India’s financial sector just received one of its most significant technology governance directives in decades. On June 23–24, 2026, the Reserve Bank of India released its Draft Guidance on Regulatory Principles for Model Risk Management, 2026 — a sweeping new framework that introduces mandatory AI kill switches, human oversight requirements, explainability standards, and risk-based model tiering across every bank, non-banking financial company (NBFC), and regulated entity (RE) under the RBI’s jurisdiction.
The framework effectively replaces the RBI’s 2002 credit risk model guidance, signalling that the central bank views today’s AI-driven financial infrastructure as a categorically different — and more consequential — risk landscape than anything that came before it.
The draft is open for public comment until July 24, 2026, after which final guidelines are expected to be formalised and enforced across all regulated entities.
The headline provision — and the one generating the most discussion across India’s banking and fintech sectors — is the mandatory AI kill switch. Under the draft guidelines, every regulated entity must establish mechanisms to instantly override, suspend, or completely deactivate any AI or machine learning model deployed in their operations.
This means no AI system running inside an Indian bank can be beyond the reach of immediate human shutdown. Not a fraud detection model. Not a credit scoring algorithm. Not an automated trading or treasury management tool. Every model must have a clearly documented deactivation pathway that can be triggered immediately if the model begins behaving outside expected parameters.
The India Today report noted that the urgency behind this specific provision was partly accelerated by broader global concerns about the unpredictable behaviour of advanced AI systems — including fears raised in India’s cybersecurity community about what powerful frontier models could do if deeply integrated into critical financial infrastructure without adequate override controls.
📺 YouTube — RBI Forces Every Bank to Install AI Kill Switch: https://www.youtube.com/watch?v=aqbLzQz_I9U
📺 YouTube — ALERT: RBI Warns Indian Banks on AI Vulnerabilities: https://www.youtube.com/watch?v=f2EiYzp3Kew
The Five Pillars of the Framework
The RBI’s draft guidelines are structured around five interconnected requirements that together form what analysts are calling India’s most comprehensive AI governance framework for finance ever published.
The first pillar is a Board-Approved Model Risk Management (MRM) Framework. Every regulated entity — from the largest public sector banks to the smallest NBFCs — must have a formal, board-approved policy covering the entire lifecycle of every AI and ML model they use.
This includes models built in-house as well as third-party models procured from vendors, meaning banks cannot outsource AI risk by purchasing models from external providers and treating them as a black box they are not responsible for. The board-level accountability requirement is deliberate: it pushes AI risk out of the IT department and into the boardroom, where it sits alongside credit risk, market risk, and operational risk as a first-class governance concern.
The second pillar is Risk-Based Model Tiering. Not all AI models carry the same risk, and the RBI’s framework acknowledges this through a tiered classification system based on three dimensions: the materiality of the model’s outputs (how much a wrong answer matters), its complexity (how difficult it is to understand or validate), and its autonomy (how much it operates without human intervention).
High-risk models — those that are material, complex, and autonomous — face the strictest requirements, including mandatory pre-deployment risk assessment. This tiering approach means proportionality is built into the framework: a simple rule-based model used for internal reporting is treated differently from an autonomous credit decisioning AI that approves or rejects loan applications affecting millions of customers.
The third pillar is Human-in-the-Loop Oversight. The draft guidelines explicitly require that all AI-driven decision-making processes incorporate human oversight mechanisms. This is a direct challenge to the “set it and forget it” deployment pattern that has become common in financial services, where AI systems make millions of consequential decisions — on loan approvals, fraud flags, transaction monitoring alerts — with no human reviewing individual outputs.
Under the new framework, high-risk automated decisions must have defined human review checkpoints. No decision that significantly affects a customer’s financial life can be made entirely by an AI system without a human oversight mechanism in place.
The fourth pillar is Explainability — No More Black Boxes. Credit scoring AI systems, in particular, can no longer function as opaque algorithms that produce outputs without explanation. The RBI is embedding Explainable AI (XAI) as a design principle across all high-risk models.
This means that when a bank’s AI model rejects a loan application or flags a transaction as suspicious, the model must be capable of producing a human-readable explanation of why it reached that conclusion — one that regulators, auditors, and affected customers can scrutinise. This provision directly addresses one of the most persistent criticisms of AI in finance: that automated decisions affecting people’s financial lives are made by systems that nobody — including the banks operating them — can fully explain.
The fifth pillar is Independent Validation. AI models cannot be validated by the same teams that built and deployed them. The framework requires independent model validation functions, separate from model development, to test, stress-test, and challenge AI systems on a regular basis. This mirrors established risk management practice for financial models and extends it explicitly to AI and ML systems.
The Backdrop: Why Now?
India’s financial sector has absorbed AI at remarkable speed. UPI recorded 106 billion transactions in the first half of 2025 alone, and AI-driven fraud detection, credit assessment, and customer service automation are now embedded across virtually every major bank and NBFC in the country.
The RBI’s own earlier FREE-AI Framework — a 26-point roadmap released previously — had already positioned the central bank as an active regulator of AI in finance rather than a passive observer. The new Model Risk Management draft is the enforcement-facing complement to that strategic roadmap: where FREE-AI described principles, the MRM framework mandates specific, auditable controls.
The catalyst for the accelerated timeline was a combination of factors. The global emergence of increasingly autonomous and powerful AI systems raised cybersecurity concerns specifically around financial institutions.
India Today’s reporting noted that the release of advanced frontier AI models with agentic capabilities had triggered alarm among Indian banking regulators about what happens when such systems are integrated into critical financial infrastructure without adequate override mechanisms. The kill switch requirement is the direct regulatory answer to that concern.
Safeguard or Setback? The Debate Inside India’s Fintech Sector
The draft framework has split opinion across India’s financial technology community, and the debate is genuinely substantive rather than simply pro- or anti-regulation.
Supporters argue that the RBI is doing exactly what a responsible central bank should do: getting ahead of systemic AI risk before a crisis forces reactive intervention. The 2008 financial crisis demonstrated what happens when complex, poorly understood quantitative models are allowed to operate inside the global financial system without adequate governance.
AI models are arguably more complex, faster-moving, and harder to validate than the quant models of that era. Board-level accountability, human oversight, and kill switches are not obstacles to innovation — they are the conditions under which innovation can be trusted to scale.
Critics within the fintech sector raise a different concern. India’s digital financial infrastructure has grown fastest precisely because regulators allowed experimentation at speed.
Requirements for board-approved frameworks, independent validation units, and pre-deployment risk assessments for high-risk models will add compliance overhead that larger banks can absorb but that could slow smaller fintech companies and NBFCs significantly.
The concern is not that the controls are wrong in principle but that the compliance burden may be disproportionate for smaller regulated entities operating on thinner margins.
The RBI has sought to address this through the tiering system — not every model faces the full suite of requirements — and by opening the guidelines for public comment until July 24, precisely to hear this kind of feedback before finalising the framework.
What Happens Next
The public comment window closes on July 24, 2026. The RBI will review submissions from banks, NBFCs, fintech companies, and industry bodies before issuing final guidance. Vinod Kothari Consultants, who published one of the earliest detailed analyses of the draft, noted that the framework represents a fundamental shift in how AI model accountability is distributed across India’s financial system — moving it from being an operational IT question to a boardroom governance obligation.
For India’s banks and regulated entities, the message from the RBI is clear: the era of deploying AI models without board-level accountability, without human override capability, and without the ability to immediately shut them down is over. Whether that represents a brake on financial innovation — or the foundation on which genuinely trustworthy AI-powered finance can be built at scale — is the question the industry is now actively debating.
Quick Links:
