Governance

AI Content Moderation Rules in India: Navigating the 2026 IT Rules Amendment

May 18, 2026

49 Min Read

AI Generated Image

The Great Re-Regulation of the Indian Internet

India’s digital policy environment didn’t just evolve on February 20, 2026; it lurched forward. Enter the AI content moderation rules in India that came with the IT Rules Amendment in 2026

For years, platforms operating in India had been working under the 2021 version of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules. Social networks, messaging apps, and content platforms all more or less played by the same script: wait for a complaint, assess it within the prescribed window, and act if the law demanded it. The system was reactive by design. Someone posted harmful content, someone reported it, and the machinery moved from there.

That model made sense in an internet shaped largely by human behavior—human uploads, human edits, human intent.

That internet feels distant now.

Generative AI has changed the economics of deception in a way policymakers can’t ignore. What once took specialist software, expensive hardware, or even a production team can now happen on a mid-range laptop in a bedroom. Deepfakes, voice clones, non-consensual intimate images, and synthetic impersonation, stuff that used to feel fringe, now show up in everyday moderation queues.

Against that backdrop, the Ministry of Electronics and Information Technology (MeitY) issued the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026, through Gazette Notification G.S.R. 120(E), formally moving India beyond the 2021 “due diligence” era and into something far more interventionist—what many legal practitioners are already calling the Active Moderation era.

And that distinction matters.

Because if you’re running an AI-enabled platform in India today, compliance isn’t something your legal team revisits once a quarter with a spreadsheet and a checklist. It’s product architecture. It’s engineering. It’s trust and safety. It’s what happens before content ever reaches a user.

In practical terms, that means moderation logic, labelling systems, escalation workflows, provenance tracking, and incident-response protocols can’t be bolted on later. They need to exist before your first piece of AI-generated content goes live.

This isn’t just regulation catching up.

It’s regulation moving directly into the product stack.

At A Glance: India’s 2026 AI Content Moderation Rules

The Shift: The 2026 IT Rules Amendment shifts India from a reactive “due diligence” model to a proactive “Active Moderation” mandate for all AI-integrated platforms serving Indian users, effective February 20, 2026.
Defining SGI: The rules introduce a legal definition for Synthetically Generated Information (SGI)—audio, visual, or audio-visual content algorithmically created or altered to appear real. (Pure generative text is currently excluded).
The 2-Hour Takedown: Platforms face drastically compressed takedown windows. Upon receiving a court order or government notice, unlawful general content must be removed within 3 hours, while high-risk categories like non-consensual intimate imagery (NCII) and deepfakes carry a strict 2-hour window.
Labeling & Traceability: Mandatory “clear and prominent” labeling (visual or audio prefixed) for lawful SGI is required. Intermediaries must also, where technically feasible, embed permanent provenance metadata (unique identifiers) to trace SGI origins.
SSMI Obligations: Significant Social Media Intermediaries (over 5 million users) must implement pre-publication user declaration checkpoints for SGI uploads and deploy technical verification measures.
Safe Harbour Risk: Non-compliance can strip platforms of Section 79 Safe Harbour protection under the IT Act, exposing them to direct civil damages and criminal prosecution for third-party content.

The Legal Framework: From IT Rules 2021 to the 2026 Amendments

Evolution of the Information Technology (Intermediary Guidelines) Rules

India’s approach to regulating online platforms hasn’t arrived in one dramatic sweep. It’s been built in layers, sometimes cautiously, sometimes abruptly, usually in response to whatever technological shift forced the government’s hand.

The starting point was the Information Technology Act, 2000. At the time, the internet looked very different—email chains, static websites, early forums, maybe the odd chat room. Section 79 of that Act gave “intermediaries” a critical shield: if you were hosting or transmitting third-party content rather than creating it yourself, you generally weren’t liable for what users posted, provided you exercised what the law called “due diligence.”

Simple in theory. Messier in practice.

That broad principle was later operationalized through the Information Technology (Intermediary Guidelines) Rules, 2011. Then, as platforms became bigger, faster, and much more socially consequential, those rules were replaced by the far more detailed IT Rules 2021.

That’s when things got serious.

The 2021 rules introduced a tiered compliance framework. Smaller intermediaries still had obligations- publish terms of service, appoint grievance contacts, respond to complaints within fixed timelines, but “Significant Social Media Intermediaries” (SSMIs), meaning platforms with over five million registered users in India, faced a much heavier burden.

They had to maintain traceability mechanisms. Publish monthly compliance reports. Appoint resident compliance officers in India. Build systems that looked less like startups and more like regulated institutions.

The full text of the 2021 IT Rules remains available directly from MeitY.

But there was one thing those 2021 rules didn’t really anticipate:

Generative AI at scale.

In 2021, a deepfake upload still felt unusual—something niche, technically involved, maybe even a bit experimental. By 2025, it had become something any teenager with a smartphone app could generate between lunch and dinner.

That changed the risk profile overnight.

A growing stream of government advisories followed, including a notable 2023 advisory warning platforms about deepfakes, and the direction of travel became hard to miss. MeitY wasn’t just nudging platforms anymore. It was preparing to legislate.

That momentum eventually culminated in the 2026 amendment, analyzed in detail by Chambers and Partners.

What Are the New Social Media Rules in India 2026?

One thing that’s easy to misunderstand: the 2026 amendment does not replace the 2021 rules.

It sits on top of them.

Legally, the amendment derives its authority from Section 87(1) and Section 87(2)(z) and (zg) of the IT Act, 2000. In practical terms, that means all your existing compliance obligations under the 2021 framework still exist. The new SGI-related obligations- labeling, provenance, takedowns, automated detection- are additive and not alternative.

That distinction matters because a platform can be fully compliant with the 2021 framework and still fail the 2026 compliance test.

That’s the trap.

Another major shift is the move from advisory guidance to binding statutory obligation.

Before 2026, much of the government’s communication around AI harms—deepfakes especially—came through advisories. Those mattered politically, but legally they were softer. More pressure than enforcement.

The 2026 rules change that equation.

These obligations now carry statutory force. Failure to comply can trigger penalties under the IT Act, and in certain situations, exposure under provisions of the Bharatiya Nyaya Sanhita, 2023 as well.

For compliance teams, the clause-by-clause legislative breakdown from Shardul Amarchand Mangaldas is close to essential reading.

And India isn’t acting in isolation here.

Globally, regulators are all trying to answer the same uncomfortable question: what happens when synthetic content becomes indistinguishable from reality?

India’s answer is noticeably different from the EU’s.

Where the EU AI Act leans heavily into ex-ante risk classification and pre-deployment controls, India’s model is more incident-driven, platform-focused, and operationally reactive, at least for now.

For a useful comparative analysis, the RSIS International paper provides a broader policy lens.

Whether India eventually moves toward a more preventive framework remains to be seen.

