The Reserve Bank of India (RBI) has ushered in a new era of artificial intelligence governance through its Framework for Responsible and Ethical Enablement of AI (FREE-AI). At the heart of this paradigm shift lies a seemingly procedural but crucial requirement for regulated entities: the creation and maintenance of an exhaustive inventory of AI systems. Far from being a mere compliance exercise, this inventory forms the bedrock for every other governance and risk management process in the realm of AI. 

Under the FREE-AI framework, the RBI’s definition of an AI system is notably broad and inclusive. It characterises AI as any machine-based system—regardless of complexity—that processes inputs to generate outputs, such as predictions, recommendations, content, or decisions, which in turn influence physical or virtual environments. This sweeping definition ensures that not only sophisticated machine learning models and generative AI technologies are covered, but also rule-based systems, statistical models, and even simple automation tools, provided their outputs have a tangible impact on the environment. As a result, crafting and maintaining an accurate AI inventory has become a complex and vital task for Indian banks and other regulated entities. 

The RBI expects this inventory to capture a detailed list of all AI models and algorithms in use, including their versions. It must also document the use cases and applications of these models, specify dependencies such as data sources and third-party components, and include risk categorisation based on the inherent risks posed by each system. Furthermore, the framework requires entities to track customer grievances linked to AI-driven decisions. The inventory is not a static record; it must be updated semi-annually and kept ready for audits, supervisory inspections, and ongoing risk monitoring. 

A significant aspect of the FREE-AI framework is its graded liability structure, which allows for tolerance in the event of first-time compliance lapses, provided regulated entities can demonstrate the presence of robust safety mechanisms. These mechanisms include incident reporting, thorough audits, red teaming exercises, and effective remediation processes. Crucially, the existence of a comprehensive AI inventory is a prerequisite for implementing such controls, as entities must first know where and how AI is being deployed before they can manage risks effectively. 

Banks should approach the creation of a comprehensive inventory as a strategic initiative rather than merely a regulatory requirement handled by technology or compliance teams. Establishing an inventory is more straightforward when retrospective coverage is limited; conversely, extensive coverage increases both complexity and cost. A well-maintained inventory enables the institution to identify and leverage existing capabilities, promoting the reuse of machinery and models rather than duplicating development efforts and capital expenditure. Additionally, it helps pinpoint common areas of use and recurring issues, supporting the development of standardised solutions that drive economies of scale and operational efficiencies. Ultimately, maintaining such an inventory represents a valuable investment for banks. 

Indian banks can look to the international banking sector for lessons in model inventory management. Global institutions have been honing these practices since the introduction of regulations like SR 11-7 over a decade ago. Their approach has evolved from managing only risk models to encompassing every system that influences decision-making—including complex, black-box AI and even deterministic calculators. These institutions typically follow a lifecycle approach, beginning with discovery and onboarding, followed by classification and integration of control activities. The level of oversight and validation is determined by the inherent risk associated with each system. 

For Indian banks, the path forward involves implementing a robust model discovery mechanism that identifies AI models across diverse business units and technology platforms. Once identified, these models must be onboarded into governance systems with metadata that aligns with RBI standards. Classification comes next, with risk scores assigned based on the impact, complexity, and sensitivity of the data handled by each AI application. Finally, the inventory must be tightly integrated with validation, monitoring, and audit workflows to ensure continuous compliance. 

The urgency behind this mandate cannot be overstated. Without a robust AI inventory, regulated entities will struggle to demonstrate compliance during inspections, apply risk-based controls effectively, or benefit from the tolerant liability stance offered by the RBI. In essence, the inventory is far more than a regulatory checkbox; it is the strategic foundation for responsible, transparent, and accountable AI governance in India’s rapidly evolving financial landscape. 

(The author is Partner – Financial Services Risk Consulting, EY India. Views are personal.)