AI Governance in the Indian Boardroom

From Blind Spot to Competitive Advantage

The Uncomfortable Question Every Board Must Ask

Is your board governing AI (Artificial Intelligence) - or simply allowing it to happen?

For most organisations, the honest answer is the latter. AI is being deployed across functions - credit decisions, customer service, fraud detection, trading, hiring, compliance monitoring - often without a board-level framework, without adequate oversight, and without the leadership awareness needed to manage what can go wrong.

I have sat in boardrooms where AI was discussed as a future priority. In many of those same boardrooms today, AI is already making decisions - and the board has no governance framework for it.

The consequences are no longer theoretical.

According to IMD's 2025 Winning with AI Playbook, Generative AI (Gen AI) represents a strategic inflection point comparable to the advent of the internet - with a potentially shorter adoption cycle. The organisations that move decisively now will create advantages that will be difficult to close.

The latest EY Global Responsible AI Pulse Survey - covering 975 C-suite leaders across organisations with over US$1 billion in revenue, spanning 21 countries - delivers a finding that every board member in India should read carefully.

Almost every company surveyed - 99% - reported financial losses from AI-related risks. Nearly two-thirds suffered losses exceeding US$1 million. On average, the financial loss is conservatively estimated at US$4.4 million per company, representing an estimated total loss of US$4.3 billion across the survey sample alone.

This is not a technology problem. It is a governance problem. And it is arriving at Indian boardroom doors faster than most boards are prepared for.

The C-Suite Blind Spot

What makes this finding particularly sobering is not the scale of loss - it is the ignorance that underlies it.

When asked to identify appropriate controls against five common AI-related risks, only 12% of C-suite leaders answered correctly. Chief Executive Officers (CEOs) and Chief Operating Officers (COOs) - the very leaders responsible for strategy and operations - scored just 6% each, the lowest of all roles surveyed.This is not a reflection of incompetence. It is a reflection of a governance gap that has grown quietly as AI adoption outpaced leadership awareness. Most boards were built for a world where risk was financial, operational, or reputational in the traditional sense. AI introduces a new category of risk - one that is probabilistic, systemic, and often invisible until it is too late.

IMD's research makes a critical distinction between AI adoption and AI absorption. All companies can access AI. But leading firms absorb it - through advanced skills, strong leadership, and modern organisational practices. The differentiator is not access to technology but human adaptability.

Firms that suffered losses exceeding US$10 million due to AI risks had, on average, only 4.5 out of 10 correct controls in place. Firms that lost US$1 million or less had 6.4 controls in place. The data is unambiguous - the quality of governance controls directly determines the scale of loss.

India's Regulators Are Already Acting

What is particularly significant for Indian boards is that regulators are not waiting. Over the past twelve months, three major regulatory frameworks have been released specifically addressing AI governance in India - each with direct implications for boards.

Securities and Exchange Board of India (SEBI) - June 2025

On June 20, 2025, the Securities and Exchange Board of India (SEBI) released a consultation paper providing a framework for the ethical application of AI and machine learning in Indian securities markets. Built on six pillars - ethics, accountability, transparency, auditability, data privacy, and fairness - the framework notably requires firms to create a board-approved AI Governance Framework to provide top-level accountability and institutional monitoring.

With algorithmic trading now accounting for over 67% of equity derivatives volume on Indian exchanges, the stakes of inadequate oversight are systemic - not merely institutional.

Reserve Bank of India (RBI) - Framework for Responsible and Ethical Enablement of AI (FREE-AI) - August 2025

The Reserve Bank of India (RBI) released its Framework for Responsible and Ethical Enablement of Artificial Intelligence (FREE-AI) in August 2025 - alandmark framework for AI governance in India's financial sector. It advises all regulated entities to develop AI-related governance capabilities at the Board level through structured and ongoing training, upskilling, and reskilling programmes for employees involved in AI use.

The RBI FREE-AI framework's recommendations are unambiguous: regulated entities must adopt a boardapproved AI governance policy immediately, establish AI risk management frameworks, and conduct AI impact assessments before launching new AI-enabled products or use cases.

Yet the RBI's own survey of financial institutions reveals the distance between policy intent and ground reality: only 20% of surveyed institutions have adopted AI - mostly in basic rule-based scenarios. Fewer than 15% conduct postdeployment monitoring for bias or performance drift. Board-level AI governance structures and accountability frameworks remain markedly scarce.

Ministry of Electronics and Information Technology (MeitY) - November 2025

India has adopted a deliberate hands-off regulatory approach, relying on sectoral regulators rather than blanket technology legislation. While the Ministry of Electronics and Information Technology (MeitY) provides national philosophical direction through Seven Sutras, binding compliance mandates flow from sector-specific regulators like RBI and SEBI.

