RBI FREE AI Framework

India's landmark AI governance framework for banks, NBFCs, fintechs, and financial institutions — anchored in 7 Sutras, structured across 6 Pillars, and operationalised through 26 targeted Recommendations.

The foundational principles

The 7 Sutras

Guiding principles woven through the entire AI lifecycle — for every institution that builds, deploys, or governs AI in the Indian financial sector

Sutra 01

Trust is the Foundation

Trust is non-negotiable and should remain uncompromised

AI systems should enhance — not erode — public trust in the financial system. Trust must be the guiding force behind all actions taken across the entire AI lifecycle.

Sutra 02

People First

AI should augment human decision-making but defer to human judgment and citizen interest

Final authority must rest with humans. Citizens must be informed when interacting with AI. Human safety and interest are paramount.

Sutra 03

Innovation over Restraint

Foster responsible innovation with purpose

Responsible AI innovation aligned with societal values should be actively encouraged. All other things being equal, responsible innovation should be prioritised.

Sutra 04

Fairness and Equity

AI outcomes should be fair and non-discriminatory

AI systems must be designed and tested to ensure unbiased outcomes that do not discriminate against individuals or groups. AI should advance financial inclusion, not perpetuate exclusion.

Sutra 05

Accountability

Accountability rests with the entities deploying AI

Regulated entities remain fully accountable for all AI-driven decisions and outcomes, regardless of automation level. Accountability cannot be delegated to the model or algorithm.

Sutra 06

Understandable by Design

Ensure explainability for trust

Understandability is fundamental to trust and must be a core design feature, not an afterthought. AI systems must have disclosures and outputs that can be understood by the entities deploying them.

Sutra 07

Safety, Resilience and Sustainability

AI systems should be secure, resilient and energy efficient

AI systems must operate safely and be resilient to physical, infrastructural, and cyber risks. They should detect anomalies, provide early warnings, and prioritise energy efficiency.

Framework

6 Pillars, 26 Recommendations

Two complementary sub-frameworks — innovation enablement and risk mitigation — structured across six pillars

Infrastructure

  1. Financial Sector Data Infrastructure
  2. AI Innovation Sandbox
  3. Incentives and Funding Support
  4. Indigenous Financial Sector AI Models
  5. Integrating AI with DPI

Policy

  1. Adaptive and Enabling Policies
  2. Enabling AI-Based Affirmative Action
  3. AI Liability Framework
  4. AI Institutional Framework

Capacity

  1. Capacity Building within REs
  2. Capacity Building for Regulators and Supervisors
  3. Framework for Sharing Best Practices
  4. Recognise and Reward Responsible AI Innovation

Protection

  1. Consumer Protection
  2. Cybersecurity Measures
  3. Red Teaming
  4. Business Continuity Plan for AI Systems
  5. AI Incident Reporting Framework

Governance

  1. Board-Approved AI Policy
  2. Data Lifecycle Governance
  3. AI System Governance Framework
  4. Product Approval Process

Assurance

  1. AI Inventory within REs and Sector-Wide Repository
  2. AI Audit Framework
  3. Disclosures by REs
  4. AI Toolkit

Implementation timeline

Medium-term — Plan and implement

R14: Board-Approved AI Policy

R15: Data Lifecycle Governance (DPDP Act alignment)

R16: AI System Governance Framework

R18: Consumer Protection Framework

R20: Red Teaming (at least semi-annual for high-risk)

R24: AI Audit Framework

R26: AI Compliance Toolkit

Short-term — Act now

R1: Financial Sector Data Infrastructure

R2: AI Innovation Sandbox

R9: AI Institutional Framework (Standing Committee)

R23: AI Inventory within REs

R25: Disclosures by REs (annual reports, websites)

Who must comply?

The FREE-AI framework applies to all RBI Regulated Entities that develop, deploy, or use AI systems

  1. Scheduled Commercial Banks: PSBs, private banks, foreign banks, small finance banks
  2. NBFCs: All NBFC categories — lending, investment, infrastructure finance
  3. Urban Cooperative Banks: Tier 2, 3, 4 UCBs using any AI or ML systems
  4. All India Financial Institutions: NABARD, NHB, EXIM Bank, SIDBI and equivalents
  5. Payment System Operators: UPI, card networks, payment aggregators and gateways
  6. FinTechs and Tech Partners: Technology Service Providers supplying AI to REs

Important: Outsourcing does not transfer accountability

The FREE-AI framework explicitly states that when REs employ AI technologies developed by third parties, this does not diminish the RE's accountability. If your organisation uses an AI tool from a vendor — a credit scoring API, an LLM chatbot, a fraud detection platform — you remain responsible for its governance, validation, and compliance with the Sutras. The framework requires AI-specific due diligence clauses in outsourcing agreements.