But for now, the message is pretty clear:

If your platform touches AI-generated content and serves Indian users, compliance has officially moved out of policy decks and into production systems.

Defining “Synthetically Generated Information” (SGI)

What Counts as a Deepfake Under Indian Law?

One of the most important changes introduced by the 2026 amendment is that, for the first time, Indian law actually gives a formal name, and a legal definition, to a category of AI-generated content that regulators consider uniquely risky.

That category is Synthetically Generated Information, or SGI.

At its core, SGI covers audio, visual, or audio-visual content that has been artificially created, generated, modified, or altered using a computer resource in a way that makes it appear real, authentic, or truthful, and that portrays a person or an event in a way that could reasonably be mistaken for reality.

It sounds technical. Because it is.

But the policy logic behind it is pretty straightforward: regulators aren’t trying to control all AI content. They’re trying to control content that convincingly imitates reality, especially when that imitation can mislead, manipulate, embarrass, extort, or cause reputational harm.

Freshfields provides a detailed breakdown of the definition here.

And once you unpack the language, three implications stand out.

First, SGI is medium-specific.

The definition explicitly targets audio, visual, and audio-visual material.

That means text, at least for now, is outside this framework.

AI-generated articles, chatbot responses, product descriptions, even long-form LLM outputs they may raise other legal concerns, sure: defamation, fraud and harmful misinformation. But under the SGI definition itself? They’re not included.

That wasn’t an accident.

India’s lawmakers seem to have zeroed in on the category of synthetic content that tends to create the strongest emotional and social impact: things people see and hear, especially when those things appear indistinguishable from real human behaviour.

Second, the legal test is perception-based.

The question isn’t simply was AI involved?

The question is closer to:

Would an ordinary person believe this is real?

That’s a major distinction.

If an app sharpens an image, adjusts brightness, cleans background noise, or stabilizes shaky footage, AI might technically be involved, but unless those edits materially change reality or create a false impression, they don’t automatically become SGI.

Third, and this is where product teams start sweating a little, the law doesn’t rely purely on technical architecture. It relies on user perception.

Which means context matters.

A synthetic celebrity interview? High risk.

A fantasy avatar in a clearly fictional setting? Probably less so.

A cloned voice used in a prank call? Different story entirely.

The Legal Distinction: AI-Enhanced vs. AI-Generated Content

To avoid dragging every AI-assisted workflow into the compliance net, the amendment also creates explicit carve-outs.

That matters because without them, half the internet would probably need disclosure labels.

The law excludes three broad categories, provided they’re done in good faith and not intended to create false or misleading records.

Routine or good-faith editing

This includes things like formatting, compression, colour correction, transcription, or technical cleanup, basically edits that improve usability without changing the substance of the content.

So, if a social media app auto-enhances a photo before upload, that alone doesn’t make it SGI.

Routine or good-faith document creation

This includes presentations, PDFs, training decks, research materials and educational content.

If AI is helping generate these materials, but they’re not pretending to depict real people or real-world events, then they generally fall outside the SGI framework.

Accessibility improvements

This is a big one.

It includes caption generation, audio cleanup, translation, search indexing and voice-to-text conversion.

If AI is being used to make content easier to access or understand, without materially altering what’s being communicated, it’s explicitly protected.

Kan & Krishme reproduces the full carve-out language here.

Technical Deep Dive: Style Transfer, Face Swaps, and Generative Text

For product managers, ML engineers, trust-and-safety teams, this is usually where the real questions start.

Not what does the law say?

But where exactly does our product cross the line?

Here’s how that likely plays out:

Style Transfer

This includes turning a photo into a watercolor painting, adding anime filter and applying artistic effects.

These are usually safe.

As long as the content doesn’t impersonate a real person or fabricate a real event, it generally falls under routine editing.

Face Swaps / Deepfake Video

No ambiguity here.

If one person’s face is digitally inserted onto another person’s body or performance in a way that makes it look authentic, that’s squarely within SGI territory.

Honestly, this is almost the textbook example lawmakers had in mind.

Voice Cloning

Same principle appliers here.

If cloned audio makes it sound like a real, identifiable person said something they never said, that triggers SGI obligations.

AI-Generated Images of Real People

This is also high-risk.

If the image realistically depicts a real person and could be mistaken for an authentic photograph, it’s very likely SGI.

Fully Synthetic Characters

This gets murkier.

If the person doesn’t exist at all, the law becomes less explicit.

But from a compliance perspective, most platforms would be smart to label that content anyway. Regulators tend to care less about your technical argument than your risk posture.

Generative Text (LLM Outputs)

Still outside SGI.

But not outside the law.

Text outputs can still trigger obligations under existing IT Act provisions if they involve unlawful content, harassment, misinformation, or other regulated harms.

The ESYA Centre’s work on AI and copyright, especially around training data and synthetic content creation, adds another useful layer here.

At the operational level, the takeaway is simple:

Don’t ask only whether AI was used.

Ask whether AI was used in a way that makes fiction feel like fact.

That’s where SGI begins.

Mandatory AI Labeling and Technical Provenance

The Metadata Mandate: Embedding Persistent Disclosure

If the earlier sections define what SGI is, this part answers the harder question:

What exactly does a platform have to do once it identifies content as SGI?

And this is where the 2026 amendment stops sounding like policy language and starts sounding like engineering requirements.

The law introduces what’s essentially a two-layer disclosure model for lawful AI-generated content—content that may be synthetic, but isn’t prohibited.

Think of it as visibility on the outside, traceability underneath.

Layer 1 — Visible or Audible Labeling

The first requirement is public-facing.

If content qualifies as SGI, users need to know.

Not buried in metadata, not hidden behind an info icon, and not tucked away in some hover tooltip nobody taps.

The rules say the label must be “clear and prominent.”

That phrase sounds flexible, and it is, but don’t mistake flexibility for softness. Regulators love standards that sound broad because they leave room for interpretation later.

For visual content, that means a disclosure visible on-screen.

For audio content, it means an audible disclosure at the beginning of the clip.

What’s interesting is that earlier drafts of the amendment were much more prescriptive. The October 2025 draft reportedly proposed a visual watermark covering 10% of the content surface area. That number didn’t survive into the final rules.

Instead, lawmakers shifted to a functional standard: if a reasonable viewer can easily miss it, it probably doesn’t count.

Freshfields confirms this drafting change here.

So yes, platforms have design freedom.

But with that freedom comes risk.

A tiny grey label in the corner might look elegant in a product review meeting. It may look much less defensible in front of a regulator.

Layer 2 — Persistent Metadata / Provenance

The second requirement is less visible to users, but potentially more consequential legally.

Platforms must, where technically feasible, embed persistent metadata, or some equivalent provenance mechanism, into SGI content.

