
India's Third Path: A Governance Framework Built on Graded Liability, Not Prescription
The Ministry of Electronics and Information Technology has published an AI governance framework that does not look like the EU AI Act and does not look like Washington's executive-order patchwork. It looks like something neither has tried.
The most consequential governance debate of this decade has been organised around a binary. Brussels has built the European Union AI Act — a prescriptive product-safety regime that classifies AI systems by risk tier and imposes documentation, evaluation, and human-oversight obligations corresponding to each tier. Washington, after a brief 2023 executive-order moment, has settled into a fragmented state-by-state pattern with no binding federal law. The conventional framing is that the world's third-largest AI market must, eventually, choose between the European model and the American one.
India has now indicated that it intends to do neither.
The Ministry of Electronics and Information Technology has published the India AI Governance Guidelines — a framework drafted by a committee that began its work in July 2025 and tabled the result through the IndiaAI Mission. The framework is not a statute. It does not create new criminal or administrative penalties. It does not classify AI systems into prescribed tiers with associated compliance obligations. And it explicitly disclaims the European approach of treating AI as a product-safety problem.
What it does instead is propose a "graded liability" regime anchored in seven guiding principles — the document calls them sutras — that allocate responsibility along three axes: function performed, level of model autonomy, and demonstrated due diligence at deployment.
This is a third path, and it deserves to be read carefully — not because India has solved the AI governance problem, but because the framework rests on a set of assumptions that the European and American debates have largely refused to make.
What graded liability actually proposes
The framework's central idea is that responsibility for an AI system's harms cannot be assigned categorically — to "the model" or "the developer" or "the deployer" — but must be apportioned by examining what each party in the chain actually did and whether they exercised reasonable care.
Three illustrative cases make this concrete.
A foundation-model laboratory that trains a general-purpose model and releases it under licence to downstream developers carries a different responsibility than a sectoral application company that deploys the model in healthcare with patient data. The framework would assign primary liability to the deployer for use-case-specific harms, but would also impose a continuing obligation on the laboratory to disclose known risks, document training-data provenance, and respond to incident reports.
An automated decision system used by a bank for credit underwriting would carry heavier obligations than a chatbot used by the same bank for customer service. The risk to a consumer of a wrong credit decision is materially larger than the risk of a wrong chatbot answer. Graded liability scales the regulatory burden to the realised consequence, not to a category code.
A start-up that fine-tunes an open-weights model and deploys it without any evaluation would face stronger downstream liability than one that documents its evaluations, monitors deployment, and maintains a clear incident-response process. Demonstrated due diligence reduces exposure. Absence of due diligence increases it.
This is, in shape, the structure of common-law negligence applied to a new technical domain — and that is intentional. The framework leans heavily on existing Indian statutory instruments — the Information Technology Act of 2000, the Digital Personal Data Protection Act of 2023, sectoral regulators in finance, healthcare, and telecommunications — to do the actual enforcement. The Guidelines are the connective tissue, not a new code.
Why this is a different bet from the European one
The European AI Act treats AI as a product. Products have defined risk tiers. High-risk products carry conformity-assessment obligations before they may be placed on the market. The state's role is to verify, ex ante, that a product meets specified safety requirements.
The Indian framework treats AI as a practice. Practices have practitioners who exercise — or fail to exercise — reasonable care. The state's role is to ensure that when harm occurs, responsibility can be allocated honestly, and that the existing legal infrastructure is capable of doing so.
The two stances rest on different intuitions about what AI actually is.
The European stance assumes that AI systems are sufficiently stable and well-understood that a regulator can write down ex-ante criteria for what counts as safe. This is plausible for narrow systems with bounded behaviour. It strains for general-purpose foundation models whose capability profile changes with each release.
The Indian stance assumes that AI systems are sufficiently dynamic that ex-ante product-safety regulation will always be one model generation behind, and that the more durable lever is to ensure ex-post liability assignment is rigorous, predictable, and cheap to invoke. This is plausible for general-purpose systems in evolving deployment contexts. It is harder to reconcile with strict-liability harms that cannot be undone after the fact.
Neither stance is obviously correct. They are different bets on which failure mode of AI governance is worse: under-regulating an emerging technology and accepting harms, or over-regulating a fast-moving one and accepting reduced beneficial deployment. Brussels has bet that under-regulation is the worse failure. Delhi has bet the opposite.
