Should law enable and guide innovation or step in only to regulate and restrict once innovation has taken place? In the area of emerging technologies, law has often played catch-up. An underlying principle driving this approach has been that regulation should not limit innovation and should step in only once there is evidence of the risk that needs to be addressed.

In the rapidly growing area of Artificial Intelligence (AI), where applications are already being deployed across sectors, the regulatory pendulum seems to be oscillating between a consolidated framework such as the EU’s AI Act; China’s stack of topic-specific regulations on algorithms (recommendation, deep synthesis and generative AI); and the US light-touch permissive approach at the federal level, which also bars individual state regulations and emphasises the need for companies to be free to innovate without cumbersome regulation. There is, however, universal acknowledgement that AI development needs to generate trust and accountability.

India’s AI governance guidelines announced in February 2026 adopt an approach of “innovation over restraint” as one of its seven sutras. The guidelines suggest using existing regulatory frameworks while plugging gaps through amendments in the existing Information Technology Act, 2000. They also suggest the adoption of voluntary measures such as industry codes, technical standards and self-certification as methods for risk mitigation.

Since April, however, greater vigilance and perhaps a rethink of domestic legal strategy have been apparent, with the finance minister highlighting the potential risks from Mythos — a tool with autonomous AI capabilities that can detect, and potentially fix, serious flaws in cyber-systems.
Anthropic, the US-based AI research company that developed it, has ruled out its public release, citing potential for risks with its large-scale release. As with any tool, Mythos could be a force for good in strengthening cyber-defence by detecting and fixing vulnerabilities or a force of evil in the hands of cyber-attackers. The government has held meetings with Anthropic and continues to engage with key stakeholders in India.

The restraint shown by Anthropic is laudable; acknowledging risks and having transparent conversations is a welcome step. But clearly, law cannot depend on enlightened self-interest and self-regulation. Corporate growth is primarily driven by the need for high stock valuations and managing investor expectations for returns.

For a country like India with digitisation imbued in various aspects of the economy, be it banking, UPI, Aadhaar or Digilocker, risk management is as important as it is to encourage innovation. When AI operates in a regulated environment with sector-specific stewardship, it signals credibility for broader diffusion. A framework for algorithmic governance as implemented in the medical device industry provides some insights, with regulation based on intended use, followed by post-market checks. Regulators, manufacturers and health care providers are required to check and report on the behaviour and evolution of AI-enabled devices. While algorithmic governance of medical devices is far more evolved in the EU and the US, the Central Drugs Standard Control Organisation (CDSCO) in India has started implementing this through the Medical Devices Rules, 2017.

A similar stratified risk approach could be considered across other key sectors such as autonomous air traffic control, autonomous robotic surgery and autonomous drones in warfare.
The key determination would be how much to regulate: A chatbot providing customer service may only require a disclosure that it is not a natural person, while using AI for robotic surgery would need greater controls.

In either situation, legal accountability must always be on the person that is legally responsible. The strength of the regulatory framework would lie in its ability to unambiguously map developer → deployer → user, so as to ensure that autonomy does not create an accountability vacuum. Based on the level of risk, autonomy must be declared and proved and always supported by mandatory human oversight, with a “kill switch” or human control if something goes wrong.

Another feature that needs to be built into the legal framework is the need for adaptive governance to keep pace with a fast-growing technology. Regulatory sandboxes, to shadow key decisions and review cycles as agents learn and adapt, can also provide and support the growth of technology with regulation.

To state the obvious, a domestic-level regulatory framework by itself cannot be sufficient to address a technology whose growth and impact are not limited by territorial boundaries. A shared global understanding of AI regulation and governance structure is key. Following a United Nations General Assembly resolution in 2024, countries globally considered establishing an independent scientific panel to work towards evidence-based assessments. That, however, has not materialised. The first meeting of the UN-led Global Dialogue on AI Governance is scheduled for July 2026. It is primarily a forum for deliberations and possible coordination. The divergence between country positions may not yield a binding international law any time soon. But with technology growing at a rapid pace, it is important to have a coordinated approach at least on basic principles.

Innovation needs stability and certainty of governance structures.
When AI is held accountable and risks are continuously managed, its use will be based on trust and reliability. That itself will be an impetus for greater adoption of responsible innovation.

For Aristotle, the soul of “mythos” was the event or design of a story, and the individual characters were merely incidental to it. Any AI tool, however, needs to have humans as its centre. That is the task for a clear legal framework.

RV Anuradha is Partner, Clarus Law Associates, New Delhi, and Mandira Shah is a Bengaluru-based consultant on digital transformation and data sciences. The views expressed are personal.
Building a governance framework for AI
The legal framework should have humans at the centre and trust, reliability and accountability as core goals










