Governing AI without slowing down


If the first two parts of The Accountability Gap exposed the problem and questioned where decisions should sit, the next challenge is execution: how do firms govern AI without slowing compliance to a crawl? 

Most responses have been predictable — more controls, more oversight, more sign-offs. But added governance does not always mean better control. In many cases, it slows decisions, obscures ownership, and creates friction without reducing risk.

Firms are now caught between two pressures: prove control to regulators, and operate at machine speed. This is where the accountability gap becomes operational. The question is no longer whether AI can be governed — but whether it can be governed without breaking the system around it.

In the first part of The Accountability Gap, we looked into the accountability problem and why it hasn’t been solved. In part two, we discussed with key thought leaders what decisions machines are able to make. In this third part we ask a key question: how can we govern AI without slowing it down?

Controls that reduce risk

Which governance controls reduce risk, and which are the ones that slow teams? For Rick Grashel, CTO and co-founder at Red Oak, the controls that reduce risk and improve efficiency are the ones that are architecturally embedded — meaning they operate as part of how the system works, not as additional steps layered on top of it.

He said, “Auditability by design, deterministic decision logic, and structured workflows that document every action as it happens. These are governance controls that protect the firm without adding unnecessary friction to the workstream of a compliance professional.”

On the opposite side, the controls that slow teams down are those that exist to compensate for systems that weren’t built with governance in mind.

“When firms adopt AI tools that lack native explainability or traceability, they inevitably require manual review layers, secondary approval chains, and post-hoc documentation requirements to fill the gap,” said Grashel. “That’s not effective governance — rather, it’s inefficient auditability and remediation disguised, which incurs a great debt that compounds over time.”

The Red Oak co-founder remarked that the companies encountering governance that slows them down are almost always those where the AI tools came first and the controls came second, as an afterthought.

“Reverse that sequence — start with compliance-first engineering — and the tension between governance and time-to-approval speed largely disappears,” he said.

Meanwhile, Ryan Swann, founder of RiskSmart, made the point that controls embedded into workflows (like automated audit trails, model monitoring, and real-time policy checks) reduce risk without friction. “In contrast, heavy manual approvals, static documentation, and disconnected oversight processes tend to slow teams down without materially improving outcomes,” he said.

For Areg Nzsdejan, CEO of Cardamon, there is a quiet tension building inside most regulated firms right now. On one side, there’s a push to move faster: automate decisions and reduce reliance on manual review.

“On the other, there’s a growing expectation from regulators that firms can fully explain, justify, and stand behind every decision they make. Those two things don’t naturally fit together, and that’s where the accountability gap starts to appear,” he said.

When businesses introduce AI, the instinct, Nzsdejan states, is usually to add layers of control. “More approvals. More documentation. More oversight. Some of that is necessary. A lot of it isn’t,” said the Cardamon CEO.

The question for him isn’t how much governance you have, it’s whether it actually reduces risk.

“In practice, the controls that actually matter tend to be quite specific. Clear ownership of models and outcomes, traceability of decisions (what data was used, what logic was applied), consistency in how similar cases are handled and the ability to intervene when something goes wrong,” he remarked.

Nzsdejan finished, “Everything else often just slows teams down without meaningfully improving outcomes. What you see in a lot of firms is governance sitting around the system, rather than being built into it. Which means every time you need to explain something, you’re reconstructing it manually after the fact.”

Meanwhile, CleverChain asked us to consider a concrete scenario. “In October 2025, a DNS failure in AWS’s US-EAST-1 region disrupted customer-facing services at Lloyds, Halifax, Coinbase and HMRC. Core payments were unaffected and no one did anything wrong. As Forrester noted at the time, the lesson was about hidden dependencies within services that appeared multi-region but still had nested links to a single data centre in Virginia. In that instance, the primary regulatory lens was operational resilience.”

The company went on, “Now imagine the affected system was not a website but an AI-based customer due diligence platform. Same outage, but three frameworks activate simultaneously: DORA (incident classification, resilience testing, dependency management and fallback planning), the EU AI Act (high-risk system logging, human oversight, accuracy and robustness), and the AMLR (non-delegable CDD responsibility, continuity of controls, and accountability for outcomes even where technology or third parties are involved).”

That is one event, three regulatory conversations, three evidence requirements. “In practice, these workstreams are still often run separately: resilience under the CIO, AI governance under the CRO, financial crime under the MLRO. Different teams, budgets, reporting lines. Each produces its own documentation, its own risk register, its own board pack. The overhead is real, but it does not reduce risk. It fragments the very evidence base that a regulator will ask to see as a coherent whole.”

According to the company, the controls that actually reduce risk are those embedded in what might be called “evidence architecture”: a single, integrated layer that captures the full reasoning trail of every AI-assisted decision.

Concretely, this means three things. First, deterministic policy gates sitting outside the model: the AI proposes, the gate enforces. The approve, escalate or close outcome is evaluated by versioned rules that reflect the institution’s own risk appetite and the policy version in force at decision time. Second, an evidence layer that ties every claim to a verifiable source. If a finding exists in the output but cannot be traced to a captured, timestamped source, it cannot survive audit. Third, entity resolution controls that catch misattribution, which in compliance contexts is by far the most common and least visible failure mode: the AI confidently attributes something to the right name but the wrong legal person.

CleverChain continued, “These are engineering decisions made at design stage. The controls that slow teams, by contrast, are those that duplicate governance structures across siloed regulatory programmes without producing integrated evidence. The drag is not in the controls themselves, but in the fragmentation.”

On governance controls, Chaitanya Sarda, co-CEO of AiPrise, believes that the highest leverage ones are the boring ones. A clear policy tied to the workflow, an audit trail that captures the inputs and the reasoning, and explicit ownership for outcomes. Those reduce real risk because they make decisions repeatable.

He added, “The controls that slow teams without reducing risk tend to be heavy, generic approvals that do not map to risk tier. One size fits all sign off on every case is not governance, it is just latency.”

Stacey English, director of regulatory intelligence at Theta Lake, suggested that when it comes to financial services, the primary challenge isn’t whether to govern AI, but how to do so without stifling innovation.

She said, “Currently, 88% of organizations struggle with AI governance, often falling into the trap of restrictive controls that simply block access to AI features or tools like Microsoft Copilot or Zoom AI Companion. Instead of eliminating risk, they drive employees toward ‘shadow AI’, where sensitive tasks are performed in unmonitored, unapproved environments.”

English believes that risk-reducing controls focus on visibility rather than prohibition. “Effective governance provides a window into AI interactions: Is sensitive data being exposed? Is the generated content compliant?”

She gave the example of Theta Lake’s AI Governance and Inspection tools, which are able to detect when sensitive data has been exposed in prompts or responses, identify attempts to manipulate an AI system into generating harmful content, and flag use of unsanctioned AI tools.

“By providing visibility into prompts and outputs, firms can sanction the use of AI with the confidence that they can detect and remediate risks,” said English.
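The visibility-over-prohibition approach English describes can be illustrated with a small inspection step that sits in front of an AI tool: it records every prompt and response, flags sensitive data and unsanctioned tools for review, and never blocks the interaction. The following is an added example written for this article, not Theta Lake’s product code; the card and e-mail detectors, the allow-list of sanctioned tools and the sample events are all constructed assumptions (the card number is a well-known test value, not a real account).

```python
"""Visibility control for AI interactions: inspect prompts and responses, log
what was found and flag for review rather than blocking the tool outright.
Added example for this article, not Theta Lake's product code; the detectors,
tool allow-list and sample events are assumptions."""
import re

SANCTIONED_TOOLS = {"copilot-enterprise", "zoom-ai-companion"}  # assumed allow-list
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a card number from any long run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four characters so the log itself does not leak."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def inspect(event: dict) -> dict:
    """event = {"user", "tool", "direction": "prompt"|"response", "text"}.
    Returns a structured log entry; 'action' is 'log' or 'flag_for_review'.
    Nothing is blocked: the point is a window into what is being sent."""
    findings = []
    for m in CARD_RE.finditer(event["text"]):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append({"type": "payment_card", "value": redact(digits)})
    for m in EMAIL_RE.finditer(event["text"]):
        findings.append({"type": "email_address", "value": redact(m.group())})
    if event["tool"] not in SANCTIONED_TOOLS:
        findings.append({"type": "unsanctioned_tool", "value": event["tool"]})
    return {"user": event["user"], "tool": event["tool"],
            "direction": event["direction"], "findings": findings,
            "action": "flag_for_review" if findings else "log"}


# Constructed sample events (the card number is a well-known test PAN).
SAMPLE_EVENTS = [
    {"user": "u1", "tool": "copilot-enterprise", "direction": "prompt",
     "text": "Draft a refund email for card 4111 1111 1111 1111, order 20250901."},
    {"user": "u2", "tool": "personal-chatbot", "direction": "prompt",
     "text": "Summarise this policy document for me."},
    {"user": "u3", "tool": "zoom-ai-companion", "direction": "response",
     "text": "Meeting summary: three action items, next review on Monday."},
]


def run_sample() -> list:
    """Inspect every constructed event and return the log entries."""
    return [inspect(e) for e in SAMPLE_EVENTS]
```

The design choice worth noting is that the sanctioned tool is still allowed to receive the prompt; the control produces evidence (who, which tool, what kind of data, which direction) that a compliance team can act on, which is the alternative to outright blocking that English argues drives people to shadow AI.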

Can explainability demand undermine AI effectiveness?

A key question in the industry right now is when demand for explainability starts to undermine AI effectiveness.

For Grashel, it doesn’t – if the system was designed correctly in the first place. “The premise of this question assumes a tradeoff: the more explainable you make an AI system, the less effective it becomes.

“That tradeoff is real for systems built on probabilistic, generative architectures — large language models or custom-trained models that derive their power from statistical inference across massive datasets.”

In those systems, Grashel stated, explainability is genuinely at odds with capability, because the model’s “reasoning” is opaque by nature. “Asking it to show its work means either approximating an explanation after the fact (which isn’t real explainability) or constraining the model in ways that reduce its performance.”

However, for Grashel, that’s a design problem, not an inevitability. The more productive question for firms to ask, he claims, isn’t how much explainability they can afford, but why they are using systems whose AI architecture forces them to choose.

“In compliance, where every action must be defensible and every outcome auditable, the answer should be straightforward: you shouldn’t have to choose,” he said.

Swann’s view is that explainability becomes counterproductive when it forces simplification of models to the point where performance, accuracy, or adaptability is compromised. “The goal should be appropriate explainability, aligned to risk and use case, rather than full transparency at the expense of capability,” he explained.

English, on the other hand, suggested that AI is already driving significant efficiencies, particularly in supervision, where 94% of financial services firms now use AI-driven detections to manage the volume and diversity of modern communications spanning chat, mobile, video, whiteboards and more. “However, the models can be opaque, and difficult or impossible to explain how decisions are made,” English said.

The solution for English lies in having explainability that is embedded directly into workflows rather than imposed on top of them. She remarked, “For instance, Theta Lake provides a plain-language rationale for why a specific AI risk was flagged directly within the platform. If a conversation triggers a collusion detection, the system might point to specific phrases like “keep this between you and me” or a “zipper-face” emoji as evidence of an attempt to obscure information.”

Janet Bastiman, chief data scientist at Napier AI, meanwhile, is clear on her view here. “Never. Explainability should be the ethos of any AI implemented. At Napier AI, we advocate for compliance-first AI. Rather than deploying closed AI systems that generate alerts without context, AI is tailored to the business’s risk appetite and regulatory environment.”

For AML in particular, Bastiman detailed that any AI which is deployed without explainability at its core will slow down analysts.

She said, “Compliance teams—not just data scientists—should be able to leverage AI, with no code rule builders to test and improve their detection scenarios and enhance their workflows without needing a technical background. And explanations of AI generated alerts or actions should be understandable by compliance experts to empower them to make faster, better decisions.”

CleverChain also referenced ComplyAdvantage’s 2025 survey, which had found that 91% of financial institutions are willing to trade AI explainability for efficiency.

“That figure captures a widespread assumption: that explainability and effectiveness are in tension, and that governance necessarily slows down the systems it oversees. CleverChain’s experience, built through regulatory engagement including participation in the UK FCA Regulatory Sandbox and validated through independent recognition by independent analysts such as Chartis Research and Datos Insights, suggests the assumption is wrong. The question is not how much explainability an institution can afford, but what kind,” the firm said.

It added that AI risks in compliance contexts typically present in three forms. The model reasons about the wrong entity (misattribution), it makes a claim it cannot actually evidence (confabulation), or it applies reasoning that made sense at the time but cannot be reconstructed later (irreproducibility). They are routine failure modes of large language models operating in high-stakes domains. None of these failure modes is solved by making the model more cautious or more accurate. They are solved by making the architecture around the model more transparent.

CleverChain stated, “Misattribution is caught by entity resolution controls, confabulation by evidence requirements and irreproducibility by the audit trail. When these controls are embedded in the reasoning loop from the outset, rather than bolted on as a compliance overlay, they do not slow the system down because they define the system’s operating parameters.”
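The misattribution failure mode described above (“the right name but the wrong legal person”) is the one most easily shown in code. The following is an added example for this article, not CleverChain’s code: an entity-resolution gate whose scoring weights are chosen so that a name match alone can never reach the attribution threshold, a conflicting registration number is disqualifying whatever the name says, and anything below threshold escalates to a human with its confidence and reasons recorded. The weights, threshold, field names and the two-company register are assumptions.

```python
"""Entity-resolution gate: a finding is attributed to a legal person only when
the evidence goes beyond the name. Added example for this article, not
CleverChain's code; scoring weights, threshold and register are assumptions."""
import re
import unicodedata
from dataclasses import dataclass
from typing import Optional

THRESHOLD = 0.85   # assumed: below this the case escalates to a human


@dataclass(frozen=True)
class LegalEntity:
    entity_id: str
    name: str
    jurisdiction: str
    registration_no: Optional[str]
    incorporated: Optional[str]   # ISO date


def normalise_name(name: str) -> str:
    """Fold accents, case, punctuation and common corporate suffixes."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    s = re.sub(r"[^a-z0-9 ]", " ", s.lower())
    s = re.sub(r"\b(ltd|limited|plc|inc|llc|gmbh|sa)\b", " ", s)
    return " ".join(s.split())


def score_match(finding: dict, cand: LegalEntity):
    """Weighted, explainable score. A name match on its own (0.40) can never
    reach THRESHOLD, and a conflicting registration number is disqualifying."""
    reg = finding.get("registration_no")
    if reg and cand.registration_no and reg != cand.registration_no:
        return 0.0, ["registration_no_conflict"]
    score, reasons = 0.0, []
    if normalise_name(finding["name"]) == normalise_name(cand.name):
        score += 0.40; reasons.append("name_match")
    if reg and reg == cand.registration_no:
        score += 0.45; reasons.append("registration_no_match")
    if finding.get("jurisdiction") == cand.jurisdiction:
        score += 0.10; reasons.append("jurisdiction_match")
    if finding.get("incorporated") and finding["incorporated"] == cand.incorporated:
        score += 0.10; reasons.append("incorporation_date_match")
    return round(min(score, 1.0), 2), reasons


def resolve(finding: dict, register: list) -> dict:
    """Return an attribution decision with confidence and reasons. Two
    plausible legal persons near the top also escalate: that is the
    misattribution case, and a confident guess is the wrong answer."""
    ranked = sorted(((*score_match(finding, c), c) for c in register),
                    key=lambda t: t[0], reverse=True)
    best_score, reasons, best = ranked[0]
    runner_up = ranked[1][0] if len(ranked) > 1 else 0.0
    if best_score < THRESHOLD:
        decision = "escalate_below_threshold"
    elif best_score - runner_up < 0.10:
        decision = "escalate_ambiguous"
    else:
        decision = "attributed"
    return {"decision": decision,
            "entity_id": best.entity_id if decision == "attributed" else None,
            "confidence": best_score, "reasons": reasons,
            "runner_up_confidence": runner_up}


# Constructed register: two namesakes in different jurisdictions.
REGISTER = [
    LegalEntity("ent-gb-1", "Aurora Trading Ltd", "GB", "GB00012345", "2010-04-01"),
    LegalEntity("ent-ie-1", "Aurora Trading Limited", "IE", "IE0099887", "2015-09-15"),
]
```

Run against the constructed register, a finding carrying only a name and jurisdiction escalates at 0.50 even though the name matches exactly; the same finding with the GB registration number attributes to `ent-gb-1`; and a finding whose registration number belongs to the Irish company attributes to `ent-ie-1` despite the GB jurisdiction hint, because the identifier outweighs the name. The confidence and reason list are what the decision record should carry forward.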

Meanwhile, Ermanno Ciarrocchi, chief growth officer at CleverChain, stated, “The common complaint is that regulatory constraints tie defenders’ hands while criminals face none. I think this gets the problem backwards. The constraints exist because the decisions are consequential. The failure is in treating them as obstacles rather than design requirements.”

In summary, CleverChain remarked that regulatory requirements and security requirements converge on the same architecture and explainability, when properly implemented, does not undermine AI effectiveness, but protects it instead.

Nzsdejan also jumped in, explaining that there’s a point where the push for explainability starts to work against the value of AI. “The more complex and effective a model becomes, the harder it is to explain in simple, linear terms.”

Due to this, firms end up making a trade-off. Simpler models that are easier to explain but less effective, or more powerful models that are harder to justify. “What’s becoming clearer is that this is the wrong trade-off. Explainability doesn’t need to mean simplifying the model itself. It needs to mean being able to explain the outcome in context – why this case was flagged, what factors drove that outcome, how it comes to similar cases. That’s a very different problem – and one that sits more in how decisions are structured and recorded than in the model itself,” explained Nzsdejan.

Sarda added, “On explainability, the goal is not to explain the model. It is to explain the decision. If a system can say “approve because these checks passed and this policy threshold was met,” with links to evidence, you get accountability without neutering effectiveness. Where teams get stuck is demanding a dissertation for every case, including low risk ones. That is when explainability becomes performance theater.”

The reconstruction of AI decisions

Can a team reconstruct an AI decision today to satisfy a regulator? Here, Grashel detailed that for most firms using AI-native compliance tools, the honest answer is probably not.

He said, “Regulators haven’t yet published granular rules on AI governance, but they’ve been unequivocal about the direction. Systems that a firm uses must be books-and-records compliant. Firms must be able to demonstrate how approval decisions were made, and they must be able to reproduce the audit trail of historical outcomes that withstand scrutiny years after the fact. These aren’t speculative requirements — they’re the logical extension of existing supervisory expectations applied to a new technology.”

The challenge, he added, is that many AI-native tools were not built with this kind of reconstruction in mind.

“Systems built on generative or custom-trained models produce outputs through probabilistic reasoning — they predict likely answers based on statistical patterns,” he said. “Reconstructing why a particular output was produced at a particular moment in time, with a particular version of the model, on a particular dataset, is extraordinarily difficult. Model drift, retraining cycles, and the fundamental opacity of neural network inference all work against reproducibility and explainability.”

Grashel made clear his view that businesses should be asking this question of every AI vendor they evaluate – not hypothetically, but as a live requirement.

“Regulatory scrutiny of AI in compliance is not a matter of if. It’s a matter of when. And the firms that will be best positioned are the ones whose systems were built to answer the auditability question before it is even asked,” he finished.

Nzsdejan held a similar view: the chances of such a reconstruction are slim. He said, “A useful way to think about this is quite simple: If a regulator asked you today to justify a specific AI-driven decision, could you reconstruct it? Not in theory, in practice. Could you show the inputs that were used, the version of the model at the time, the reasoning behind the outcome and how similar cases were treated? For most firms, the honest answer is no.”

This isn’t because the models are wrong, but because the surrounding infrastructure wasn’t designed for that level of scrutiny. This is something the Cardamon CEO referred to as the accountability gap.

CleverChain also believes that the honest answer is no here. From their side, it’s not because the AI is inadequate, but because the evidence chain was not always designed to be ‘replayable’.

The company said it was worthwhile mentioning that what “reconstruction” means to a regulator is not about reproducing identical outputs from an AI model. “Models are probabilistic, therefore exact reproducibility is neither achievable nor expected. What a regulator needs is the ability to reconstruct why a decision was made, using the evidence that was available at the time, the policy that was in force, and the reasoning that connected the two,” the firm said.

CleverChain continued, “The minimum evidence bundle for a defensible reconstruction comprises the inputs presented to the system, the sources retrieved with timestamps, the entity resolution decisions made (including confidence levels and any escalation below threshold), the policy version active at decision time, the outputs produced, and any human reviewer overrides with documented reason codes. Each element must be independently verifiable and, together, they constitute a replayable record that can satisfy a supervisor months or years after the original decision.”
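The evidence bundle just described, together with the three design elements given earlier (a deterministic policy gate outside the model, an evidence layer that rejects any claim without a captured source, and entity-resolution confidence with escalation below threshold), can be put into a single replayable record. The following is an added example for this article, not code from CleverChain, Red Oak or any other quoted firm: the AI proposes, a versioned rule set decides, every element is stored with the policy version in force, a human override must carry a reason code and chains the previous hash, and `replay()` reconstructs the decision months later from the stored record alone. The two-rule policy, the field names, the owner label and the sample case are all assumptions.

```python
"""Replayable decision record with a deterministic policy gate outside the model.
Added example for this article, not code from CleverChain, Red Oak or any quoted
firm; the two-rule policy, field names and sample case are assumptions."""
from __future__ import annotations
import hashlib, json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Versioned policy kept as plain data so the version in force at decision time
# is stored in the record and re-applied, unchanged, during a later replay.
POLICIES = {"kyc-policy-v3": {"escalate_if_pep": True,
                              "max_adverse_media_hits": 1,
                              "min_entity_confidence": 0.85}}

@dataclass(frozen=True)
class Evidence:
    claim: str         # the finding this source supports, e.g. "pep"
    source_id: str     # id of the captured source document (assumed format)
    retrieved_at: str  # ISO-8601 capture timestamp

@dataclass
class DecisionRecord:
    case_id: str
    policy_version: str
    inputs: dict                 # what was presented to the system
    findings: dict               # claims the model proposed
    evidence: list               # captured, timestamped sources
    entity_confidence: float     # from the entity-resolution step
    model_proposal: str          # what the AI suggested
    accountable_owner: str       # named individual who owns the outcome
    gate_outcome: str = ""       # what the deterministic gate decided
    fired_rules: list = field(default_factory=list)
    rejected_claims: list = field(default_factory=list)
    override: Optional[dict] = None  # human override with a reason code
    decided_at: str = ""
    record_hash: str = ""

def evaluate_gate(policy_version, findings, evidence, entity_confidence):
    """Deterministic gate -> (outcome, fired_rules, rejected_claims). A claim
    with no captured, timestamped source is rejected before any rule runs."""
    policy = POLICIES[policy_version]
    evidenced = {e.claim for e in evidence if e.retrieved_at}
    rejected = sorted(c for c in findings if c not in evidenced)
    usable = {c: v for c, v in findings.items() if c in evidenced}
    fired = []
    if entity_confidence < policy["min_entity_confidence"]:
        fired.append("entity_confidence_below_threshold")
    if policy["escalate_if_pep"] and usable.get("pep") is True:
        fired.append("pep_match")
    if usable.get("adverse_media_hits", 0) > policy["max_adverse_media_hits"]:
        fired.append("adverse_media_over_limit")
    return ("escalate" if fired else "approve"), fired, rejected

def _seal(rec: DecisionRecord) -> str:
    """Hash of the canonical record (minus the hash field itself)."""
    body = asdict(rec); body.pop("record_hash")
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def decide(case_id, policy_version, inputs, findings, evidence,
           entity_confidence, model_proposal, owner) -> DecisionRecord:
    """The AI proposes, the gate enforces, and the record captures both."""
    outcome, fired, rejected = evaluate_gate(policy_version, findings, evidence,
                                             entity_confidence)
    rec = DecisionRecord(case_id, policy_version, inputs, findings, list(evidence),
                         entity_confidence, model_proposal, owner, outcome, fired,
                         rejected, None, datetime.now(timezone.utc).isoformat())
    rec.record_hash = _seal(rec)
    return rec

def record_override(rec, reviewer, outcome, reason_code):
    """A human may override, but only with a reason code; the prior hash is
    chained into the override so the original gate decision stays provable."""
    if not reason_code:
        raise ValueError("override without a reason code is not auditable")
    rec.override = {"reviewer": reviewer, "outcome": outcome, "reason_code":
                    reason_code, "prior_hash": rec.record_hash,
                    "at": datetime.now(timezone.utc).isoformat()}
    rec.record_hash = _seal(rec)
    return rec

def replay(rec: DecisionRecord) -> dict:
    """Reconstruct from the stored record alone: is it untampered, and does the
    stored policy version still produce the stored outcome on the stored inputs?"""
    outcome, fired, _ = evaluate_gate(rec.policy_version, rec.findings,
                                      rec.evidence, rec.entity_confidence)
    return {"hash_intact": _seal(rec) == rec.record_hash,
            "gate_reproduced": (outcome, fired) == (rec.gate_outcome, rec.fired_rules),
            "effective_outcome": rec.override["outcome"] if rec.override else rec.gate_outcome}

# Constructed sample: the model asserts two findings, but only the PEP claim has
# a captured source, so the adverse-media claim cannot survive the evidence layer.
SAMPLE_EVIDENCE = [Evidence("pep", "src-registry-0042", "2025-11-03T09:14:00+00:00")]
SAMPLE_FINDINGS = {"pep": True, "adverse_media_hits": 3}

def sample_decision() -> DecisionRecord:
    return decide("case-001", "kyc-policy-v3", {"subject": "Example Holdings Ltd"},
                  SAMPLE_FINDINGS, SAMPLE_EVIDENCE, 0.91, "escalate",
                  "J. Example (assumed MLRO)")
```

Two properties matter here. The gate’s outcome is a pure function of the stored policy version, findings, evidence and confidence, which is what makes it replayable even though the model that produced the findings is probabilistic and may have been retrained since. And because the unevidenced adverse-media claim is dropped before the rules run, the record can show a regulator not only which rule fired but which of the model’s claims was refused, and why.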

This, for CleverChain, is where the distinction between integrated and fragmented architectures becomes consequential.

The firm remarked, “In a model where the institution controls the risk logic, where the system ingests the institution’s own policy and applies it with a full reasoning trail, the decision record is self-contained. The risk outcome is traceable, the system sits in the ICT asset and third-party risk framework with documented resilience and fallback procedures, and the customer-level record links the outcome to the policy version, inputs and evidence used. One architecture, one evidence chain, three regulatory lenses.

“By contrast, in a model where the institution depends materially on vendor-controlled logic, even if the output is operationally useful, the institution may not be able to independently reconstruct the reasoning, test alignment against its own risk appetite, or evidence continuity and accountability without going back to the vendor,” said the business.

It added, “That dependency is precisely what DORA’s third-party risk management framework, the AI Act’s deployer obligations, and the AMLR are designed to address.”

Bastiman took another route. “When AI-driven pattern detection generates an alert classified as high-risk, a human must be able to actively review the reasoning and be the responsible party for any decision to discount or alert. This remains constant with the expectations under the EU Artificial Intelligence Act, which may still be applicable to UK financial services firms if they support any customers within the EU. While low risk customers and transactions allow for more automation to flow, there still must be human oversight in the form of spot checks and sampling.”

For Bastiman, what constitutes high or low risk is not prescribed by the regulator, but is based on an individual financial institution’s risk-based assessment.

She said, “Regulators will give guidelines, but it is not definitive rules. A strong risk-based assessment should feed into everything that FinCrime teams do with AI, including model validation and outcomes-based testing, to ensure the focus stays on results and not technology.”

The Napier chief data scientist added that ‘reconstructing’ a decision should not be retroactive, and all decisions should be created in parallel with a robust audit trail.

She finished, “AI driven explanations of customer behaviour or the activity contributing to an alert should be natural language and aim to highlight behavioural patterns and surface potential new or emerging risk during investigation. But current regulatory oversight requires that a human conduct the investigation and take accountability for the decision to report or discount.”

Swann was clear that in most organisations, such AI decisions could not be reconstructed consistently.

He remarked, “Reconstructing decisions requires clear data lineage, model versioning, and traceable logic – all of which are often fragmented or missing. Without this, accountability remains theoretical rather than demonstrable.”

Sarda believes that the regulator test is simple. “If you cannot show what data was checked, what signals were used, what rule or policy fired, and where human oversight applied, then the gap is not AI. The gap is governance. The fix is to design workflows where evidence and reasoning are captured by default, not assembled after the fact,” he remarked.

Esteban Lopez, senior manager of product & technical marketing at Theta Lake, believes this question is the central one facing every financial institution and global enterprise.

He said, “In the modern regulatory landscape, the requirement has shifted from simple explainability to a comprehensive forensic audit trail of the entire AI decision lifecycle. An organization must now prove more than just the ‘how’ behind a decision; it must substantiate the ‘why’ and the ‘what’ at a precise point in time.”

In his view, this level of reconstruction requires the ability to provide precise data provenance, model versioning and a record of any external data or gateways that influenced the output.

“Currently, the most significant challenge is capturing the ‘prompt and response’ sequence across a complex multi-agent and human interaction spectrum. Decisions are no longer isolated events; they are frequently the result of long communications, information gathering and reasoning processes involving humans, AI agents, and secondary infrastructure providers,” said Lopez.

Lopez also detailed that organisations are struggling to find systems which can effectively normalise and unify these disparate AI communications.

He added, “Whether an interaction occurs through a proprietary gateway or a third-party LLM, the data must be standardized into a single, searchable, audit-ready view. This transforms fragmented conversations into a unified, forensic history. Without the ability to quickly pinpoint specific areas of interest within a massive, longitudinal dataset of AI interactions, true reconstruction remains nearly impossible.”

English also had an opinion on the question. She remarked that regulators remain technology-neutral: accountability rests with the firm irrespective of whether a decision is made by a human or an AI. “When the firm needs to respond to a regulatory inquiry it must be able to reconstruct the logic behind an AI’s decision with both speed and precision,” she said.

Defensibility, she believes, comes down to having both an audit trail and contextual transparency.

She said, “For example, Theta Lake can summarize months of cross-channel conversation data into digestible snippets, providing the necessary context for why a specific interaction was flagged as risky. By generating an “audit-ready” summary at the moment of detection, the system allows human reviewers to verify the alert and present a clear, defensible narrative to regulators. For firms seeking a benchmark, ISO 42001 provides a verifiable framework for governance maturity, ensuring that your AI development is both responsible and regulator-ready.”

Proving their worth

Iain Armstrong, executive director of FCC Strategy at ComplyAdvantage, believes it can be a ‘useful thought exercise’ to imagine AI as a human and to ask what would reasonably be expected of a human by regulators, auditors, line managers and others.

Armstrong added that the question he would always ask in compliance was: “Can you show me why this decision was made?” The concepts that matter most are observability and explainability: whether a decision can be reconstructed, documented, and defended after the fact, he said.

The ComplyAdvantage director remarked, “Developed correctly, AI agents working on compliance problems can produce defensible rationales at scale, with consistent structure, for every decision the system touches. Assurance teams in some businesses are already refactoring their work to include direct interrogation and sample checking of AI outputs. I expect we’ll see much more of this in future.”

Getting it right

As firms look to scale AI across compliance, a key challenge is emerging in parallel: how to govern effectively without slowing innovation. According to Areg Nzsdejan, the firms getting this right are not layering governance on top of existing systems, but redesigning how those systems operate at a fundamental level.

Rather than treating governance as an external control, they are embedding it directly into the mechanics of decision-making. In these environments, decisions are no longer buried in logs but captured as structured outputs; regulatory obligations are mapped explicitly to system behaviour; reasoning is recorded as part of the workflow itself, not reconstructed after the fact; and outcomes can be traced end-to-end without manual intervention. The result is a subtle but important shift—one where the distinction between “AI tooling” and “compliance infrastructure” begins to dissolve.

In this model, governance is no longer an overlay. It becomes a natural byproduct of how the system functions. Decisions, obligations, and controls are inherently linked, creating a framework where accountability and traceability are built in from the start rather than retrofitted later.

Looking ahead, the direction of travel is becoming clearer. Regulators are unlikely to resist the use of AI in compliance; the real point of scrutiny will be whether firms can explain and justify the outcomes these systems produce. The question is no longer whether AI will be adopted, but whether institutions can stand behind it when challenged.

What is emerging, then, is a shift in focus. The challenge is not primarily about building better models, but about constructing systems in which decisions are observable, structured, and inherently defensible. That is where the gap currently lies—and where many firms are still catching up.

The challenge of governance

Sebastian Hetzler, co-CEO of IMTF, remarked that as financial institutions scale the use of AI in compliance, the challenge is no longer technological capability, but governance.

He detailed, “Increasing automation introduces new questions around explainability, auditability, and responsibility. Effective governance is not about adding layers of control that slow operations, but about designing frameworks where decisions remain traceable, interpretable, and accountable. This requires a careful balance, ensuring that AI models remain effective, while embedding human oversight and clear decision ownership throughout the process.”

For Hetzler, the arms race ahead is not AI vs criminals – it’s automation vs accountability. “The winners will be those who can scale both,” Hetzler said.

How to preserve accountability

As financial institutions deepen their use of GenAI across compliance, a more fundamental question is coming into focus: how accountability is preserved when decision-making is increasingly shaped—sometimes initiated—by intelligent systems. For Paul Burleton, Chief Product Officer at Corlytics, the answer is clear. “Automation doesn’t change responsibility. Under accountability regimes, that principle remains absolute.”

Frameworks such as the Senior Managers and Certification Regime (SMCR) have already established that accountability sits with named individuals, regardless of the tools or third parties involved. AI does not alter that equation. Firms may automate workflows, augment human judgement, or outsource operational processes, but responsibility remains firmly anchored to senior leaders. This becomes particularly significant as AI expands into areas such as trade surveillance, KYC and AML reviews, suitability assessments, and large-scale regulatory interpretation. As Burleton puts it, “when a human accepts an AI-generated recommendation, the accountable senior manager remains responsible for that decision and its consequences.” Far from diluting responsibility, AI raises the bar—requiring leaders not only to make decisions, but to understand and govern the systems that inform them.

Yet while the regulatory position is unambiguous, operational reality is more complex. AI systems now generate insights, classifications, and alerts at a scale that challenges traditional oversight models, creating what Burleton describes as an emerging accountability gap. “Outcomes become automated, but oversight becomes blurred.” As AI outputs grow more sophisticated—often accompanied by confidence scores and increasingly persuasive reasoning—there is a natural tendency for users to over-rely on them, particularly under time pressure. Without deliberate intervention, decisions risk being treated as system-owned rather than individually accountable, eroding the culture of challenge that effective compliance depends on.

Closing this gap requires more than high-level governance; it demands that accountability is embedded directly into AI-enabled processes. That means clearly mapping systems, decisions, and oversight responsibilities to specific individuals, ensuring expert validation carries genuine authority rather than procedural sign-off, and maintaining transparent audit trails that capture model logic, input data, versioning, and human interpretation or overrides. It also requires explainability that translates technical outputs into language the business can interrogate, alongside robust oversight of third-party AI to ensure external tools remain firmly within internal accountability frameworks. In Burleton’s view, this is how firms move from theoretical governance to operational reality—by making ownership explicit at every stage of the decision chain.

The additional challenge is doing so at speed. As models iterate rapidly and deployment cycles compress, governance must evolve from static controls to continuous processes—combining rolling validation, real-time monitoring, and dynamic risk assessment. “Firms need governance that keeps pace with the technology, not one that lags behind it,” Burleton notes.

Ultimately, AI offers significant promise for compliance—reducing manual burden, accelerating insight generation, and enhancing detection capabilities—but these benefits only materialise when accountability remains central. Under regimes like SMCR, responsibility always resides with a human. As Burleton concludes, “banks can automate processes, they can outsource tasks, but they cannot outsource accountability.” The institutions that succeed will be those that combine robust governance with rapid innovation, while maintaining absolute clarity over who owns every AI-enabled decision.


Copyright © 2026 RegTech Analyst
