Artificial intelligence has quietly moved from the fringes of speculative technology into the operational core of institutions that shape human lives — courts, hospitals, banks, and government agencies. As algorithmic systems take on an expanding share of consequential decision-making, a fundamental legal question has moved to the forefront: when an AI system causes harm, who bears responsibility?

The Problem of Diffused Accountability

Traditional legal frameworks are built around the concept of identifiable human agents. Tort law, contract law, and criminal liability all presuppose that a person or legal entity made a decision, took an action, or failed to act. Artificial intelligence, however, distributes decision-making across a chain of actors — the developers who build the model, the organisations that deploy it, the data providers who shape its behaviour, and the regulators who oversee the sector. In this diffuse architecture, accountability is easily passed from one actor to the next, leaving those harmed without a clear path to remedy.

This challenge is not merely theoretical. In India, algorithmic systems are already influencing bail decisions in certain jurisdictions, determining creditworthiness for millions of borrowers, and filtering job applicants across corporate India. The harms that flow from erroneous, biased, or opaque algorithmic outputs are real — and so far, largely unaddressed by the law.

"When a machine makes a consequential decision, the law must ask not only who built the machine, but who authorised its use, who benefited from it, and who failed to exercise adequate oversight."

Comparative Regulatory Approaches

The European Union's AI Act, which came into full force in 2024, represents the most comprehensive attempt to date to regulate artificial intelligence on a risk-tiered basis. Systems classified as high-risk — including those used in credit scoring, employment decisions, and biometric surveillance — face stringent conformity assessments, mandatory human oversight requirements, and clear obligations on providers and deployers. Crucially, the Act attempts to assign liability along the deployment chain, recognising that the harm may originate from a model trained years before its deployment in a specific context.

The United States has taken a more sectoral, guidance-led approach. The NIST AI Risk Management Framework and executive orders from the Biden and Trump administrations have attempted to coordinate federal responses to AI risk, but legislative action has remained fragmented. The result is a patchwork of state-level initiatives — most notably California's series of AI transparency bills — and sector-specific agency guidance from bodies such as the FTC, OCC, and HHS.

India's Legislative Gap

India currently lacks a comprehensive AI regulatory framework. The Digital Personal Data Protection Act 2023 addresses data privacy but does not specifically regulate automated decision-making. The proposed National Data Governance Framework Policy signals awareness of the issue, but legislative articulation of AI liability remains absent. In the interim, affected individuals must rely on general tort principles, consumer protection law under the Consumer Protection Act 2019, and, in financial services, sector-specific RBI and SEBI guidance.

This gap creates practical difficulties. A borrower denied a loan by an algorithmic credit-scoring system has limited recourse under current law. A job applicant screened out by a recruitment AI has no statutory right to explanation. A defendant whose risk assessment was influenced by a predictive policing tool has no clear mechanism to challenge the algorithm's output in court.

Towards a Framework for AI Liability in India

Drawing on comparative experience and the specificities of the Indian legal and institutional context, any viable AI liability framework for India should incorporate at least three elements: mandatory explainability requirements for high-stakes AI systems; a clear allocation of liability between developers, deployers, and operators; and an accessible redress mechanism for individuals harmed by algorithmic decisions. The Parliamentary Standing Committee on Communications and Information Technology has previously recommended a dedicated AI regulatory body — the moment for legislative action is now.

As AI systems become more capable and more pervasive, the urgency of these questions will only intensify. The challenge for Indian legal scholarship is to develop frameworks that are both technically informed and rooted in constitutional values of dignity, equality, and the right to remedy.

Environmental, Social, and Governance (ESG) reporting has undergone a dramatic transformation in India over the past five years. What was once a voluntary, largely symbolic exercise for India's largest listed companies has become a regulatory mandate with significant implications for capital access, investor relations, and long-term strategic planning. The Securities and Exchange Board of India's Business Responsibility and Sustainability Report (BRSR) framework is at the centre of this shift — and understanding it is increasingly essential for management scholars, practitioners, and policymakers alike.

From BRR to BRSR: The Regulatory Journey

India's ESG disclosure journey began with the Business Responsibility Report (BRR), introduced by SEBI in 2012 for the top 100 listed companies by market capitalisation. The BRR was based on the National Voluntary Guidelines on Social, Environmental and Economic Responsibilities of Business, and required companies to report against nine principles covering ethics, product responsibility, employee welfare, and environmental stewardship. While pioneering for its time, the BRR suffered from vague disclosure standards, inconsistent adoption, and limited investor utility.

Recognising these limitations, SEBI introduced the BRSR framework in May 2021, mandating it for the top 1,000 listed companies from FY 2022-23. The BRSR is structurally more rigorous: it requires quantitative disclosures across a comprehensive set of metrics, is aligned with international standards including the GRI, SASB, and TCFD frameworks, and introduces a distinction between "essential" indicators (mandatory) and "leadership" indicators (voluntary but encouraged). From FY 2023-24, SEBI further introduced BRSR Core — a set of high-value, assurance-backed disclosures requiring third-party verification.