That metadata needs to include at least two things:

A unique identifier for the content.
Information identifying the intermediary’s computer resource used to create, generate, modify, or alter it.

That phrase—where technically feasible—is already attracting attention.

Some teams hear it and think exemption.

That’s risky.

Because “technically feasible” usually gets interpreted against prevailing industry standards, not your internal engineering backlog.

And right now, one of the biggest global reference points is C2PA (Coalition for Content Provenance and Authenticity), a framework that’s increasingly becoming the default conversation around content authenticity and provenance infrastructure.

In other words, if your competitors can do it, regulators may expect you to explain why you can’t.

How to Label AI-Generated Content Under India IT Rules

For engineering and product teams, compliance here isn’t a policy memo. It’s a workflow problem.

A practical implementation usually touches four stages.

At Creation

If your platform offers built-in AI tools that generate audio or video, provenance should be attached before content ever reaches the user.

Not later, not during moderation, but at generation.

That usually means automatically attaching C2PA-compatible metadata or an equivalent internal signature.

At Upload

Things get trickier when users upload externally generated content.

Your upload flow now needs some form of declaration checkpoint.

Did the user generate this synthetically?

If yes, or if your detection systems flag it as likely SGI, the platform needs to apply visible labelling before publication.

Not after it goes viral.

Before.

At Storage

This sounds boring until something breaks.

A lot of platforms unintentionally strip metadata during transcoding, compression, thumbnail generation, or CDN delivery.

That’s a compliance nightmare.

Because under the amendment, removing or obscuring labels isn’t just sloppy, it can create direct legal exposure.

Which means your storage pipeline, transcoding stack, and content delivery infrastructure all need to preserve SGI disclosures end-to-end.

No silent losses.

No accidental clean versions.

At Discovery

And then there’s the part most product teams overlook:

Labels shouldn’t disappear once content enters feeds, search, recommendations, previews, or thumbnails.

Because if users only see the label after clicking, the disclosure arguably failed its purpose.

The law doesn’t explicitly spell out every UX scenario here, but common sense probably will matter.

And so will enforcement trends.

The User-Declaration Rule: Implementing Checkpoints at the Point of Upload

For Significant Social Media Intermediaries (SSMIs), platforms with over five million registered users, the obligations go further.

Before content goes live, users must be asked whether what they’re uploading qualifies as SGI.

Sounds simple enough.

But the law doesn’t stop at asking.

Platforms also need to deploy “appropriate technical measures, including automated tools or equivalent mechanisms” to verify those declarations.

That language matters.

Because it means a checkbox alone won’t cut it.

Shardul Amarchand Mangaldas outlines this requirement here.

And here’s the uncomfortable reality:

No AI detection system today is consistently accurate enough to classify every image, every video, every voice sample, every edge case.

Not at scale, not across languages, not across compression formats and edits and memes and stitched videos and all the weird things users do online.

So, what’s the likely compliance model?

Most large platforms will end up with some version of a tiered review pipeline:

Automated detection for first-pass triage.
Confidence scoring for suspicious uploads.
Human escalation for borderline cases.
Audit trails documenting every override, exception, and dispute.

Messy? Yes.

Necessary? Absolutely.

The NASSCOM responsible AI survey notes that many Indian platforms are actively building these capabilities, but production-grade deployment is still a real challenge.

And honestly that may be the deeper story of this amendment.

The law is moving faster than the tooling.

Which means compliance, at least for now, won’t come from perfect detection.

It’ll come from defensible systems.

The 3-Hour Takedown Rule: Operationalizing Compliance

How Fast Must Platforms Remove Deepfakes in India?

Of everything introduced in the 2026 amendment, this may be the provision that hits operations teams the hardest.

Not because it’s conceptually complicated.

Because it changes the clock.

Under the 2021 IT Rules, platforms typically had 36 hours to act on unlawful content once they received a court order or an official government notice. That wasn’t leisurely by any means, but it gave moderation teams room to verify, escalate, document, and, if needed, argue internally before pulling the trigger.

That breathing room is gone.

Under the 2026 amendment, the timelines collapse dramatically as documented here.

Trigger	New Timeline	Old Timeline
Court order / government notice (unlawful content)	3 hours	36 hours
High-risk content (NCII, deepfakes, nudity, impersonation)	2 hours	24 hours
Complaints regarding content about individuals	36 hours	72 hours
General user grievances	7 days	15 days

Read that again for a second.

A platform hosting user-generated video, audio, or image content now has 120 minutes in certain cases to receive a complaint, verify the content, make a legal or policy determination, disable or remove it, notify relevant stakeholders, and preserve internal records.

That’s not just a policy update.

That’s an operating model rewrite.

MeitY’s official press release documenting the notification is available here.

And make no mistake, these are binding legal obligations, not aspirational service standards.

Miss the deadline, and you’re not just dealing with bad optics.

You could be looking at loss of safe harbour protection, regulatory scrutiny, or direct liability exposure.

Crisis Management: Workflow for NCII and Deepfake Removal

So, what does compliance actually look like when the clock is ticking?

In practice, platforms that host user-generated content, especially video, voice, or image content, need an incident-response model that can consistently function inside that two-hour window.

Not occasionally.

Consistently.

A workable framework usually breaks into four stages.

Stage 1 — Triage (0–20 minutes)

The complaint lands.

It could come from a user. A victim. Law enforcement. A court. A government authority.

The first system to touch it can’t be human alone.

At scale, that’s impossible.

So, the complaint gets routed through an AI-assisted triage system that classifies whether it potentially falls into a high-risk bucket:

NCII
Deepfake impersonation
Explicit sexual content
Identity misuse
Fraudulent synthetic media

Once classified, the content receives a severity tag, a timestamp, and immediate routing to the on-call moderation team.

No manual inboxes. No “we’ll review this shortly.”

Time starts now.

Stage 2 — Verification (20–60 minutes)

This is where human judgment still matters.

A trained moderator, or in some cases a senior automated review system backed by policy logic, reviews:

The content itself
The complaint details
The associated user account
Prior moderation history
Technical indicators (metadata, manipulation signals, upload origin)

The goal isn’t perfection.

The goal is defensibility.

Every action needs documentation:

What was reviewed?

Why was it flagged?

What indicators supported the classification?

Because if regulators ever ask why content was removed, or why it wasn’t, that audit trail becomes your legal defense.

Stage 3 — Action (60–90 minutes)

Once verified, the platform has to move.

That usually means one of three outcomes:

Immediate removal
Temporary disabling / quarantine pending final review
Senior escalation if the case is genuinely ambiguous

But here’s the operational trap:

Escalation loops can quietly kill compliance.

A “let’s send this to policy” email chain might feel reasonable internally. Legally, it could destroy your timeline.

Any escalation process needs a hard ceiling.

No extra review layer should add more than about 30 minutes.

Anything slower becomes a liability.

