Artificial intelligence has been used in payments for over a decade — Mastercard's first neural network fraud models date to the early 1990s. What is different in 2026 is the breadth of application, the depth of regulatory scrutiny, and the speed at which criminal actors are using the same technology to attack the systems it is meant to protect.

Where AI is being deployed in payments

Real-time fraud detection is the most mature AI application in payments. Modern systems analyse transaction data, device signals, behavioural biometrics and merchant-specific patterns to generate real-time risk scores in under 50 milliseconds. These systems use ensemble approaches — combining gradient boosting models, neural networks and rules-based logic — so that failure of any single layer does not create exploitable gaps. According to Mastercard, organisations lost an average of $60 million to payment fraud in the past year. AI-driven detection has reduced false positives by 83% across adopting institutions, meaningfully reducing the friction that causes cardholders to abandon legitimate transactions.

Credit scoring and underwriting — the use of machine learning to assess creditworthiness beyond traditional bureau data — is a high-growth application in GCC markets where thin credit files are common. Alternative data sources including transaction history, utility payment patterns and mobile data are incorporated into models that can deliver decisions in seconds. This is the category most directly in scope for the EU AI Act's high-risk provisions, and the one where the conformity assessment requirements are most operationally demanding.

Transaction monitoring for AML is moving from static rules-based systems to adaptive models that reduce alert volumes while improving detection rates. Institutions that have deployed machine learning for AML monitoring typically see alert reduction of 30–60% alongside improvements in suspicious activity detection rates. The regulatory expectation is shifting: examiners now ask not just whether monitoring exists, but whether it is demonstrably effective at the risk levels specific to the institution's business model.

Payment routing optimisation uses reinforcement learning to route transactions through the path most likely to succeed — considering card type, amount, merchant category, geography and issuer behaviour — maximising authorisation rates and minimising processing costs simultaneously. This capability is now table stakes at large acquirers and payment processors.

The adversarial dynamic: AI attacking AI

Criminal actors are deploying AI at scale. Generative AI has substantially reduced the cost and skill requirement for synthetic identity creation, deepfake-based identity verification bypass, and social engineering at volume. Europol has explicitly flagged that deepfake capabilities are being used for document manipulation and impersonation in financial onboarding. This creates an arms race: fraud detection models trained on historical patterns must continuously adapt to attack vectors that did not exist when the training data was assembled.

A specific concern for payment institutions is the use of AI to probe controls systematically — running large numbers of low-value transactions to map fraud detection thresholds before launching higher-value attacks. Real-time payment rails, where transactions are irrevocable within seconds, are particularly exposed to this type of reconnaissance-and-attack pattern.
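As an added illustration of how the reconnaissance-and-attack pattern described above can be surfaced on the defender's side (this is example code written for this page, not taken from the article or from any vendor it names), the detector below flags a burst of varied low-value attempts from one source and then the first much larger payment that follows it. The thresholds, the `source` key and the sample transactions are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed tuning values for illustration; none come from the article.
WINDOW_S = 600       # look-back window, seconds
LOW_VALUE = 500      # minor units (5.00); at or below counts as low value
MIN_PROBES = 8       # low-value attempts in the window that form a burst
MIN_DISTINCT = 4     # distinct amounts required: probing varies the amount
HIGH_MULTIPLE = 20   # later amount >= this multiple of the burst median

@dataclass(frozen=True)
class Txn:
    ts: int          # epoch seconds
    source: str      # hypothetical key: device fingerprint or account id
    amount: int      # minor units

def is_probe_burst(q):
    # Many low-value attempts with varied amounts; repeated identical
    # micro-payments (fares, subscriptions) do not qualify.
    return len(q) >= MIN_PROBES and len({p.amount for p in q}) >= MIN_DISTINCT

def detect_probing(txns):
    """Return (source, ts, reason) alerts in time order."""
    recent = defaultdict(deque)  # source -> low-value txns inside the window
    alerts = []
    for t in sorted(txns, key=lambda x: x.ts):
        q = recent[t.source]
        while q and t.ts - q[0].ts > WINDOW_S:
            q.popleft()          # expire attempts older than the window
        if t.amount <= LOW_VALUE:
            was_burst = is_probe_burst(q)
            q.append(t)
            if not was_burst and is_probe_burst(q):
                alerts.append((t.source, t.ts, "low-value probe burst"))
        elif is_probe_burst(q):
            median = sorted(p.amount for p in q)[len(q) // 2]
            if t.amount >= HIGH_MULTIPLE * median:
                # On an irrevocable rail this is the payment to hold or step up.
                alerts.append((t.source, t.ts, "high-value attempt after probe burst"))
    return alerts

# Constructed sample: dev-A varies small amounts then jumps; dev-B repeats one fare.
SAMPLE = (
    [Txn(1000 + 30 * i, "dev-A", 50 * (i + 1)) for i in range(8)]
    + [Txn(1300, "dev-A", 90000)]
    + [Txn(1000 + 60 * i, "dev-B", 250) for i in range(9)]
    + [Txn(1600, "dev-B", 12000)]
)

if __name__ == "__main__":
    for alert in detect_probing(SAMPLE):
        print(alert)
```

The distinct-amount requirement is what separates threshold mapping from ordinary repeated micro-payments, which is why the constructed `dev-B` traffic raises no alert.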

EU AI Act: the high-risk compliance deadline

The EU AI Act's high-risk system provisions apply from August 2026. For payment and credit firms, the relevant categories include AI systems used in creditworthiness assessment and credit scoring, AI systems used in risk assessment and pricing in insurance, and — with active regulatory debate — AI systems used in biometric verification for payment authentication and fraud detection systems that make or materially influence decisions affecting individuals' access to financial services.

Conformity assessment for high-risk AI systems requires technical documentation covering the system's purpose, capabilities and limitations; data governance records demonstrating training data quality and absence of problematic biases; logging infrastructure enabling post-hoc audit of individual decisions; transparency obligations to users; and human oversight mechanisms. The human oversight requirement is particularly complex for real-time fraud detection: it is interpreted to mean that humans must have the ability to intervene, override and shut down the system, not that humans must review every transaction.

Payment institutions with EU nexus that have not yet completed a systematic inventory of AI systems against the high-risk criteria should do so now. For those that discover gaps in technical documentation, the time available before the August 2026 deadline is short.

GCC context

In the GCC, AI governance in financial services is evolving. The UAE AI Strategy and ADGM and DIFC frameworks provide high-level principles. SAMA has issued AI governance guidance for Saudi institutions. QCB is expected to issue AI-specific guidance in 2026. The GCC regulatory frameworks are less prescriptive than the EU AI Act but are moving in the same direction — toward documented accountability for AI-driven decisions that affect customers. Institutions building compliance programmes for the EU AI Act would do well to design them to be extensible to GCC regulatory expectations as they develop.