
Benefits
Specifications
How-to
Contact Us
Learn More

RBI FREE AI
Framework
India's landmark AI governance framework for banks, NBFCs, fintechs, and financial institutions — anchored in 7 Sutras, structured across 6 Pillars, and operationalised through 26 targeted Recommendations.
Book Demo
Get Started
The foundational principles
The 7 Sutras
Guiding principles woven through the entire AI lifecycle — for every institution that builds, deploys, or governs AI in the Indian financial sector
Sutra 01
Trust is the Foundation
Trust is non-negotiable and should remain uncompromised
AI systems should enhance — not erode — public trust in the financial system. Trust must be the guiding force behind all actions taken across the entire AI lifecycle..
Sutra 02
People First
AI should augment human decision-making but defer to human judgment and citizen interest
Final authority must rest with humans. Citizens must be informed when interacting with AI. Human safety and interest are paramount.
Sutra 03
Innovation over Restraint
Foster responsible innovation with purpose
Responsible AI innovation aligned with societal values should be actively encouraged. All other things being equal, responsible innovation should be prioritised.
Sutra 04
Fairness and Equity
AI outcomes should be fair and non-discriminatory
AI systems must be designed and tested to ensure unbiased outcomes that do not discriminate against individuals or groups. AI should advance financial inclusion, not perpetuate exclusion.
Sutra 05
Accountability
Accountability rests with the entities deploying AI
Regulated entities remain fully accountable for all AI-driven decisions and outcomes, regardless of automation level. Accountability cannot be delegated to the model or algorithm.
Sutra 06
Understandable by Design
Ensure explainability for trust
Understandability is fundamental to trust and must be a core design feature, not an afterthought. AI systems must have disclosures and outputs that can be understood by the entities deploying them.
Sutra 07
Safety, Resilience and Sustainability
AI systems should be secure, resilient and energy efficient
AI systems must operate safely and be resilient to physical, infrastructural, and cyber risks. They should detect anomalies, provide early warnings, and prioritise energy efficiency.
Framework
6 Pillars, 26 Recommendations
Two complementary sub-frameworks — innovation enablement and risk mitigation — structured across six pillars
Infrastructure
Policy
Capacity
Protection
Governance
Assurance
Implementation timeline
Your AI Agents Are:
R14: Board-Approved AI Policy
R15: Data Lifecycle Governance (DPDP Act alignment)
R16: AI System Governance Framework
R18: Consumer Protection Framework
R20: Red Teaming (at least semi-annual for high-risk)
R24: AI Audit Framework
R26: AI Compliance Toolkit
When Things Go Wrong:
R1: Financial Sector Data Infrastructure
R2: AI Innovation Sandbox
R9: AI Institutional Framework (Standing Committee)
R23: AI Inventory within REs
R25: Disclosures by REs (annual reports, websites)
Who must comply?
The FREE-AI framework applies to all RBI Regulated Entities that develop, deploy, or use AI systems
1
Scheduled Commercial Banks
PSBs, private banks, foreign banks, small finance banks
2
NBFCs
All NBFC categories — lending, investment, infrastructure finance
3
Urban Cooperative Banks
Tier 2, 3, 4 UCBs using any AI or ML systems
4
All India Financial Institutions
NABARD, NHB, EXIM Bank, SIDBI and equivalents
5
Payment System Operators
UPI, card networks, payment aggregators and gateways
6
FinTechs and Tech Partners
Technology Service Providers supplying AI to REs
Important: Outsourcing does not transfer accountability
The FREE-AI framework explicitly states that when REs employ AI technologies developed by third parties, this does not diminish the RE's accountability. If your organisation uses an AI tool from a vendor — a credit scoring API, an LLM chatbot, a fraud detection platform — you remain responsible for its governance, validation, and compliance with the Sutras. The framework requires AI-specific due diligence clauses in outsourcing agreements.
Test your application
How Trusys maps to FREE-AI compliance
Trusys covers the evaluation, discovery, guardrail, and monitoring obligations across the FREE-AI framework. Use TruScout to discover your AI inventory and TruEval to test against the Sutras.
