India Inc Is Spending Billions on AI It Cannot Govern
Enterprise AI adoption in India is moving faster than governance, turning unused cloud spending into a financial and regulatory risk.
News
- Adani Says India Must Own AI Stack to Secure Future Power
- SoftBank Plans Battery Business to Power AI Data Centers
- Nasscom Backs Hybrid Work, NITES Seeks WFH Advisory for IT Sector
- OpenAI Launches Enterprise AI Deployment Unit with $4 Billion Backing
- Google Weighing Making AI Servers in India, Vaishnaw Says
- Supreme Court Launches AI Chatbot, Unified Court Data Initiative
Image Credit- Chetan Jha/ MIT Sloan Management Review India
Key Takeaways
01
The waste problem is organizational, not technical. AI workloads are increasing cloud waste because adoption has moved faster than ownership, cost attribution, and governance controls — producing an implied structural drain of roughly $3 billion annually against India’s cloud trajectory.
02
India’s data law makes cloud visibility mandatory. DPDP compliance requires the same tagging, ownership, and data-lineage controls that cloud cost governance demands. The architecture that answers the finance function’s cost attribution question also answers the Data Protection Board’s audit question — it is the same architecture.
03
By May 14, 2027, CIOs, CFOs, and legal teams must share accountability under a single AI governance structure — or face DPDP penalties of up to ₹250 crore and compounding cloud waste simultaneously. Enterprises that treat the compliance deadline as a catalyst will emerge from 2027 with a structural advantage their deferring competitors will then have to construct under pressure.
In the summer of 2024, a technology operations team at a large Indian conglomerate approved the expansion of a generative AI pilot into three more business units. The pilot had shown promising results in one division. No one had measured whether those results had moved a single revenue line. Within two quarters, the company’s cloud bill had grown 40%. The AI estate had doubled. The governance framework had not moved at all.
This pattern is playing out across India’s enterprise technology sector at scale. Nearly 59% of large Indian enterprises have already deployed AI in operations, the highest rate globally, according to TechRepublic’s analysis of the APAC enterprise AI landscape. That early movement has generated real advantages: accumulated institutional experience, trained talent, embedded workflows. It has also generated a structural problem that is not showing up in technology audits, because it is not a technology problem.
Most Indian enterprise leaders believe their AI underperformance is a technology problem. The infrastructure is not fast enough, the models not accurate enough, the data not clean enough. The evidence says otherwise. The primary constraint on AI value creation in Indian enterprises is not technology. It is governance: the absence of ownership structures, cost attribution, and financial controls needed to convert AI experimentation into sustained business outcomes.
The financial case is stark. Flexera’s 2026 State of the Cloud Report, based on a global survey of 753 cloud decision-makers, found that an estimated 29% of enterprise cloud budgets are currently wasted — the first increase in five years, driven directly by AI workloads that organizations lack the governance to manage. India’s public cloud services market reached $10.9 billion in 2024 and is forecast to grow to $30.4 billion by 2029, according to IDC. Apply Flexera’s waste rate to that trajectory and the implied waste runs to roughly $3 billion annually. It is a structural drain that compounds with every budget cycle.
The regulatory case is just as direct and just as costly. India’s DPDP Rules, notified on November 14, 2025, give full operational effect to the Digital Personal Data Protection Act, 2023, with substantive obligations due on May 14, 2027. The visibility deficit that generates cloud waste is precisely what DPDP compliance requires enterprises to eliminate. That deficit has three components: absent data asset tagging, unclear ownership, and processing records that cannot be audited. Organizations that treat these as separate problems are solving the same puzzle twice.
Neelakantan Venkataraman, who leads cloud, edge and AI business at Tata Communications, has watched this pattern play out across enterprise clients in India and globally. “The fundamental issue with rising AI-driven cloud spend is not over-adoption,” he says. “It is the absence of mechanisms that convert experimentation into sustained business outcomes.”
AI Spending Is Outrunning Cloud Governance
The scale of the failure is measurable before it becomes visible on a balance sheet. MIT’s NANDA initiative, in its 2025 GenAI Divide: State of AI in Business report — which reviewed 300 publicly disclosed AI initiatives and conducted 52 structured executive interviews and 153 senior leader surveys — found that 95% of enterprise generative AI initiatives showed no measurable impact on profit and loss. Integration failures and data governance gaps were the primary causes. Not model quality.
For India specifically, the implication is direct. The State of Enterprise Technology Survey 2025, conducted by CIO&Leader among 350 CIOs and senior technology leaders at enterprises with annual turnover above ₹5,000 crore, found that 93% plan to increase AI and analytics investment. Only 15.8% have operationalized AI at strategic scale with proper governance, measurable outcomes, and organization-wide alignment. Investment is accelerating faster than the governance needed to justify what is being deployed.
