Imagine a relationship manager at a bank asking an internal AI assistant a simple question: what is this client's current exposure across all their accounts?
The AI responds confidently. The numbers look plausible. The manager makes a recommendation based on them.
Three days later, it turns out the data was stale. Or incomplete. Or worse — the AI had access to information it should never have seen in the first place, from a department with entirely different access rules, and blended it into an answer that looked authoritative.
This is not a hypothetical edge case. It is the exact failure mode that most enterprise AI deployments are currently not protected against. And in a regulated industry — banking, insurance, financial services — the consequences are not just embarrassing. They are a compliance problem, a liability problem, and a trust problem all at once.
The part of enterprise AI nobody talks about enough
The conversation around AI in enterprise has focused heavily on capability. Can it answer questions? Can it summarise documents? Can it reduce the time analysts spend on manual tasks?
The answer to all of those is yes. The capability is real.
What gets discussed far less is the question of control. Specifically: when your AI assistant answers a question, what data did it actually use? Who decided it was allowed to use that data? What happens if it uses data from a department the person asking doesn't have clearance for? And if something goes wrong, can you trace exactly what happened?
For most AI systems, the honest answer to that last question is: not really.
The AI receives a question, pulls from whatever it has access to, and generates an answer. The path from question to answer is largely invisible. The data sources are not audited in real time. The access controls, if they exist, are applied loosely. And the language model itself — the part that forms the answer — has no concept of what it should or should not be allowed to see.
This is a significant problem for any organisation that handles sensitive data. In banking and financial services, it is unacceptable.
Trust has to be designed in, not added later
The standard approach to AI security in enterprise is to build the AI system first and layer security on top. Add authentication. Add some access controls. Restrict which users can query which databases.
This approach has a fundamental flaw: the AI itself is still trusted. It still has direct access to data. It still makes decisions about what to retrieve and what to include in an answer. The security controls are sitting around the outside of a system that is, at its core, operating without meaningful constraints.
Zero trust takes the opposite position. Nothing is trusted by default — not the user, not the application, and critically, not the AI itself.
In ZTA-AI, the language model is treated as fundamentally untrusted. It does not have access to databases. It does not know the structure of your data. It does not retrieve information directly. Instead, it receives only what a separate, controlled system has decided it is allowed to receive — carefully prepared, access-checked, and stripped of anything that should not be part of the answer.
The AI's job is to form a coherent, useful response from what it is given. The job of deciding what it is given belongs to a different layer entirely — one that is deterministic, auditable, and not subject to the unpredictability that language models introduce.
What immutable claims actually mean in practice
One of the core ideas in ZTA-AI is that data does not flow freely into the AI. Instead, it is represented as claims — discrete, versioned, traceable units of information.
Think of it this way. In a traditional system, when the AI answers a question about a client's portfolio, it might query a database, pull some rows, and weave them into a response. The chain of custody for that data — where it came from, when it was last verified, who had the right to see it — is largely invisible.
In a claim-based system, every piece of information the AI is allowed to use has a record. It was sourced from a specific place. It was verified at a specific time. It was approved for use in a specific context. If the data changes, the claim is updated and versioned. If something goes wrong with an AI response, you can trace exactly which claims it was built from and whether each of those claims was valid at the time.
For a bank dealing with an audit. For an insurance company responding to a regulator. For a financial services firm that needs to demonstrate it is handling client data responsibly — this is the difference between being able to answer the question and not being able to answer it.
The access problem in large organisations
There is another dimension to this that is particularly relevant for large financial institutions and EdTech platforms with thousands of users across many different roles.
Data access in these organisations is not uniform. A retail banking analyst should not see the same data as a wealth management advisor. A compliance officer needs access to records that a relationship manager does not. A new joiner should not have the same permissions as someone who has been with the firm for ten years and cleared for sensitive engagements.
When AI is layered on top of this complexity without proper controls, the result is a system where the AI effectively flattens those distinctions. Ask the AI a question and it will try to answer it from whatever it can reach — regardless of whether the person asking should have access to all of those sources.
ZTA-AI enforces access at the level of the individual query, not just the user account. The same person asking two different questions may get two different sets of data — because the system evaluates not just who is asking but what they are asking, in what context, from which location, at what time, and whether any of the relevant data has flags that should restrict its use.
This is what real access control looks like for enterprise AI. Not a list of who can log in. A continuous, per-request evaluation of what each request is allowed to see.
Why this matters specifically for BFSI and EdTech
Banks and financial institutions operate under compliance frameworks — RBI FREE-AI guidelines, the DPDP Act, SEBI's cybersecurity requirements — that are not suggestions. They are legal obligations. Demonstrating compliance means being able to show, with evidence, that data was handled correctly, that access was controlled appropriately, and that AI systems operating on sensitive data did not create new vectors for misuse or breach.
A system where the AI has invisible access to data cannot provide that evidence. A system where every data access is logged, every claim is traceable, and every decision about what the AI is allowed to see is deterministic and auditable — that system can.
For EdTech platforms managing student data, the same principle applies. Student records, assessment data, and personal information sit under increasingly strict data protection obligations. An AI tutoring assistant or administrative tool that handles that data without rigorous access controls is a liability, not a feature.
The question is not whether AI has a role in these industries. It clearly does. The question is whether the AI can be deployed in a way that satisfies the people responsible for risk, compliance, and data governance — not just the people excited about the capability.
The audit trail as a feature, not a checkbox
Most organisations treat audit trails as a compliance requirement — something you build because you have to, not because it adds value.
ZTA-AI treats the audit trail differently. Every query, every access decision, every piece of data that flows into an AI response is logged with full traceability. Not because a regulator requires it — though they do — but because that trail is what allows an organisation to actually understand what their AI is doing.
When an AI response is questioned, you can trace it back to the exact claims it was built from. When a data access looks anomalous, the system can flag it in real time. When a compliance team needs to demonstrate that a particular client's data was handled correctly, the record exists.
This is the difference between an AI system that your risk and compliance teams can get comfortable with and one they will perpetually treat as a threat to be managed.
The shift worth making
Enterprise AI is not slowing down. The pressure on banks, financial institutions, and large EdTech platforms to deploy it is real and growing. The question is not whether AI will be part of these organisations' futures. It is whether the infrastructure underneath it is built to the standard those industries require.
The capability is not the hard part. The hard part is building an AI system that a compliance officer can sign off on. That a regulator can audit. That a risk team can defend. That, when something goes wrong — and eventually something will — gives the organisation a clear, traceable record of what happened and why.
Zero trust is not a constraint on what AI can do. It is what makes AI deployable in environments where the stakes are too high for a system that cannot explain itself.
ZTA-AI — Enterprise AI built for the industries that cannot afford to get it wrong.