Stage 4 — Notification and Reporting (90–120 minutes)

Once action is taken, the clock still isn’t done.

Before the two-hour window closes, platforms may still need to:

Notify the complainant
Notify the content uploader (where legally permissible)
Update internal compliance logs
Preserve evidence for future appeals or law enforcement requests

That final piece, evidence preservation, is often overlooked.

And then six weeks later someone asks why there’s no audit trail.

The Role of AI in Moderation: Why Human-in-the-Loop Is Legally Insufficient

There’s been a lot of industry talk over the past few years about human-in-the-loop moderation.

It sounds reassuring.

Balanced. Responsible. Ethical.

And in many contexts, it is.

But under the 2026 amendment?

Human-in-the-loop, by itself, is no longer enough.

The law explicitly requires intermediaries to deploy “reasonable and appropriate technical measures, including automated tools or other suitable mechanisms” to prevent users from creating or distributing unlawful SGI.

That language changes everything.

Because it means AI moderation isn’t optional operational efficiency anymore.

It’s part of the legal duty itself.

And when you’re working inside a 180-minute deadline or 120 minutes for high-risk content, manual review simply cannot be the first layer on a platform operating at scale.

It becomes mathematically impossible.

So, the real-world compliance model now looks more like this:

Automated detection identifies likely violations in real time.
Risk scoring systems prioritize high-severity content.
Temporary quarantine systems limit spread before final review.
Human reviewers act as quality control, edge-case resolution, and legal escalation—not as the first filter.

The World Economic Forum’s Responsible AI Innovation Playbook offers a useful governance model here.

That said, there’s an obvious danger.

When you combine automated detection with brutal legal deadlines, platforms often start over-removing content just to stay safe.

And that’s not hypothetical.

Digital rights advocates, including observers cited here have already raised concerns about political speech, satire, journalism, and commentary disappearing under aggressive moderation pressure.

So yes, AI moderation may now be legally required.

But if platforms don’t build appeal systems, false-positive reviews, and accountability layers alongside it.

They may solve one compliance problem by creating another.

Section 79 and the “Safe Harbour” Paradox

Loss of Safe Harbour IT Act Consequences

For most internet platforms operating in India, Section 79 of the Information Technology Act, 2000 has always been the legal safety net.

It’s what allowed platforms to scale without being automatically held responsible for every post, video, comment, image, or voice note uploaded by users.

The logic was simple, if you’re merely hosting or transmitting third-party content, and you follow the law’s due diligence requirements, you generally aren’t liable for what users do.

That protection became the backbone of the platform economy.

Social media, forums, messaging platforms, marketplaces, Creator ecosystems and pretty much all of it.

But Section 79 was built for an older internet, one where platforms mostly argued they were passive conduits, not active participants.

Generative AI complicates that story a lot.

And the 2026 amendment makes that tension impossible to ignore.

Under the new rules, Significant Social Media Intermediaries (SSMIs) can now be deemed to have failed their due diligence obligations if it’s established that they knowingly permitted, promoted, or failed to act upon unlawful Synthetically Generated Information (SGI).

That wording matters more than it may seem.

Because historically, platforms could often lean on plausible ignorance:

We didn’t know the content existed.
We hadn’t received notice yet.
No formal complaint was filed.

That defense gets a lot weaker now.

If a platform has the technical capability, or is reasonably expected to have the capability, to detect deepfakes, synthetic impersonation, or other unlawful SGI, and still chooses not to deploy those systems regulators may treat that as constructive knowledge.

In other words:

Not knowing may no longer protect you if you reasonably should have known.

And for large platforms, that’s a serious shift.

Shardul Amarchand Mangaldas frames the liability implications here.

Understanding “Due Diligence” in the Age of Generative AI

In 2021, due diligence mostly meant governance hygiene.

Publish platform rules, appoint officers, respond to complaints and file reports.

Important, yes, but manageable.

By 2026, “due diligence” becomes much heavier.

It starts looking less like policy administration and more like continuous operational accountability.

Under the amended framework, due diligence now effectively includes:

Publishing terms of service that explicitly prohibit unlawful SGI.
Warning users—every three months, not once a year—about platform rules, enforcement actions, and legal consequences.
Informing users that unlawful SGI activity may trigger disclosure of their identity to affected victims where legally required.
Deploying automated tools to detect prohibited synthetic content.
Operating visible labeling and provenance systems for lawful SGI.
Meeting accelerated takedown timelines.
Preserving internal logs that prove each of the above actually happened.

That quarterly notification requirement, by the way, sounds minor on paper.

Operationally, it’s not.

A lot of platforms built their trust-and-safety disclosures around annual policy reminders—something users click through and forget five seconds later.

Now those systems need redesigning.

And in India, that redesign isn’t just about timing.

It’s also about language.

If your platform serves users across Hindi, Tamil, Bengali, Marathi, Telugu, Urdu, Gujarati, Kannada, Malayalam, or any of the 22 Eighth Schedule languages, you’re expected to communicate platform obligations in a way users can actually understand.

Not just in English because it’s convenient.

That’s a product design problem as much as a compliance problem.

The Knowledge Test: When Does an Intermediary Lose Immunity for AI Hallucinations?

This is where things get genuinely tricky.

Suppose a platform offers an AI chatbot.

A user asks a question. The chatbot confidently generates false information about a real person, maybe defamatory, maybe damaging, maybe just wildly wrong.

Who’s responsible?

The user?

The model?

The platform?

Under the 2026 framework, the safer legal assumption is this:

If the content comes from your platform’s own AI system, you probably shouldn’t assume Section 79 protects you at all.

Because at that point, you’re no longer merely hosting third-party content.

You’re creating, or at least originating, the content yourself.

That changes everything.

A hallucinated response from a platform-owned AI assistant doesn’t fit neatly into the classic intermediary model.

And regulators are increasingly aware of that.

NITI Aayog’s discussion paper on AI governance is available here signals exactly this concern, recommending separate liability frameworks for autonomous AI-generated outputs.

Which means platforms deploying generative AI tools need to stop asking:

Can we moderate this later if something goes wrong?

And start asking:

Are we the publisher the moment our system generates it?

That’s a harder question.

And honestly, one that India’s next wave of AI regulation will probably have to answer more directly.

For now, the safer compliance posture is blunt:

If your AI creates it, assume you own it.

And if you own it, Section 79 may not save you.

Platform Obligations: The Compliance Checklist

Appointment of Chief Compliance Officer and Grievance Officers

When India introduced the 2021 IT Rules, one of the clearest messages to large platforms was this: if you want access to India’s user base, you need people on the ground who can actually be held accountable.

That’s where the officer framework came in.

Significant Social Media Intermediaries, platforms with over five million registered users in India, were required to appoint three key roles:

A Chief Compliance Officer (CCO)
A Nodal Contact Person
A Grievance Officer

And all three needed to be resident in India.

