressure.
Building An AI Governance Framework That Holds Up
A genuine AI governance framework for the Indian regulatory context needs to do more than state good intentions. It needs four things working together.
Visibility into where AI touches personal data. This means a current map of every AI tool, internal model, and vendor API that processes personal data, not a one-time inventory taken during a security review eighteen months ago.
A lawful basis check for every AI use case. Before any AI tool processes personal data for a new purpose, someone has to confirm the consent or legal basis covers that exact use, not just the original collection.
Continuous monitoring, not periodic audits. AI systems change constantly, new prompts, new integrations, new vendors. A governance framework built around quarterly reviews will always be reviewing a version of the system that no longer exists.
An evidence trail a regulator can use. When the Data Protection Board or an auditor asks how an AI system was governed, the answer needs to be a record, not a description of intent. This is the same discipline that good incident management practice already requires for breach response, applied to AI oversight instead.
An AI audit, in the practical sense rather than the academic one, is what ties these four together. It is the exercise of checking an AI system's data use, its outputs, and its controls against what the organisation actually committed to, and keeping that check running rather than treating it as a one-off exercise.
Who Owns AI Governance Inside the Enterprise
The DPDPA does not name a single role as accountable for AI governance. In practice, 3 functions share the work, and the gaps between them are where most compliance failures happen.
The DPO owns the legal basis, the consent mapping, and the data principal rights and obligations that apply to AI systems. They are accountable to the Data Protection Board and should be signing off on any AI use case that processes personal data for a new purpose.
The CISO owns security safeguards: encryption, access controls, logging, and vendor security obligations under Rule 6. They are accountable for ensuring vendor AI tools are assessed and contracted appropriately before they touch personal data.
The AI product or engineering lead owns the model inventory: which models are in production, what data they process, and what their outputs are. They are the only function that can actually answer the DPOs' and CISO's questions in time to act on them.
All 3 need a shared operating layer. A DPO who cannot get a current model inventory from engineering cannot write an accurate notice. A CISO who does not know which vendor AI tools the product team adopted last quarter cannot assess whether Rule 6 is being met. An engineering lead who has no view into which processing purposes are covered by existing consent cannot make sound deployment decisions. The governance framework is only as strong as the handoffs between these 3 roles.
What This Looks Like Across Sectors
The DPDPA obligations apply uniformly, but what AI governance actually demands varies considerably by sector. BFSI and fintech. A fintech using an AI underwriting tool reads income statements, credit history, and alternate data to generate a risk score. The enterprise needs to confirm the applicant's consent covers automated decision-making of this kind, ensure the model vendor is bound by Rule 6 security obligations, and be able to explain the basis for a rejected application to a Data Principal who asks. For NBFCs and banks, this sits alongside RBI's data governance expectations, which require documented data lifecycle management for customer data independently of DPDPA.
Healthcare. A hospital or diagnostics platform using AI to assist with triage or read scan outputs processes health data, which is sensitive personal data under the Act. The obligations are the same as elsewhere, but the stakes of a breach or a mishandled rights request are higher, and a Data Principal's ability to understand and contest an automated clinical decision is a live question for any enterprise running AI at scale in this space.
Retail and ecommerce. A large retailer running personalisation models on browsing and purchase history is processing personal data continuously. If that model feeds a pricing algorithm that produces different outputs for different users based on inferred characteristics, the purpose limitation question becomes real: was the customer told their browsing data would be used to personalise prices, or only recommendations?
HR and workforce management. Enterprises using AI to screen resumes, score candidates, or monitor employee productivity are processing sensitive personal data in contexts where the data principal has limited bargaining power. Algorithmic due diligence under DPDP, particularly for SDFs, applies directly to these systems.
None of this requires the fintech to slow down its AI adoption. It requires the fintech to build the visibility and evidence layer alongside the AI deployment, rather than retrofitting it after a regulator asks a question nobody can answer cleanly.
How Privy By IDfy Supports AI Governance Under DPDPA
Privy by IDfy is a full-stack DPDP compliance and privacy governance platform built for Indian enterprises, with a connected consent, risk, and governance solution where AI governance runs through nearly every module rather than sitting in a separate corner of the platform. InspectAI continuously scans digital journeys, apps, and AI-driven touchpoints to detect where personal data is collected, flag consent misalignments, and surface gaps before they become incidents. Data Compass gives enterprises visibility into where personal data lives across structured and unstructured systems, including the data flowing into AI pipelines. Privacy Impact Assessment workflows support the algorithmic due diligence Significant Data Fiduciaries need to document, with audit trails built in from the start rather than assembled after the fact.
The connecting thread across all of this is evidence. A platform that scans, flags, and routes risk continuously builds the audit trail a Board or regulator will eventually ask for, as a byproduct of running well, not as a separate compliance exercise bolted on afterward.
Conclusion
AI governance and DPDPA compliance are converging, not running on separate tracks, and 2026 is the year most Indian enterprises will need to treat them that way. The obligations that matter, notice and consent, purpose limitation, security safeguards, breach reporting, and Data Principal rights, all apply to AI systems exactly as they apply elsewhere. The enterprises that build visibility and evidence into their AI deployments now will be the ones who can answer a regulator's questions in 2027 instead of scrambling to reconstruct an answer under deadline pressure. If you want to talk through where your AI systems stand against DPDPA, or you would like a demo of how Privy connects AI governance to the rest of your compliance programme, write to shivani@idfy.com.
FAQ's
What is AI governance under DPDPA?
AI governance under DPDPA means applying the Act's existing obligations, notice, consent, purpose limitation, security safeguards, and Data Principal rights, to any AI system that processes personal data, since the law governs processing regardless of the technology involved.
Does DPDPA have specific rules for AI?
No. The DPDP Act does not have a dedicated AI chapter. Instead, its existing obligations apply to AI systems because they are processing engines handling personal data, and Significant Data Fiduciaries face an added algorithmic due diligence requirement.
What is algorithmic due diligence?
It is the obligation, applicable to Significant Data Fiduciaries, to evaluate whether an algorithm or AI system risks harming a Data Principal's rights and to document that evaluation as part of annual audits and assessments.
Why does AI increase DPDPA compliance risk?
AI widens the surface area where personal data is processed through prompts, vector stores, vendor APIs, and model logs, while reducing visibility over where that data actually goes, which makes existing obligations harder to fulfil without dedicated tooling.
How can an enterprise start building AI governance for DPDPA?
Start with visibility: map every AI system that touches personal data, confirm the lawful basis for each use case, set up continuous rather than periodic monitoring, and maintain an evidence trail that can support an audit or regulatory inquiry.
Can a compliance platform guarantee DPDPA compliance for AI systems?
No platform can guarantee compliance, since legal accountability remains with the Data Fiduciary. A good platform operationalises the controls and generates the evidence needed to demonstrate readiness.
Understand how AI inspection and AI governance tools are transforming AI and compliance. Learn how AI data privacy automation strengthens regulatory readiness.