Proving an organization has a compliance program ready to go is easy. Proving the program worked on an exact transaction is a whole other issue, Jim Sadler of AutoRek explains. Compliance teams that design provability into programs will spend less time reconstructing evidence and more time on strategic work.
Ask a compliance officer whether their program is well-designed, and the answer is almost always yes. The policies are thorough. The training is documented. The governance structure has been reviewed, revised and approved at the board level. The harder question is whether that same program can prove, right now, that a specific control operated correctly on a specific transaction last quarter. For many firms, answering that takes weeks of manual reconstruction across multiple systems.
Inability to provide concrete proof drives more examination findings than weak policies or inadequate training. Examiners want something more granular. Provability should be a design requirement from the start rather than a reporting function attached afterward. When it is built in from the get-go, controls that generate proof as a byproduct of operating eliminate the need for reconstruction entirely and set compliance teams up for success in the long run.
Retrofitting that philosophy into an existing compliance program is difficult under stable conditions. Under current market conditions, it is becoming urgent, because three converging forces are widening the provability deficit faster than most firms recognize.
Forces compounding the provability deficit
Regulatory changes trigger a predictable response inside most compliance departments: update the policy document, circulate the revision, log the change. What rarely follows is a corresponding update to the control logic that enforces it. The policy reads one way while the control logic underneath may still reflect the old rules. That misalignment only surfaces when an examiner tests the control rather than the document, and by then the firm has been operating under a false sense of compliance. In a regulatory environment where multiple jurisdictions are updating requirements simultaneously, this problem multiplies. A firm that updated five policies in a quarter but only re-engineered two of the corresponding controls has three examination findings waiting to be discovered. Treating every regulatory change as a control re-engineering event rather than a documentation update closes that exposure before an examiner finds it.
Where regulatory change creates a provability problem through drift, AI creates one through opacity. Logic behind an automated decision that nobody captures at the point of decision is gone permanently. There is no interview to conduct, no email chain to pull, no analyst notes to review. The decision happened inside a model, and if the model’s reasoning was not logged at execution, the evidentiary trail ends there. Firms adopting AI-driven processes in lending, risk scoring and transaction monitoring are generating outcomes at a volume and speed that make after-the-fact reconstruction impossible. Regulators are paying closer attention to AI-driven outcomes precisely because the decision-making process is opaque by default, and the efficiency gains do not offset the evidentiary liability they create. Every model-driven result requires captured inputs, logic and output in a form someone can review later. Without that record, the decision is indefensible regardless of whether it was correct.
The challenge is compounded by the speed at which AI adoption is outpacing governance. Compliance teams that took years to build evidentiary frameworks around manual processes are being asked to extend the same level of oversight to AI-driven workflows that were deployed in weeks. The provability requirement does not shrink because the process became faster. It grows, because the decision volume and complexity both increase while the ability to trace any single decision back to its inputs decreases.
These challenges become harder to manage as organizational complexity increases alongside them. Every new asset class, jurisdiction or distribution channel adds another evidence chain a firm needs to maintain, and the evidence-producing capacity does not grow with it. A firm operating across three regulatory regimes with two product lines has a manageable number of proof points. After an acquisition and two product launches, that same firm has multiplied its evidence obligations without proportionally expanding its ability to meet them.
Each of these forces is difficult to address individually. Together, they create a compounding effect. A firm responding to regulatory changes while adopting AI and absorbing an acquisition is facing all three at once, layered on top of a provability framework that was under-built before any of them arrived. The firms that recognize this compounding dynamic early and restructure their controls accordingly will carry a significant advantage into their next examination cycle.
Provability as an audit discipline
Addressing the provability deficit at the level of individual controls is necessary, but it is not sufficient on its own. The discipline also needs to be embedded into how firms evaluate their programs internally. Internal audit functions should expand their scope to test for provability alongside adherence. Most audit programs assess whether controls exist and whether staff follow them. Provability belongs in that same assessment. Can the firm prove a specific control operated correctly on a specific date for a specific transaction without manual reconstruction? Without that capability, the control functions but cannot account for itself.
Provability deserves the same investment and rigor given to program design. The compliance teams that treat it as a design discipline rather than an afterthought will spend less time reconstructing evidence and more time on the strategic work that examination readiness is supposed to enable. Every examination comes down to one question. Did the program work? The answer lives in the evidence trail, and the time to build it is before the question gets asked.


Jim Sadler is chief transformation officer of fintech platform AutoRek. 