At the time, many companies treated this as a structural compliance requirement. Necessary, yes, but mostly administrative.

By 2026, that interpretation feels outdated.

The amendment doesn’t formally rewrite the appointment rules, but it dramatically expands what these officers are expected to oversee.

Especially the CCO.

A Chief Compliance Officer is no longer just someone who signs reports, attends policy meetings, and keeps regulators satisfied on paper. Under the SGI framework, the role becomes deeply operational.

In practical terms, the CCO now needs enough authority, and enough technical visibility, to certify that the platform’s core moderation systems are actually working.

That includes:

Automated SGI detection systems
Labeling and disclosure workflows
Provenance metadata pipelines
Escalation systems for high-risk takedowns
Audit logging and preservation controls

And if those systems fail? The CCO may be the first-person regulators ask to explain why.

That changes the job entirely.

India’s own institutional model offers a useful clue here. The PIB backgrounder on India AI Governance Guidelines describes a governance structure involving an AI Governance Group, policy experts, and a dedicated AI Safety Institute.

That’s not just government architecture.

It’s probably a signal.

Sophisticated platforms would be smart to mirror something similar internally, cross-functional oversight instead of siloed legal ownership.

Because AI moderation isn’t purely a legal issue anymore.

It’s product, it’s engineering, it’s risk and it’s public trust.

Quarterly Transparency Reports: Factoring in AI-Detected vs. User-Reported Content

The 2021 rules already required SSMIs to publish monthly compliance reports.

Those reports weren’t exactly thrilling reading, but they mattered. They created visibility into how platforms handled user complaints, removals, account actions, and government requests.

The 2026 amendment doesn’t change the reporting frequency.

What it changes is the depth.

And honestly the complexity.

Platforms are now expected to report not just moderation outcomes, but how SGI was identified in the first place.

That means distinguishing between content that was:

Detected proactively by automated systems
Reported by users
Flagged by government authorities
Escalated internally after behavioral signals

That distinction matters because regulators increasingly want to know whether platforms are actively policing synthetic harms or merely reacting after damage has already spread.

At a minimum, compliance reports now need to capture:

Total volume of SGI detected by automated tools
Total SGI-related complaints from users
Government takedown requests involving SGI
Number of SGI items removed, labelled, restricted, or otherwise actioned
Response times against the new legal deadlines
Number of accounts suspended or terminated for SGI violations

On paper, it sounds straightforward.

Operationally, it’s a data infrastructure headache.

Because most platforms weren’t originally designed to classify moderation events at this level of granularity.

A flagged image is a flagged image until regulators ask whether it was:

AI-generated?
User-declared?
System-detected?
Provenance-confirmed?
High-risk impersonation?
Non-compliant but lawful?

Suddenly your moderation database design starts looking very important.

Primus Partners explores this readiness gap here.

And based on where many platforms stand today, there’s still a lot of catching up to do.

Regional Language Compliance: Moderating in 22 Scheduled Languages to Meet “Digital Nagrik” Rights

This is probably one of the least glamorous parts of compliance.

And one of the hardest.

India’s internet doesn’t operate in one language.

Or two.

Or five.

It operates across dozens of linguistic ecosystems, cultural contexts, dialect patterns, slang systems, political references, and regional humour that don’t always translate cleanly.

The 2026 amendment reinforces that user notices, platform disclosures, and moderation communication may need to be delivered “in English or any Eighth Schedule language.”

That includes Hindi, Tamil, Bengali, Telugu, Marathi, Urdu, Gujarati, Kannada, Malayalam, Punjabi, Assamese, Odia, Maithili, and the rest of the 22 constitutionally recognized languages.

For global platforms, this creates a very uncomfortable reality:

English-first moderation is no longer a scalable compliance strategy.

And translation alone doesn’t solve it.

Because content moderation isn’t just about language.

It’s about meaning.

Sarcasm, satire, religious references, political slogans, regional idioms, context-heavy humour and local insults that don’t look offensive in literal translation but absolutely are in cultural context.

A deepfake policy violation in English is one thing.

A synthetic political voice clip circulating in rural dialect communities two weeks before an election?

That’s a completely different operational challenge.

True compliance now likely requires:

Language-specific AI moderation models
Regional human reviewers
Escalation systems that don’t disadvantage non-English complaints
Policy documentation localized for cultural context—not just vocabulary

India’s “AI for All” blueprint emphasizes inclusive, multilingual AI as a national priority.

And content moderation may be where that principle gets tested most aggressively.

Because if your moderation systems only work well in English.

They don’t really work in India.

Grievance Redressal and the GAC 2.0

How to Appeal a Content Takedown in India?

One of the quieter, but increasingly important, parts of India’s platform regulation framework is what happens after content gets removed.

Because moderation doesn’t end with takedowns.

Sometimes platforms get it wrong.

Sometimes users genuinely violate policy.

And sometimes, it’s a lot murkier than either side wants to admit.

Satire gets mistaken for misinformation. News footage gets flagged as graphic content. Political commentary gets swept up in automated impersonation filters. It happens.

That’s exactly why the Grievance Appellate Committee (GAC) was introduced under the 2021 IT Rules.

The idea was simple enough: if a user believed a platform removed, restricted, or acted on their content unfairly, they could escalate beyond the platform’s internal grievance system and seek review through an independent appellate mechanism.

In theory, it created accountability.

In practice the real test is scale.

And with AI-generated content now flooding moderation pipelines, that scale problem is about to get a lot bigger.

The 2026 amendment doesn’t fundamentally redesign the GAC structure. The framework still exists. The timelines still broadly hold.

But what changes is the type of disputes entering the system.

Because now platforms aren’t just deciding whether content violates platform policy.

They’re deciding:

Was this actually SGI?
Was the content mislabeled?
Was it synthetic, or merely edited?
Was the takedown legally required—or overly cautious?
Did automated tools misclassify satire, journalism, or artistic work?

Those aren’t always straightforward calls.

And unlike obvious spam or nudity cases, SGI disputes often live in technical gray zones.

The result?

Expect the GAC’s workload to become significantly more technical—and significantly more contentious.

The Grievance Appellate Committee (GAC) Process for AI Disputes

For AI-related moderation disputes, the standard appeal process generally works in three stages.

Stage 1 — Platform-Level Grievance (Day 0–7)

Everything starts with the platform itself.

A user whose content has been removed, labeled, restricted, or demonetized first files a complaint with the platform’s designated Grievance Officer.

From there, response timelines depend on the nature of the complaint.

If the complaint involves content affecting an identifiable individual, especially deepfakes, impersonation, or reputational harm—the platform may need to respond within 36 hours.

For general grievances, the standard window remains 7 days.

At least on paper.

In reality, high-volume platforms often feel pressure to respond much faster simply to prevent escalation.

