Can GenAI finally earn trust on the compliance desk?

GenAI is no longer a novelty in financial services, but on the compliance desk, trust is still hard-won. While generative models promise faster analysis of regulations, risks, and controls, concerns around explainability, accountability, and regulatory scrutiny continue to slow adoption. As pressure mounts to do more with less, compliance teams are being forced to decide whether GenAI can be relied on for defensible decision-making — or whether it remains a powerful assistant that still needs close human supervision.

In the first part of a two-part series, RegTech Analyst spoke to key industry leaders to get their take on whether GenAI is able to secure the trust of compliance leaders.

For many compliance leaders, the trust question hinges on whether GenAI can be treated like any other regulated system. Paul Burleton, CPO at Corlytics, argues that firms must apply the same discipline they would to traditional compliance models. Outputs need to be version-controlled, traceable, and defensible, supported by a clear audit trail showing inputs, model changes, and resulting decisions. While the growing complexity of large language models increases opacity, Burleton believes combining explainability techniques with rigorous testing by subject-matter experts can meet regulatory expectations — provided these controls are designed in from the outset rather than retrofitted later.

Guardrails are emerging as a critical layer in that design. Rather than limiting GenAI’s usefulness, well-constructed workflows can reinforce governance while delivering real operational gains. These include confidence thresholds, policy validation, and tracking human overrides so that models improve over time. When implemented properly, Burleton notes, such frameworks do more than manage risk — they also streamline day-to-day compliance operations and regulatory change management.

Regulatory attitudes toward GenAI remain cautious but pragmatic. In the US, FINRA has classified generative AI as a “supervised technology,” signalling that it will be held to the same standards as other compliance systems. Global bodies such as the Basel-based Financial Stability Institute have warned of new risks, including hallucinations, but continue to emphasise that existing frameworks around model risk and data governance still apply. Some regulators are even pushing ahead: Finland’s FSA has described GenAI as a supervisory “sweet spot,” identifying more than 100 potential use cases. The message is clear — GenAI is not being rejected, but it is being held to a higher bar.

That rising bar is something Areg Nzsdejan, CEO of Cardamon, believes compliance teams should embrace rather than fear. “The bar is actually the same as it would be for any human colleague,” he says. “You need to be able to clearly explain why a decision was made.”

For GenAI, that means material outputs must be traceable to their rationale and, where possible, grounded in source citations. Judgement-based workflows are inevitable, particularly in areas like reputational risk or obligation prioritisation, but Nzsdejan stresses that the methodology behind those judgements must be explicit, documented, and reviewable. Black-box approaches, he warns, are simply not sign-off-able in regulated environments.

Human-in-the-loop models are widely seen as the most effective way to manage hallucinations and accountability in high-stakes decisions. Nzsdejan likens AI oversight to existing compliance controls: “In regulated environments, we already assume that people can make mistakes, which is why we use controls like four-eye checks.” At Cardamon, no critical AI output is final until a human explicitly approves it, ensuring AI accelerates work without silently shifting responsibility.

Alex Mercer, Head of Innovation Lab at Zeidler Group, takes a similarly pragmatic stance. He advises clients to treat GenAI outputs as they would those of a third-party contractor: for low-risk tasks, lighter oversight may be acceptable, but for decisions requiring extreme accuracy, verification is essential. Mercer highlights a structural limitation of LLMs — they generate statistically likely outputs rather than reasoning step-by-step — making human review indispensable in sensitive compliance workflows. “For anything that carries a high degree of risk or a high degree of consequences,” he says, “we always recommend having a human-led approach.”

Despite these limitations, regulators are unlikely to resist GenAI’s adoption. Nzsdejan argues that regulators have little choice but to engage with the technology, as bad actors are already using AI to scale fraud and financial crime. Used properly, GenAI can help firms detect issues earlier, remediate faster, and reduce residual risk — even if that ultimately raises expectations around compliance performance. “The bar is going to rise anyway as risks scale,” he says. “GenAI just makes it possible to clear it.”

Balancing act

Balancing productivity gains with new risks around governance, bias, and model drift remains one of the toughest challenges. Mercer notes there is no universal solution, with firms experimenting across a spectrum of controls — from SME oversight to committee reviews, and in some cases minimal governance at all. Bias and drift are particularly difficult to manage when firms rely on third-party foundation models, leaving continuous monitoring as the primary defence. His advice is blunt: “Pay attention.” Automation, he cautions, does not justify complacency.

From a vendor perspective, Esteban Lopez, Senior Manager of Product & Technical Marketing at Theta Lake, argues that trust ultimately depends on governance visibility. Without explainability, auditability, and oversight, GenAI remains little more than a productivity tool. Theta Lake’s approach focuses on maintaining full-fidelity records of prompts and responses, giving compliance teams the context they need to reconstruct AI-driven decisions and demonstrate control to regulators. Guardrails, Lopez suggests, are only effective when backed by complete data and end-to-end transparency.
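The controls described above by Burleton (confidence thresholds, policy validation, tracking human overrides), Nzsdejan (no critical output final without explicit human approval, four-eye checks) and Lopez (full-fidelity records of prompts and responses) fit together in a single workflow. The following is an added illustration of that workflow, not code from Corlytics, Cardamon, Theta Lake or any other firm quoted here: a policy validator and a confidence threshold route each output; high-risk outputs are never final until a human who is not the requester approves them; every prompt, response, routing decision and human decision is written to a hash-chained audit log so that later edits are detectable; and overrides of the automated routing are counted as a signal for retuning. The record fields, the approved-source list, the 0.85 threshold and the sample prompts are assumptions constructed for the example.

```python
# Illustrative guardrail pipeline and audit trail for GenAI compliance outputs.
# Added example, not code from any firm quoted in the article; record fields, the
# approved-source list and the confidence threshold are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import json

APPROVED_SOURCES = {"reg-handbook-2024", "internal-policy-aml-v3"}  # constructed
CONFIDENCE_THRESHOLD = 0.85  # assumed calibration point for lighter oversight


@dataclass(frozen=True)
class ModelOutput:
    prompt: str
    response: str
    confidence: float   # model-reported or calibrated score in [0, 1]
    citations: tuple    # source ids the response is grounded in
    model_version: str  # model / prompt template that produced the output
    risk_tier: str      # "low" or "high": task risk set by the workflow, not the model


def validate_policy(out):
    """Return policy violations; an empty list means the output passes."""
    problems = [] if out.citations else ["no source citation"]
    problems += [f"unapproved source: {c}" for c in out.citations if c not in APPROVED_SOURCES]
    if not 0.0 <= out.confidence <= 1.0:
        problems.append("confidence outside [0, 1]")
    return problems


def gate(out):
    """Route to 'blocked', 'needs_review' or 'auto_release'. High-risk work always
    goes to a human; low-risk output is released automatically only if policy
    passes and confidence clears the threshold."""
    if validate_policy(out):
        return "blocked"
    if out.risk_tier == "high" or out.confidence < CONFIDENCE_THRESHOLD:
        return "needs_review"
    return "auto_release"


class AuditTrail:
    """Append-only, hash-chained record of prompts, responses, routing and human decisions."""

    def __init__(self):
        self.entries = []

    def _append(self, record):
        record["prev_hash"] = self.entries[-1]["hash"] if self.entries else "0" * 64
        record["ts"] = datetime.now(timezone.utc).isoformat()
        body = json.dumps(record, sort_keys=True)
        record["hash"] = hashlib.sha256((record["prev_hash"] + body).encode()).hexdigest()
        self.entries.append(record)
        return record

    def log_output(self, out, requested_by):
        return self._append({
            "type": "model_output", "prompt": out.prompt, "response": out.response,
            "confidence": out.confidence, "citations": list(out.citations),
            "model_version": out.model_version, "risk_tier": out.risk_tier,
            "policy_violations": validate_policy(out), "routing": gate(out),
            "requested_by": requested_by})

    def log_human_decision(self, output_hash, reviewer, approved, note):
        parent = next(e for e in self.entries if e["hash"] == output_hash)
        if reviewer == parent["requested_by"]:
            raise ValueError("four-eye check: reviewer must differ from requester")
        # An override is a human decision that contradicts a definite automated routing.
        override = ((parent["routing"] == "auto_release" and not approved)
                    or (parent["routing"] == "blocked" and approved))
        return self._append({"type": "human_decision", "output_hash": output_hash,
                             "reviewer": reviewer, "approved": approved,
                             "override": override, "note": note})

    def is_final(self, output_hash):
        """Final only if auto-released or explicitly approved by a human."""
        routing = next(e for e in self.entries if e["hash"] == output_hash)["routing"]
        if routing == "auto_release":
            return True
        return any(e["type"] == "human_decision" and e["output_hash"] == output_hash
                   and e["approved"] for e in self.entries)

    def override_rate(self):
        """Share of human decisions that overrode the routing: a retuning signal."""
        d = [e for e in self.entries if e["type"] == "human_decision"]
        return sum(e["override"] for e in d) / len(d) if d else 0.0

    def verify_chain(self):
        """Recompute every hash; an edited or removed entry breaks the chain."""
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps({k: v for k, v in e.items() if k != "hash"}, sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if e["prev_hash"] != prev or expected != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

The design choice worth noting is that the gate never makes a high-risk output final on its own: `is_final` returns true only for an auto-released low-risk output or for one with a logged human approval from a second person, which is what the "not sign-off-able" objection to black-box approaches and the four-eye check both demand. The override counter is deliberately narrow: a human rejecting a `needs_review` item is not an override, because the system made no recommendation there; only contradictions of `auto_release` or `blocked` count, so the rate measures how often the threshold or policy rules were wrong.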

Question of governance

For RelyComply, trust in GenAI is ultimately a question of governance rather than capability. Generative AI can earn a place on the compliance desk, they argue, but only if it is treated as a regulated capability, with transparency, oversight, and auditability built in from the outset. Clear documentation and defensible controls are essential if AI outputs are to withstand regulatory scrutiny.

While GenAI’s efficiency potential is widely recognised, its use in compliance remains cautious, particularly in high-risk areas such as AML. Regulators are increasingly open to innovation, but only where AI operates within robust governance frameworks. Ongoing concerns around hallucinations, misinformation, and misuse continue to limit the extent to which GenAI can be trusted in decision-critical processes.

Adoption is already taking place in lower-risk use cases. Tools such as ChatGPT are commonly used by compliance professionals to summarise regulatory material, structure thinking, and support routine tasks. In these scenarios, GenAI can provide meaningful assistance when outputs are reviewed by human experts. However, RelyComply notes persistent scepticism in the industry, driven by the risk of AI being used as a shortcut rather than as a controlled efficiency tool. GenAI, they stress, should assist expert judgement, not replace it.

Regulators may welcome productivity gains, but accountability remains non-negotiable. Firms must be able to demonstrate how AI systems are trained, how outputs are interpreted, and how final decisions are made. Human oversight is therefore central, ensuring responsibility remains with compliance teams and regulatory standards are upheld.

For higher-risk applications such as transaction monitoring, compliance gap analysis, and risk alerting, expectations rise further. RelyComply highlights the importance of using proprietary, domain-specific datasets to reduce bias and improve accuracy, alongside explainable models that allow regulators and auditors to understand how conclusions are reached. Continuous testing, refinement, and collaboration between firms, RegTech providers, and regulators are essential to maintaining model performance over time.

Ultimately, trust in GenAI is built through governance, transparency, and accountability. Models are not static solutions but evolving tools that require ongoing feedback and control. When deployed responsibly, RelyComply believes GenAI can support faster, higher-quality AML outcomes at a time when compliance demands continue to intensify.

Taken together, the message from across the industry is consistent. GenAI can earn trust on the compliance desk — but only if it is treated as a regulated capability, not a shortcut. Transparency, human accountability, and continuous oversight are not optional add-ons; they are the price of admission. Firms that invest early in these foundations may find that trust in GenAI is not just achievable, but essential as regulatory complexity and financial crime risks continue to scale.