This means boards in every regulated industry - banking, insurance, securities, healthcare - already face AI governance obligations, whether or not their organisations have fully recognised this. The message from India's regulators, taken together, is clear: AI governance is no longer a technology team responsibility. It is a board responsibility.

The Growing Shadow - Citizen Developers

Beyond the known risks of deployed AI systems lies a more subtle and underappreciated threat - the rise of citizen developers.

Across organisations globally, employees are increasingly building their own AI tools using no-code and low-code platforms - automating workflows, generating reports, screening candidates, summarising contracts - entirely outside formal IT or governance structures.

IMD's research reinforces this concern, noting that a multitude of uncoordinated GenAI initiatives rarely generates a positive business return. When GenAI applications mushroom in every corner of an organisation without governance guardrails, the risks multiply faster than the benefits.

Among organisations that permit citizen development, only 60% have formal organisation-wide frameworks, and just half have real visibility into what is actually being built. Even among companies that prohibit the practice outright, 12% admit they lack visibility - meaning shadow AI can flourish undetected, entirely beyond the board's line of sight.

For Indian organisations, where digital adoption has accelerated dramatically and workforce experimentation with AI tools is widespread, this blind spot deserves urgent board attention. The question is not whether employees are using AI - they almostcertainly are. The question is whether the board has any governance line of sight over how, where, and with what data.

Responsible AI: The Competitive Advantage Boards Are Missing

It would be easy to read this article as a counsel of caution. It is not.

The same EY research that documents the scale of AIrelated losses also reveals something that deserves equal attention - the significant competitive advantage that responsible AI governance creates for those who get it right.

Companies that implemented realtime monitoring and AI oversight committees reported measurable improvements in revenue growth, cost savings, and employee satisfaction. Those that defined clear responsible AI principles experienced 30% fewer AI-related risks compared to those that had not.

Responsible AI is not a compliance exercise. It is a performance lever. The boards that understand this are not merely protecting their organisations - they are creating competitive distance from those that do not.

What This Means for Indian Boards - Five Practical Imperatives

Drawing from the EY survey, the IMD Playbook, SEBI's framework, and the RBI FREE-AI framework, I believe Indian boards must act on five imperatives - not at some future point, but now.

Diagram shows five interconnected imperatives with Board AI Governance at the centre:

1. Commission a board-approved AI governance policy

Both SEBI and the RBI FREE-AI framework now explicitly require this for regulated entities. But the principle extends beyond regulated industries. Every organisation deploying AI in decisions that affect customers, employees, or financial outcomes needs a board-level policy that defines governance structure, risk appetite, accountability, and escalation mechanisms.

2. Establish an AI oversight committee or designate clear board responsibility

AI governance cannot be delegated to the Chief Technology Officer (CTO) or the IT department and forgotten. It needs a named committee or designated director with a clear mandate to review AI deployments, monitor performance, and escalate risks to the full board.

3. Address the C-suite knowledge gap deliberately

The EY data showing CEOs and COOs scoring 6% on AI risk controls is not an indictment - it is an invitation. Boards should commission structured AI literacy programmes for all directors and senior leaders, tailored to governance and risk - not technology. The goal is not deep technical knowledge. It is the ability to ask better questions and recognise when the answers are insufficient.

4. Establish visibility over citizen developers

Regardless of whether an organisation permits or prohibits employee-led AI development, the board needs actual visibility - not just a stated policy - into what AI tools are being used, by whom, and with what data. Governance gaps here are growing faster than most boards realise.

5. Embed AI into existing risk and audit frameworks

AI risk does not need an entirely new governance architecture. It needs to be embedded into what already exists - risk committees, internal audit cycles, product approval processes, vendor due diligence frameworks. The organisations succeeding at AI governance are not building parallel structures; they are integrating AI oversight into established ones.

A Final Reflection

A few years ago, cybersecurity was considered an IT concern. Boards that treated it that way paid a heavy price when breaches occurred - not just financially, but reputationally and legally.

AI governance is at the same inflection point today. The boards that act now - building frameworks, closing knowledge gaps, establishing oversight - will be the ones that capture AI's full value without bearing its full risk.

The boards that wait will face a harder conversation later. With their regulators. With their shareholders. And with themselves.

The question is not whether AI governance belongs on your board agenda. It already does. The only question is whether your board knows it yet.I would be interested to hear from fellow directors and governance professionals - which of the five imperatives do you think Indian boards are furthest behind on?

Continue reading Back to Home