Use of Generative AI by Company Secretaries: Compliance, Data Protection & Governance Challenges

Generative AI is the latest technological wave transforming the Company Secretary's desk. From paper registers to MCA21, and from physical board meetings to video conferencing, every innovation has reshaped workflows without diminishing the profession's strategic role. But Generative AI is different. Unlike prior tools that processed or stored information, GenAI reasons with it. This article is not a caution against AI. It is a call for conscious AI adoption for CS while building a disciplined framework to protect sensitive corporate information. In this process, the CS does not follow the change - they are best placed to lead it.

Key Takeaways

  • Generative AI is rapidly entering the secretarial workflow, offering efficiency gains in drafting, research and compliance management.
  • Sharing Unpublished Price Sensitive Information (UPSI) through public AI tools may constitute a breach under SEBI PIT Regulations, 2015.
  • The Digital Personal Data Protection Act, 2023 (DPDP Act) imposes data fiduciary obligations that extend to all AI tool usage.
  • SEBI LODR Regulations impose confidentiality and governance standards that AI-assisted processes must not compromise.
  • A structured AI governance framework - covering tool selection, prompt hygiene, data classification and audit trails - is essential for every CS professional.

How Company Secretaries Are Using Generative AI

Generative AI has quietly entered the daily workflow of CS professionals - not as a formal rollout, but through individual initiative. Across listed and unlisted companies alike, practitioners are using AI to get more done in less time.

  • Board resolutions, meeting notices, directors' reports, and annual report narratives are being drafted with AI assistance. The CS sets the context; the AI produces a working draft; the professional refines and owns it.
  • Legal research has become faster. Querying the Companies Act, SEBI LODR, FEMA, or IBC through conversational AI yields quicker answers - but every output must be verified against the primary source. AI can hallucinate with confidence.
  • Compliance calendars for multi-entity groups are being generated using AI - mapped to financial years, listing status, and board composition - reducing the risk of missed deadlines.
  • In M&A transactions, AI is being used to summarise agreements, statutory registers, and regulatory filings for board briefings, cutting down review time considerably.
  • Shareholder communications - postal ballot notices, AGM materials, voting reports - are being drafted with AI maintaining regulatory language and consistent tone.
  • For domain knowledge, AI has become a readily available resource for procedural queries, regulatory definitions, and compliance checklists.

Generative AI in Secretarial Practice: Use Cases and Risks

The practical risks of AI in the secretarial function emerge sharply when we examine specific, real-world use cases. Each scenario below reflects a type of prompt that CS professionals routinely use today, and each is analysed for the risk, if any, that it exposes.

Use Case 1: Drafting Resolutions with Company-Specific Details

Prompt: 'Draft a board resolution approving a related party transaction between [Company Name] and [Subsidiary], involving a loan of ₹75 crores at 9% p.a. for a period of 3 years.'

Risk: This prompt contains the company's identity, transaction size, related party relationship, and financial terms - all of which, if undisclosed, may qualify as UPSI under Regulation 2(1)(n) of the SEBI (Prohibition of Insider Trading) Regulations, 2015. Transmitting this to a public AI tool creates a risk of inadvertent disclosure, particularly if the tool retains user data for model training.

Use Case 2: Summarising Board Papers with Unpublished Financials

Prompt: 'Here is our Q3 board paper. Summarise the financial highlights and flag action points.'

Risk: Quarterly and annual financial results, prior to publication, are explicitly listed as UPSI. Pasting such data into a public AI tool amounts to transmitting UPSI to a third-party system outside the company's information security perimeter - a potential violation that the Compliance Officer and the CS must actively prevent.

Use Case 3: KMP-Related Drafting

Prompt: 'Draft an appointment letter for our new CFO [Name] effective [date], with a CTC of ₹X crores.'

Risk: Changes in Key Managerial Personnel are designated UPSI events under the PIT Regulations. Additionally, the personal data of the individual - name, designation, compensation details - is protected under the DPDP Act, 2023. This prompt violates both regulatory frameworks simultaneously.

