In its 2025 Responsible AI Pulse survey, EY asked 975 C-suite executives across 21 countries a simple question: has AI cost you money? Ninety-nine percent said yes. Nearly two-thirds reported losses exceeding one million dollars, with the average sitting at USD 4.4 million per organization. The single most cited cause was not model failure or bad data - it was non-compliance with AI regulations, named by 57% of respondents.[1]
For India's Global Capability Centers, that number should land differently than it does anywhere else. GCCs now build and operate a substantial share of the AI systems that global enterprises run — and when those systems touch users in Brussels, Frankfurt, or New York, the regulatory exposure travels back up the chain to the parent. The question facing GCC leaders in 2026 is no longer whether they can build AI at scale. We covered that shift in How India Is Becoming the AI Nerve Center for Global Retail and CPG. The question now is whether they can prove that what they build is governed — because their clients' regulators, boards, and procurement teams have started asking.
The regulation has left the white paper and entered the audit
The EU AI Act is the forcing function. Its prohibitions on practices such as emotion recognition in the workplace and manipulative AI have been enforceable since February 2025, with penalties reaching €35 million or 7% of global annual turnover. Obligations for general-purpose AI models followed in August 2025. On 2 August 2026 — weeks from now — the Act's full enforcement machinery activates at national and EU level.[2] The recent Digital Omnibus agreement deferred high-risk system obligations to December 2027 and August 2028[3], but deferral is not relief. It is preparation time, and the extraterritorial scope is unambiguous: the Act applies to any organization whose AI systems affect people in the EU, regardless of where the code is written. An Indian GCC building a credit-scoring model or an HR screening tool for a European parent is inside the perimeter.
The United States offers no simpler picture — it offers a fragmenting one. Federal AI policy reversed direction in January 2025, and a December 2025 executive order now seeks to preempt state laws, while more than 1,000 state AI bills were introduced in 2025 alone. California's frontier-model transparency law is in force, Texas's Responsible AI Governance Act took effect in January 2026, and Colorado's revised act arrives in 2027.[4] For a GCC serving US business units, compliance is not one standard but a moving patchwork — which is precisely why American clients increasingly push governance requirements into contracts rather than waiting for Washington.
And India itself has moved. MeitY released the India AI Governance Guidelines in November 2025, recommending that organizations consider an AI governance committee and a responsible AI officer. The DPDP Rules, notified the same month, put consent requirements around personal data used to train AI models and established the Data Protection Board of India, with substantive obligations phasing in through 2026 and 2027. February 2026 brought mandatory labelling rules for synthetically generated content.[5] India's approach is deliberately lightweight, but the direction of travel is one-way: the jurisdiction where GCCs operate is itself building governance expectations, not just the jurisdictions they serve.
Scale without governance is now a liability
The size of India's GCC sector is what turns governance from a legal topic into a strategic one. The Zinnov-NASSCOM 2026 landscape report counts 2,117 GCCs employing 2.36 million professionals and generating USD 98.4 billion in revenue. More than 1,200 of those centers have AI/ML capabilities, over 185 run dedicated AI Centers of Excellence, and 120,000+ AI/ML professionals work inside them.[6] According to EY's GCC Pulse Survey, 83% of Indian GCCs are investing in generative AI and 58% are already investing in agentic AI.[7]
Read those numbers the way a client's chief risk officer reads them. Tens of thousands of models, copilots, and agents are being built in centers that, until recently, were measured on delivery velocity and cost efficiency — not on auditability. The agentic wave sharpens the problem: Gartner estimates that 40% of enterprise applications will embed task-specific AI agents by the end of 2026, up from under 5% in 2025[8], while 53% of enterprises admit they are running agents they do not fully trust or fully understand[9]. NIST launched a dedicated AI Agent Standards Initiative in February 2026[10] precisely because existing frameworks were not written for software that acts autonomously.
This is the gap between adoption and accountability — and it is measurable. EY's mid-2025 pulse found that only one in three organizations has protocols covering the full span of responsible AI.[11] The other two-thirds are running systems they cannot fully explain, in markets that now demand explanation.
Governance has become a buying criterion
Here is the shift that matters commercially: AI governance has migrated from the compliance annex to the procurement scorecard. Enterprise vendor due diligence questionnaires now routinely ask for model cards, bias testing results, training data summaries, incident histories, and audit rights. A GCC — or a services partner — that cannot produce this documentation does not lose the argument; it never gets into the room.
The certification market tells the same story. ISO/IEC 42001, the AI management system standard, has moved in two years from novelty to table stakes for outsourced AI work, with Indian firms such as Datamatics and KPMG India among the certified and clients explicitly requesting the certificate as a trust signal.[12] More than 100 technology firms — TCS, Infosys, and Wipro among them — signed the EU AI Pact[13], committing to compliance ahead of legal deadlines. Wipro rolled out Microsoft 365 Copilot to roughly 105,000 employees with mandatory responsible-use and prompt-hygiene training before access[14]. These are not gestures. They are bids for the same mandate: trusted AI operations at scale.
The structural response inside GCCs is already visible. Zinnov-NASSCOM reports that AI governance is increasingly written into GCC site-leader mandates, with a growing share of centers standing up dedicated AI ethics and compliance functions[6]. Forrester projects that 60% of Fortune 100 companies will appoint a head of AI governance this year[15]. The conversation, as the landscape report puts it, has shifted from what AI can do to how to govern it.
