As regulatory demands continue to multiply, many organisations are finding that their compliance frameworks have grown larger, more complex and harder to manage, rather than more effective.
Susan Palm, chief revenue officer at 4CRisk.ai, says this growing sprawl of overlapping controls is one of the most persistent challenges facing IT, security and compliance teams today, particularly as firms operate across multiple jurisdictions and regulatory regimes. Palm argues that control harmonisation, supported by AI-powered tools such as 4CRisk’s Compliance Map, offers a practical way out of this inefficiency.
In today’s IT, cyber and regulatory compliance environment, the instinctive response to every new framework or regulation has been to add more controls. Standards such as ISO 27001, PCI DSS, SOC 2, NIST, GDPR and DORA have all contributed to a landscape where similar controls are implemented repeatedly under different names. Over time, this creates a compliance framework riddled with overlap. Audit and compliance teams may end up testing the same control multiple times, often in silos, which can lead to what many professionals describe as “compliance drift”. One version of a control may pass while another fails, resulting in an inaccurate view of the organisation’s true risk posture, Palm noted.
This problem is commonly referred to as control redundancy. It includes duplicate, overlapping, orphaned and unnecessary controls that quietly erode efficiency. While it has long been accepted as an unavoidable cost of compliance, advances in AI are now making it possible to address redundancy systematically through control harmonisation. Rather than managing thousands of individual controls across multiple frameworks, organisations can rationalise them into a smaller set of unified controls that satisfy multiple requirements at once, Palm explained.
The operational benefits of this approach are significant. Harmonised controls allow teams to collect evidence once and reuse it across standards, enabling a “test once, comply many” model. Harmonisation also reduces friction between teams by eliminating repeated evidence requests from risk, compliance, governance and audit functions. Perhaps most importantly, it enables organisations to respond more quickly when new regulations emerge, as new requirements can be mapped to an existing control framework rather than rebuilt from scratch.
Traditionally, harmonisation has relied on spreadsheets and manual cross-referencing, an approach that struggles to scale and is prone to human error. Many teams still find themselves mapping hundreds of controls across dozens of frameworks by hand, often duplicating work across departments. This is where AI is beginning to change how compliance programmes operate.
4CRisk’s Compliance Map applies natural language processing to analyse the intent and meaning behind internal controls and external regulatory requirements. Instead of relying on keyword matching, the platform interprets context, allowing a single internal control to be mapped accurately across multiple frameworks. The technology also identifies redundant controls that serve the same purpose, helping organisations rationalise their frameworks and reduce testing workloads. As regulations evolve, the mapping updates dynamically, supporting real-time gap analysis and highlighting where genuine compliance gaps exist.
By adopting AI-enabled control harmonisation, organisations can shift away from reactive, manual compliance practices, Palm said. The result is a leaner and more resilient compliance function that lowers costs, improves morale and delivers a clearer, more reliable view of regulatory risk. As regulatory pressure continues to rise, particularly heading into 2026, the choice to persist with spreadsheet-driven compliance is increasingly difficult to justify.
Copyright © 2025 FinTech Global
Copyright © 2018 RegTech Analyst