The principles, in plain language
The seven sutras of the framework can be paraphrased without much loss as follows.
One. AI development and deployment should serve societal benefit and not be optimised purely for commercial advantage.
Two. Existing legal frameworks remain authoritative. New AI-specific obligations should be additive, not replacements.
Three. Liability should follow function and risk, not categorical labels.
Four. Institutional coordination across ministries and sectoral regulators is preferable to a single dedicated AI regulator.
Five. Innovation should not be sacrificed in pursuit of theoretical safety.
Six. Techno-legal solutions — meaning compliance mechanisms that combine law with technical tools such as watermarking, audit logs, and capability evaluations — are preferred over purely legal solutions.
Seven. The framework itself should be revised iteratively as the technology evolves.
A sympathetic reader will see in this a coherent regulatory philosophy that takes AI seriously without fetishising it. A sceptical reader will see a framework with significant interpretive latitude that may be hard to enforce consistently across the Indian state's many regulatory layers.
Both readings have merit, and the framework will be judged less on its words than on its first three or four enforcement actions over the next two years.
What this means beyond India
The Indian framework is not a global proposal. It is, at this stage, a unilateral national choice. But because India is the world's third-largest AI deployment market and because its diaspora staffs a meaningful portion of the world's frontier AI laboratories, the framework will exert influence well beyond its borders.
Three specific transmissions are likely.
To other middle-income economies considering their own framework. Indonesia, Brazil, Mexico, South Africa, Egypt, and Vietnam are all in early stages of drafting AI governance instruments. The Indian framework offers a model that does not require the institutional capacity of the European Commission and does not invite the political fragmentation of the American state-by-state approach. For middle-income economies that share India's structural problem — limited regulatory capacity, large informal economy, fast-moving deployment — the Indian template will be easier to adopt than either Western alternative.
To multilateral AI governance forums. The G20, the OECD, the United Nations General Assembly's AI resolutions, and the AI Safety Summit series have all been working toward consensus on what "responsible AI governance" looks like. Until now, that conversation has been organised around the European model with American dissent. The Indian framework introduces a third reference point that is likely to anchor the position of many Global South negotiators.
To Western frontier laboratories themselves. The graded-liability approach places real obligations on deploying entities, but it places lighter ex-ante obligations on foundation-model providers. For a laboratory that wishes to make its model available in the Indian market without facing the European AI Act's conformity-assessment regime, the Indian framework is structurally friendlier. This will, on the margin, accelerate AI deployment within India relative to Europe.
The honest critique
The framework deserves a sympathetic reading and also a critical one. Three concerns deserve airtime.
The first is enforcement capacity. Graded liability requires courts and regulators capable of distinguishing reasonable due diligence from negligent deployment in a domain that requires technical sophistication. India's existing courts and regulators are excellent in some sectors and considerably less so in others. The framework's reliance on existing statutory instruments is only as strong as the institutions that operate those instruments.
The second is harms that resist ex-post correction. Some AI harms — large-scale election manipulation, autonomous-system-driven financial market disruption, biosafety-relevant model misuse — cannot be adequately addressed by ex-post liability. They require ex-ante prevention because the harm, once realised, cannot be undone. The Indian framework acknowledges this in the seven sutras but does not provide a clear mechanism for it.
The third is interpretive ambiguity in early enforcement. The first two or three enforcement actions under the framework will set precedent that determines whether "graded liability" becomes a coherent legal doctrine or a regulatory free-for-all. Those early cases will be politically charged, and the institutional incentives to interpret narrowly will be strong.
These critiques do not invalidate the framework. They identify the work that must follow it.
The Federation's reading
The Indian framework is the most interesting AI governance instrument published in 2026, and not primarily because it is good. It is interesting because it forces the international debate to acknowledge that there are more than two viable approaches.
For the global civic conversation, that is a useful expansion. Governance frameworks that travel are typically the ones that solve a real local problem in a way that other societies recognise as legible. The European AI Act has not yet travelled well — it requires institutional capacity that few non-EU jurisdictions possess. The Indian framework, if it works at home, may travel further.
We will be watching the first enforcement actions. Their character will tell us whether the third path is a real road or a wish.
The Global Federation covers AI governance with the conviction that good governance is built on honest accounting of what each model can be reasonably asked to do.