TruScout
Board-Approved AI Policy (R14)
TruScout discovers all AI systems across your estate and generates inventory data for policy framing.
TruScout + TruEval
AI System Governance Framework (R16)
TruScout maps AI models, vendors, data flows and risk classification. TruEval validates model behaviour before deployment.
TruEval
Red Teaming (R20)
TruEval runs adversarial red-team campaigns — prompt injection, jailbreaks, policy violations — across all AI applications.
TruScout
AI Inventory within REs (R23)
TruScout automatically discovers and catalogues every AI model, tool, LLM call, and third-party dependency in your stack.
TruEval
AI Audit Framework (R24)
TruEval provides structured audit-ready test results, pass/fail evidence, and bias evaluation reports for internal and third-party audits.
TruEval
Consumer Protection — Fairness and Bias (R18)
TruEval benchmarks AI outputs for demographic fairness, bias detection, and discriminatory outcome testing across your use cases.
TruGuard
Runtime Guardrails — Consumer Interaction (R18)
TruGuard enforces real-time policy controls, PII masking, and AI disclosure triggers for every customer-facing AI interaction.
TruPulse
Continuous Monitoring and Drift Detection (R16, R24)
TruPulse provides production observability, model drift detection, and continuous monitoring against established quality baselines.
Frequently Asked Questions
01.
Is Trusys a LangSmith alternative?
The FREE-AI Committee Report (August 2025) is a framework and set of recommendations submitted to the Governor of the RBI. The recommendations are addressed to Regulated Entities, RBI, regulators, and industry bodies. Some short-term recommendations are already progressing at the regulatory level. REs should treat the framework as the direction of imminent regulatory expectations — particularly obligations like AI inventory, board policy, red-teaming, and disclosures — and begin implementation now.
02.
Which RBI Regulated Entities does this apply to?
The framework explicitly covers all entities supervised by RBI: Scheduled Commercial Banks (public, private, foreign, small finance), Urban Cooperative Banks (Tier 2+), NBFCs, All India Financial Institutions (NABARD, NHB, EXIM, SIDBI), and Payment System Operators. It also applies indirectly to Technology Service Providers (TSPs) who supply AI to these entities — REs must now include AI-specific governance clauses in outsourcing agreements with TSPs.
03.
When should a team use Trusys?
Recommendation 23 (AI Inventory) and Recommendation 14 (Board-Approved AI Policy) are the foundational actions. Without an accurate inventory of what AI systems are running, risk classification is impossible. Without a board policy, there is no governance framework. These should be pursued in parallel — TruScout addresses the discovery component, which feeds directly into the board policy's risk classification framework.
04.
How does the framework handle third-party AI (e.g., using OpenAI, Anthropic, or vendor AI)?
The framework is explicit: using a third-party AI model is not outsourcing (where the AI is used internally), but if a vendor uses AI to deliver an outsourced service to the RE, that is outsourcing and must be governed accordingly. In both cases, the RE remains fully accountable. The framework requires AI-specific clauses covering algorithmic bias, AI disclosure by vendors, data confidentiality, and governance in outsourcing agreements.
05.
What is the difference between LLM observability and AI assurance?
The framework requires structured adversarial testing — prompt injection, data leakage probes, bias stress-tests, policy violation scenarios — conducted at periodic intervals. For medium and high-risk AI applications, red teaming must be at least semi-annual. It must also be triggered before major model updates, after vulnerabilities are detected, when the operational environment changes, or when regulatory requirements evolve. Results must be documented and accessible to audit and supervisory teams.
06.
Does FREE-AI cover GenAI (ChatGPT, Claude, Gemini) used internally by bank staff?
Yes. The framework explicitly covers the use of third-party or off-the-shelf AI tools (such as generative AI applications) for official purposes — drafting documents, report summarisation, data analysis — and requires this to be governed by the organisation's board-approved AI policy. REs must ensure that internal AI policy is compliant with national AI governance frameworks.
Trusys Advantage
Is your AI application FREE-AI ready?
Leverage MITRE ATLAS intelligence to identify vulnerabilities, test defenses, and protect your ML systems from adversarial attacks.
