India is looking beyond AI models to the hardware that feeds them. Electronics and Information Technology Secretary S. Krishnan said India may need stronger oversight of devices connected to AI and biometric authentication systems, including sensors, cameras, biometric scanners, IoT devices, and other data-collecting equipment.
Companies serving Indian users may need to review more than model governance and privacy notices. Device sourcing, trusted-vendor requirements, data flows, and audit trails could become part of the compliance work for regional systems built across shared cloud, identity, and security infrastructure.
The hardware beyond India’s AI concerns
Speaking June 5, Krishnan framed the issue around strategic autonomy and the risk of “black box” devices connected to AI systems.
He pointed to AI use in manufacturing and agriculture, where systems can rely on data captured through sensors and other connected hardware. If those devices cannot be inspected or trusted, governments may see them as supply chain, espionage, or infrastructure risks.
For IT teams, the same visibility problem shows up when enterprise incidents reveal which systems are affected, what access paths were exposed, and how quickly vendors contained the issue.
India already uses a trusted-source model in telecom. Under the government’s Trusted Telecom Portal, telecom providers must use trusted products from trusted sources for covered network equipment. Krishnan’s remarks suggest that approach could eventually influence AI-linked hardware and biometric systems, though no blanket rule has been issued.
Biometric devices are especially sensitive because they sit inside India’s digital public infrastructure. UIDAI says Aadhaar biometric devices collect fingerprint and iris inputs for authentication and identity checks, and only registered devices can be used in the Aadhaar authentication ecosystem.
Similar privacy and safety questions are emerging around AI-enabled products that collect sensitive data, even outside formal identity systems.
India’s data protection law is still coming online. Selected provisions of the Digital Personal Data Protection Act, 2023, took effect on Nov. 13, 2025, while consent-manager rules start one year later and most core obligations start after 18 months. The DPDP Act defines personal data broadly, but it does not create a separate biometric-data category.
Where regional exposure builds
India has not issued a blanket rule for AI or biometric devices. Exposure builds where Indian user data, biometric authentication, AI systems, and connected devices overlap.
Identity, fintech, HR technology, access-control, healthtech, industrial IoT, and security vendors should review how authentication is performed, what biometric inputs are collected, and whether third-party devices meet Indian ecosystem requirements.
The hardware focus also mirrors a wider shift in AI planning, where infrastructure limits such as power demand and data center capacity are becoming enterprise risk factors.
Cloud and infrastructure teams should review whether Indian user data can be isolated, retained, or routed differently if transfer restrictions tighten. The DPDP Act allows India’s central government to restrict transfers of personal data to notified countries or territories.
The next signals to watch are trusted-source expansion beyond telecom and CCTV, DPDP transfer restrictions, and early data-protection enforcement.
Also read: A Microsoft 365 Android vulnerability exposed authentication tokens in six apps, underscoring why enterprise teams need to scrutinize trusted platforms from app to device layer.