Credit Scoring Is High-Risk by Default: Sovereign AI for Lending Under Annex III
The high-risk duties on a lender running a credit-scoring system, logging, oversight and data-governance, were due on 2 August 2026 and now apply from 2 December 2027 after the Digital Omnibus deferral, yet the proof they demand is unchanged and architecture, not policy, must satisfy it, so we build now.
The substantive obligations of the EU AI Act for high-risk systems, once due on 2 August 2026, now apply from 2 December 2027 following the deferral agreed in the Digital Omnibus, and creditworthiness assessment sits inside them. Annex III names credit scoring and the evaluation of natural persons for access to essential financial services as high-risk by default. This is not a label a lender can argue its way out of. The proof requirements survive the move, so the sensible response is to build now: if a model decides whether a person receives a mortgage, a card or a small-business facility, it inherits a legal regime built around record-keeping, human oversight, data governance and transparency.
For a bank, a building society or a fintech lender, the practical question has narrowed. It is no longer whether artificial intelligence in lending is regulated, but whether systems already in production can produce, on demand and years later, a tamper-evident account of every decision and why. Many cannot, because the architecture beneath them was never designed to be interrogated. That gap is where compliance risk now lives.
What Annex III actually asks a lender to prove
The high-risk obligations read less like an ethics statement and more like a systems specification. Article 12 requires automatic logging of events across the lifetime of the system. Article 14 requires effective human oversight: a person who can understand a decision, override it and stay accountable. Article 10 governs the data used to train and tune the model, its representativeness, provenance and bias controls. Transparency duties require that an affected applicant and a supervisor receive a meaningful explanation.
Each of these is a duty to demonstrate, not merely to assert. A regulator arriving after a complaint will ask for the record, and a rejected applicant exercising rights under existing consumer-credit and data-protection law will ask for the reasoning. The uncomfortable position for many lenders is that their scoring stack cannot reconstruct the exact model state, feature set and inputs behind a decision eighteen months ago, because logs were partial, mutable, or held by a third party the lender never controlled.
Why the cloud model of security makes this harder
Much modern scoring runs on shared infrastructure operated by a large cloud provider. That design has real strengths, which we do not dispute. The difficulty for a regulated lender is one of evidence and control. When the model, the logs and the key material all reside inside an environment the lender does not physically hold, compliance rests on another party's attestations, and the audit trail is only as trustworthy as a perimeter the lender does not own.
There is also a jurisdictional edge that boards now examine closely. Data held by a provider headquartered outside the European Union can fall within the reach of foreign disclosure laws regardless of where the servers physically sit. For a European lender processing borrowers' financial data under the AI Act, DORA and NIS2, that reach raises a governance question no contractual language fully closes. Sovereignty here is the difference between holding your own evidence and borrowing another's.
The sovereign alternative: computation the lender actually holds
Mickai is a Sovereign Intelligence Operating System, a SIOS. It runs offline on operator-owned hardware, inside the lender's own estate, with no dependency on an external inference endpoint. Every scoring decision is computed where the lender can see it, and every action is cryptographically sealed as it happens. Nothing about a borrower leaves the building unless the operator sends it.
This inverts the usual trust relationship. Instead of accepting a provider's summary of what the model did, the lender owns a first-party record outright. The logging duty under Article 12 stops being a hope that a supplier retained the right telemetry and becomes a property of the operator's own hardware, and explainability becomes a by-product of running the computation where the lender governs it.
“When a lending decision is high-risk by law, the only defensible position is a record the lender holds itself, sealed at the moment of decision and verifiable without trusting anyone else.”
Sealed audit chains and the evidence a supervisor will demand
The mechanism that makes this concrete is a post-quantum signed audit chain. Every decision, input feature, model version and human override is written as a linked, signed entry referencing the one before it, so the chain cannot be silently reordered or edited. Because the signatures resist future quantum attack, an audit trail written in 2026 stays verifiable across the retention periods a financial regulator expects.
This is what Article 12 logging looks like when it is built into the substrate rather than layered on top. A supervisor can be handed the chain and check it independently, and a rejected applicant's decision can be reconstructed down to the model state that produced it. The lender no longer argues that its logs are complete; it offers a mathematically verifiable object that shows they are.
Explainability and human oversight that hold up in practice
Article 14 asks for oversight that is real, not ceremonial. A credit officer signing off on scores they cannot interrogate is oversight in name only. The design principle we work to is that the human in the loop must see the reasoning, challenge it and record their judgement inside the same sealed chain, so accountability is traceable to a named person.
To reduce the risk of a single model producing a confident but flawed decision, the system uses cross-model consensus. Several sovereign models, run on the operator's hardware, assess the same case, and material disagreement is surfaced to a human rather than averaged away. This addresses the robustness concerns Article 15 raises, and it guards against the prompt-injection and model-manipulation risks catalogued in the OWASP work on AI, because no single output is trusted alone.
A perimeter designed so nothing reaches the model uninvited
Data governance is not only about the training set. It is also about who and what can touch the running system. The SIOS operates behind a zero-egress inbound perimeter: the scoring environment does not call out, and unsolicited traffic cannot call in. Identity is hardware-attested, binding a request to a verified machine rather than a credential that can be phished or replayed, and integrity can be confirmed offline.
For a lender aligning to DORA's operational-resilience requirements, to NIS2 and to an ISO/IEC 42001 management system for AI, this architecture does much of the foundational work. Resilience is easier to evidence when the critical dependency is hardware the operator owns rather than a remote service, and the controls sit inside the components rather than in a policy describing a supplier's promises. That engineering is reflected in the 104 filed UK patent applications, approximately 2,340 claims, owned by Mickai LTD and currently patent pending.
Where lenders go from here
The window before full application is short, and the reasonable starting point is honest self-assessment. A lender should ask a plain question of its stack: if a supervisor requested the complete, tamper-evident decision record for an application from two years ago, could it be produced, and its integrity proven without relying on a third party's word. For many, the honest answer today is no, and closing that gap is an architectural project, not a paperwork exercise.
Annex III has made a design choice into a legal duty. The lenders who fare best will treat creditworthiness assessment as something to be computed where they can see it, sealed where they can prove it and explained where a person can stand behind it. Sovereign infrastructure does not remove the obligation. It makes the obligation something a lender can meet, on its own hardware, with evidence it holds.




