What decisions can machines be allowed to make?

Automation in compliance is no longer only about assistance – it is about delegation. Across KYC, AML, sanctions screening and transaction monitoring, machines are not just identifying risk; they are prioritising it, filtering it, and in some cases resolving it before a human intervenes. 

This forces a much tougher question: which compliance decisions are safe to automate, and which should remain human by design? Detecting patterns is one thing. Closing alerts, assigning risk ratings, mapping regulatory obligations, or escalating SARs is another. The risk may not be over-automation but automating the wrong layer of the decision chain.

Machines are already shaping outcomes. The real issue is whether firms have consciously defined the boundary – or whether that boundary is being set quietly by operational pressure and technology design. In an environment where accountability ultimately sits with the firm, that distinction matters.

In Part One of The Accountability Gap, we examined how automation has outpaced traditional responsibility frameworks. This second instalment moves the debate forward. If accountability ultimately rests with the firm, then defining what machines are allowed to decide is not a technical choice – it is a governance one. And until that boundary is clearly drawn, the gap between decision-making and responsibility will continue to widen.

What is safe to automate

One of the first key questions to ponder in this debate is which compliance decisions are safe to automate — and which never are.

For Areg Nzsdejan, CEO of Cardamon, there are two lenses to view this through – technical and ethical.

On the technical lens, he believes the first question that needs to be asked is whether machines are capable enough to make the decision. “We’ve already automated rule-based workflows for years – transaction monitoring alerts, sanctions screening, threshold checks. These are structured environments with clear logic,” he said.

As has been seen in the wider market, AI is now capable of more nuanced tasks. This involves determining whether a regulatory obligation is applicable, assessing whether it is covered by existing policy, and identifying gaps and suggesting remediation.

He remarked, “These are all decisions our AI agents at Cardamon are making in product right now for some of the largest regulated brands in the world. Where things get harder is where genuine ambiguity exists. For example: ‘Why is that risk rating high?’ ‘How severe is this exposure?’” These, Nzsdejan states, are areas where even experienced compliance professionals disagree. The more judgment required, the more cautious he believes we should be about full automation.

Then comes the ethical lens. Assuming machines are technically capable of making every decision, if there is even a 0.01% chance of a mistake that could result in a material breach or criminal liability, can a machine truly own the decision?

Nzsdejan said, “Machines cannot be prosecuted. They cannot be fined. They cannot be disqualified. Someone must bear responsibility. And today, that someone is human.”

The Cardamon CEO stressed that AI can – and should – make a vast range of compliance decisions. However, where accountability sits with a named individual, those decisions should ultimately be signed off by that individual.

“AI can decide; however, humans must remain accountable. Well, until an AI firm takes on insurance and becomes liable – that is where things may get interesting,” said Nzsdejan.

Tim Khamzin, CEO of Vivox AI, pointed to regulators’ repeated statements that automation in compliance is not inherently the issue – the real issue is accountability.

He said, “The discussion has evolved from basic task automation to agentic AI systems. Large global institutions are redesigning finance, tax and risk operating models around domain-specific AI agents, embedding governance directly into the architecture through audit trails, override controls, continuous validation and clearly defined decision rights. That shift is significant, as it recognises that autonomy must be engineered alongside accountability, not layered on afterwards.

“Machines can safely automate bounded, policy-defined tasks such as data gathering, document verification, screening triage, report generation and structured risk scoring, where outputs are traceable, monitored and reversible. What they should not do is carry final authority over decisions that materially alter a firm’s risk posture or directly affect a customer, including sanctions confirmations, exits, freezes or policy exceptions.”

John Kearney, AI product director at MyComplianceOffice, takes the view that the decisions safe to automate are those rooted in speed, scale and pattern detection – reviewing large volumes of data, surfacing false positives and identifying anomalies.

He said, “AI can handle that work consistently and efficiently. But when a decision requires human judgment, contextual understanding, or nuanced interpretation of regulation, it cannot be fully automated.”

This, he claims, is where MCO draws an important distinction. “Deterministic surveillance — defined rules producing predictable, defensible outcomes — will remain the core of compliance programs for the foreseeable future. Probabilistic AI capabilities enrich that foundation; they don’t replace it.”

Supradeep Appikonda, COO and Co-Founder of 4CRisk.ai, draws a sharp line between automation that enforces clarity and automation that attempts to interpret ambiguity.

Some compliance decisions, he argues, are simply structured logic problems. “When a clear rule results in a yes or no determination, and the remedy is predictable,” those decisions are safe to automate. There is little value in inserting human discretion where none is required. Security monitoring for password changes, sanctions screening against a defined list of requirements, policy acknowledgements – these are binary exercises. Either the control has been met or it has not. In such cases, automation enhances consistency, speed and auditability without meaningfully increasing risk.

But that clarity dissolves quickly once context enters the frame. Many compliance decisions are not mechanical rule checks but judgment calls shaped by nuance. Where facts must be weighed, intent inferred, or exceptions evaluated, Appikonda is unequivocal: human involvement is non-negotiable. A potential breach, for example, is rarely just a data point – it may require investigation, interpretation, and a proportional response. Likewise, determining whether an exception is warranted demands experience and accountability.

Alex Mercer, Head of Innovation Lab at Zeidler Group, resists the temptation to draw bright lines.

“I don’t think there is a universal list of compliance decisions that every firm will agree is safe to automate; nor do I think there should be.” For Mercer, the question is less about categories of decisions and more about risk appetite. In principle, he argues, “any compliance decision could be safe to automate, so long as you are willing to live with the consequences of doing it incorrectly.” Automation is not a moral threshold — it is a risk calculation.

As the stakes rise, however, enthusiasm for full automation naturally recedes. When the regulatory, financial or reputational consequences of error become severe, firms instinctively pull humans back into the loop. The willingness to automate, Mercer suggests, is inversely proportional to the cost of being wrong.

Still, he offers pragmatic heuristics. If a task is one a firm would comfortably outsource to a third party, it likely sits closer to full automation than most admit. If it is a decision reserved for senior compliance officers, scrutinised by committee and framed by institutional memory, “you probably don’t want to automate that now.” The dividing line, in practice, is not technological sophistication but impact: lower-risk, lower-consequence decisions are prime candidates; high-stakes judgments remain firmly human territory.

Stephen Lovell, CPTO at Vixio, sees that machines are excellent at monitoring regulatory change, extracting structured data from complex text, identifying patterns and anomalies, scoring and prioritising risk signals and drafting impact assessments – all repeatable, high-volume, evidence-driven tasks.

“Where machines struggle – and where risk escalates – is in interpreting regulatory intent, applying firm-specific risk appetite, making final decisions that materially affect customers and balancing competing regulatory principles,” said Lovell.

Compliance exists primarily to protect customers from harm, such as unfair treatment, misconduct and fraud. “The decisions taken have real-world consequences,” Lovell said. “Automation is powerful, but responsibility cannot be outsourced. The issue is not whether AI can generate an answer. It’s whether that answer is defensible.”

Meanwhile, for Rick Grashel, CTO and co-founder at Red Oak, the decisions that are safe to automate depend on the acceptable level of risk to a particular firm.

He said, “For example, some firms might consider it perfectly safe to completely automate approval decisions for institutional fact sheets. Whereas other firms might think it is never acceptable to automate the approval of retail market commentary. In the end, there are SEC and FINRA-licensed individuals who put their licenses on the line when making regulatory approval decisions.

“If regulatory licenses are on the line, fully-automated approval decisions will be highly scrutinized to ensure that all the information surrounding those decisions can be easily produced and explained with a sufficient level of detail—under regulatory audit or subpoena.”

AI risk: wrong automation or over-automation?

Another key discussion point within the industry right now is whether AI risk comes from over-automation or from the wrong automation. For Kearney, the real risk doesn’t come from automating too much, but from automating the wrong things.

“AI will scale whatever logic it’s given, and if that logic is biased, outdated, or opaque, the system will amplify those weaknesses across the workflow,” he said. “That’s how historic bias gets reinforced, how conflicts get embedded into daily operations, and how flawed decisions spread at machine speed. Poorly governed automation, not the volume of automation, is what creates systemic risk.”

This point is somewhat echoed by Mercer, who believes that AI risk generally comes from using the wrong automation, or an automation implemented without full knowledge.

He said, “In a way, over-automating a process is a wrong automation; specifically in scenarios where the same process could be accomplished with significantly fewer steps and traditional ML instead of GenAI. I find that most AI risk we see in the field comes from implementations of the technology that didn’t take into account basic software principles.”

Mercer cited the acronym KISS (keep it simple, stupid) and believes this principle is absent from many GenAI tools and implementations.

“As such, we see a lot of AI processes that are rather bloated and use GenAI for tasks that frankly didn’t need to be used. I don’t think these are necessarily fatal in the moment, but I do think not being careful with AI implementation means that the risk from using the wrong automation will continue to compound,” he said.

Nzsdejan also sided with the ‘wrong automation’ camp. He said that AI fails when it is given poor context, fed incomplete data and pointed at the wrong problem.

“That’s no different to a human colleague. If you give someone unclear instructions or a flawed framework, the output will be flawed,” he said. “When implemented correctly, AI can automate the heaviest, most time-consuming layers of compliance: broader regulatory coverage, more consistent analysis and faster gap detection.”

He finished, “Done right, this increases quality and improves customer outcomes. The risk is not automation itself. The risk is automating the wrong thing.”

Similarly, for Khamzin, the real risk is not over-automation, but automating the wrong layer of judgement without mature governance and lifecycle oversight.

He said, “Human sign-off does not signal distrust of AI; it is a deliberate control aligned with regulatory responsibility. The future of compliance is staged autonomy: automate evidence and orchestration first, introduce tightly governed agentic decisioning next, retain human authority where accountability and risk appetite ultimately sit.”

Appikonda took the chance to reference the growing use of AI agents, citing the valid concern that risk may actually rise for the 5% of corner cases that are outliers.

He commented, “AI may be making biased decisions, blind to unusual factors that may be clouding suspicious intent. Remember, AI needs to be able to provide explainability, outlining the logic it used to make a decision. If confidence factors are repeatedly low, it may signal that part of the process cannot be logically automated. Professionals need to be able to explain to a regulator why a specific decision was made.”

Jean Voigt, head of AI at IMTF, made clear that they believe automation should be calibrated to risk assessment observations, not technological ambition. Machines are well suited to decisions that are repetitive, low-risk, and grounded in clearly defined patterns, provided those decisions remain explainable, traceable, and subject to appropriate controls and escalation.

Voigt said, “Where regulatory interpretation, contextual judgment, or material impact comes into play, human involvement is essential. The real danger is not over-automation, but automation without effective controls, where organisations lose sight of which decisions truly require human judgment.

“The goal is not to automate everything, but to automate responsibly. Automation works best when risk is well understood and controls firmly established. Machines should handle what is predictable and controlled, and humans should focus on what requires judgment, accountability, and regulatory interpretation.”

Lovell was another who sees the greater risk in wrong automation. For him, the critical boundary sits between analysis and preparation on one side and judgement and accountability on the other.

He said, “If firms automate interpretation without clear explainability, they introduce regulatory risk. If they automate preparation but retain structured human decision-making, they increase both efficiency and safety.”

For Lovell, the simple stress test was: if challenged, can we clearly explain the data used, how it was processed and why the final decision was taken? “If the answer is unclear, the automation boundary is misplaced,” he said.

Grashel was one of the first to break from the line, stating that the real risk is neither. Instead, the real risk is incomplete automation or gaps in automation.

He said, “Automating human agents requires deep subject-matter expertise in what they do, what skills they have, and what resources they use to complete their tasks. For many tasks, this can be incredibly complex, poorly documented (or not at all), and/or substantially contained solely within tribal knowledge. These kinds of gaps will result in an improperly or insufficiently trained AI agent, which will produce sub-standard results and could lead to serious regulatory issues.”

Are human sign-offs a lack of trust in AI?

Whilst more trust has grown up around the AI space, there are still significant requirements for human sign-offs up and down the value chain. Does this represent a lack of trust in AI?

Appikonda believes it is more to do with being able to answer how the decision was made and performing the oversight role diligently. “A small mistake applied across thousands of transactions can blow up to a significant failing that may not be detected for weeks or months. Regular reviews on the effectiveness of ‘human in the loop’ steps will help uncover where more or less scrutiny is required.”

Nzsdejan stressed that instead of being seen as a lack of trust, human sign-offs reflect good governance.

He said, “Think of it as a four-eye check. When a critical compliance decision is made – whether by a junior analyst, a senior colleague, or an AI system – the accountable individual signs off. That’s just risk management. This is why we build what we call ‘last mile compliance’ tools at Cardamon – to make this sign-off process as smooth as possible.”

Meanwhile, Red Oak’s Grashel also stated that human sign-offs are less about a lack of trust in AI and more about reinforcing that an organisation’s supervisory procedures were followed in the review process, and that detailed record-keeping is stored alongside that process.

He said, “The outcome of any particular document review or checkpoint is not the only important thing in an approval workflow. Recording the checkpoints and steps taken that resulted in that review is equally important, if not more so, to ensure books-and-records compliance.”

Kearney agreed with the same point, saying that sign-offs are more about managing risk responsibly.

He said, “MCO’s approach is what we call ‘Human in the Middle’: AI assists, but humans review, decide, and remain accountable. The workflow is straightforward — Detect, Triage, Human Review, Decision, Record. When a system produces a questionable result, when the stakes are high, or when something just doesn’t look right, a person must step in, understand the reasoning, override it when needed, and own the outcome.”
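The decision-rights boundary the interviewees describe (machine authority only over bounded, reversible tasks; sanctions confirmations, exits, freezes and policy exceptions reserved for a named human; repeated low confidence as a signal to pull a task back from automation; every step recorded) can be sketched as a small gate. This is an added illustration, not code from MCO, Cardamon, Vivox AI or 4CRisk.ai; the decision classes, confidence floors and repeat limit are assumed values, and the Detect/Triage/Human Review/Decision/Record stages follow the workflow quoted above.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Assumed encoding of the article's boundary: these classes never carry
# machine authority, however confident the model is.
HUMAN_AUTHORITY_ONLY = {"sanctions_confirmation", "customer_exit",
                        "account_freeze", "policy_exception"}
# Bounded, reversible tasks and the (assumed) confidence floor at which the
# machine may resolve them without a reviewer.
AUTO_ELIGIBLE = {"screening_triage": 0.90, "document_verification": 0.95,
                 "report_generation": 0.80}
LOW_CONFIDENCE = 0.60   # assumed: outputs below this count as weak
REPEAT_LIMIT = 3        # assumed: this many weak outputs flags the class

@dataclass
class Decision:
    decision_id: str
    decision_class: str
    proposed: str        # e.g. "close_alert", "escalate", "freeze"
    confidence: float
    rationale: str       # explainability payload shown to reviewer/regulator

@dataclass
class Gate:
    audit: list = field(default_factory=list)
    weak_outputs: dict = field(default_factory=lambda: defaultdict(int))

    def route(self, d: Decision) -> str:
        """Triage: who holds authority over this decision class?"""
        if d.decision_class in HUMAN_AUTHORITY_ONLY:
            return "human_authority"
        floor = AUTO_ELIGIBLE.get(d.decision_class)
        if floor is not None and d.confidence >= floor:
            return "auto"
        return "human_review"          # eligible class but weak confidence

    def submit(self, d: Decision, reviewer: Optional[str] = None,
               override: Optional[str] = None) -> dict:
        """Detect -> Triage -> Human Review -> Decision -> Record."""
        route = self.route(d)
        if d.confidence < LOW_CONFIDENCE:
            self.weak_outputs[d.decision_class] += 1
        if route == "auto":
            final, owner = d.proposed, "machine"
        elif reviewer is None:
            final, owner = "pending", None      # machine may not act alone
        else:                                   # reviewer signs off or overrides
            final, owner = (override or d.proposed), reviewer
        entry = {"id": d.decision_id, "class": d.decision_class, "route": route,
                 "proposed": d.proposed, "confidence": d.confidence,
                 "rationale": d.rationale, "final": final, "owner": owner,
                 "overridden": override is not None and override != d.proposed}
        self.audit.append(entry)                # the record is the control
        return entry

    def flagged_classes(self) -> set:
        """Classes with repeatedly low confidence: candidates to de-automate."""
        return {c for c, n in self.weak_outputs.items() if n >= REPEAT_LIMIT}
```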

Mercer, on the other hand, said that human sign-offs reflect the reality of using LLMs, in that it is very difficult to hold a GenAI tool accountable for mistakes or errors.

He explained, “I don’t think it’s a lack of trust, but I could see how it is related more to risk than not. In the event of a critical failure, having sign-offs at least allows for some semblance of control and oversight over the failed instance. You can trust your natural language to SQL GenAI tool as much as you’d like, but in the event it drops all your tables, responsibility has to rest somewhere. Same goes for an automated filing system that fails to go off when it’s scheduled to go.”

Mercer stressed a clear point – that the regulator does not care that you tried really hard to comply, they care if you are compliant or not. “So until we can point to an AI system as the central point of failure and the regulator accepts that as a valid reason, there will continue to be human sign-offs and oversight,” he said.

You can read part one of this Accountability Gap Series here. 

Copyright © 2026 RegTech Analyst
