AI inside the perimeter your regulator already approved.
Your data centre is audited. Your access policies are documented. Your model-risk committee meets monthly. Aethos lives inside that perimeter — not next to it, not adjacent to it, not behind a shared-tenant API.
Same auditors. Same controls. Same evidence chain. A new capability added under the rules you already operate under.
You.
A portrait, in your own vocabulary
A regulated financial institution.
You are a regional or universal bank, an insurer, an asset manager, or a specialised lender. You answer to the ECB, BaFin, FMA, FINMA or the national supervisor, with internal audit reporting to the board and risk reporting to the CRO. You have a model-risk-management policy that was written for credit and market-risk models and is being stretched to cover AI.
You watched DORA come into force in January 2025. You know the updated MaRisk handles AI explicitly. Your auditors already asked, at the last audit, which cloud provider is processing your customer correspondence — and the answer felt uncomfortable. You are looking for a way to use AI that does not require renegotiating every line of your third-party register.
What's on your desk today.
Three pressures · this quarter, not next year
The pressures below are not theoretical. They are sitting in your committee minutes right now.
Public-cloud AI is now a regulated dependency.
Under DORA, any ICT third-party service supporting a critical or important function must be in your register, contractually DORA-compliant, exit-strategy-tested, and concentration-monitored. A hyperscaler-hosted LLM is exactly such a service. Aethos is not — it runs on your own infrastructure, under your own ICT.
Your auditors will ask for the trail.
MaRisk now expects evidence of how AI is governed — the documentation of the model, the data lineage, the validation history, the user-level audit log. A public chatbot cannot produce this trail because the model and its history live outside your perimeter. You need a system whose audit log you own.
Adoption is the surprise on the quarterly bill.
Per-token billing prices the success of the pilot. Once a customer-correspondence skill or a credit-policy assistant enters production, every interaction is a metered charge. The CFO needs a number she can defend in front of the remuneration committee. Per-user or per-token pricing does not give her that number.
What Aethos changes.
One answer per pressure
Three answers, mapped one-to-one to the three pressures above.
The third-party becomes you.
Aethos is licensed software you install on your own infrastructure. There is no inference call leaving your perimeter, no shared multi-tenant cloud, no foreign processor. For DORA purposes the AI service runs inside your existing governance envelope — the same envelope that already covers your core banking system.
Evidence by construction.
Every inference is written to a signed, append-only audit log that records user identity, skill invoked, model used, retrieved documents, response and latency. The log is exported to your SIEM (Splunk, Sentinel, QRadar, Elastic) and reads like every other audit artefact in the bank. Internal audit and external auditors get the same trace your core systems already produce.
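The audit-log properties described above (per-inference record, append-only, signed, SIEM-ready) can be illustrated with a hash-chained, HMAC-signed log. This is an added example, not Aethos's own code; the field names, the demo key and the sample entries are constructed for illustration, and the HMAC key stands in for a key that would live in an HSM or KMS.

```python
"""Added example (not Aethos's own code): a hash-chained, HMAC-signed,
append-only audit log for LLM inferences, serialisable as JSON lines."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Field set follows the page: user, skill, model, retrieved docs, response, latency.
# Constructed demo key; a real deployment would fetch it from an HSM/KMS.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64

def canonical(entry: dict) -> bytes:
    """Stable serialisation so hashes and signatures are reproducible."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

def append_entry(log: list, key: bytes, *, user: str, skill: str, model: str,
                 retrieved_docs: list, response: str, latency_ms: int) -> dict:
    """Append one inference record, chained to the previous entry's hash."""
    prev_hash = log[-1]["entry_hash"] if log else GENESIS
    body = {
        "seq": len(log),
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "skill": skill, "model": model,
        "retrieved_docs": retrieved_docs,
        "response": response,
        "latency_ms": latency_ms,
        "prev_hash": prev_hash,
    }
    body["entry_hash"] = hashlib.sha256(canonical(body)).hexdigest()
    body["sig"] = hmac.new(key, body["entry_hash"].encode(), "sha256").hexdigest()
    log.append(body)  # each entry is one JSON line for the SIEM
    return body

def verify_log(log: list, key: bytes) -> tuple:
    """Return (ok, index of first bad entry or -1).
    Catches edited, deleted, reordered or forged entries."""
    prev_hash = GENESIS
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k not in ("entry_hash", "sig")}
        if e["seq"] != i or body["prev_hash"] != prev_hash:
            return False, i
        if hashlib.sha256(canonical(body)).hexdigest() != e["entry_hash"]:
            return False, i
        expected = hmac.new(key, e["entry_hash"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, e["sig"]):
            return False, i
        prev_hash = e["entry_hash"]
    return True, -1
```

An auditor replays `verify_log` over the exported lines; any edit, deletion or reordering after the fact breaks the chain at the first affected entry.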
A number the CFO can defend.
Aethos is bought once and supported annually. There is no per-user metering, no per-token charge, no consumption surprise. The cost line is identical whether the assistant handled 100 questions or 100,000 — which is exactly what makes adoption the right outcome instead of the wrong line item.
The shortest path to a clean DORA review is to bring the AI inside the perimeter the regulator already approved.
The modules that matter most for you.
Where banks start · what they add later
Aethos is a suite of five modules. For a financial institution the first three below carry almost all of the value; Avatar and VR are typically added later for client-facing and training scenarios.
The policy and precedent engine.
KYC analysts asking about a high-risk geography. Relationship managers checking the latest credit policy. Compliance officers finding the last similar incident. Aethos RAG answers across your policy library, regulatory correspondence, board minutes and product documentation — with the source attached, and only for users with permission to see the underlying document.
Module 02 · Aethos Coder
For the engineers behind core banking.
Core banking, fraud detection, treasury dealing, ALM, regulatory reporting — built and maintained by your own engineers, under the same security boundary as production. Aethos Coder gives them AI-assisted development without exposing a single line of code to a public model. Every generation is logged and reviewed in your existing change-management process.
Module 03 · Aethos Voice
Calls and dictation that stay inside.
Relationship-manager calls, KYC interviews, complaint lines, internal voice notes — recognised, transcribed and spoken back, all on your hardware. Multilingual for cross-border practice. GDPR-clean. No third-party processor handles a single second of audio.
The regulatory anchor.
What the rule asks · what Aethos provides
The frameworks that bear directly on AI in financial services — and where Aethos plugs into each.
| Framework | What it requires of AI use | What Aethos provides |
|---|---|---|
| DORA | ICT third-party register, exit strategy, concentration risk, contractual DORA terms, operational-resilience testing. | Aethos runs on your ICT, not on a third party's. No new register entry beyond STK Engineering as software vendor. Exit is contractually defined: keep running the last delivered version. |
| MaRisk · AT 4.3.4 | Governance of models, documentation of methodology, validation, data lineage, change control. | Per-skill model registry · model versioning · prompt and retrieval logs · signed change manifests · validation reports archived per release. |
| EBA Outsourcing Guidelines | Due diligence on the provider, sub-outsourcing transparency, audit rights, location of data and processing. | Data and processing remain on your infrastructure. No sub-outsourcing. STK Engineering is the only vendor relationship. |
| EU AI Act | Credit scoring and creditworthiness assessment are high-risk. Logging, human oversight, technical documentation, transparency to affected persons. | Append-only audit log with user, prompt and response · per-skill human-in-the-loop policy · technical documentation shipped with each release · data subject access for log entries. |
| GDPR Art. 6, 9, 22 | Lawful basis, special categories, automated individual decision-making, right of explanation. | No data egress. Per-tenant data-encryption keys (DEKs) wrapped by the customer's KMS. Per-skill purpose binding. Audit log produces the explanation trail required by Art. 22. |
| ECB Guide on outsourcing & cyber resilience | Cyber resilience evidence, dependency mapping, recoverability. | Air-gap deployment option · signed-package update channel · backup-restore tooling · 18-month LTS line for stability. |
The next step.
One day · on your premises · written outcome
Book a one-day Architecture Workshop.
One day in your office with Kristijan Stojanović — founder of STK Engineering — and the architect assigned to financial services. We map your priority use cases, survey the existing data landscape and audit setup, and produce a signed sizing & integration plan you can take into your next risk or board committee.