Why DPDPA Will Fail Without an AI Governance Framework India Does Not Yet Have

Anandaday Misshra, April 2026

The Digital Personal Data Protection Act assumes a world where data flows through human-controlled systems. A person decides to collect data. A person decides how to process it. A person decides when to delete it.

That world ended two years ago.

Agentic AI processes personal data at a velocity no consent architecture was designed to handle. An AI agent can scrape, classify, enrich, transfer, and act on personal data in 400 milliseconds. The consent mechanism that authorised the original collection has no awareness that an AI system is now making autonomous decisions with that data.

The consent gap that nobody is talking about

Section 6 of the DPDPA requires consent to be "free, specific, informed, unconditional and unambiguous." That language was drafted for a world of web forms and cookie banners. It was not drafted for a world where an agentic AI system autonomously decides to cross-reference your customer's purchase history with their social media profile to generate a personalised pricing model.

The consent was for the purchase. Not for the profiling. Not for the pricing. Not for the AI agent's autonomous decision chain that produced the price.

Consent obtained minus consent understood equals zero legal defence.

The AASAI Framework: measuring what the law does not yet measure

The Agentic AI Surface Area Index quantifies something the DPDPA does not yet address: the total exposure surface created every time an AI system touches personal data. Every API call, every data enrichment step, every autonomous decision node expands the attack surface.

AASAI measures four dimensions:

  • Autonomy depth: how many decisions the AI makes without human intervention
  • Data surface: how many categories of personal data the AI accesses
  • Transfer velocity: how fast personal data moves between systems and jurisdictions
  • Decision impact: whether the AI's output affects the data principal's rights, opportunities or pricing

Most organisations have an AASAI score they have never calculated. That score is their actual DPDPA exposure. Not the gap assessment. Not the privacy policy. The AASAI score.

What needs to change

India needs an AI governance framework that sits alongside the DPDPA, not inside it. The DPDPA governs data. An AI governance framework must govern the systems that process that data autonomously.

Until that framework exists, every organisation deploying agentic AI in India is operating in a regulatory gap. The gap is not permission. The gap is liability waiting for a test case.

"The law does not care about your IT roadmap. It cares about your customer's data."
— Anandaday Misshra

Do this now

Calculate your AASAI score. Map every AI system that touches personal data. Document the decision chain. Ask one question: if the Data Protection Board examined this AI system tomorrow, could you explain every autonomous decision it made with a data principal's personal data?

If the answer takes longer than ten seconds, you have work to do.
