Can India govern AI it does not own?
The recently released Guidance on Regulatory Principles for Model Risk Management by RBI is a concrete step towards AI governance in the banking & finance
The recently released Guidance on Regulatory Principles for Model Risk Management by RBI is a concrete step towards AI governance in the banking & finance sector. The guidelines set out how entities should govern not only AI models, but any predictive system used for decision making. The guidelines put accountability squarely on businesses through an entity specific model risk management framework (MRMF) that would hold businesses accountable even for 3rd party models.While such guidance was overdue, lack of sovereign models could limit the control that India exerts on its tech stack, despite the stringency that RBI is pushing for. The release of the guidelines therefore poses a bigger question: Can India truly govern the AI models that it does not own?RBI’s guidelines are centred around MRMF, which are board-approved framework applicable to all models, whether built in house or not. The MRMF has a wide scope, including model taxonomy, governance, usage scope, risk tiering and critical lifecycle activities.Also read | Beijing’s warning reveals real stakes of Modi–Takaichi summitResponsibility is divided across three levels: The entity’s board, a specially created risk management committee and the senior management. Furthermore, the core machinery of the governance attaches obligations at each stage of the model lifecycle, starting from deployment and ending at model decommissioning.What stands out in the guidance is the accountability laid on users relying on third party models. Financial entities must not only independently validate model accuracy, bias, suitability and risks, but also obtain technical documentation on the model's design, along with audit rights and exit arrangements.The motivations behind these requirements are straightforward.
Generative AI, or more generally neural networks, are notorious for lacking explainability, making technical documentation necessary to understand the model's functioning and limitations.Similarly, audit rights allow users to assess whether the model was developed within a sound governance framework, while exit arrangements safeguard against sudden loss of model access.Despite being principally ideal, these requirements could be too ambitious for India, not because they are impractical but because of the broader ecosystem context.Also read | Ethanol 'experiment': Govt moves to contain falloutConsider, for instance, the requirement for minimum technical documentation, which expects vendors to disclose model performance benchmarks, known use cases, limitations and other relevant information.Yet, the model's design will never be fully within the user's control. Model weights, training data and other proprietary specifications remain with the vendor due to their intellectual and commercial value.Even if some of this information is disclosed, model opacity cannot be entirely eliminated because contemporary AI models remain fundamentally black boxes.Regulators, including RBI, are aware of these limitations, making empirical validation a practical alternative. Rather than understanding every internal mechanism of the model, its usability, accuracy and safety are assessed across a sufficiently large number of instances.If the model performs reliably, it can be deployed despite its limited explainability. Such trade-offs are necessary because if only fully interpretable models were permitted, every GenAI model would fail to qualify.While empirical validation may reasonably overcome the lack of explainability, the problems associated with such opacity reemerge in another way.