Venkataraman identifies three structural failures that account for most of the waste. Each one compounds the others.
Overprovisioning — the costliest failure in rupee terms
“The costliest way businesses use AI is by overprovisioning GPUs,” Venkataraman says. Graphics processing units power AI model training and inference and are among the most expensive items in any enterprise cloud budget. AI infrastructure is typically provisioned for peak demand, but AI workloads are spiky and variable. The result: reserved capacity running at 30–40% utilization, a sustained financial drain that rarely surfaces in any single report with enough clarity to trigger corrective action.
Fragmented ownership — nobody optimizing the whole
In most large Indian enterprises, cloud resources are managed by individual business units, product teams, or geography-specific functions — each with its own provisioning authority and budget. The CIO sees the aggregate bill. Individual teams see only their slice. Nobody is optimizing the whole. This pattern is acute in India’s large conglomerates, where subsidiaries have migrated to cloud on independent timelines with independent vendor relationships, producing estates of considerable complexity and considerable redundancy.
The contrast with what governance delivers is instructive. HDFC Bank, India’s largest private-sector lender, confronted exactly this fragmentation problem in its credit risk analytics function. Data pipelines were siloed, integrating external sources was slow, and infrastructure could not scale cost-effectively. The bank migrated to a unified data platform on Azure, implementing centralized data lineage tracking, granular access controls, and a single governance layer linking every AI model to one customer record. The outcome, documented in a Databricks case study: faster delivery of risk modeling and analytics projects, and a governance architecture that now underpins the bank’s broader AI-first strategy. The choice was not between more technology and less. It was between ungoverned complexity and governed simplicity.
Shadow AI — the newest and least-understood failure
The democratization of AI tools has made it easy for any team to deploy foundation models through APIs, build chatbots, or integrate AI-assisted workflows without formal approval. These shadow AI deployments — unauthorized systems that operate entirely outside governance structures — are invisible to the finance function and generate no entry in any asset register or cloud cost report. Unlike shadow IT of an earlier era, which typically meant unauthorized SaaS subscriptions, shadow AI consumes compute resources, processes sensitive personal data, and creates DPDP compliance exposures, often simultaneously.
“Layering AI onto existing cloud environments is not fundamentally flawed. But it is fundamentally limiting. Most Indian enterprises are only now discovering what that distinction costs.”
India’s Data Law Makes Cloud Visibility Non-Negotiable
The governance failure described above is costly. From May 14, 2027, it will also be illegal to ignore.
India’s DPDP Rules give full operational effect to the Digital Personal Data Protection Act, 2023. They cover consent requirements, data retention, breach reporting, and additional duties for Significant Data Fiduciaries. The Data Protection Board of India, now formally constituted, carries powers to investigate and impose penalties of up to ₹250 crore (approximately $26 million) for failure to implement reasonable security safeguards.
The cloud governance implications are direct. An enterprise cannot demonstrate DPDP compliance without knowing what personal data it holds, where it is stored, who has access, how long it is retained, and whether it is being processed for its stated purpose. These are not abstract legal questions. They are precisely the questions that cloud governance frameworks — built around tagging, data lineage, and ownership attribution — are designed to answer. Tagging creates the visibility that makes ownership attribution possible. Named ownership makes scale thresholds enforceable. Enforced thresholds make real-time monitoring meaningful rather than merely reactive.
Research Context
Flexera 2026 State of the Cloud Report: Annual global survey of 753 cloud decision-makers across enterprise segments. Methodology: online survey, self-reported cloud spend and waste estimates. Fieldwork: Q4 2025–Q1 2026. Key finding cited: estimated wasted cloud spend on IaaS and PaaS rose to 29% in 2026, reversing five consecutive years of decline, driven by AI workload adoption outpacing governance architecture. The 29% figure represents respondents’ own estimates of avoidable or value-less spend, not an externally audited measure.
For India’s financial services sector, the stakes compound further. The Reserve Bank of India’s data localization rules already require payment system data to be stored exclusively within India. DPDP adds a layered obligation on top. Most large Indian financial institutions operate multi-cloud environments that cross jurisdictions. They must now build governance architectures that demonstrate compliance with both regimes simultaneously.
Venkataraman is direct about what this means for architecture decisions. “Sovereignty is no longer just ‘nice to have’,” he says. “It has become a core element of the design process.”
The market is beginning to respond. In July 2025, TCS and C-DAC signed a memorandum of understanding to build sovereign cloud infrastructure within India, specifically designed to support AI-ready, data-localized services for public and private sector workloads. For enterprises not yet at that stage, the practical implication is simpler: treat data sovereignty as a first-order constraint in architecture decisions, not an afterthought addressed at the compliance review stage.
