Bharat NeuroTech

AI audit in India — the complete 2026 guide (12 frames, 4 tiers)

What an AI audit actually covers, the 12 frames an Indian company can pick from (ISO 42001, NIST AI RMF, EU AI Act, DPDP, OWASP LLM Top 10 and 7 more), the 4 tiers (₹799–₹24,499), and the 3 controls Indian firms fail most.

By Dr. Nitnem Singh Sodhi · 12 min read
▸ ANSWER

An AI audit is a structured, evidence-based review of an AI system against a named framework (ISO 42001, NIST AI RMF, EU AI Act conformity, India's DPDP Act, ISO 27001 controls relevant to AI) — covering governance, data, model behaviour, deployment controls, and incident response. In India in 2026, an AI audit is no longer optional for any company selling to EU/UK/US enterprise or operating a regulated AI system in BFSI, health, or HR. The 12 frames you can choose from cover every credible regulatory and procurement requirement an Indian company will face this year.

AI audit
An evidence-based assessment of an AI system's design, data, behaviour, governance and operational controls against a named framework — producing a written report with findings, severity ratings, evidence references and a remediation plan. Some AI audits also require a lead auditor signature for procurement or regulatory purposes.
▸ TL;DR
  • An AI audit is not a security audit, a code review, or a model evaluation — though it touches all three.
  • The 12 frames cover governance (ISO 42001), security (ISO 27001), privacy (ISO 27701, DPDP), and product behaviour (NIST AI RMF, EU AI Act, MAS FEAT, OWASP LLM Top 10, etc.).
  • Realistic Indian cost: ₹799–₹2,999 for auto-audits (one frame, three frames, or all 12); ₹24,499 for a Dr. Sodhi-signed engagement on one of the 3 ISO frames.
  • Dr. Sodhi is lead auditor of record only on ISO 42001 / 27001 / 27701 — other frames carry a clear "not lead auditor" disclosure.
  • The 3 controls that fail Indian audits most often: AI system impact assessment (ISO 42001 Annex A.5), data provenance (A.7), and third-party AI governance (A.10).

What an AI audit actually covers

A credible AI audit is structured around five domains, regardless of which frame you choose:

  1. Governance. Policy, roles, accountability, board oversight, AI risk appetite, vendor governance.
  2. Data. Provenance, consent, quality, lineage, bias testing, retention, deletion mechanics.
  3. Model behaviour. Performance, robustness, fairness, drift monitoring, evaluation methodology — see LLM evaluation framework for the deeper method.
  4. Deployment controls. Access, logging, change management, rollback, human-in-the-loop where appropriate, prompt-injection defences.
  5. Incident response. Detection, escalation, user notification, root cause, learning loop.

The 12 frames an Indian company can pick from

Different procurement, regulatory and operational situations call for different frames. The 12 we run inside Bharat NeuroTech audits:

THE 12 AI AUDIT FRAMES

Frame                         | Best for                                             | Sodhi lead auditor?
ISO 42001 (AIMS)              | Procurement, board governance, EU buyers             | Yes
ISO 27001                     | Information security baseline, enterprise procurement | Yes
ISO 27701                     | Privacy management, DPDP alignment, EU privacy buyers | Yes
NIST AI RMF                   | US enterprise, federal-adjacent procurement          | No — not lead auditor
EU AI Act conformity          | Selling AI products into the EU after Aug 2026       | No — not lead auditor
MAS FEAT (Singapore)          | BFSI customers in Singapore / SE Asia                | No — not lead auditor
MeitY AI guidelines (India)   | Public-sector procurement in India                   | No — not lead auditor
RBI / SEBI AI governance      | BFSI deployments in India                            | No — not lead auditor
IS 17428 (privacy, India)     | BIS-aligned privacy assurance                        | No — not lead auditor
OWASP LLM Top 10              | Product security baseline for LLM apps               | No — not lead auditor
DPDP Act (India)              | DPDP-grounded data and consent assurance             | No — not lead auditor
Internal AI policy            | Pre-audit gap check against your own policy          | No — not lead auditor

The disclosure model: for the 3 ISO frames Dr. Sodhi can sign as lead auditor, the auto-audit PDF carries a soft upgrade prompt to a signed engagement. For the other 9, the PDF carries a hard "Dr. Sodhi is NOT lead auditor of record on this frame" disclosure. This is non-negotiable — see our compliance standards page for the full disclosure language.

The four AI audit tiers Indian companies use

1. Single auto-audit — ₹799

One frame, NeuroCortex-generated, ~25-page PDF with findings, severity, and a ranked remediation list. For exploratory diligence, internal triage, or "do I have a problem here?" questions. Lab-Specimen branded with the appropriate disclosure.

2. 3-pack — ₹1,799

Three frames bundled. Most teams pair (ISO 42001, ISO 27001, ISO 27701) or (ISO 42001, NIST AI RMF, EU AI Act conformity) depending on which markets they sell into.

3. 12-pack — ₹2,999, 30-day redemption

All 12 frames, redeemable within 30 days. Not a subscription — a pre-purchase. The right tier for companies preparing for major procurement cycles or expanding into multiple regulated markets.

4. Dr. Sodhi-signed full engagement — ₹24,499

Available only for the 3 ISO frames where Dr. Sodhi is lead auditor of record. A full engagement covering gap assessment, evidence gathering, control mapping, draft report, board-ready written report, and the lead auditor signature for procurement use. See ISO 42001 certification in India for the longer cost and timeline view.

What goes wrong: the three controls Indian companies fail most

A.5 — Assessing impacts of AI systems

Most teams have done some impact thinking — usually in a single document attached to the original product brief. Stage 2 auditors look for repeatability: impact assessment as a controlled process, with named owners, refreshed at defined triggers, with evidence of consideration of fairness, safety, robustness, privacy and societal impact. The gap between "we thought about it" and "we have repeatable evidence" is where most teams fail.

A.7 — Data for AI systems

Provenance is the killer. Indian teams routinely cannot answer: where did this training data come from, what was the consent basis, what's the retention policy, what's the deletion mechanism, what's the lineage from raw → curated → training set. Without provenance, every downstream control is theatrical. See our companion essay on AI risk assessment templates for the data-risk taxonomy we use.
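What "repeatable evidence" for provenance can look like in practice, as an added illustration written for this page (it is not Bharat NeuroTech tooling and not a format ISO 42001 prescribes): a hash-chained lineage manifest in which each stage records its own content hash, the hash of the stage it was derived from, the consent basis and the retention period, plus a verifier that flags data changed after the manifest was written, a broken parent link, or a missing consent basis. The records, stage names and consent strings below are constructed for the demo.

```python
"""Hash-chained data lineage manifest for an AI training pipeline.

Added example: each stage (raw -> curated -> training) is recorded with a
content hash, the hash of the stage it came from, a consent basis and a
retention period. verify_manifest() re-derives the hashes and reports any
break in the chain. All data is constructed inline; nothing here is real.
"""
import hashlib
import json
from typing import Any

# Constructed sample records (not real customer data).
RAW = [
    {"id": 1, "text": "Loan approved quickly", "phone": "+91-9000000001"},
    {"id": 2, "text": "Branch staff were rude", "phone": "+91-9000000002"},
    {"id": 3, "text": "App crashed on UPI", "phone": "+91-9000000003"},
]
# Curation drops the direct identifier and record 2, whose consent was withdrawn.
CURATED = [{"id": r["id"], "text": r["text"]} for r in RAW if r["id"] != 2]
# The training set adds labels but must still trace back to RAW via the chain.
TRAINING = [
    {"text": r["text"], "label": "neg" if "crash" in r["text"] else "pos"}
    for r in CURATED
]

# (stage name, records, consent basis, retention in days); values are assumptions.
PIPELINE = [
    ("raw", RAW, "DPDP s.6 consent, support-chat notice v3", 365),
    ("curated", CURATED, "derived from raw; direct identifiers removed", 365),
    ("training", TRAINING, "derived from curated", 730),
]


def content_hash(records: list[dict[str, Any]]) -> str:
    """SHA-256 over canonical JSON so the hash is stable across key order."""
    blob = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def build_manifest(pipeline) -> list[dict[str, Any]]:
    """Record every stage with its own hash and the hash of its parent stage."""
    manifest = []
    parent = None  # the raw stage has no parent
    for stage, records, consent, retention in pipeline:
        entry = {
            "stage": stage,
            "record_count": len(records),
            "content_hash": content_hash(records),
            "parent_hash": parent,
            "consent_basis": consent,
            "retention_days": retention,
        }
        manifest.append(entry)
        parent = entry["content_hash"]
    return manifest


def verify_manifest(manifest, pipeline) -> list[str]:
    """Return audit findings; an empty list means the lineage evidence checks out."""
    findings = []
    expected_parent = None
    for entry, (stage, records, _consent, _retention) in zip(manifest, pipeline):
        if entry["stage"] != stage:
            findings.append(f"{stage}: manifest stage order does not match pipeline")
        if entry["content_hash"] != content_hash(records):
            # Data was edited after the manifest was signed off, or the wrong
            # dataset is being presented as this stage.
            findings.append(f"{stage}: data changed after manifest was written")
        if entry["parent_hash"] != expected_parent:
            findings.append(f"{stage}: parent hash does not link to previous stage")
        if not entry["consent_basis"]:
            findings.append(f"{stage}: no consent basis recorded")
        expected_parent = entry["content_hash"]
    if len(manifest) != len(pipeline):
        findings.append("manifest and pipeline have different stage counts")
    return findings


if __name__ == "__main__":
    manifest = build_manifest(PIPELINE)
    print(json.dumps(manifest, indent=2))
    print("findings:", verify_manifest(manifest, PIPELINE))
```

Written at every pipeline run and stored with the audit evidence, a manifest like this turns the four questions above into checkable records rather than recollection. A DPDP deletion request then leaves a visible trail: the next manifest's raw-stage hash and record count differ from the previous one, and an old manifest that no longer verifies against current data is itself the signal that the dataset moved without a corresponding lineage entry.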

A.10 — Third-party and customer relationships

Every Indian company in 2026 uses OpenAI, Anthropic, Google, NVIDIA NIM, Amazon Bedrock, or some combination. The control asks: what is the contractual basis, what is the provider's data-handling posture, what happens if the upstream provider changes terms or has an incident, and how are model upgrades governed. Most teams have not done this thinking. The fix is contractual and documentary, not technical.

How an AI audit connects to the wider governance picture

An AI audit is one node in a wider AI-governance practice. The framework that governs the audit is the AI governance framework the company chooses. The principles are the four principles of responsible AI. The legal context for India is in artificial intelligence laws in India and the privacy-specific reading in GDPR in India vs DPDP.

What a finished audit report looks like

Every AI audit we ship — auto or signed — produces a Lab-Specimen-branded PDF with the standard structure: tricolour flag stripe header, T-numbered cover (T-102 for AI audit), amber rule between sections, ASCII-safe rendering (no decorative glyphs), executive summary, scope, frame reference, finding-by-finding evidence, severity heatmap, remediation roadmap, and the appropriate disclosure block. The shape of the output is the shape of the audit.

▸ FAQ

Frequently asked

Is an AI audit the same as a security audit or a model evaluation?
No. Security audits cover information security; model evaluations cover model behaviour. An AI audit covers five domains — governance, data, model behaviour, deployment controls, incident response — against a named framework. It touches security and evaluation but covers more.
How much does an AI audit cost in India in 2026?
₹799 for a single auto-audit (one frame, ~25-page PDF). ₹1,799 for a 3-frame bundle. ₹2,999 for all 12 frames with a 30-day redemption window. ₹24,499 for a Dr. Sodhi-signed full engagement, available only on ISO 42001, ISO 27001 and ISO 27701.
Is Dr. Sodhi lead auditor of record on every framework?
No — only on ISO 42001, ISO 27001 and ISO 27701. For the other 9 frames (NIST AI RMF, EU AI Act, MAS FEAT, OWASP LLM Top 10, etc.), every audit report carries a hard 'Dr. Sodhi is NOT lead auditor of record on this frame' disclosure.
Which AI audit controls do Indian companies fail most?
Three: ISO 42001 Annex A.5 (AI system impact assessment — most teams have done it once but not as a controlled process), A.7 (data provenance, consent, lineage), and A.10 (third-party AI governance — the contractual and operational basis for OpenAI / Anthropic / Bedrock and similar providers).
▸ NEXT STEP

Run your first AI audit this week.

Pick a frame, point us at your AI system, and a ~25-page audit report lands in your dashboard within an hour. Or book a 1-hour consult with Dr. Sodhi to scope a full signed engagement. ₹799 for a single auto-audit, ₹2,500/hour for the consult.

Bharat NeuroTech offers self-serve AI audits across 12 global and Indian standards from ₹799, with Dr. Sodhi personally signing engagements under ISO/IEC 42001, 27001 and 27701.
