
When the Regulator Asks, You Need an Answer: How ZTA-AI Gave a Growing NBFC Complete AI Audit Readiness

Credwise implemented policy-enforced AI access with full per-query auditability aligned to regulated operations.

Compliance query turnaround reduced to under 1 minute
Sector: BFSI — Non-Banking Financial Company
Organisation: Credwise Capital (name changed)
Team Size: 85 employees
Use Case: AI-assisted internal query system for credit, compliance, and operations
Pilot Duration: 6 weeks
Platform: ZTA-AI — Zero Trust Enterprise AI

At a Glance

Metric | Before ZTA-AI | After Pilot
AI cleared for internal use by compliance team | No | Yes
Audit trail for every AI query | None | Complete, automatic
Time to answer internal compliance queries | 1–3 days | Under a minute
Cross-department data boundary enforcement | Manual, inconsistent | Automated per query
RBI / DPDP Act readiness for AI use | Unverified | Documented
Weeks from sign-off to first live query | | 2 weeks

The Organisation

Credwise Capital is an RBI-registered NBFC focused on small-ticket personal and business lending. With 85 people across credit, collections, compliance, and operations, they sit squarely in the middle of a sector that is under increasing regulatory scrutiny — and increasing pressure to move faster with less headcount.

Like most organisations their size, they had been watching the conversation around enterprise AI from a careful distance. The productivity case was obvious. The risk case was equally obvious. Every time someone on the leadership team raised the idea of deploying an AI assistant, the compliance and risk function asked one question that nobody could answer cleanly:

If the AI accesses our borrower data, what exactly does it see, and can we prove it?

Until that question had a satisfactory answer, AI was not going on their internal systems.


The Compliance Problem Nobody Was Solving

Credwise operates under a framework of regulatory obligations that is only getting more demanding. The RBI's FREE-AI guidelines require that AI systems used in financial services demonstrate governance, explainability, and bias monitoring. The DPDP Act 2023 places specific obligations around how personal data is processed, by whom, and with what controls. SEBI's cybersecurity framework — relevant to their investor-facing reporting — requires zero trust access controls and documented vulnerability assessments.

None of those frameworks prohibit AI. They require that AI be used accountably — with documented controls, verifiable access trails, and the ability to demonstrate to an auditor exactly what the system did and why.

Most AI deployments cannot do that. When a general-purpose AI assistant accesses a database to answer a question, it retrieves data, processes it internally, and generates a response. There is no standard audit record of which data was accessed, under which authorisation, in what form, or whether the access was consistent with the user's role. The answer comes out. The reasoning — and the data trail — stays inside a black box.

For a regulated NBFC, a black box is not an option. It is a liability.


What Made ZTA-AI Different

The compliance team at Credwise reviewed three AI solutions before the pilot. Two were rejected at the first evaluation session. The third — a well-known enterprise AI platform — made it to a second conversation before the risk team concluded that it still gave the model too much visibility into underlying data structures.

ZTA-AI was brought in with a specific question on the table: can you tell us exactly what the AI sees when it answers a query, and can you give us a record of every access that we can show a regulator?

The answer to both was yes — and the architecture made it structurally true, not just a policy commitment.

The model at the centre of ZTA-AI never touches the underlying data. When a user asks a question, the system interprets the request, checks the user's role and permissions against the current access policy, retrieves a pre-approved structured summary of the relevant information, and hands that summary to the language model to turn into a readable response. The model sees the summary. It never sees the database, the schema, or the raw records.

Every step of that process — interpretation, policy check, data retrieval, response generation — is logged automatically to an audit trail that cannot be modified. The log answers, for every query ever made, who asked, what was retrieved, which policy authorised the retrieval, and when it happened. That log is the answer to every regulatory question about what the AI did with sensitive data.


The Pilot

The six-week pilot focused on three specific query types that the compliance and credit teams had identified as their highest-frequency internal data needs.

Compliance queries — Questions about the organisation's internal regulatory registers, breach logs, audit schedules, and policy documentation. Previously handled by a compliance analyst manually searching shared drives. Typical turnaround: one to three days for anything requiring synthesis across multiple documents.

Credit portfolio queries — Questions about portfolio performance, delinquency rates, and collection outcomes. This data existed in the system but required a data analyst to extract, format, and share before it could be used in any meeting or decision. Turnaround was typically same-day if an analyst was available, longer if not.

Operations queries — Queue status, processing throughput, and application volumes across the team. Useful for daily standups and capacity planning, but always requiring someone to log into multiple systems and manually aggregate the numbers.

Each department was configured with a strictly separate access profile. A compliance query could not return credit data. A credit query could not surface operations records. The boundaries were not trust-based — they were enforced by the policy engine on every single request, with the outcome logged regardless of whether access was granted or blocked.
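The request flow described above (interpret, check policy, retrieve a pre-approved summary, hand only that summary to the model) and the per-request boundary enforcement with logging of both allowed and blocked outcomes can be sketched in a few dozen lines. The following is an added illustration written for this page, not ZTA-AI's code; the roles, datasets, rule ids, borrower rows and timestamps are all constructed, and the hash-chained log is one common way to make an audit trail tamper-evident, not a claim about how the product stores its log.

```python
"""Added example (not ZTA-AI's code): a minimal policy-enforced AI data access
layer with a hash-chained audit log. Roles, datasets, rule ids and records are
constructed for the demo."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed raw records. The language model must never receive these rows.
RAW_DATA = {
    "credit_portfolio": [
        {"borrower": "A. Sharma", "pan": "XXXXX1234X", "outstanding": 120000, "dpd": 0},
        {"borrower": "R. Iyer", "pan": "XXXXX5678X", "outstanding": 45000, "dpd": 45},
        {"borrower": "S. Khan", "pan": "XXXXX9012X", "outstanding": 80000, "dpd": 95},
    ],
    "compliance_register": [
        {"item": "KYC policy review", "due": "2024-03-31", "status": "open"},
        {"item": "Breach log reconciliation", "due": "2024-02-15", "status": "closed"},
    ],
}


# Pre-approved summarisers: each returns aggregates only, never row-level fields.
def summarise_credit(rows):
    delinquent = [r for r in rows if r["dpd"] > 30]
    return {"accounts": len(rows),
            "outstanding_total": sum(r["outstanding"] for r in rows),
            "delinquent_accounts": len(delinquent),
            "delinquency_rate": round(len(delinquent) / len(rows), 3)}


def summarise_compliance(rows):
    open_items = [r for r in rows if r["status"] == "open"]
    return {"open_items": len(open_items),
            "closed_items": len(rows) - len(open_items),
            "next_due": min(r["due"] for r in open_items)}


SUMMARISERS = {"credit_portfolio": summarise_credit,
               "compliance_register": summarise_compliance}

# Access policy: role -> {dataset: rule id}. Anything not listed is denied.
POLICY = {
    "compliance_analyst": {"compliance_register": "RULE-COMP-01"},
    "credit_analyst": {"credit_portfolio": "RULE-CRED-01"},
}
DENY_RULE = "RULE-DEFAULT-DENY"


class AuditLog:
    """Append-only log. Each entry embeds the hash of the previous entry, so a
    later edit to any entry breaks the chain (tamper-evident, not tamper-proof)."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = dict(record, prev_hash=prev)
        self.entries.append(dict(body, hash=self._digest(body)))

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev_hash"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def answer_query(user, role, dataset, log, now=None):
    """Policy check -> summary retrieval -> model input.
    Returns (allowed, model_input). Every outcome is logged with the deciding rule."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    rule = POLICY.get(role, {}).get(dataset)
    if rule is None:
        # Blocked before any retrieval happens; the denial is still recorded.
        log.append({"ts": ts, "user": user, "role": role, "dataset": dataset,
                    "decision": "blocked", "rule": DENY_RULE, "retrieved": None})
        return False, None
    summary = SUMMARISERS[dataset](RAW_DATA[dataset])
    # "retrieved" records which summary fields were released, not their values.
    log.append({"ts": ts, "user": user, "role": role, "dataset": dataset,
                "decision": "allowed", "rule": rule, "retrieved": sorted(summary)})
    return True, summary  # only the summary is handed to the language model


if __name__ == "__main__":
    log = AuditLog()
    answer_query("priya", "compliance_analyst", "compliance_register", log)
    answer_query("priya", "compliance_analyst", "credit_portfolio", log)
    answer_query("arjun", "credit_analyst", "credit_portfolio", log)
    for e in log.entries:
        print(e["ts"], e["user"], e["dataset"], e["decision"], e["rule"])
    print("chain intact:", log.verify())
```

The two properties the compliance team cared about fall out of the structure rather than from configuration: the model input is whatever the summariser returns, so borrower names and identifiers cannot reach it, and a blocked request produces a log entry naming the rule that stopped it before any retrieval runs. Verifying the chain is how an auditor would check that nobody edited an entry after the fact.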


What the Pilot Found

Query turnaround dropped from days to under a minute for the compliance team's most frequent request types. The analyst time that had previously gone into retrieving and formatting data for internal questions was freed for the analysis itself.

The compliance function cleared AI for internal rollout — for the first time in the organisation's history. The specific moment that changed the conversation was when the compliance lead reviewed the audit log from the first week of the pilot. Every query, every access, every policy decision, timestamped and readable. She described it as the first time she felt she could actually answer a regulator's question about what the AI had done with company data.

Three blocked queries appeared in the audit log. During the pilot, three queries were submitted that exceeded the requesting user's access permissions. The policy engine stopped all three before any data was retrieved. They appeared in the log with the specific rule that had blocked them. In a direct-access architecture, those queries might have returned data — or returned an error with no record. In ZTA-AI, they were stopped, logged, and visible.

RBI FREE-AI and DPDP Act documentation was produced from the audit trail at the end of the pilot. The compliance team used the access logs to draft the AI governance documentation required under the RBI guidelines. The trail was already there. The documentation was a formatting exercise.

What the Team Said

"Three vendors told us their AI was compliant. None of them could tell us what the AI actually sees when it runs a query. ZTA-AI could. That's a completely different conversation." — Chief Risk Officer, Credwise Capital
"I've been asking for an audit trail on our AI usage for two years. I stopped believing it was possible. Seeing every query logged — who asked, what was retrieved, which policy allowed it — that was the moment I changed my mind about whether we could actually deploy this." — Head of Compliance, Credwise Capital
"The credit team now gets portfolio answers in the room during reviews. We're not waiting for someone to pull numbers after the meeting. That's a different pace of work." — Head of Credit, Credwise Capital

A Note for EdTech Organisations

The compliance challenges facing EdTech platforms under the DPDP Act are structurally similar to those facing financial services firms — perhaps more so, because the data being handled includes sensitive information about minors and learners who have limited ability to advocate for their own data rights.

An EdTech platform using AI to personalise learning, flag at-risk students, or assist instructors with query responses is making data access decisions that carry DPDP obligations. The same questions apply: what does the AI see, under which authorisation, and can you demonstrate that access was appropriate?

ZTA-AI's architecture answers those questions the same way for an EdTech platform as it does for an NBFC. The policy engine enforces role-based data boundaries between students, instructors, and administrators. The audit trail logs every access. The language model never touches raw learner data.

The regulatory pressure is different in tone but identical in structure: regulated data requires accountable AI. The architecture that makes AI accountable in banking makes it accountable in education for the same reasons.


Where Credwise Is Now

Credwise Capital is rolling out ZTA-AI access to the full compliance and credit teams. The operations team pilot is scheduled for the following quarter.

The AI governance documentation produced from the pilot audit trail has been filed with their internal risk register. The compliance team is treating it as a template for how they will respond to any regulatory inquiry about their AI use going forward.

The question that had blocked every previous AI evaluation — what exactly does the AI see, and can we prove it? — now has a documented, auditable answer. That is what the pilot was for.


Organisation name changed at the client's request. Figures reflect data from one 6-week pilot engagement.