Agentic AI adoption drives stronger governance oversight, risk controls

With artificial intelligence (AI) rollout gaining traction across organisations, a majority of Indian enterprises are prioritizing domestic, industry-specific guidelines and regulatory compliance over global frameworks, finds the ET-Cisco AI Readiness & Adoption survey. They foresee implementing stronger controls around ethics, identity management and privacy in step with the wider deployment of agentic AI.

While the sectoral and regulatory expectations are the immediate focus, industry officials believe they are broadly aligned with the global framework. For instance, Ratan Kumar Kesh, chief operating officer at Bandhan Bank, considers Reserve Bank of India's (RBI) Framework for Responsible and Ethical Enablement of AI (FREE-AI) as a starting point for a responsible, comprehensive, scalable and ethical deployment.

"While the possibilities of AI are vast, we are being extra careful to ensure that we do not take undue risks related to customer protection or risk management. Moreover, we are investing in an AI governance layer to ensure that in a scaled AI scenario we don’t lose sight of these essential guardrails. Cyber security and data protection are paramount at all times," Kesh said.


The Bank has already deployed or is in the process of deploying applications with embedded AI capabilities including digital collection system, onboarding deposit accounts, wealth management, gold loan, integrated underwriting rule engines, and fraud and transaction monitoring solutions, among others, he added.

Aligned with global benchmarks

Local frameworks like DPDP or RBI regulations are structurally aligned with global benchmarks like NIST, ISO and the General Data Protection Regulation (GDPR), Europe's landmark privacy law, Sandeep Agarwal, chief technology officer - security at Cisco India and South Asia said.

"While the nomenclature may differ on the surface, the underlying controls largely remain the same. For enterprises, the challenge is less about rebuilding infrastructure and more about ensuring the right visibility, security, policy enforcement, and governance capabilities are in place," Agarwal said.

The global standards such as AI Risk Management Framework (AI RMF) created by the US National Institute of Standards and Technology (NIST) and the IEC 42001 brought out by the International Organization for Standardization (ISO) inform life insurance firm Aviva India's AI framework, but it remains anchored in the Insurance Regulatory and Development Authority of India's (IRDAI) consumer-protection mandates, said Gaurav Banka, chief risk officer at Aviva India.

"The frameworks are strengthened by human oversight for decisions with significant customer impact. This ensures that AI enhances decision-making while safeguarding rights, privacy, and confidence," Banka said.

Despite the focus on meeting local regulations, Indian firms continue to lag in updating the necessary infrastructure. Indian firms remain slow in migrating their workloads from global to localized cloud and AI systems, said Piyush Somani, managing director at sovereign cloud services provider ESDS.

"The footprint of Indian data centre providers is expanding fast in India, and a host of options are now available to firms at competitive prices. But many businesses in India are yet to fully place their trust on the government's vision, and grasp the country's strategic concerns," Somani, whose company opened its fifth and sixth data centres last year, said.

Compliance reality

According to the survey of tech leaders across 214 companies on trust, governance and the digital personal data protection (DPDP) regime, a majority of enterprises stress they are ready for the currently under-implementation DPDP regime, when it comes to AI.

But Harsh Walia, partner at legal firm Khaitan & Co, advises caution. "Many organisations may feel reasonably confident they are aligned with the core principles of the DPDP framework, such as consent, purpose limitation and data minimisation. But given how nascent and nuanced the framework still is, regulatory expectations remain difficult to predict with confidence," Walia said.

About cross-border data processing, he said, the regulatory position is still not fully settled in practical terms for global organisations, if their AI systems or models process data outside India. Similarly on security standards, the DPDP framework refers to “reasonable security safeguards” and prescribes safeguards which “at the minimum” must be adhered to, but what is considered reasonable will depend on the nature of the organisation, the type of data being processed and the scale of processing involved, he said.

Agentic future

Firms are also adopting a range of measures to control autonomous agentic AI, but widely differing views remain. “While broader industry practice and regulations emerge on this, enterprises should treat autonomous agents like employees. Best practices like enforcing strict identity management and access control should be implemented, immutable audit logs and real-time kill-switches should be built in. Furthermore, there must always be a human in the loop," said Shahana Chatterji, partner at legal firm Shardul Amarchand Mangaldas & Co. Low focus on third-party risk is a serious concern, as securing internal systems matters little if external APIs or models are compromised, she added.

(This article is part of the AI Vantage series, developed in partnership with Cisco)