How Trusys maps to FREE-AI compliance

Trusys covers the evaluation, discovery, guardrail, and monitoring obligations across the FREE-AI framework. Use TruScout to discover your AI inventory and TruEval to test against the Sutras.

TruScout

Board-Approved AI Policy (R14)

TruScout discovers all AI systems across your estate and generates inventory data for policy framing.

TruScout + TruEval

AI System Governance Framework (R16)

TruScout maps AI models, vendors, data flows and risk classification. TruEval validates model behaviour before deployment.

TruEval

Red Teaming (R20)

TruEval runs adversarial red-team campaigns — prompt injection, jailbreaks, policy violations — across all AI applications.

TruScout

AI Inventory within REs (R23)

TruScout automatically discovers and catalogues every AI model, tool, LLM call, and third-party dependency in your stack.

TruEval

AI Audit Framework (R24)

TruEval provides structured audit-ready test results, pass/fail evidence, and bias evaluation reports for internal and third-party audits.

TruEval

Consumer Protection — Fairness and Bias (R18)

TruEval benchmarks AI outputs for demographic fairness, bias detection, and discriminatory outcome testing across your use cases.

TruGuard

Runtime Guardrails — Consumer Interaction (R18)

TruGuard enforces real-time policy controls, PII masking, and AI disclosure triggers for every customer-facing AI interaction.

TruPulse

Continuous Monitoring and Drift Detection (R16, R24)

TruPulse provides production observability, model drift detection, and continuous monitoring against established quality baselines.

Frequently Asked Questions

01. Is the FREE-AI framework mandatory or advisory?

The FREE-AI Committee Report (August 2025) is a framework and set of recommendations submitted to the Governor of the RBI. The recommendations are addressed to Regulated Entities, RBI, regulators, and industry bodies. Some short-term recommendations are already progressing at the regulatory level. REs should treat the framework as the direction of imminent regulatory expectations — particularly obligations like AI inventory, board policy, red-teaming, and disclosures — and begin implementation now.

02. Which RBI Regulated Entities does this apply to?

The framework explicitly covers all entities supervised by RBI: Scheduled Commercial Banks (public, private, foreign, small finance), Urban Cooperative Banks (Tier 2+), NBFCs, All India Financial Institutions (NABARD, NHB, EXIM, SIDBI), and Payment System Operators. It also applies indirectly to Technology Service Providers (TSPs) who supply AI to these entities — REs must now include AI-specific governance clauses in outsourcing agreements with TSPs.

03. What is the most urgent obligation for a bank or NBFC deploying AI?

Recommendation 23 (AI Inventory) and Recommendation 14 (Board-Approved AI Policy) are the foundational actions. Without an accurate inventory of what AI systems are running, risk classification is impossible. Without a board policy, there is no governance framework. These should be pursued in parallel — TruScout addresses the discovery component, which feeds directly into the board policy's risk classification framework.

04. How does the framework handle third-party AI (e.g., using OpenAI, Anthropic, or vendor AI)?

The framework is explicit: using a third-party AI model internally is not outsourcing, but if a vendor uses AI to deliver an outsourced service to the RE, that is outsourcing and must be governed accordingly. In both cases, the RE remains fully accountable. The framework requires AI-specific clauses in outsourcing agreements covering algorithmic bias, AI disclosure by vendors, data confidentiality, and governance.

05. What is Red Teaming under FREE-AI (Recommendation 20)?

The framework requires structured adversarial testing — prompt injection, data leakage probes, bias stress-tests, policy violation scenarios — conducted at periodic intervals. For medium and high-risk AI applications, red teaming must be at least semi-annual. It must also be triggered before major model updates, after vulnerabilities are detected, when the operational environment changes, or when regulatory requirements evolve. Results must be documented and accessible to audit and supervisory teams.

06. Does FREE-AI cover GenAI (ChatGPT, Claude, Gemini) used internally by bank staff?

Yes. The framework explicitly covers the use of third-party or off-the-shelf AI tools (such as generative AI applications) for official purposes — drafting documents, report summarisation, data analysis — and requires this to be governed by the organisation's board-approved AI policy. REs must ensure that internal AI policy is compliant with national AI governance frameworks.

Trusys Advantage

Is your AI application FREE-AI ready?

Use TruScout to discover every AI system in your estate. Use TruEval to test against the 7 Sutras. Generate audit-ready evidence for RBI inspections.