The governance dividend is quantifiable
The skeptic's objection is familiar: governance slows delivery and adds cost. The 2025 data dismantles it. EY found that organizations with real-time AI monitoring were 34% more likely to report revenue-growth improvements and 65% more likely to report improved cost savings; across all respondents, 81% reported improved innovation and 54% reported revenue growth[1]. BCG's research on the widening AI value gap points the same direction — the 5% of companies that are "future-built" for AI achieve 1.7x higher revenue growth and 2.7x greater ROI on AI investments[16], and disciplined governance with clear decision rights is one of the traits that separates them. The business case for AI itself is settled, as we argued in Why AI in Retail Is Moving from Nice-to-Have to Operational Necessity; governance is what determines who captures the value without giving it back in losses, rework, and lost deals.
For a GCC, the dividend compounds. A center that can hand its parent an AI system inventory, a risk-tiered model register, EU AI Act conformity evidence, and an ISO 42001-aligned management system is no longer selling capacity. It is selling assurance — and assurance is what unlocks the high-stakes work: credit decisioning, clinical workflows, autonomous category management, agentic operations. The governed GCC gets the charter that the ungoverned GCC is not allowed to touch.
What building the muscle actually looks like
The practical agenda is narrower than the regulatory sprawl suggests. It starts with a complete AI inventory — you cannot govern systems you have not catalogued — followed by risk classification mapped to the EU AI Act's tiers and the client's sectoral regulators. On top of that sits a management system, with ISO 42001 and the NIST AI RMF as the two interoperable scaffolds, and a monitoring layer that treats model drift, bias, and agent behavior as operational telemetry rather than annual review items. The organizational piece — an AI risk committee, named accountability, literacy training — is what India's own governance guidelines now sketch as the expected baseline.
None of this is exotic. It is engineering discipline applied to a new surface, which is exactly why GCCs — built on process maturity — are better positioned to industrialize it than almost any other part of the enterprise.
The window matters. Between now and December 2027, every GCC serving European and American clients will be asked to show its governance evidence. The centers that spent 2026 building it will answer with documentation. The rest will answer with a project plan — and in enterprise procurement, that is the difference between winning the mandate and watching it move to the center next door.
DS Stream designs, builds, and operates AI solutions with governance built in — from data platforms to MLOps and agentic systems. If your GCC or AI team needs an EU AI Act-ready operating model, talk to us.
Sources
[1] EY, Responsible AI Pulse Survey, Wave 2 (October 2025), 975 C-suite leaders across 21 countries: 99% reported AI-related losses, ~64% over USD 1M, average USD 4.4M, 57% cited regulatory non-compliance; same wave reports the governance/monitoring outcome figures. ey.com
[2] EU AI Act, Regulation (EU) 2024/1689: Art. 5 prohibited practices (applicable 2 Feb 2025), Art. 99 penalties (up to EUR 35M or 7% of turnover), Chapter V general-purpose AI obligations (applicable 2 Aug 2025), Art. 2 extraterritorial scope; main application date 2 Aug 2026. EUR-Lex; EC timeline
[3] Digital Omnibus on AI, Council and European Parliament provisional agreement, 7 May 2026: high-risk obligations deferred to 2 Dec 2027 (Annex III) and 2 Aug 2028 (Annex I); not yet published in the Official Journal at time of writing. Council of the EU
[4] US AI policy: White House EO 'Removing Barriers to American Leadership in AI' (23 Jan 2025, revoking EO 14110); EO on state-law preemption (11 Dec 2025); NCSL, 1,000+ state AI bills in 2025; California SB 53 (in force 1 Jan 2026); Texas TRAIGA / HB 149 (1 Jan 2026, narrower than the original bill); Colorado AI Act SB 24-205 as amended (effective 1 Jan 2027). NCSL; White House (Dec 2025); California SB 53
[5] India: MeitY, India AI Governance Guidelines (5 Nov 2025); DPDP Rules 2025 (notified 13-14 Nov 2025, obligations phasing in through 2026-2027); IT Rules amendment mandating labelling of AI-generated content (in force 20 Feb 2026). MeitY / PIB; AI labelling (Feb 2026)
[6] Zinnov-NASSCOM, India GCC Landscape 2026 (May 2026): 2,117 GCCs, 2.36M professionals, USD 98.4B revenue; 1,200+ centers with AI/ML capabilities, 185+ AI Centers of Excellence, 120,000+ AI/ML professionals. zinnov.com
[7] EY GCC Pulse Survey 2025 (November 2025): 83% of Indian GCCs investing in generative AI, 58% investing in agentic AI. ey.com
[8] Gartner (26 Aug 2025): 40% of enterprise applications will integrate task-specific AI agents by 2026, up from less than 5% in 2025. gartner.com
[9] Kore.ai enterprise AI agent survey (2026): 53% of enterprises run AI agents they do not fully trust or understand; 70% have faced a failure they could not trace. kore.ai
[10] NIST Center for AI Standards and Innovation (CAISI), AI Agent Standards Initiative, announced 17 Feb 2026. nist.gov
[11] EY, Responsible AI Pulse Survey, Wave 1 (June 2025): only about one in three organizations has protocols covering the full responsible-AI framework. ey.com
[12] ISO/IEC 42001:2023, AI management system standard (published Dec 2023); Datamatics (certified Jun 2024) and KPMG India (certified Dec 2025) among certified Indian firms. ISO 42001; KPMG India
[13] EU AI Pact, European Commission (25 Sep 2024): 100+ signatories, including TCS, Infosys, and Wipro. European Commission
[14] Microsoft (3 Jun 2026): Infosys, TCS, and Wipro scaling Microsoft 365 Copilot; Wipro at roughly 105,000 seats with governance and responsible-use training. microsoft.com
[15] Forrester, Predictions 2026: 60% of Fortune 100 companies expected to appoint a head of AI governance. forrester.com
[16] BCG, 'The Widening AI Value Gap: Build for the Future 2025' (Sep 2025): the 5% of 'future-built' companies achieve 1.7x revenue growth and 2.7x greater ROI on AI. bcg.com


.webp)
