The Reserve Bank of India has proposed a sweeping model risk management framework that places ultimate accountability for artificial intelligence (AI), machine learning (ML) and automated decision-making systems squarely on banks, NBFCs and other regulated entities, regardless of whether the models are developed in-house or procured from third parties.
The draft, titled “Guidance on Regulatory Principles for Model Risk Management, 2026,” sets out broad principles covering model governance, risk tiering, lifecycle management, third-party models, and AI/ML-specific safeguards, and is intended to apply in a manner commensurate with the scale and complexity of each entity's operations.
Applicability
The Guidance applies to a wide sweep of regulated entities, including commercial banks, small finance banks, payments banks, regional rural banks, urban and rural co-operative banks, NBFCs across all layers, All-India Financial Institutions such as NABARD, NaBFID and SIDBI, asset reconstruction companies, and credit information companies. Regulated entities are required to apply these principles to every model they use, whether built internally, sourced from third parties, or developed through a combination of both.
Governance Structure
At the core of the framework is a requirement for each regulated entity to put in place a Board-approved Model Risk Management Framework (MRMF) covering all models, including AI/ML systems. The Board is made responsible for overseeing this framework and approving the entity's risk appetite for model risk, while the Risk Management Committee of the Board (RMCB) is tasked with reviewing validation reports for high-risk models, approving their deployment, and monitoring models that have been approved subject to exceptions. Senior management is expected to operationalise the framework on the ground, including maintaining model inventories and implementing the risk-tiering structure.
Risk-Based Tiering And Inventory
Entities are required to classify every model in their inventory based on its materiality, complexity, and other relevant factors, with the risk tier determining the intensity of validation, the approval authority required, and the scope of ongoing monitoring. Models carrying “high” or equivalent risk would need RMCB approval before deployment. The Guidance also requires a comprehensive, continuously updated model inventory, with decommissioned models retained in that inventory for at least ten years, and mandates that no model be used unless it features in the inventory.
Model Lifecycle Management
The draft lays down requirements spanning the entire lifecycle of a model, from selection and development through to validation, approval, deployment, change management, and eventual decommissioning. Independent validation is required both before and after deployment, and validation reports must be placed before the RMCB within three months of completion. A “three lines of defence” structure is prescribed, with model owners as the first line, an independent model risk management and validation function as the second, and internal audit as the third.
Third-Party Models
Where models are acquired from external vendors, the regulated entity remains accountable for the outcomes. The Guidance requires independent validation by the entity itself, irrespective of any certification provided by the vendor, along with enhanced RMCB oversight regardless of the model's risk tier. Entities are also required to conduct due diligence on vendor credibility and model soundness, and to build in contractual rights to technical documentation, audit access for the entity and its supervisor, and continuity and exit arrangements.
AI And Machine Learning Safeguards
A dedicated chapter addresses models employing AI and ML, including foundational and frontier AI models. Entities are required to assess whether risks from such models can be adequately identified and managed before deployment, and to define explainability and transparency thresholds, with stricter thresholds for models used in material decision-making. Where full explainability cannot be achieved, the Guidance calls for compensating controls such as enhanced validation, usage restrictions, and frequent monitoring.
The draft also requires safeguards against hallucinations in generative AI models, fairness assessments to detect bias and discriminatory outputs, testing against overfitting and spurious correlations, and structured challenge processes such as red-teaming for models involving customer interaction. For customer-facing AI systems, entities must implement controls against prompt injection and adversarial inputs, disclose to users that they are interacting with an AI system, and provide an option to switch to human assistance on request.
Human Oversight
The Guidance places significant emphasis on human oversight of AI-driven decision-making, requiring human-in-the-loop or equivalent arrangements, override and kill-switch mechanisms, and periodic human review of model-driven decisions to catch anomalies. Entities are also required to guard against automation bias and over-reliance on model outputs, and to ensure that personnel responsible for oversight have the expertise to challenge or escalate concerns about model behaviour.
What Happens Next
The document notes that further requirements specific to AI models may be issued separately at a later stage. Once finalised following public consultation, the Guidance will supersede Chapter 3 on Credit Risk Models in RBI's existing Guidance Note on Credit Risk Management dated October 12, 2002.
![Administrative policy decision of banks or rate of interest can't come under purview of Consumer Commission: SC [Read Judgment]](/secure/uploads/2024/12/lj_8841_Bank_Interest_Rates_Beyond_Consumer_Court_Jurisdiction.jpg)
![E-KYC must be made accessible to persons with disabilities: SC [Read Judgment]](/secure/uploads/2025/04/lj_3412_E_KYC_must_be_made.webp)
