The Reserve Bank of India (RBI) on Wednesday proposed a comprehensive framework for managing risks arising from the use of models, including artificial intelligence (AI) and machine learning (ML) systems, across banks, NBFCs and other regulated entities. The draft guidance requires regulated entities to establish board-approved model risk management frameworks, including kill-switch mechanism, independent validation mechanisms and human oversight arrangements for AI-driven decision-making.
The draft “Guidance on Regulatory Principles for Model Risk Management, 2026” applies to commercial banks, small finance banks, payments banks, cooperative banks, NBFCs, all-India financial institutions, asset reconstruction companies and credit information companies.
RBI said regulated entities are increasingly relying on models for business processes, customer services, risk management and cyber defence, but warned that inadequate management of model risks could lead to flawed decisions, financial losses, operational disruptions and compliance failures.
Framework to cover banks, NBFCs and other regulated entities
Under the proposed framework, all models—including those developed internally, sourced from third parties or based on AI/ML—must be covered under a board-approved Model Risk Management Framework (MRMF). The framework should cover model governance, risk tiering, inventory management, validation, approval, monitoring, change management, business continuity and decommissioning. The RBI has proposed a risk-based model tiering structure, with models classified based on factors such as materiality, complexity and potential impact on consumers and operations. High-risk models would require approval from the Risk Management Committee of the Board (RMCB).
The draft also mandates that all models be independently validated before and after deployment, following modifications and at periodic intervals. Third-party models must undergo independent validation by the regulated entity, irrespective of any validation or certification provided by the vendor.
AI and ML systems face additional safeguards
For AI and ML models, RBI has in its draft proposed additional safeguards. Regulated entities would be required to assess whether risks can be adequately identified, measured, monitored and managed before deploying such models. They must also consider the level of reliance placed on AI outputs and the autonomy given to such systems in decision-making. The guidance requires entities to define explainability thresholds for AI models and apply higher standards where model outputs influence material decisions or have significant customer impact. Where full explainability is not possible, entities would need to implement enhanced validation, monitoring, output verification and usage restrictions.
RBI has also proposed controls to address hallucinations in generative AI systems, risks arising from bias and discriminatory outputs, overfitting, spurious correlations, data quality issues, data drift and concept drift. The draft calls for structured challenge processes, including red-teaming or equivalent testing, particularly for customer-facing and generative AI models.
The proposed framework requires enhanced controls for automatically updating AI models, including stricter monitoring, defined update scopes, and stronger data quality checks. AI models would also require enhanced documentation to support traceability, reproducibility and auditability.
Human oversight and kill-switch arrangements proposed
For customer-facing AI systems, RBI has proposed additional cybersecurity controls against prompt injection and adversarial inputs. Regulated entities would also need to inform users that they are interacting with an AI-based system and provide an option to switch to human assistance on request.
A key provision in the draft requires regulated entities to establish robust human oversight mechanisms for AI models. These should include human-in-the-loop or human-on-the-loop arrangements, periodic human review of model outputs and decisions, and mechanisms to override, suspend or deactivate models, including kill-switch arrangements.
The RBI said the final guidance, after public consultation, will replace the chapter on credit risk models in its 2002 Guidance Note on Credit Risk Management.
