The regulation you know was built for a different kind of system
Retail and corporate banking, insurance, asset management, fintech, payments. Financial services operates under the most mature regulatory framework of any industry, and yet none of those frameworks were designed for AI systems whose behavior changes after deployment. The gap is widening, and supervisors are closing it.
How AI is changing financial services
The dominant assumption inside financial services has been that AI risk fits within existing model risk management frameworks: SR 11-7 in the US, equivalent standards in Europe, and internal validation processes built over decades. The assumption is that AI is simply a more sophisticated model, and sophisticated models are what financial services has always governed.
That assumption breaks at three structural points. First, traditional model risk management assumes models can be specified, validated, and then operate within known parameters. AI systems do not behave that way. The same model, fed slightly different production data, can produce systematically different outcomes than it did in validation. Second, the model is no longer the unit of governance. A single foundation model can power five distinct banking use cases simultaneously, each with a different risk profile. Third, vendor models, the foundation models from third-party providers that increasingly power banking AI, are governed by procurement frameworks that were never designed for systems whose behavior the buyer cannot fully observe.
Insurance compounds the problem. The EU AI Act explicitly classifies pricing in life and health insurance as high-risk. That single sentence changes the obligations of every insurer deploying AI in underwriting or claims, regardless of how mature their existing actuarial governance is.
What risks does this create
The risks are structural, and they sit at the intersection of existing supervisory frameworks and new regulatory obligations that none of those frameworks anticipated.
Model risk frameworks that do not cover AI behavior
Traditional model risk management was designed for systems that operate within defined parameters after validation. AI systems in production can behave differently as data distributions shift, as models are retrained, or as the same architecture is deployed in a new use case. The validation that cleared the model does not guarantee the model in production.
Vendor governance that stops at procurement
The relationship with foundation model providers, AI vendors, and embedded AI in core banking systems cannot be governed solely by procurement. Third-party AI that processes credit decisions, detects fraud, or supports AML functions requires AI governance, not just vendor management. ISO/IEC 42001 is the framework that codifies the difference.
High-risk obligations that apply to existing products
The EU AI Act classifies credit scoring, life and health insurance pricing, and employment-related AI as high-risk. These obligations apply to systems already in production. Most financial institutions have not yet mapped their existing AI portfolio against Annex III.
The integration gap with existing certifications
Many financial institutions already operate certified ISO/IEC 27001 information security management systems, particularly larger banks and insurers. The structural overlap with ISO/IEC 42001 is significant and the implementation effort is materially lower than starting from scratch, but only if the integration is done deliberately. Fintechs and mid-size insurers without existing certifications face a different starting point.
The question that has changed
The question supervisors and boards are asking has shifted: from whether the model risk framework covers AI, to whether the institution can demonstrate that AI deployed across credit, fraud, AML, underwriting, and claims operates under a continuous risk management system they can assess.
How these risks can be mitigated
The mitigation path runs through a management system that integrates AI governance with the existing risk and compliance infrastructure.
Use cases as the unit of governance
A credit decisioning model used in mortgage origination has a different risk profile than the same architecture deployed in fraud detection. Existing model risk frameworks are mostly blind to this distinction. AI governance has to operate at the use-case layer, with different controls, different oversight, and different documentation for each application.
Vendor governance extended to AI behavior
Procurement contracts do not substitute for continuous oversight of AI vendor behavior. Documented controls, escalation paths, and evidence of human oversight are required for third-party AI that participates in regulated activities.
ISO/IEC 42001 integrated with ISO/IEC 27001
The overlap between information security and AI governance management systems is extensive. A deliberate integration avoids duplication, reduces audit burden, and produces a single coherent framework that supervisors and boards can assess.
Certification under ISO/IEC 42001 converts AI governance into independently verified evidence.
How we help financial institutions
ISO/IEC 42001 Certification for Financial Institutions
ANAB-accredited certification of your AI Management System. Scoped to the realities of regulated financial entities, including integration with existing ISMS, model risk frameworks, and regulatory expectations from sectoral supervisors.