Deliberate Architecture Beats Accumulated Legacy
Most Indian enterprises arrived at their current cloud configuration through a series of independent decisions: a business unit choosing AWS, a product team choosing Azure, a subsidiary retaining a legacy on-premises system. The result is not a cloud strategy. It is a cloud history.
Deliberate architecture — defined here as enterprise-wide workload design governed by explicit criteria of cost, latency, data sensitivity, and regulatory compliance — routes each workload intentionally rather than by habit or convenience. It has three components.
Workload distribution by requirement, not habit. Latency-insensitive batch processing runs on the cheapest available option. Real-time inference on sensitive customer data runs on private infrastructure within India. Edge processing is gaining traction in manufacturing, retail, and financial services where data volume and latency make centralized cloud processing uneconomical.
Sovereign cloud as a design constraint. Under the DPDP framework, the government retains the authority to mandate localization of specific categories of personal data for Significant Data Fiduciaries. For RBI-regulated entities, payment data localization is already mandatory. Enterprises that have not yet mapped which workloads trigger that obligation are building on an unstable foundation.
Orchestrated multi-cloud. Flexera’s 2026 survey found that 73% of organizations globally operate hybrid cloud estates — often driven by mergers or siloed application decisions rather than deliberate strategy. Multi-cloud without coordination produces the worst of all outcomes: the cost and complexity of managing multiple environments without the resilience or optimization benefits that deliberate strategy is meant to deliver.
“Transforming multi-cloud into an integrated, unified, resilient operating model requires proper orchestration,” Venkataraman says. “Without it, duplication compounds, governance fragments, and the conditions that produce waste are actively reinforced.”
What Leaders in Each Role Must Do Differently
The governance failure is not owned by any single function. Fixing it requires distinct action from three leadership levels — on a timeline that the May 14, 2027 DPDP deadline has made non-negotiable.
Role | Required Action |
C-Suite & Board | The most consequential decision Indian CEOs and CTOs face is not which AI tools to buy. It is whether to treat AI as business-critical infrastructure with embedded controls, or as a portfolio of experiments the technology function manages in isolation. Establish a cross-functional AI governance function — what practitioners call FinOps for AI: a discipline that unifies cloud cost management, data governance, legal compliance, and business outcome measurement under a single accountable structure. The strategic question to answer before Phase 2 DPDP obligations take effect: which AI workloads are genuinely business-critical, and which are experiments that have outlived their justification? Without governance, that question cannot even be posed clearly. Boards carry direct fiduciary exposure. The Data Protection Board’s penalty powers are real, and the deadline is fixed. If management cannot answer the five questions below with specifics, that gap belongs on the audit committee agenda: (1) Have we mapped all personal data across cloud, SaaS, on-premises, and endpoints? (2) Which environments may trigger Significant Data Fiduciary obligations? (3) Can our breach notification process meet DPDP reporting requirements? (4) Does AI governance span technology, legal, finance, and business — or sit only in IT? (5) What is the estimated cost of cloud waste in our AI estate, and who is accountable for reducing it? |
CIOs, CFOs & CDOs | Four governance practices must be in place before any further AI scale-up. Tag everything now: every cloud resource labeled with owner, purpose, cost center, and data classification — without this, cloud bills stay opaque and DPDP data mapping is impossible. Name an owner for every workload: shared infrastructure with no named owner defaults to overprovisioning. Establish scale thresholds before any pilot proceeds to production: what business impact justifies the production cost, what are the unit economics at scale, and what controls manage cost and compliance as usage grows? Monitor costs in real time, not quarterly: Flexera’s 2026 data shows 85% of organizations cite managing cloud spend as their top challenge, with budgets already exceeding planned limits — quarterly reviews are not adequate for AI workloads. |
Hiring & Talent Leaders | Shadow AI is a people problem as much as a technology problem. Teams deploy unauthorized AI tools because the authorized path is too slow or the governance process is invisible to them. HR and talent functions must work with technology leadership to build AI use policies that are fast enough to be used, and visible enough to be followed. Governance that arrives after deployment is not governance — it is damage control. |
India’s AI Edge Depends on Governance
India’s enterprises have moved faster on generative AI adoption than almost any peer economy. Speed, in itself, is not the problem. The problem is that AI workloads are now the primary driver of a $3 billion annual waste figure that compounds with every budget cycle — and the governance architecture required to stop that waste is the same architecture DPDP compliance demands. Organizations that solve one are building the infrastructure to solve the other.
India’s AI advantage will not be decided by which models enterprises deploy but by whether organizations can answer four questions about every workload before the Data Protection Board asks them first: who owns it, what it costs, what data it processes, and what outcome it produces.