"ESG is no longer a CSR addendum. It is increasingly a lens through which institutional investors, credit rating agencies, and global supply chain partners assess the long-term viability of Indian enterprises."

The Investor Pressure Dimension

Regulatory mandate alone does not explain the urgency with which Indian corporates are approaching ESG. Global institutional investors — who collectively manage tens of trillions of dollars in assets — have increasingly embedded ESG criteria into their investment mandates. For Indian companies seeking foreign direct investment, listing on international exchanges, or access to green bond markets, credible ESG disclosure is no longer optional. Major index providers including MSCI and FTSE Russell have expanded their ESG ratings coverage of Indian companies, and a low ESG score can result in exclusion from key sustainability indices, with direct consequences for passive fund flows.

Challenges in Implementation

Despite genuine progress, significant implementation challenges persist. Smaller companies within the top-1,000 threshold often lack the internal capacity and data infrastructure to produce credible, auditable ESG disclosures. Supply chain ESG mapping — required under Scope 3 emissions reporting — remains nascent for most Indian businesses. The quality of third-party assurance providers in the Indian market is uneven, raising concerns about the reliability of verified disclosures. And there is a persistent tension between standardised reporting templates and the sector-specific materiality of ESG risks, which varies enormously between a pharmaceutical company, a steel manufacturer, and a software firm.

Looking forward, the integration of ESG considerations into core business strategy — rather than treating them as a compliance exercise — is the defining challenge for Indian management practice. Companies that develop robust ESG data systems, embed sustainability metrics into executive compensation, and engage meaningfully with their stakeholder ecosystems will be better positioned to attract capital, manage regulatory risk, and build durable competitive advantage in an economy where environmental and social performance is increasingly material.

In November 2023, a deepfake video of a prominent Bollywood actress went viral across Indian social media platforms, triggering a national debate about the adequacy of India's legal framework for synthetic media. The incident was not an isolated one — deepfake-based electoral disinformation, non-consensual intimate imagery, and fraudulent voice cloning have all surfaced in India with increasing frequency. Yet as the technology proliferates, the legislative response has remained tentative, reactive, and structurally ill-equipped to address the scale of the problem.

What Are Deepfakes and Why Do They Matter?

Deepfakes are synthetic media — video, audio, or images — generated using deep learning techniques, particularly generative adversarial networks (GANs) and diffusion models. Unlike earlier forms of digital manipulation, modern deepfake tools require minimal technical expertise and are increasingly accessible through consumer applications. The resulting content can be extraordinarily convincing, making detection difficult even for trained observers.

The harms associated with deepfakes span a wide spectrum: non-consensual intimate imagery (a predominantly gendered harm), electoral disinformation, financial fraud through CEO impersonation, reputational damage, and the destabilisation of epistemic trust — the social capacity to distinguish true from false. In a democracy like India, where over 700 million people access the internet and social media plays an outsized role in political communication, the implications for democratic integrity are profound.

"The threat posed by synthetic media is not merely technological — it is fundamentally a challenge to the evidentiary and epistemic foundations of law, democracy, and public trust."

The Current Legal Framework: A Patchwork Response

India does not have deepfake-specific legislation. The Information Technology Act 2000 and its 2008 amendments provide some relevant provisions — Section 66E (violation of privacy), Section 67 (obscene material), and Section 67A (sexually explicit content) — but these were drafted long before synthetic media became a practical reality. The applicability of these provisions to AI-generated content involves significant interpretive uncertainty.

The IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 require platforms to take down flagged content within specified timeframes, and the 2023 amendments introduced tighter obligations around synthetic and misleading content. The Ministry of Electronics and Information Technology (MeitY) issued advisories to platforms in late 2023, directing them to label AI-generated content and remove deepfakes that violate existing law. However, advisories are not law — they carry no penalties for non-compliance and do not create enforceable rights for victims.

Comparative Approaches: Learning from Global Regulation

Several jurisdictions have moved more decisively. China introduced specific deepfake regulations in 2022, requiring providers of deep synthesis services to label AI-generated content and obtain user consent for identity replication. The EU's AI Act classifies certain deepfake-generating systems as high-risk and requires mandatory disclosure when AI is used to generate or manipulate content. In the United States, California, Texas, and Virginia have enacted state-level legislation criminalising non-consensual deepfake pornography, while the federal DEEPFAKES Accountability Act has been repeatedly introduced in Congress.

India's response must be calibrated to its own context — including the scale of its social media user base, the capacity of its enforcement institutions, and the political sensitivity of regulating content in the run-up to elections. But inaction carries its own risks. The 2024 general elections saw multiple instances of AI-generated political content circulating on social media, with limited recourse under existing law. As generative AI capabilities continue to improve, the window for effective regulatory intervention is narrowing. A dedicated deepfake regulatory framework — covering mandatory labelling, victim redress mechanisms, and platform liability — is an urgent legislative priority.