EU AI Act Assessment for Banking and Insurance
Inventory of your AI use cases, classification by AI Act risk tier, identification of high-risk obligations (notably credit scoring and life/health insurance pricing), and Fundamental Rights Impact Assessment scoping where applicable.
Vendor and Third-Party AI Assessment
Independent assessment of foundation model providers, AI vendors, and embedded AI in your core systems. Provides documented evidence for supervisors, internal audit, and boards.
Integration with ISO/IEC 27001
Assessment of control alignment between your existing ISMS and ISO/IEC 42001 requirements. Single integrated management system scope, single audit cycle where possible.
Zertia Academy — Financial Services Track
Training for risk, compliance, internal audit, model risk, and business owners. Builds shared institutional language between traditional model risk and AI governance.
What regulators are asking and what certification answers
| Regulatory obligation | What it requires | How Zertia addresses it |
|---|---|---|
| EU AI Act — Annex III (High-risk: financial services) | AI used in credit scoring, life and health insurance pricing, and employment decisions is classified as high-risk. Requires risk management system, logs, human oversight, and registration in the EU database. Applies to systems already in production. | EU AI Act Assessment for Banking and Insurance: full portfolio classification, Annex III mapping, and gap analysis against deployer obligations, with prioritized remediation path. |
| EBA Guidelines on internal governance (AI implications) | EBA Guidelines on internal governance (EBA/GL/2021/05) establish management body accountability and internal control requirements that supervisors are now applying to AI systems in credit and risk functions. While the guidelines predate the AI Act, supervisors are using them as the existing framework for challenging AI governance in on-site inspections. | ISO/IEC 42001 certification addresses governance structure, accountability, and documented oversight at the management system level. Designed to satisfy supervisory inspection requirements. |
| GDPR — Art. 22 (Automated decision-making) | Data subjects have the right not to be subject to solely automated decisions with significant effects. Financial institutions must be able to explain and override AI decisions in credit, insurance, and related contexts. | Covered in certification scope and DPIA services. Explainability and human override controls are assessed as part of the management system audit. |
| ISO/IEC 27001 (Integration with existing ISMS) | Most financial institutions already operate a certified ISMS. AI governance obligations require either extending the existing framework or building a parallel one, with corresponding audit burden. | Single integrated management system, single audit cycle where possible. |
From inquiry to certification
If you're earlier in the process
Get the Financial Services AI Roadmap
Free. A structured assessment for banks, insurers, and fintechs. Covers AI use case inventory, classification under the AI Act, and integration with existing risk frameworks.
Readiness Audit
Paid · Fixed fee. Diagnostic of your AI deployments against ISO/IEC 42001, AI Act obligations, and integration with your ISMS or model risk framework. Documented gap report, remediation plan, and certification timeline.
If you're ready for certification
ISO/IEC 42001 Certification
ANAB-accredited. Three-year cycle, fixed fees. Designed to integrate with your existing certifications. Surveillance audits included.
A model that adapts to your firm
How we work with you depends on your institution's size and complexity. A regional fintech operates on different terms than a global bank with multiple regulators. Three engagement models adapted to institutional realities:
- Startup: Early-stage AI. Light roadmap, certification when you scale.
- Scaleup: Readiness audit and certification timed to your growth.
- Enterprise: Full certification with recurring governance and ongoing support.
Zertia is a conformity assessment body accredited by ANAB for ISO/IEC 42001
Our certification activities under ISO/IEC 42001 are conducted under accreditation by ANAB (ANSI National Accreditation Board), a globally recognized accreditation body.
ANAB accreditation confirms that our audit and certification processes meet applicable ISO standards and international requirements for competence, impartiality, and independence. Our methodologies, auditor qualifications, and decision processes are externally assessed against rigorous technical criteria.
For certified organizations, this provides internationally recognized certificates and enhanced credibility with regulators, clients, and investors.
Your fast track to compliance starts here
Our team is ready to support your compliance, cybersecurity, and privacy needs. Complete the contact form or reach out to [email protected], and our experts will guide you through the next steps.