Stage 2 — GAC Appeal (Day 7–37)

If the user isn’t satisfied with the platform’s response, or gets no meaningful resolution, they can escalate to the GAC within 30 days.

And this is where things get interesting.

Because at this stage, the dispute moves beyond community guidelines and into quasi-regulatory review.

The platform may need to explain:

Why the content was classified as SGI
What technical indicators supported that classification
Whether labeling requirements were applied correctly
Whether removal was legally required or discretionary
What human review steps, if any, occurred

That’s a very different conversation from “your content violated our terms.”

It’s closer to evidence-based regulatory defense.

Stage 3 — GAC Hearing and Order (Day 37–67)

Once the appeal is admitted, the GAC generally has 30 days to issue a reasoned order.

And in AI-heavy cases, MeitY has indicated that technical expertise may become part of that process.

That matters.

Because an SGI dispute isn’t always something a traditional legal panel can resolve from screenshots and policy PDFs alone.

You may need:

Metadata analysis
Provenance verification
Deepfake detection reports
Model confidence scores
Content generation logs

That’s a very different skill set.

The NLU Delhi Centre for Communication Governance has published important work on the GAC’s evolving structure and institutional limits here.

And one theme keeps surfacing:

Without strong technical advisory capacity, AI appeals risk becoming policy decisions made without technical grounding which is not ideal.

User Rights: Protecting Against Over-Moderation and Automated Censorship Bias

There’s a hard truth built into the 2026 framework:

When platforms face two-hour takedown deadlines and the threat of losing safe harbour protection, the safest business decision often becomes:

Remove first and ask questions later.

That’s understandable.

It’s also dangerous.

Because systems built under intense legal pressure tend to drift toward over-removal.

Not necessarily out of bad faith.

Sometimes just math.

If the cost of missing harmful content is regulatory exposure, and the cost of removing lawful content is an angry user complaint, many systems naturally bias toward removal.

Especially automated systems.

And when that happens at scale, the fallout isn’t abstract.

It often hits:

Journalists covering breaking events
Political commentators
Satirists
Activists
Minority-language creators
Documentary footage involving sensitive material

The Future of Free Speech India report documents these patterns in detail.

Which raises an uncomfortable question:

How do you build aggressive moderation systems without quietly creating automated censorship?

There’s no perfect answer.

But platforms that want to stay credible, and defensible, probably need at least four safeguards.

1. Clear User Notification

If content is removed or restricted, users should receive a meaningful explanation.

Not generic language like “violates community guidelines.”

Something specific enough to understand and challenge.

2. Fast-Track Appeals

Time-sensitive content—news reporting, election coverage, public-interest journalism—shouldn’t sit in a seven-day queue.

By then, the moment is gone.

3. Transparency Around False Positives

Platforms should publicly disclose how often moderation systems get it wrong.

Uncomfortable? Absolutely.

Necessary? Probably.

4. Independent Audits

AI moderation systems should undergo regular bias and accuracy reviews, especially for regional language content, political speech, satire, and culturally contextual content.

Because if your moderation systems only work accurately in clean, English-language test environments.

They’re not really tested for India.

And users will notice long before regulators do.

The Intersection of AI Rules and the DPDP Act 2023

Data Minimization vs. Content Traceability

This is where compliance starts to get uncomfortable.

Not because the rules are unclear. In some places, they’re actually pretty direct.

The problem is that two major regulatory frameworks are now pulling platforms in opposite directions.

On one side, you have the Digital Personal Data Protection (DPDP) Act, 2023, which is built around a fairly intuitive principle: collect only the personal data you genuinely need, use it only for the stated purpose, and don’t hang onto it forever just because storage is cheap.

This means minimal collection, limited retention and purpose-bound use.

This sounds poretty clean.

On the other side, the 2026 IT Rules amendment introduces provenance and traceability obligations for SGI, requirements that, in practice, often demand the exact opposite.

If a platform generates, modifies, or distributes Synthetically Generated Information, it may now need to retain metadata that identifies:

Who created or uploaded the content
Which system or compute resource was used
When the content was generated or modified
How the content moved through moderation and enforcement workflows

And here’s the catch:

The rules don’t give a hard retention period.

That leaves compliance teams in an awkward spot.

Retain too little, and you may lose critical evidence during investigations, appeals, or law enforcement requests.

Retain too much, and you may create unnecessary privacy exposure under the DPDP framework.

NITI Aayog’s Roadmap on AI for Inclusive Societal Development touches directly on this tension.

For now, many legal and operational teams are leaning toward a practical middle ground:

Retain SGI provenance metadata for a period long enough to support audits, reporting, and enforcement, often around 90 days, roughly aligned with quarterly compliance cycles, then either anonymize or securely delete it unless there’s an active legal preservation requirement.

Is that a statutory rule?

No.

At least not yet.

It’s more of a defensible operational posture while waiting for more detailed guidance.

And honestly, that’s becoming a recurring theme in AI compliance.

The law arrives.

The technical standards catch up later.

How Long Can Social Media Keep User Data in India?

Under the DPDP Act, the general rule is straightforward:

Personal data shouldn’t be retained longer than necessary for the purpose it was collected.

Simple sentence.

Complicated execution.

Because in the context of SGI moderation, “necessary” becomes very situational.

Necessary for what?

User safety?
Appeals?
Regulatory audits?
Criminal investigations?
Victim identity disclosure?
Platform risk defense?

Depending on the situation, the answer changes.

As of the date of this guide, MeitY hasn’t issued a platform-specific retention period for SGI-related metadata.

So, until sector-specific rules emerge, platforms need to anchor their decisions in their own declared privacy practices.

That usually means:

Retaining only the SGI metadata genuinely needed for moderation and compliance
Avoiding indefinite linkage between metadata and identifiable user profiles
Deleting or anonymizing metadata once the compliance purpose expires
Extending retention only when there’s a lawful preservation request from enforcement authorities

Blanket retention “just in case” may feel operationally safe.

Legally? It’s harder to defend.

Especially if users start asking hard questions about why synthetic content metadata still exists months, or years, later.

The Privacy Conflict: Balancing SGI Traceability with the Right to Be Forgotten

This is probably where the tension becomes most personal.

The SGI framework explicitly allows platforms, in certain serious cases, particularly NCII, deepfake impersonation, fraud, or other reportable offences, to disclose the identity of the violating user to victims or authorities where legally required.

That’s deliberate.

The goal is obvious: if someone creates a sexually explicit deepfake, impersonates another person, or weaponizes synthetic content to cause harm, anonymity shouldn’t become a shield.

Victims need a pathway to accountability.

But then comes the privacy question:

What happens if the creator later invokes their right to erasure?

Can they demand deletion of the very metadata that links them to the harmful content?

Short answer:

Probably not.

At least not where the data functions as evidence of unlawful conduct.

