Agentic Compliance: AI-Driven Governance for the Enterprise

Insights
August 5, 2025
August 7, 2025
Paul Haley

Artificial intelligence will have a transformational impact on GRC, which one AI system defines as:

  • Governance requires clear policies and processes which ensure accountability, transparency, and ethical conduct.
  • Risk management requires identifying, assessing, and mitigating potential risks.
  • Compliance requires adherence to laws, regulations, and internal policies.

The broader view of compliance is not limited to laws or regulations.  Laws, regulations, and policies are analyzed and reduced to “rules” with which processes must comply.  When a law, regulation, or policy is instituted or modified, existing processes must be assessed for compliance.  And where processes are assessed as non-compliant, processes must be changed, such as by revised training of personnel or updating information systems.

Given pertinent laws, regulations, and policies, generative AI can assist in ensuring their consistency, coverage, and clarity.  These are reduced to increasingly clear and specific language governing processes, until that language suffices to determine compliance or to identify gaps to be mitigated.  And the increasingly clear and specific sentences produced are easy to review and approve.

Given an understanding of existing processes, such as the architecture and implementation of information systems, generative AI can almost autonomously reengineer and test those systems to mitigate gaps in compliance with external requirements or internal policies.  Further, this can be done in a manner which provides auditable, explainable accountability back to governing policy.

This document examines the first steps towards more intelligent compliance with governing policy:

  • Analyze governing law, regulation, and policy, reducing them to situated business logic
  • Assess compliance with such governance, identifying any gaps

Subsequent steps, including suggesting or implementing changes to processes, will follow.

As discussed below, governance and compliance are critical but complex undertakings. The complexity often manifests in high costs and non-compliance.  AI agents can make the process of assessing compliance and operating in accordance with governing policy simple and reliable.

Compliance is not Optional

AI can reduce the risk of human oversights, such as in this case of non-compliance with regulations:

U.S. Bancorp has agreed to pay $613 million in penalties to state and federal authorities for violations of the Bank Secrecy Act and a faulty anti-money-laundering program.  The Office of the Comptroller of the Currency said the bank had systemic deficiencies in its anti-laundering monitoring systems, which resulted in gaps and “a significant amount of unreported suspicious activity”.  “The bank failed to adopt and implement a compliance program because of an inadequate system of internal controls, ineffective independent testing, and inadequate training”, the agency said.  

Such penalties arise when enterprises fail to adequately analyze regulations, determine how they apply to the enterprise, and ensure compliance.  According to a 2024 study, the cost of financial crime compliance in the U.S. and Canada reached U.S.$61 billion, and this is only one aspect of regulation in a single sector.

Estimates for the total cost of compliance in the U.S. vary from $2 to $3 trillion.  Such staggering investment is motivated by the cost of non-compliance.  A reputable 2017 study estimated the cost of non-compliance to be almost 3 times the cost of complying.  Moreover, in the years since, regulatory complexity and penalties for non-compliance have increased significantly.  Consequently, the market for compliance technology is well over $100 billion and growing quickly.

The Complexity of Compliance

Ensuring enterprise compliance has traditionally been a multidisciplinary effort. It involves a core team of legal and risk management specialists working in close partnership with key stakeholders across the organization. These stakeholders include executive leadership, business unit managers, and the technology teams responsible for refining information systems and processes.

To facilitate this high-level partnership, organizations rely on various types of analysts who act as crucial intermediaries. These specialists are responsible for translating broad regulatory mandates into concrete business processes and technical specifications, ensuring the strategic goals of compliance are executed at an operational level.

In theory, these analyst roles function like a relay team to carry a compliance initiative from inception to completion. The process might begin with a compliance analyst interpreting a new regulation and outlining its core requirements. A business analyst, embedded within an affected department, then maps these requirements to existing processes and identifies necessary changes. These business requirements are then handed off to a systems analyst who translates them into detailed technical specifications. Finally, a data analyst or risk analyst helps architect a monitoring framework to automatically flag exceptions and produce reports for the Chief Compliance Officer, who relies on them for sustained visibility and accountability.

In reality, this process is rarely so linear or tidy. It is less like a relay race and more like making sausage—an iterative, sometimes messy undertaking involving significant back and forth between responsible parties. For example, a systems analyst might discover that a requirement is not actually satisfied by an information system, sending the process backward to a business or compliance analyst. Even worse, pieces fall to the floor, as they did at US Bancorp. Overlooking, miscommunicating, or misunderstanding critical details, despite significant effort and the best intentions, is difficult to avoid. Overall, the process is expensive, brittle, and prone to error.

From Chaos to Clarity

Technology can reduce the cost of compliance and reduce the risk of non-compliance if it can:

  1. Ensure that no mandate of a law or regulation is overlooked.
  2. Determine and record whether each mandate is applicable or not and why.
  3. Determine and record how each applicable mandate is complied with.

Artificial intelligence can play a significant role in doing this.  For example, given the European Union’s Artificial Intelligence Act, an agent might identify key concepts, such as “prohibited practices”, “transparency obligations”, “high-risk AI”, “general purpose AI”, “systemic risk”, “significant harm”, and so on.  Other agents can reduce the logic within the act to collections of logical truths (aka “axioms”) expressed in English, such as:

  • The application of an AI system by a public authority for the purpose of social scoring is a prohibited practice.
  • The application of an AI system to exploit the vulnerabilities of a person due to their age or disability is a prohibited practice.
  • A provider of a chatbot must be transparent about the fact that a user is interacting with an AI system.
  • A company that uses an AI system to generate a 'deepfake' video must be transparent about the fact that the content is artificially manipulated.
  • An AI is high-risk if it is used to evaluate student exams and its scores could unfairly determine a student's access to higher education.
  • An AI is high-risk if it is used in a critical context and its failure could cause significant harm to a person's rights, health, or safety.
  • The use of an AI system to determine a person's eligibility for essential public benefits is a critical context.
  • Using an AI system to sort résumés for a job application is a critical context.

Another agent might focus on identifying mandates and reducing them to sentences, such as the following from the EU AI Act:

  • A provider of a high-risk AI system must establish a continuous risk management system.
  • A provider must ensure the training data for a high-risk AI system is high-quality and checked for bias.
  • A provider must design a high-risk AI system with specific features that allow a human to intervene, halt, or override its operation.
  • A deployer must use a high-risk AI system according to the provider's instructions.
  • A provider must ensure that a high-risk AI system passes a conformity assessment before placing it on the market.

Another agent might look for exceptions and reduce them to sentences, such as:

  • The AI Act does not apply to an AI system used exclusively for military, defense, or national security purposes.
  • An AI system developed and used for the sole purpose of scientific research and development is exempt from the Act.
  • The use of an AI system for purely personal, non-professional activity falls outside the scope of the Act.
  • The obligations for providers generally do not apply to an AI component released under a free and open-source license, unless it is part of a system that itself involves a prohibited practice or is high-risk or subject to transparency obligations.

This initial step, reducing laws, regulations, internal policy, and guideline documents to such sentences, accelerates the compliance process out of the gate. It jump-starts the process beyond the raw document to the comprehensive set of definitions and requirements which can now drive the process of assessing compliance. Of course, the agents can easily answer questions about any of these sentences and identify where in the source documents they are justified.

Increasingly Actionable Clarity

Notice that each of these sentences is held to be true.  Logically, such statements of truth are known as “axioms”.  They can be further simplified by translating them to “rules”.  Agents skilled in understanding logic generate these rules by normalizing terminology, deciding what needs to be deduced, and writing all the rules that perform such deductions in a simple “if-then” paradigm, with minimal use of words like ‘or’ and other expressions which can confuse readers.  This results in individual sentences which are easy for everyone, including agents, to understand:

  • If a provider provides a high-risk AI system and has not established a continuous risk management system that satisfies the Act's requirements, then the provider violates the Act.
  • If a provider's continuous risk management system (CRMS) does not include a process for identifying and analyzing all reasonably foreseeable risks, then the CRMS does not meet the requirements of the Act.
  • If a provider's final system involves a prohibited practice, then the provider may not place that system on the market.
  • If a provider's final system is classified as high-risk, then the provider may not place that system on the market before it passes a conformity assessment.
  • If a provider's final system is a chatbot, then the provider may not put that system into service without ensuring users are informed they are interacting with an AI.
  • If an AI system is used by a public authority to evaluate a person and assign them a social score, then the use of that system involves a prohibited practice.
  • If an AI system is used to exploit the vulnerabilities of a person due to their age, then the use of that system involves a prohibited practice.
  • If an AI system is used to exploit the vulnerabilities of a person due to a disability, then the use of that system involves a prohibited practice.

All these English rule sentences are added to the memory shared by the agents.  The agents can easily answer questions about these and justify or otherwise discuss them and the pertinent sections of source documents.

Acquiring Knowledge

As agents accumulate such sentences, they can determine what provisions of a law or regulation apply.  For example, someone might ask an agent how the EU AI Act applies to a particular AI system.  Agents would have to ask questions to determine that.  The answers to those questions might be given verbally or found in documents uploaded during the conversation.

The following are examples of questions agents might ask or investigate in the course of determining the applicability, for example, of the EU AI Act to a proposed AI system:

  • "Is the system designed to interact with people based on their age?"
  • "Is the system designed to interact with people based on a disability?"
  • "Is the system designed to interact with people based on their specific social or economic situation, such as poverty or unemployment?"
  • "Could this system be used by a public authority to assign a 'social score' to people?"
  • "Could this system be used in the context of employment or workforce management?"
  • "Could this system be used in education or vocational training?"
  • "Could this system be used to determine a person's eligibility for an essential service, like a loan, insurance, or public benefits?"
  • "Could an error or biased output from the system cause significant harm to a person's rights, health, or safety?"
  • "Have you established a continuous risk management system for this AI?"
  • "Does your risk management system include a documented process for identifying and analyzing all reasonably foreseeable risks?"
  • "Has the system passed a formal conformity assessment?"
  • "Is the system designed to have a conversation with a person?"
  • "Are users explicitly informed that they are interacting with an AI?"
  • "Is the final AI system itself released under a free and open-source license?"
  • "Are the core AI components it was built with released under a free and open-source license?"

Of course, the agent would not ask such questions if they were not relevant to determining how the AI is governed by the Act.  For example, they would not ask about risk management until they had inferred that the provisions mandating a CRMS applied to the AI system.

During such conversations and from any uploaded documents, the agents obtain facts about the enterprise use case and add them to memory.  They do this in a way that tracks their provenance, so that they can refer back to the conversation or document when asked to explain their conclusions.

Assessing Compliance

This process can continue through assessing compliance and risks.  For example, the following axioms pertain to when a risk management system is required by the EU AI Act:

  • A provider of a high-risk AI system must establish, implement, document, and maintain a continuous risk management system.
  • The risk management system must be a continuous iterative process that runs throughout the AI system's entire lifecycle.
  • The risk management process must include the identification and analysis of all known and reasonably foreseeable risks.
  • The risk management process must include the adoption of appropriate mitigation measures to address identified risks.
  • The risk management system must evaluate risks arising from data gathered by the post-market monitoring system.

From which the following rules might be derived:

  • If a provider of a high-risk AI system has not established a continuous risk management system, then the provider violates the Act.
  • If a provider's risk management system is only applied at the design phase and not throughout the AI system's entire lifecycle, then the system does not meet the requirements of the Act.
  • If a provider's risk management system does not include a documented process for identifying and analyzing all reasonably foreseeable risks, then the system does not meet the requirements of the Act.
  • If a provider's risk management system identifies a foreseeable risk but includes no corresponding mitigation measure, then the system does not meet the requirements of the Act.
  • If a provider's risk management system has no process for incorporating data from post-market monitoring, then the system does not meet the requirements of the Act.

And agents might ask or investigate the following:

  • "Have you established a documented Continuous Risk Management System (CRMS) for this high-risk AI system?"
  • "Does your risk management process cover the entire lifecycle of the AI, from initial design and development through to post-market monitoring and updates?"
  • "Does your CRMS include a formal process for identifying and documenting foreseeable risks to health, safety, or fundamental rights?"
  • "For the risks you identify, does your process require that a corresponding mitigation measure be adopted and documented?"
  • "Is there a defined process for feeding data and insights gathered from your post-market monitoring back into your risk analysis on a regular basis?"

As above, the agents add any answers or findings as facts and evidence in memory. They are able to provide explanations and refer back to facts, evidence, attestations, and documents.  They are also able to answer questions given the knowledge they have obtained in the course of reading documents and conversing with involved parties.
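The if-then rule sentences under Increasingly Actionable Clarity and the risk-management rules and questions in this section describe a small knowledge base: rules derived from axioms, facts gathered from conversations and documents, and explanations that trace each finding back to its sources. The Python below is an added example, not code from the article or its author; it encodes a handful of the page's rules in a toy forward-chaining checker whose facts carry provenance tags. The sample facts, source tags, and "placeholder cite" citations are constructed and do not correspond to real article numbers of the EU AI Act.

```python
# Added example (not the article's code): a toy forward-chaining checker for some of
# the page's if-then rules. Facts carry provenance; conclusions keep the rule used.
from dataclasses import dataclass

@dataclass(frozen=True)
class Fact:
    statement: str
    source: str  # provenance: conversation turn or uploaded document

@dataclass(frozen=True)
class Rule:
    premises: tuple  # all must hold: plain if-then, no 'or'
    conclusion: str
    citation: str  # where the rule is justified; placeholders below

# Rules paraphrased from the article's sentences; citations are placeholders.
RULES = (
    Rule(("used to sort resumes for job applications",),
         "used in a critical context", "AI Act [placeholder cite A]"),
    Rule(("used in a critical context", "failure could cause significant harm"),
         "high-risk", "AI Act [placeholder cite B]"),
    Rule(("high-risk", "no continuous risk management system"),
         "provider violates the Act", "AI Act [placeholder cite C]"),
    Rule(("high-risk", "no conformity assessment passed"),
         "may not be placed on the market", "AI Act [placeholder cite D]"),
)

# Constructed sample facts, as an agent might record answers to the page's questions.
FACTS = (
    Fact("used to sort resumes for job applications", "conversation turn 3"),
    Fact("failure could cause significant harm", "conversation turn 5"),
    Fact("no conformity assessment passed", "uploaded doc: release-plan.pdf"),
)

def assess(facts, rules=RULES):
    """Forward-chain to a fixed point; map each statement to ('asserted', source)
    or ('derived', rule) so every conclusion keeps its justification."""
    known = {f.statement: ("asserted", f.source) for f in facts}
    changed = True
    while changed:
        changed = False
        for r in rules:
            if r.conclusion not in known and all(p in known for p in r.premises):
                known[r.conclusion] = ("derived", r)
                changed = True
    return known

def explain(known, statement, indent=0):
    """Justification chain for a statement, one indented line per step."""
    kind, info = known[statement]
    pad = "  " * indent
    if kind == "asserted":
        return [f"{pad}{statement}  [source: {info}]"]
    lines = [f"{pad}{statement}  [rule: {info.citation}]"]
    for premise in info.premises:
        lines += explain(known, premise, indent + 1)
    return lines

def findings(known):
    """Derived conclusions only: what the agent concluded, not what it was told."""
    return sorted(s for s, (kind, _) in known.items() if kind == "derived")
```

With the constructed facts, `findings(assess(FACTS))` derives the critical-context, high-risk, and market-placement conclusions but not "provider violates the Act", because no fact about the absence of a CRMS was ever recorded; `explain` then prints each finding with the rule and the provenance-tagged facts behind it.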

Continuous Improvement

The process discussed above repeats as regulations and policies change.  Agents continue to learn about the organization and its industry as they confirm or elicit knowledge and evidence and assess compliance.  This interactive loop continuously improves compliance accuracy, builds reusable institutional memory, and keeps the organization audit-ready, reflecting the methodology described in the Agentic Compliance Process.

Governance and Compliance

The EU AI Act is a simple example of a much more complex problem.  In another article, we discuss more general governance which involves operating in accordance with policies and guidelines formulated by an organization which are not limited to those motivated by external regulations.  In a similar fashion to assessing compliance with the AI Act, AI can help reduce abstract policies to operational rules. Furthermore, agents can assess whether business processes, workflows, and information systems comply with such policies and rules.  This typically involves more conversation and documents and may leverage multi-modal AI to comprehend diagrams and user interfaces, for example.  Agents are also able to read the programming code which supports workflows or which implements information systems.  In the course of drilling down from policy to practice, the agentic system accumulates increasingly detailed and comprehensive knowledge about the organization and its operations.  As the agentic system’s memory accumulates, agents become increasingly capable, and conversations become increasingly productive.  

Crafting the Future

Eventually, many expect agentic systems to automate most information technology. Agents, supervised by their human counterparts, will substantially automate the generation of the software supporting all aspects of the enterprise and its operations. Comprehensive understanding and automation of information systems in compliance with governing policy and law will take a few more years.

The first step towards this future, assessing compliance, can be taken now.  And the knowledge agents gain in the process will power the future of increasingly agentic enterprises.

By adopting agentic governance, organizations unlock tangible value beyond risk mitigation. This approach reduces exposure to costly penalties, accelerates audits with always-ready evidence, and streamlines analyst workloads, improving operational efficiency. Over time, the accumulation of reusable knowledge and automated checks delivers long-term savings and resilience, creating a future-proof, trust-by-design enterprise where compliant governance becomes a strategic advantage.