AI vs. DPDP Act, 2023 & SEBI LODR Framework

| Aspect | DPDP Act, 2023 | SEBI LODR & PIT Regulations, 2015 |
|---|---|---|
| Who is accountable | Company as Data Fiduciary; CS as its officer | Board, CS, and Compliance Officer of listed entity |
| What is at risk | Director names, DINs, PANs, KYC, remuneration, shareholder data | UPSI - financial results, mergers, KMP changes, RPTs |
| Core principle | Purpose limitation - data collected for MCA filing cannot be reused as AI input | Prompt disclosure - UPSI must not be inadvertently retained by AI tools |
| AI-specific risk | Passing personal data to a public AI tool may constitute unauthorised processing | Transmitting UPSI to a third-party AI system may trigger insider trading exposure |
| Cross-border concern | Most GenAI tools are hosted outside India - Section 16 restricts such transfers | Loss of control over UPSI once data leaves the company's security perimeter |
| Document obligation | Processing must be transparent, purposeful, and accountable | AI-generated governance documents must be archived and auditable under Regulation 9 |
| Penalty / consequence | Up to ₹250 crores for breach of reasonable security safeguards | Regulatory investigation and action under SEBI PIT Regulations |
| CS action required | Flag AI data transfer risk at board level; review tool privacy policies | Update the Code of Conduct under PIT to explicitly cover AI tool usage and prompt discipline |

Governance Framework for Responsible AI Adoption

The answer to AI risk is not prohibition - it is governance. Company Secretaries are uniquely positioned, both by professional mandate and proximity to the board, to champion such a framework within their organisations by adopting the following measures.

  • Data Classification Before AI Interaction: Classify all corporate information into four tiers - Public, Internal-General, Confidential, and Restricted/UPSI. Only the first two should ever touch a public AI tool; everything else stays within enterprise-grade or private deployments.
  • Enterprise AI vs. Public AI: Tools like Microsoft Copilot or Google Gemini for Business offer contractual data isolation - the company's data is never used to train the model. CS professionals must push for organisation-wide adoption of such enterprise tools over free public platforms.
  • Prompt Hygiene Policy: A simple, clear policy governing what can and cannot appear in an AI prompt goes a long way. No company names, CINs, undisclosed financials, or board papers - use generic placeholders whenever specific details are not necessary.
  • Board-Approved AI Usage Policy: The CS must drive a formal AI Usage Policy covering approved tools, prohibited use cases, review protocols, and incident reporting. Board approval gives it teeth and signals governance intent from the top.
  • Audit Trail for AI-Assisted Documents: Every governance document touched by AI must carry an internal note recording which tool was used and that a qualified CS reviewed the final output. This single step protects both the professional and the organisation in any regulatory inquiry.
  • Training and Continuous Awareness: The secretarial team must be trained not just in using AI but in understanding its risk - what data it retains, where its servers sit, and when a task crosses the threshold for public AI use. Awareness is the first line of defence.

Practical Recommendations for Company Secretaries

Based on the regulatory analysis and risk assessment above, the following eight practical steps are recommended for every CS professional, regardless of the size or listing status of their company:

  1. Never enter UPSI into public AI tools; if the information is not publicly available, do not use it in an AI prompt.
  2. Promote the adoption of enterprise-grade AI solutions with robust data security, contractual safeguards, and data residency controls.
  3. Update the Insider Trading Code of Conduct to specifically address AI usage and the handling of UPSI through digital platforms.
  4. Implement a Board-approved AI Policy covering governance, data classification, usage protocols, and risk management.
  5. Ensure all AI-generated resolutions, notices, and governance documents undergo professional review before use.
  6. Maintain a documented audit trail of AI-assisted activities to demonstrate accountability and regulatory compliance.
  7. Continuously monitor developments from SEBI, MCA, ICSI, and the DPDP framework to stay aligned with evolving regulations.
  8. Actively contribute to AI governance discussions and policy consultations to help shape practical regulatory frameworks.

Conclusion

The Company Secretary has always been the custodian of corporate conscience. That fundamental role has not changed - but the environment in which it is exercised has changed dramatically.

The risks of UPSI exposure through unguarded prompts, DPDP Act non-compliance, and LODR governance gaps can be mitigated well by informed, policy-driven, professionally supervised AI adoption by the CS. Generative AI is a powerful ally, if used well!
