As AI continues its undeniable rise through both private enterprise and public practice, it’s entirely possible that soon, comprehensive checks will end up being cheaper than selective, sample-based reviews, says Dawid Kotur, CEO of generative AI platform Curvestone.
In the city of London and other financial centers across Britain, the compliance profession has always been built on a fundamental compromise: Regulators accept sample-based checking for certain complex checks because comprehensive review simply isn’t practical and would encumber businesses with “dead weight” cost. But what happens when that constraint disappears? We’re about to find out.
Regulation is by nature not simple. It requires skilled people to interpret complex requirements and navigate the gray zones that emerge in every situation. There are rarely simple yes or no answers; context matters, judgment matters, expertise matters.
This balance has shaped everything. Compliance teams create processes and checklists to demonstrate that they’ve interpreted regulations correctly and have appropriate guardrails in place. They prepare meticulously for their sample checks, knowing most cases won’t face scrutiny. But this entire system rests on one assumption: Compliance checking must be done by humans because it’s simply too complex for anything else.
That assumption is now starting to be questioned.
Why this time is different
Unlike previous regulatory evolutions, typically triggered by disasters in which something bad happens and we scramble to ensure it doesn’t happen again, we’re witnessing something different. We’ve got exponential progress in technology and AI that’s drastically improving our ability to do these checks in ways that simply haven’t been possible before. This is not the typically reactive approach to regulation; it’s capability-driven.
For instance, mortgage case file checks that were taking two or three hours can now be done within 12 minutes: four minutes for an automated review and eight minutes for human oversight.
But law firms offer our best preview of what’s coming. These are some of the most conservative, cautious corporate entities in the economy. Yet they’ve embraced AI with remarkable speed. Two years ago, they were worried. Now the big firms are using AI as part of their everyday operations.
And this matters for compliance teams: Using AI in compliance is actually safer than using it for broader legal work. Compliance is much more contained; you’re checking against specific requirements rather than interpreting centuries of case law. You have defined checks, clear parameters and much less interpretive variability. This containment means you can achieve much greater accuracy.
The EU Has Taken Another Step Toward Unified AML Supervision; Are Your Processes Ready?
Regulators want to see that firms’ policies work in the real world
Read moreDetailsSignals that things are changing
DORA was the first major regulation where AI was truly good enough to be used effectively, and once it hit, law firms partnered with technology providers. Grant Thornton developed a DORA solution, as did others. This was proof that AI could play a central role in handling serious regulatory compliance at scale.
The Solicitors Regulation Authority (SRA), which oversees law firms in the UK, has not blocked any law firms from using AI to improve their ability to provide legal counsel on new regulations like DORA. In fact, the agency approved the first AI-driven law firm in May. This regulatory acceptance signals that AI-enabled compliance is not just technically possible but legally permissible.
The Financial Conduct Authority (FCA) has also dramatically expanded its own internal use of AI: monitoring scam ads, detecting unauthorized firms, synthetic‑data testing for sanctions and AML pattern‑spotting. This gives the FCA the muscle to run more automated spot checks and surveillance than in the past.
Companies House will by 2027 require that all accounts be submitted via approved software like QuickBooks. This adoption of now widely used software on the regulator’s side shows how possible becomes required. The same might come incrementally for AI, but it is coming.
Three moves UK compliance professionals can make now to prepare
1. Start tracking
You need visibility on your current compliance metrics. How many cases do you process? How long does each check take? Where are the bottlenecks? Having clear processes mapped out with metrics on how long each step takes is essential. This will be critical intelligence for the transition ahead.
2. Break down the silo wall
The chief compliance officer needs to start talking with the chief technology officer regularly. While compliance isn’t the sexiest area for technology deployment, it’s almost certainly one where the operational efficiency savings are most measurable and impactful. Don’t rush to buy software. The first thing to do is ensuring compliance is on the technology agenda, understood as a strategic priority rather than a back-office burden.
3. Don’t wait for yesterday’s playbook
This shift won’t follow the traditional pattern of “crisis → regulation → implementation.” It’s more subtle and more gradual but potentially more transformative. Follow regulatory speeches, consultation papers and technology initiatives. The clues are there for those paying attention.
Some questions to keep asking
Who carries the liability? When AI assists or automates compliance checks, where does technology provider responsibility end and corporate responsibility begin? This handover of liability needs crystal clarity.
What about smaller firms? Just as Companies House’s software requirement will challenge some small businesses, comprehensive AI-enabled checking could create a new digital divide in compliance.
Where’s the ceiling? If regulators can demand 100% checking, what else becomes possible? The specter of real-time, continuous compliance monitoring looms.
The truth is, not everything should or will be automated. I like to think of AI in compliance as crtl + F on steroids. It’s not making broad inferences or judgments; it’s finding and connecting information within defined parameters. The most important requirement is transparency. If you’re using technology in a way where you can’t explain what’s happened or show your work, that’s a risky situation. Black-box solutions won’t cut it because regulators will demand to see the reasoning.
I recently spoke with a compliance director who told me something that stuck: “We’ve been playing compliance theater for 20 years. We check the ones we check, everyone knows the game, and somehow we all sleep at night.” That game is ending, not because UK regulators suddenly got tough and not because there’s been another financial crisis. It’s ending because the fundamental math of compliance has changed.
When comprehensive checking becomes cheaper than selective checking, the old bargain dissolves. And while the next regulatory evolution will likely take a while, it could also come faster than you think; so preparation and anticipation remain the best strategies.
Dawid Kotur is founder and CEO of Curvestone, a generative AI platform for legal and compliance professionals. 
