Risk and compliance teams in 2022–25 didn’t want magic. They wanted tools that surfaced signals, preserved audit trails, and respected existing controls.
Working with risk and compliance between 2022–25 taught us a lot about how AI should show up in sensitive domains. These teams were not opposed to AI - many were excited about it - but they needed systems that fit their mental models of evidence, accountability, and control.
Start as a Spotlight, Not an Autopilot
The most successful first deployments used AI to highlight anomalies, suggest potential issues, and prioritise workloads. Only after months of monitored performance did we start closing loops and automating low-risk actions.
Design Principles Risk Teams Responded Well To
Risk and compliance teams had clear instincts about what felt safe. They wanted systems that logged everything, made it obvious what data and models were used for each decision, and allowed them to override or stop automation quickly if something looked wrong. They were less interested in model internals and more interested in whether the system fit their existing lines of accountability.
- Traceability: every alert or recommendation linked back to the exact data, model version, and rules involved
- Separation of duties: the AI surfaced signals; humans in existing roles decided on enforcement actions
- Auditability: logs were immutable, searchable, and retained long enough for regulatory review
- Change control: model and rule changes went through the same change management processes as other critical systems
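To make the traceability, separation-of-duties, and auditability principles concrete, here is an added example (not code from the original article or from any system it describes) of a hash-chained log in which each AI alert pins the input digest, model version, and rule IDs, and the human decision is a separate attributed record. The field names, sample values, and the chaining scheme are assumptions; chaining makes tampering detectable, while actual immutability still depends on write-once storage.

```python
import hashlib
import json

# Assumed scheme (not from the article): each record stores the previous
# record's hash, so any later edit breaks verification from that point on.
GENESIS = "0" * 64  # anchor for the first record's "prev" field

def digest(obj):
    """SHA-256 of canonical JSON (sorted keys, fixed separators)."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def append(log, kind, **fields):
    """Append a record chained to the previous record's hash."""
    body = {"seq": len(log), "kind": kind,
            "prev": log[-1]["hash"] if log else GENESIS, **fields}
    log.append({**body, "hash": digest(body)})
    return log[-1]

def record_alert(log, input_data, model_version, rule_ids, score):
    """AI side: pin the exact data, model version and rules behind an alert."""
    return append(log, "alert", input_sha256=digest(input_data),
                  model_version=model_version, rule_ids=sorted(rule_ids),
                  score=score)

def record_decision(log, alert_seq, reviewer, action):
    """Human side: the enforcement decision is a separate, attributed record."""
    if not (0 <= alert_seq < len(log)) or log[alert_seq]["kind"] != "alert":
        raise ValueError("decision must reference an existing alert")
    return append(log, "decision", alert_seq=alert_seq,
                  reviewer=reviewer, action=action)

def first_broken(log):
    """Return the index of the first record that fails verification, or -1."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev or digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1

# Constructed sample data, not taken from any real system.
log = []
txn = {"txn_id": "T-1001", "amount": 9800, "country": "XX"}
record_alert(log, txn, "fraud-model-1.4.2", ["R17", "R03"], 0.91)
record_decision(log, 0, "analyst.jdoe", "escalate")
```

An auditor can recompute `digest()` over the retained input and compare it with `input_sha256` to confirm which data an alert was raised on.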
Choosing the First Use Cases Carefully
The worst early AI projects for risk teams went after high-consequence decisions immediately: automatic transaction blocking, automated case closure, or unsupervised policy enforcement. The projects that built trust started with monitoring and triage: highlighting unusual activity, flagging high-risk cases for review, and prioritising workloads, while leaving the final decision to humans.
1. Start with detection and triage use cases where AI can surface patterns humans might miss.
2. Keep humans firmly in the decision loop for any action with legal or regulatory consequences.
3. Measure success not just by accuracy, but by reviewer time saved and improved coverage of high-risk cases.
Key takeaways
- Starting with monitoring use cases built trust before automation
- Traceability and audit logs mattered more than model internals
- Risk teams appreciated honest evaluation data over marketing claims
- Use case selection by consequence class prevented dangerous overreach
- Joint workshops between engineering and risk teams paid off quickly