India chooses guidelines over a statute — a principle-based AI governance framework

The map of binding AI legislation in Asia has been filling in fast — South Korea and Vietnam now have standalone horizontal laws, and China has lifted AI into primary legislation. On 15 February 2026 the region's largest democracy made a deliberately different move. India's Ministry of Electronics and Information Technology (MeitY) released its AI Governance Guidelines — Enabling Safe and Trusted AI Innovation, and its defining feature is what it chooses not to do: it does not propose a new horizontal AI statute.

A principle-based framework, not a law

The guidelines are non-binding guidance, not legislation. They were prepared by a drafting committee that MeitY constituted in July 2025, mandated to draw on existing laws, review global developments and incorporate public feedback. The result is built in four parts — a set of guiding principles, an analysis of key issues with recommendations, an action plan, and practical guidelines for industry and regulators.

At the foundation sit seven principles, framed as sutras: Trust is the Foundation, People First, Innovation over Restraint, Fairness and Equity, Accountability, Understandable by Design, and Safety, Resilience and Sustainability. They are explicitly designed to be cross-sectoral and technology-neutral — a posture closer to the United Kingdom's principles-and-regulators approach than to the EU's prescriptive, risk-tiered statute.

The central bet: existing law can carry most of the load

The most consequential conclusion sits in the Policy & Regulation pillar. After reviewing the existing legal framework — constitutional provisions and statutes across information technology, data protection, intellectual property, competition, media, employment, consumer protection and criminal law — the committee finds that many AI-related risks can already be addressed under laws that are on the books. The implication is a deliberate restraint: rather than legislate a new horizontal regime, India would adapt existing law where gaps appear and govern through guidance, capacity and institutions. This is the opposite of the choice made by the EU, Korea and Vietnam, and a softer line even than China's promotional primary-law provision.

Six pillars and a whole-of-government architecture

The recommendations are organised under six pillars: Infrastructure, Capacity Building, Policy & Regulation, Risk Mitigation, Accountability and Institutions. The institutional pillar is where the framework asks for something new. Noting that responsibilities are today scattered across MeitY, CERT-In, sectoral regulators such as the RBI and SEBI, and NITI Aayog, it recommends a coordinated, whole-of-government structure: an AI Governance Group (AIGG) to steer national policy, a Technology & Policy Expert Committee (TPEC) to feed in technical expertise, and an AI Safety Institute (AISI) — placing India alongside the UK and other states that have built dedicated safety bodies rather than dedicated AI laws.

Risk mitigation through incidents, not prohibitions

Where the EU enumerates prohibited practices and Vietnam lists forbidden acts, India's Risk Mitigation pillar leans on learning rather than banning. It calls for a context-specific, evidence-based risk-assessment framework and a structured mechanism to collect and learn from AI-related incidents — an incident-reporting backbone to let regulators anticipate harms. The guidelines single out deepfakes as a present harm, noting that women are disproportionately targeted by AI-generated intimate imagery and that children are exposed through exploitative recommendation systems.

Another accent on the global map

India frames all of this around "AI for All" and the national ambition of Viksit Bharat 2047, with the IndiaAI Mission supplying compute, datasets and skilling underneath. The regulatory posture — innovation over restraint, no new horizontal statute, soft coordination over hard prohibition — adds yet another accent to the picture drawn in our Asia-Pacific comparison. The lesson for organisations operating across borders is the one that recurs across every jurisdiction: the stated goals converge on safety, transparency and accountability, but the instruments diverge sharply — and a guidelines-first order like India's must be read for what its existing laws already require, not for a single AI act that does not exist.