Book a FREE-AI compliance walkthrough

RBI FREE AI
Framework
India's landmark AI governance framework for banks, NBFCs, fintechs, and financial institutions — anchored in 7 Sutras, structured across 6 Pillars, and operationalised through 26 targeted Recommendations.
Book Demo
Get Started
The foundational principles
The 7 Sutras
Guiding principles woven through the entire AI lifecycle — for every institution that builds, deploys, or governs AI in the Indian financial sector
Sutra 01
Trust is the Foundation
Trust is non-negotiable and should remain uncompromised
AI systems should enhance — not erode — public trust in the financial system. Trust must be the guiding force behind all actions taken across the entire AI lifecycle..
Sutra 02
People First
AI should augment human decision-making but defer to human judgment and citizen interest
Final authority must rest with humans. Citizens must be informed when interacting with AI. Human safety and interest are paramount.
Sutra 03
Innovation over Restraint
Foster responsible innovation with purpose
Responsible AI innovation aligned with societal values should be actively encouraged. All other things being equal, responsible innovation should be prioritised.
Sutra 04
Fairness and Equity
AI outcomes should be fair and non-discriminatory
AI systems must be designed and tested to ensure unbiased outcomes that do not discriminate against individuals or groups. AI should advance financial inclusion, not perpetuate exclusion.
Sutra 05
Accountability
Accountability rests with the entities deploying AI
Regulated entities remain fully accountable for all AI-driven decisions and outcomes, regardless of automation level. Accountability cannot be delegated to the model or algorithm.
Sutra 06
Understandable by Design
Ensure explainability for trust
Understandability is fundamental to trust and must be a core design feature, not an afterthought. AI systems must have disclosures and outputs that can be understood by the entities deploying them.
Sutra 07
Safety, Resilience and Sustainability
AI systems should be secure, resilient and energy efficient
AI systems must operate safely and be resilient to physical, infrastructural, and cyber risks. They should detect anomalies, provide early warnings, and prioritise energy efficiency.
Framework
6 Pillars, 26 Recommendations
Two complementary sub-frameworks — innovation enablement and risk mitigation — structured across six pillars
Infrastructure
Policy
Capacity
Protection
Governance
Assurance
Implementation timeline
Medium-term — Plan and implement
R14: Board-Approved AI Policy
R15: Data Lifecycle Governance (DPDP Act alignment)
R16: AI System Governance Framework
R18: Consumer Protection Framework
R20: Red Teaming (at least semi-annual for high-risk)
R24: AI Audit Framework
R26: AI Compliance Toolkit
Short-term — Act now
R1: Financial Sector Data Infrastructure
R2: AI Innovation Sandbox
R9: AI Institutional Framework (Standing Committee)
R23: AI Inventory within REs
R25: Disclosures by REs (annual reports, websites)
Who must comply?
The FREE-AI framework applies to all RBI Regulated Entities that develop, deploy, or use AI systems
1
Scheduled Commercial Banks
PSBs, private banks, foreign banks, small finance banks
2
NBFCs
All NBFC categories — lending, investment, infrastructure finance
3
Urban Cooperative Banks
Tier 2, 3, 4 UCBs using any AI or ML systems
4
All India Financial Institutions
NABARD, NHB, EXIM Bank, SIDBI and equivalents
5
Payment System Operators
UPI, card networks, payment aggregators and gateways
6
FinTechs and Tech Partners
Technology Service Providers supplying AI to REs
Important: Outsourcing does not transfer accountability
The FREE-AI framework explicitly states that when REs employ AI technologies developed by third parties, this does not diminish the RE's accountability. If your organisation uses an AI tool from a vendor — a credit scoring API, an LLM chatbot, a fraud detection platform — you remain responsible for its governance, validation, and compliance with the Sutras. The framework requires AI-specific due diligence clauses in outsourcing agreements.
Test your application
How Trusys maps to FREE-AI compliance
Trusys covers the evaluation, discovery, guardrail, and monitoring obligations across the FREE-AI framework. Use TruScout to discover your AI inventory and TruEval to test against the Sutras.
TruScout
Board-Approved AI Policy (R14)
TruScout discovers all AI systems across your estate and generates inventory data for policy framing.