The right to erasure generally protects a person’s personal data in ordinary contexts, not necessarily records tied to active investigations, legal claims, or demonstrable harmful conduct.

In other words:

You may have the right to delete outdated account preferences.

You probably don’t have the right to erase evidence.

Khaitan & Co’s ERGO analysis explores this overlap in more detail.

For platforms, the operational takeaway is pretty clear:

Don’t treat privacy rights and enforcement obligations as mutually exclusive.

Treat them as layered.

Protect user privacy by default.

Preserve evidence where the law demands it.

And document exactly why certain data was retained when everything else was deleted.

Because in the AI era, compliance isn’t just about collecting data responsibly.

Sometimes it’s about proving why you didn’t delete it.

FAQ: India AI Content Moderation Rules

What are the new 2026 AI content moderation rules in India?

The 2026 IT Rules Amendment, effective February 20, 2026, introduces an “Active Moderation” mandate for all AI-integrated platforms serving Indian users. This shifts compliance from a reactive structure to a proactive burden engineered directly into content pipelines. Key requirements include mandatory SGI labeling, embedding permanent provenance metadata (including unique identifiers), pre-publication user declarations for SSMIs, and dramatically compressed 2-hour and 3-hour content takedown timelines following government or court notices.

What counts as Synthetically Generated Information (SGI) under Indian law?

SGI is legally defined as audio, visual, or audiovisual content algorithmically created or altered to realistically simulate real individuals or events. While deepfakes are a primary target, pure AI-generated text (LLM output) is currently classified outside SGI, though standard unlawful text rules still apply. Explicit carve-outs exist for good-faith routine editing, document creation, and accessibility improvements that do not materially alter substance.

How must AI-generated content be labeled in India?

Intermediaries must deploy a two-layer disclosure. First, platforms must apply “clear and prominent” labels: visual SGI requires an on-screen disclosure, and audio SGI requires a prefixed audible warning. Second, to the extent technically feasible, intermediaries must embed persistent provenance metadata containing a unique content identifier to enable end-to-end traceability of the content’s origin.

How fast must deepfakes and NCII be removed under the new rules?

The 2026 rules implement world-leading removal deadlines. Upon receiving a court order or government notice, platforms must remove high-risk content like deepfakes and Non-Consensual Intimate Imagery (NCII) within a strict two-hour window. General unlawful content subject to government notice must be removed within three hours. Complaints regarding content about specific individuals must be actioned within 36 hours.

Can digital platforms lose safe harbour protection for AI-generated content?

Yes. Non-compliance with the new active moderation mandates—especially takedown timelines, labeling, and provenance metadata requirements—can strip platforms of Section 79 safe harbour immunity under the IT Act. Furthermore, SSMIs are specifically deemed to have failed due diligence if they knowingly permitted, promoted, or failed to act upon unlawful SGI when technical detection capabilities were available, potentially exposing the platform to direct civil damages and criminal prosecution.

Content/Trigger Type	Applicable Intermediary Category	New Takedown Deadline	Old Takedown Deadline	SGI Labeling Requirement	Required Technical Measure
High-risk content (NCII, deepfakes, nudity, impersonation)	All Intermediaries	2 hours	24 hours	Clear & prominent visible/audible label; persistent metadata (C2PA)	Automated detection, triage, and provenance metadata embedding
Court order / govt notice (unlawful content)	All Intermediaries	3 hours	36 hours	Not in source	Immediate removal and notification systems
Complaints regarding individual content	All Intermediaries	36 hours	72 hours	Not in source	Trained human review and verification systems
General user grievances	All Intermediaries	7 days	15 days	Not in source	Grievance Officer appointment and complaint tracking
Synthetically Generated Information (SGI) Creation	All Intermediaries (where technically feasible)	Immediate	Not in source	Unique identifier and computer resource ID in metadata	C2PA-compatible provenance infrastructure and persistent watermarking
User Upload of SGI	Significant Social Media Intermediaries (SSMIs)	Pre-publication	Not in source	Mandatory user declaration; platform-applied visible labels	Upload-point declaration checkpoints and automated verification tools

Future Outlook: The Digital India Act (DIA)

Moving Beyond the IT Act 2000

If the 2026 amendment feels aggressive, there’s a reason.

It was never meant to be the final destination.

In many ways, it feels more like a bridge, an attempt to retrofit modern platform regulation onto legislation that was written for a completely different internet.

And honestly that internet barely resembles the one we live in now.

The Information Technology Act, 2000 was introduced when online risks looked simpler. Email spam was a major concern. Basic hacking incidents made headlines. Websites were mostly static. Social media, algorithmic recommendation systems, generative AI, creator economies, synthetic identity fraud—none of that really existed in any meaningful form.

Yet somehow, over two decades, that same law has been stretched to govern:

Social media platforms
Streaming services
Messaging ecosystems
E-commerce intermediaries
AI-assisted content systems
Deepfake harms
Recommendation engines

At some point, patching stops being sustainable.

And it’s becoming increasingly clear that India believes it has reached that point.

That’s where the Digital India Act (DIA) comes in.

The DIA, under policy development since at least 2022, is expected to replace the IT Act entirely with a modern framework built specifically for platform governance, AI systems, digital rights, and emerging online harms.

Not a patch.

A rebuild.

The London Story’s Digital India research offers useful historical context.

And if early policy signals hold, the DIA may introduce several major structural changes.

Likely areas include:

Risk-based classification of digital platforms, similar in spirit to the EU Digital Services Act
Explicit algorithmic accountability obligations
Stronger platform governance around recommender systems
AI-specific disclosure and liability frameworks
Integration with India’s broader data protection architecture under DPDP 2023

If that happens, the 2026 amendment may eventually be remembered less as a standalone reform and more as the warm-up.

Digital India Act AI Regulation Status

So where does the DIA actually stand right now?

As of May 2026, it still hasn’t been formally introduced in Parliament.

That doesn’t mean nothing’s happening.

Far from it.

MeitY has already conducted multiple rounds of stakeholder consultation, industry workshops, expert committee discussions, and internal drafting exercises. By late 2025, pre-legislative drafts were reportedly circulating in policy circles.

And while those drafts haven’t become public law yet, the direction of travel feels increasingly clear.

One of the strongest policy signals came through India’s AI Governance Guidelines, announced at the AI Impact Summit in February 2026.

The official PIB release is here.

Those guidelines introduced seven core principles, or “sutras”, that increasingly look like the philosophical foundation of India’s future AI regulation:

Trust
People First
Innovation Over Restraint
Fairness and Equity
Accountability
Understandable by Design
Safety, Resilience, and Sustainability

And if you’ve been following India’s recent digital policy language, those themes keep showing up everywhere.

Not just in AI papers.

But in platform regulation, data policy, public-sector digital systems and even procurement conversations.

