The 2:17 AM Decision: Why AI auditing is banking’s new oversight


A loan gets approved at 2:17 a.m., no human on shift, no second pair of eyes. An AI model read the bank statements, guessed income, priced risk, and moved money. That speed is powerful, but dangerous. When models drift or learn the wrong lesson, the damage is instant: unfair denials, bad assets, and angry regulators. AI auditing is the control that proves these systems are fit to decide — how they’re built, what data they learn from, what tests they pass, and how they’re watched in production. The question is simple: if this model were a trader, would we let it trade without a rulebook and a supervisor?

That 2:17 a.m. decision needs a rulebook and a supervisor, and that is what AI auditing provides. Think of it as model-risk management upgraded for learning systems. It began with simple scorecards (document the data, test the model, log overrides). Today’s systems read documents, learn from feedback, run on vendor platforms, and can fail differently across languages and segments. So, AI auditing is an independent, evidence-based review of an AI system through its life: design, testing, deployment, and monitoring. It asks five plain questions: (1) What is the system for, and who uses it? (2) What data were used, with what provenance and consent? (3) What tests prove it works: accuracy with uncertainty, robustness under data shifts and attacks, privacy and fairness by segment? (4) How are decisions explained to risk teams, frontline staff, and customers? (5) How is it watched in production, paused safely, and improved?

The essential blueprint: FREE-AI and the global playbook

Set against those five questions, the familiar Indian rulebooks show clear gaps. For instance, the DPDP Act protects data rights, but because AI models use data to learn and predict, it says little about complex model behavior like fairness by segment, model drift over time, or the need for human override in automated decisions. This is where RBI’s FREE-AI framework adds substance for the banking sector. FREE-AI grounds AI governance in practical requirements that address these gaps, such as establishing clear model ownership, ensuring data provenance, conducting rigorous lifecycle testing, and enforcing strong third-party accountability. In short, FREE-AI gives banks a practical reference to turn those five fundamental questions into AI auditable controls.

So, where should banks look for a playbook? Do we really need to reinvent the wheel? The answer is no; a complementary playbook already exists in the triad of RBI’s FREE-AI Framework, NIST’s AI RMF, and CSA’s AICM. FREE-AI establishes the ‘why’ (ethical principles) and the vision for what banks must achieve: a fair, ethical, and responsible structure. The NIST AI RMF suggests the ‘how’ by proposing a continuous risk management cycle (GOVERN, MAP, MEASURE, MANAGE), which embeds safety into the model development culture. Finally, the CSA’s AICM delivers the specific ‘what’ by listing exact, vendor-agnostic technical controls across key domains like data, security, and governance. Collectively, these frameworks provide banks with the necessary principles, process, and checklist to translate AI trust into auditable checks. In our view, these three frameworks together fit hand in glove.

It takes a village to audit a machine; who leads, and who follows?

We believe establishing AI auditing controls in the Indian banking sector will be a critical, multi-stakeholder effort. FREE-AI has already set the guidelines, essentially defining the ‘what’, and it demands that all AI systems demonstrate assurance, fairness, and clear explainability. We believe the real heavy lifting, the ‘how’, falls to the regulated banks, NBFCs and their auditors. Their challenge, and their vital contribution, is converting these mandates into practical, daily operations. This involves constantly checking AI-driven decisions for ethical fairness and, frankly, getting a firm grip on the inherent risks that complex models bring. Critically, the bank’s internal technical units will serve as the technical backbone. They are tasked with implementing the actual control systems. This includes ensuring that AI data is meticulously tracked and secured, thereby preserving the complete audit trail. This collective effort, in our view, is what will ensure that AI adoption is fully auditable.

Accepting imperfection: Pragmatic AI guardrails

So, the immediate issue is practical and, let’s be frank, some controls we want aren’t easy to achieve today. For instance, deep models won’t be fully explainable; GenAI won’t be hallucination-free; bias cannot be zero; provenance and vendor transparency are patchy.

The workable path, therefore, isn’t about chasing perfection; it’s about establishing pragmatic guardrails. This demands that banks prioritise interpretable models for high-stakes use, cap and constantly monitor model behaviour by segment, and meticulously document any data gaps. Furthermore, banks must establish pragmatic guardrails through aggressive testing and staged model updates for stability and security. Defensively, they must use targeted data privacy methods and demand vendor accountability. We conclude that the minimum standard for today’s deployment is continuous monitoring, always backed by a tested ‘kill-switch’ capability.

(Pramod C Mane is with the National Institute of Bank Management, Pune, and Sidharth Mahapatra is with the Data & Analytics Centre (DnA), Canara Bank, Bengaluru)

Published – October 28, 2025 06:30 am IST


