Compliance · June 2026 · 10 min read

AI Compliance for Tier-1 Banks: RBI, SAMA, EU AI Act in One Picture

A tier-1 bank serving customers across India, the Gulf and the EU now has three overlapping AI-regulation regimes converging on the same architectural answer: model lifecycle artefacts under the bank's exclusive control. Here's the single-page mapping of RBI Master Direction, SAMA Cyber Resilience Framework, and the EU AI Act onto one reference stack.

Saurabh Goenka
Founder & CEO, MindMap Digital

Three weeks ago I was in Riyadh, in a meeting room overlooking King Fahd Road, with the Chief Risk Officer of a SAMA-regulated bank that also serves customers through subsidiary entities in Frankfurt and Mumbai. The CRO put a single-page diagram on the table: her risk team's attempt to map RBI's Master Direction, SAMA's Cyber Resilience Framework and the EU AI Act onto one reference architecture. The diagram had three columns and twelve rows. Eight of the twelve rows showed the same architectural answer across all three jurisdictions. Her question was the obvious one: "If the answer is the same, why are we doing this three times?" Two days later her IT director and our team architected the consolidation.

The same convergence holds for any tier-1 bank serving customers across India, the Gulf and the EU. RBI's Master Direction on IT Governance specifies that AI/ML model lifecycle artefacts must be hosted on infrastructure under the regulated entity's exclusive control. SAMA's Cyber Resilience Framework, updated in 2025 with explicit AI provisions, demands the same in the Gulf. The EU AI Act's Articles 9–15, enforceable from 2 August 2026 for high-risk systems, push BFSI workloads toward deployments the bank can audit end to end, which in practice means on-premise. One architecture satisfies all three, which is why our reference deployments at tier-1 banks across these geographies look structurally identical.

Mapping the three regimes onto Articles 9–15

  • Article 9 (risk management): aligns with SAMA's risk governance requirements and RBI's IT risk management framework. Same lifecycle, different documentation templates.
  • Article 10 (data governance): aligns with both supervisors' expectations around customer data residency and data lineage.
  • Article 11 (technical documentation): where the EU AI Act is the most demanding of the three regimes when applied to Annex III workloads. If your Annex IV dossier satisfies the EU AI Act, it almost certainly satisfies RBI and SAMA documentation expectations as well.
  • Article 12 (record-keeping): aligns with RBI's expectation that AI/ML inference logs are retained per the bank's regulatory retention policy and held under the bank's exclusive control.
  • Article 14 (human oversight): maps to SAMA and RBI expectations around effective challenge of model decisions.

The architectural pattern that satisfies all three

The reference architecture we deploy at tier-1 banks across all three jurisdictions:
  • open-weights LLMs (Llama 3.3 70B where answer quality matters, Mistral 7B or Llama 3.1 8B where throughput matters) served via vLLM on bank-controlled GPUs inside the bank's data centre;
  • RAG grounded on the bank's policy and product corpora, with the supporting citations injected into every answer;
  • agentic workflows with bounded autonomy, every action written to an audit trail in the bank's SIEM;
  • integration to Temenos / Finacle / Flexcube / FIS via event-streaming overlays for reads and API gateways for writes;
  • SSO + RBAC integrated with the bank's identity provider;
  • Annex IV documentation auto-generated from source and held in the bank's Git.
The structure is identical across the three jurisdictions. What changes is where each instance physically sits (the supervisor's data-residency rule decides that) and the documentation templates. The /ai-for-bfsi page covers the full reference architecture.
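The audit-trail component above is the part of the stack an auditor will actually exercise, and it is also the answer to the Article 12 record-keeping point: a log the bank writes itself, not a vendor console. The following is an added example written for this article (not code from MindMap Digital's deployments, nor a vLLM or SIEM API): each customer-affecting inference becomes one JSON line carrying the model-weights digest, digests of the prompt and completion, the RAG citations, the decision, the reviewer if one was involved, and the hash of the previous record. Replaying the chain detects any edited, dropped or reordered record. The class name, system id, file names and the three sample inferences are constructed for the illustration.

```python
"""Hash-chained inference audit trail (hypothetical example for this article)."""
import hashlib
import json
from typing import Iterable, List, Optional, Tuple

GENESIS_HASH = "0" * 64  # prev_hash of the first record in a fresh log


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_json(obj: dict) -> bytes:
    """Deterministic encoding so every verifier recomputes the same digest."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


class InferenceAuditTrail:
    """Append-only log; in production `lines` is a file forwarded to the SIEM."""

    def __init__(self, system_id: str, model_weights_sha256: str) -> None:
        self.system_id = system_id
        self.model_weights_sha256 = model_weights_sha256
        self._prev_hash = GENESIS_HASH
        self._seq = 0
        self.lines: List[str] = []

    def record(self, *, request_id: str, ts: str, prompt: str, completion: str,
               citations: Iterable[str], decision: str,
               human_reviewer: Optional[str] = None) -> dict:
        self._seq += 1
        entry = {
            "seq": self._seq,
            "system_id": self.system_id,
            "request_id": request_id,
            "ts": ts,
            "model_weights_sha256": self.model_weights_sha256,
            # Full prompt/completion stay in the bank's retention store keyed by
            # request_id; the SIEM line carries digests only, so customer data is
            # not copied into a second system.
            "prompt_sha256": sha256_hex(prompt.encode("utf-8")),
            "completion_sha256": sha256_hex(completion.encode("utf-8")),
            "citations": sorted(set(citations)),
            "decision": decision,
            "human_reviewer": human_reviewer,
            "prev_hash": self._prev_hash,
        }
        entry["hash"] = sha256_hex(canonical_json(entry))
        self._prev_hash = entry["hash"]
        self.lines.append(json.dumps(entry, sort_keys=True))
        return entry


def verify_chain(lines: Iterable[str]) -> Tuple[bool, str]:
    """Replay exported lines and report the first broken link, if any."""
    prev_hash = GENESIS_HASH
    expected_seq = 0
    for line in lines:
        entry = json.loads(line)
        expected_seq += 1
        if entry.get("seq") != expected_seq:
            return False, f"gap or reorder before seq {entry.get('seq')}: expected {expected_seq}"
        if entry.get("prev_hash") != prev_hash:
            return False, f"seq {expected_seq}: prev_hash does not match previous record"
        body = {k: v for k, v in entry.items() if k != "hash"}
        if sha256_hex(canonical_json(body)) != entry.get("hash"):
            return False, f"seq {expected_seq}: record content altered after hashing"
        prev_hash = entry["hash"]
    return True, f"{expected_seq} records verified"


def build_sample_trail() -> InferenceAuditTrail:
    """Constructed sample: three credit-assist inferences, one referred to a human."""
    trail = InferenceAuditTrail("credit-assist-v3", sha256_hex(b"constructed weights blob"))
    trail.record(request_id="req-1001", ts="2026-06-02T09:14:11Z",
                 prompt="Applicant A, salaried, requested limit 250000",
                 completion="Within policy band B; recommend approve.",
                 citations=["policy/credit/unsecured-limits.pdf#p4"], decision="approve")
    trail.record(request_id="req-1002", ts="2026-06-02T09:15:03Z",
                 prompt="Applicant B, self-employed, thin file",
                 completion="Insufficient bureau history; refer.",
                 citations=["policy/credit/thin-file.pdf#p2", "policy/credit/unsecured-limits.pdf#p4"],
                 decision="refer_to_underwriter", human_reviewer="u.khan")
    trail.record(request_id="req-1003", ts="2026-06-02T09:16:40Z",
                 prompt="Applicant C, sanctions hit on name match",
                 completion="Hard stop per screening policy.",
                 citations=["policy/aml/sanctions-screening.pdf#p1"], decision="decline")
    return trail


def tamper_decision(lines: List[str], index: int, new_decision: str,
                    rehash: bool = False) -> List[str]:
    """Simulate an insider editing one exported record; rehash=True also fixes its own hash."""
    edited = list(lines)
    entry = json.loads(edited[index])
    entry["decision"] = new_decision
    if rehash:
        body = {k: v for k, v in entry.items() if k != "hash"}
        entry["hash"] = sha256_hex(canonical_json(body))
    edited[index] = json.dumps(entry, sort_keys=True)
    return edited


if __name__ == "__main__":
    t = build_sample_trail()
    print(verify_chain(t.lines))                                   # intact
    print(verify_chain(tamper_decision(t.lines, 1, "approve")))    # edited record
    print(verify_chain(tamper_decision(t.lines, 1, "approve", rehash=True)))  # edited and rehashed
    print(verify_chain(t.lines[:1] + t.lines[2:]))                 # dropped record
```

The chain only proves integrity relative to its head: the current head hash has to be anchored somewhere the log writer cannot alter after the fact (a SIEM start-of-day event, a signed export, or a write-once store), otherwise an attacker with write access can rewrite the whole log consistently.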

The five workloads where the regimes converge most explicitly

  • Credit scoring: EU AI Act Annex III 5(b), RBI Master Direction model governance, SAMA fair-lending framework.
  • KYC and onboarding: RBI and SAMA AML / KYC frameworks plus EU GDPR processing-control requirements.
  • AML and sanctions screening: Fed SR 11-7 (for US-exposed banks), MAS FEAT principles (for Singapore-exposed banks), SAMA AML framework, RBI Master Direction.
  • Customer chatbots and voice agents: Article 50 transparency under the EU AI Act plus the bank's home-jurisdiction consumer-protection framework.
  • Document intelligence: RBI / SAMA document-retention and customer-data-protection requirements plus EU AI Act Article 10 data-governance obligations.

Where most BFSI AI programmes are behind on all three

Three patterns repeat.
  • Documentation lives in slides, not in code. The Annex IV dossier needs to be generated from the source artefacts of each AI system and refreshed on every deployment, not maintained as a separate Word document that drifts from what is actually running.
  • Audit logs sit in vendor platforms, typically the cloud LLM provider's logging. That satisfies none of the three: not the EU AI Act's Article 12 record-keeping requirement (the deployer has no direct control over the logs), not the RBI Master Direction (the artefacts are not on infrastructure under the bank's exclusive control), and not SAMA (cross-border AI inference on customer data is not permitted).
  • Model-risk processes have not been extended to AI. The bank's existing IRB (internal ratings-based) model validation framework typically does not cover the fundamental-rights risks that Article 9 risk management requires.
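The first pattern, and the "Annex IV documentation auto-generated from source" item in the reference stack, come down to one mechanism: the documentation is derived from the deployed artefacts and re-checked against them on every start-up. The following is an added example written for this page (not the documentation pipeline MindMap Digital's reference deployments use): generate_manifest() digests every file in a deployment directory and records build provenance; check_deployment() recomputes the digests and fails closed on anything missing, modified or unlisted. The schema label, directory layout, file contents and git commit string are constructed; in practice the manifest is committed to the bank's Git next to the dossier, not written into the deployment directory it describes.

```python
"""Build manifest generated from deployment artefacts (hypothetical example)."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # weight shards are large
            h.update(chunk)
    return h.hexdigest()


def digest_tree(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def generate_manifest(root: Path, *, system_id: str, model_id: str,
                      git_commit: str) -> dict:
    artefacts = digest_tree(root)
    manifest = {
        "schema": "build-manifest/1",  # hypothetical schema label
        "system_id": system_id,
        "model_id": model_id,
        "git_commit": git_commit,
        "artefact_count": len(artefacts),
        "artefacts": artefacts,
    }
    # Digest of the manifest itself: quoted in the dossier and in the SIEM
    # start-up event, so the two can be tied together during an inspection.
    manifest["manifest_sha256"] = hashlib.sha256(
        json.dumps(manifest, sort_keys=True).encode("utf-8")).hexdigest()
    return manifest


def check_deployment(root: Path, manifest: dict) -> List[str]:
    """Empty list means disk matches the manifest exactly; anything else blocks serving."""
    expected = manifest["artefacts"]
    actual = digest_tree(root)
    findings = []
    for rel, digest in expected.items():
        if rel not in actual:
            findings.append(f"missing: {rel}")
        elif actual[rel] != digest:
            findings.append(f"modified: {rel}")
    findings.extend(f"unlisted: {rel}" for rel in actual if rel not in expected)
    return sorted(findings)


def demo() -> dict:
    """Constructed deployment tree, then three kinds of drift an operator can introduce."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "credit-assist-v3"
        files = {  # constructed stand-ins for real artefacts
            "weights/model-00001-of-00002.safetensors": b"constructed shard 1",
            "weights/model-00002-of-00002.safetensors": b"constructed shard 2",
            "serving/vllm.yaml": b"tensor_parallel_size: 4\nmax_model_len: 8192\n",
            "evals/results.json": b'{"fairness_suite": "pass", "constructed": true}\n',
        }
        for rel, content in files.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(content)
        manifest = generate_manifest(root, system_id="credit-assist-v3",
                                     model_id="meta-llama/Llama-3.3-70B-Instruct",
                                     git_commit="0000000 (constructed)")
        clean = check_deployment(root, manifest)
        # Drift: serving config edited, an untracked adapter dropped in, eval evidence deleted.
        (root / "serving" / "vllm.yaml").write_bytes(b"tensor_parallel_size: 4\nmax_model_len: 32768\n")
        (root / "weights" / "hotfix-lora.safetensors").write_bytes(b"constructed adapter")
        (root / "evals" / "results.json").unlink()
        drifted = check_deployment(root, manifest)
        return {"artefact_count": manifest["artefact_count"], "clean": clean, "drifted": drifted}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Wire check_deployment() into the serving container's entrypoint so that a non-empty findings list refuses to start the model server and emits the findings to the SIEM; the "unlisted" case is the one teams usually forget, and it is exactly how an unreviewed adapter ends up behind a production endpoint.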

The right sequence for a 90-day remediation programme

  • Days 1–30: inventory all AI systems in scope of the three regimes, classify by tier and jurisdiction, gap-analyse against each.
  • Days 31–60: stand up the documentation pipeline and audit-log infrastructure under bank control. Migrate any cloud-hosted regulated AI workloads to sovereign infrastructure (this is the longest-lead-time work; start it early).
  • Days 61–90: complete the eval suite, run it against historical decisioning data, produce the supervisor-ready report.
By 2 August 2026, the bank should be able to hand any of its three supervisors a complete, jurisdiction-specific compliance answer on demand. The MindMap Digital sovereign AI reference architecture and the EU AI Act whitepaper cover the engineering path; for BFSI-specific architecture and reference deployments see /ai-for-bfsi.

About the author

Saurabh Goenka

Founder & CEO, MindMap Digital

Saurabh has spent the last five years shipping sovereign AI for regulated enterprises. He's personally led engagements with tier-1 banks across the Gulf, East Africa and South Asia, with healthcare systems in the UK and India, and with central-government agencies on three continents. He speaks regularly at industry forums on the engineering reality of EU AI Act compliance and sovereign LLM deployment.

Credentials + recognition
  • NASSCOM Tech Excellence 2026 — Healthcare AI category winner
  • ET NOW 40 Under 40 (2026)
  • Outlook Dynamic Leaders (2025)
  • ICAI 40 Under 40 (2025) · Chartered Accountant
  • Forbes Business Council member (2021–present)
  • 50+ enterprise AI deployments shipped
Areas of repeated lived expertise
Sovereign AI architecture · EU AI Act + RBI + SAMA compliance engineering · BFSI AI transformation · Healthcare AI at scale · Public-sector AI deployment