TruScout + TruEval
AI System Governance Framework (R16)
TruScout maps AI models, vendors, data flows and risk classification. TruEval validates model behaviour before deployment.
TruEval
Red Teaming (R20)
TruEval runs adversarial red-team campaigns — prompt injection, jailbreaks, policy violations — across all AI applications.
TruScout
AI Inventory within REs (R23)
TruScout automatically discovers and catalogues every AI model, tool, LLM call, and third-party dependency in your stack.
TruEval
AI Audit Framework (R24)
TruEval provides structured audit-ready test results, pass/fail evidence, and bias evaluation reports for internal and third-party audits.
TruEval
Consumer Protection — Fairness and Bias (R18)
TruEval benchmarks AI outputs for demographic fairness, bias detection, and discriminatory outcome testing across your use cases.
TruGuard
Runtime Guardrails — Consumer Interaction (R18)
TruGuard enforces real-time policy controls, PII masking, and AI disclosure triggers for every customer-facing AI interaction.
TruPulse
Continuous Monitoring and Drift Detection (R16, R24)
TruPulse provides production observability, model drift detection, and continuous monitoring against established quality baselines.
Frequently Asked Questions
01.
Is the FREE-AI framework mandatory or advisory?
The FREE-AI Committee Report (August 2025) is a framework and set of recommendations submitted to the Governor of the RBI. The recommendations are addressed to Regulated Entities, RBI, regulators, and industry bodies. Some short-term recommendations are already progressing at the regulatory level. REs should treat the framework as the direction of imminent regulatory expectations — particularly obligations like AI inventory, board policy, red-teaming, and disclosures — and begin implementation now.
02.
Which RBI Regulated Entities does this apply to?
The framework explicitly covers all entities supervised by RBI: Scheduled Commercial Banks (public, private, foreign, small finance), Urban Cooperative Banks (Tier 2+), NBFCs, All India Financial Institutions (NABARD, NHB, EXIM, SIDBI), and Payment System Operators. It also applies indirectly to Technology Service Providers (TSPs) who supply AI to these entities — REs must now include AI-specific governance clauses in outsourcing agreements with TSPs.
03.
What is the most urgent obligation for a bank or NBFC deploying AI?
Recommendation 23 (AI Inventory) and Recommendation 14 (Board-Approved AI Policy) are the foundational actions. Without an accurate inventory of what AI systems are running, risk classification is impossible. Without a board policy, there is no governance framework. These should be pursued in parallel — TruScout addresses the discovery component, which feeds directly into the board policy's risk classification framework.
04.
How does the framework handle third-party AI (e.g., using OpenAI, Anthropic, or vendor AI)?
The framework is explicit: using a third-party AI model is not outsourcing (where the AI is used internally), but if a vendor uses AI to deliver an outsourced service to the RE, that is outsourcing and must be governed accordingly. In both cases, the RE remains fully accountable. The framework requires AI-specific clauses covering algorithmic bias, AI disclosure by vendors, data confidentiality, and governance in outsourcing agreements.
05.
What is Red Teaming under FREE-AI (Recommendation 20)?
The framework requires structured adversarial testing — prompt injection, data leakage probes, bias stress-tests, policy violation scenarios — conducted at periodic intervals. For medium and high-risk AI applications, red teaming must be at least semi-annual. It must also be triggered before major model updates, after vulnerabilities are detected, when the operational environment changes, or when regulatory requirements evolve. Results must be documented and accessible to audit and supervisory teams.
06.
Does FREE-AI cover GenAI (ChatGPT, Claude, Gemini) used internally by bank staff?
Yes. The framework explicitly covers the use of third-party or off-the-shelf AI tools (such as generative AI applications) for official purposes — drafting documents, report summarisation, data analysis — and requires this to be governed by the organisation's board-approved AI policy. REs must ensure that internal AI policy is compliant with national AI governance frameworks.
Trusys Advantage
Is your AI application FREE-AI ready?
Use TruScout to discover every AI system in your estate. Use TruEval to test against the 7 Sutras. Generate audit-ready evidence for RBI inspections.
Book a FREE-AI compliance walkthrough