Khaitan & Co’s Global AI Brief maps India’s evolving legislative direction.

So, while the DIA isn’t law yet.

Its architecture is already starting to influence how regulators think.

Which means platforms waiting for “final legislation” before acting may already be behind.

Strategic Insights: Preparing for “Regulation by Design” and Algorithmic Accountability Audits

If there’s one phrase that seems to define where Indian AI regulation is heading, it’s probably this:

Regulation by design.

Meaning compliance won’t live in policy documents anymore.

It’ll live in code.

In model architecture.

In user flows.

In logging systems.

In ranking algorithms.

In moderation thresholds.

In content provenance signatures.

Basically, in the product itself.

And globally, that shift is already underway.

The WEF AI Governance Alliance’s 2024 briefing points to three technical pillars that are increasingly becoming standard in serious AI governance conversations:

1. Provenance Infrastructure

Being able to cryptographically verify where content came from, how it was generated, and whether it’s been altered.

C2PA adoption is a major example here.

2. Bias Auditing

Platforms need evidence, not assumptions, that their moderation systems behave fairly across:

Languages
Regions
Political speech
Religious content
Gendered abuse reporting
Satire and cultural nuance

This gets especially important in India, where linguistic diversity can quietly break, even well-trained moderation systems.

3. Explainability Systems

Not necessarily full model transparency, but enough documentation to explain why:

Content was flagged
A user was restricted
A recommendation was downranked
A deepfake detection system triggered enforcement

Because if regulators, or users, can’t understand your decisions.

Eventually, they’ll stop trusting them.

For platforms focused on India, preparation probably means making five strategic commitments before the DIA arrives:

1. Implement provenance systems now

Build C2PA-compatible infrastructure or equivalent content authenticity mechanisms into AI creation tools before regulation makes it mandatory.

2. Audit moderation bias

Especially for regional language content, religious references, satire, political speech, and culturally sensitive contexts.

3. Publish an AI governance framework

Align internal policy with India’s seven AI governance sutras, and update it regularly.

Not because it looks good in PR decks.

Because sooner or later regulators may ask to see it.

4. Build regulatory monitoring workflows

Track guidance from MeitY, TRAI, sector regulators, courts, and advisory bodies, and convert those changes into product requirements quickly.

Not in a year.

Not “next roadmap cycle.”

Quickly.

5. Participate in policy consultation

Platforms that engage early often shape the standards they later have to live under.

Platforms that ignore consultation usually inherit rules designed without operational input.

And that rarely ends well.

The ORF analysis on decentralized AI ecosystems offers another perspective.

One thing is becoming hard to ignore:

India doesn’t appear to be moving toward lighter AI regulation.

It’s moving toward smarter, deeper, more architecture-driven oversight.

And when the DIA eventually lands, platforms that treated compliance as a legal afterthought may discover they were building for the wrong future entirely.

Building a Trustworthy AI Ecosystem in India

The 2026 IT Rules amendment doesn’t feel like a routine policy update.

It feels more like a line in the sand.

For years, India’s platform governance model was largely reactive. Harmful content appeared, users complained, regulators intervened when necessary, and platforms responded somewhere along that chain. Imperfect? Absolutely. But it reflected an internet where content still moved mostly at human speed.

That’s no longer the reality.

Generative AI has changed both the scale and the velocity of online harm. A synthetic voice clip can go viral before fact-checkers even see it. A deepfake can destroy someone’s reputation in an afternoon. A manipulated video can influence markets, elections, or public trust long before anyone confirms it’s fake.

And the 2026 amendment is India’s way of saying: reactive moderation isn’t enough anymore.

The new obligations, mandatory SGI labeling, provenance metadata, upload declarations, compressed takedown windows, automated detection systems, expanded due diligence, aren’t small compliance tweaks.

They force platforms to rethink how their systems are built.

Not just how they’re governed.

Every AI-enabled platform serving Indian users now faces a very different reality:

Compliance isn’t a legal department issue that gets revisited once every quarter.

It’s infrastructure.

It’s product design.

It’s trust and safety.

It’s engineering architecture.

It’s whether your systems can explain themselves when something goes wrong.

And if they can’t, the legal consequences are no longer theoretical.

Loss of Section 79 safe harbour protection could expose platforms to direct civil liability, criminal scrutiny, reputational damage, and increasingly aggressive regulatory oversight.

Freshfields’ analysis of the amendment’s operational implications makes that risk especially clear.

But focusing only on legal exposure misses the bigger picture.

Because there’s also a strategic opportunity here.

India’s AI governance model, anchored in the seven sutras of the India AI Governance Guidelines and increasingly reflected in the 2026 IT Rules, isn’t simply about restricting technology.

It’s about building trust into the systems that shape public discourse.

And trust, frankly, may become the scarcest currency in the AI economy.

Platforms that invest early in:

Reliable SGI detection systems
Transparent labeling practices
Fair grievance mechanisms
Language-inclusive moderation
Strong provenance infrastructure
Defensible audit trails

won’t just be better positioned for regulation.

They’ll be better positioned for users.

And in a market the size of India, that matters more than a lot of companies realize.

The NEGD’s AI Governance in India report captures that idea well.

Its core message is simple but hard to argue with:

AI governance isn’t about slowing innovation down.

It’s about making sure innovation doesn’t leave trust behind.

For platforms operating in India, that probably means committing on three fronts.

First: Technical commitment
Build production-grade SGI detection, provenance systems like C2PA, and moderation tools that actually work across India’s linguistic and cultural diversity.

Not prototypes. Not pilot programs. Real infrastructure.

Second: Organizational commitment
Give compliance officers, grievance teams, trust-and-safety teams, product leaders, and engineers shared ownership of regulatory execution.

Because no single department can carry this alone anymore.

Third: Civic commitment
Stay involved in what comes next.

The Digital India Act is still taking shape. The rules governing AI in India are still being written in real time. Platforms that participate thoughtfully, bringing technical realities, operational data, and honest friction points into those conversations, will have a much stronger voice in shaping the frameworks they’ll eventually be judged against.

And that may be the real story here.

India’s digital regulation isn’t slowing down.

It’s maturing.

The platforms that thrive in the next phase won’t be the ones that treat regulation as a hurdle.

They’ll be the ones who treat it as part of the product.

DISCLAIMER

This guide, covering India’s 2026 IT Rules Amendment, is provided solely for general informational and educational purposes. It does not constitute binding legal advice. The regulatory landscape regarding artificial intelligence, SGI labeling, and intermediary liability is complex and subject to rapid, unforeseen changes by MeitY or judicial interpretation. Relying on this information is entirely at your own risk. This content is not a substitute for professional legal counsel. You must consult qualified Indian legal professionals regarding your specific platform, technical architecture, and mandatory compliance obligations. India Policy Hub and the author disclaim all liability for actions taken based on this post.