Choosing an AI Risk Framework for a Fintech Startup's Credit Models
The startup's tech partner pushed NIST AI RMF. Its plan to onboard European users made that the wrong lens, and the right framework turned a governance task into a market access decision.
A UAE fintech startup was building AI models for credit scoring and customer onboarding. Its technology partner, a US firm, pushed NIST AI RMF as the governance anchor. The choice made sense on paper. The founders already knew NIST from their security work, and it was the framework their partner used.
Through a NIST lens, the models were a risk management exercise. Document your risks, monitor for bias, establish oversight. Nothing that would block the roadmap.
But the startup's growth plan included onboarding European users in the next funding cycle. Our team assessed the same models under the EU AI Act, where credit scoring is explicitly listed as high-risk under Annex III. The obligations are specific and binding: conformity assessment, technical documentation, human oversight mechanisms, and EU database registration. The models were nowhere near compliant.
Why the framework choice changed the plan
NIST said "improve governance." The EU AI Act said "you cannot onboard EU users with these models as built." For an early-stage company, that is not a footnote. It is the difference between a governance to-do and a feature that would have to be rebuilt, ideally before it shipped rather than after a customer's compliance team found it.
We anchored on the EU AI Act for the European-facing path and used ISO 42001 as the operational management layer underneath, which gave the founders something defensible to show investors and partners. Catching the gap pre-launch meant a design decision, not an expensive retrofit.
The lesson generalises to any startup with ambitions beyond its home market. The framework you assess against is not a formality. It decides which findings you even see, and whether you find them while they are still cheap to fix.
If your situation is similar, our team is happy to start with a conversation about scope and approach.