Compliance has become the financial services industry’s most expensive paradox. Despite financial institutions funnelling billions in their operating budgets, compliance spending surged by 12% last year, even as risk exposure continued to rise.1
While the bank’s digital core executes high-velocity processes such as real-time payments, instantaneous FX trading and customer onboarding, it remains throttled by an analogue control engine that still relies on spreadsheets and PDFs. This architecture is buckling under a 35% year-on-year increase in regulatory mandates.2
To break this cycle, the strategic pivot must shift from ‘Optimisation’ (making manual tasks faster) to ‘Codification’ (turning mandates into executable code). We must treat compliance not as a periodic check, but as software that is codified, continuous, and intelligent.
The non-deterministic barrier: Policies written for humans
The primary obstacle to modernisation is that regulatory policies were written for humans, not machines. These documents rely on subjective judgement, creating a ‘cold start’ problem characterised by overlapping, conflicting, and constantly shifting regulations and associated corporate policies. When the ‘source of truth’ is a 1000-page PDF, the translation to technical controls is where the risk leaks in.
When the ‘source of truth’ is a 1000-page PDF, the translation to technical controls is where the risk leaks in.
The vision: An intelligent control fabric
To achieve an autonomous state, we must move past human-centric interpretation. The goal is an Intelligent Control Fabric, a self-aware layer woven into the enterprise’s digital core where compliance is invisible yet omnipresent. Powered by Kyndryl’s Agentic AI, this fabric serves as the ‘nervous system’ that transforms compliance from a hindsight-driven cost center into a deterministic strategic advantage.
This fabric enables:
Real-time detecting and decoding of regulatory shifts by breaking down policy documents into discrete visual decision trees.
Assessing impact and fixing the drift before a risk materialises.
Generate real-time, audit-ready evidence that is inherently more reliable than manual screenshots, reducing audit effort by up to 74%.3
The non-deterministic barrier: Policies written for humans
The primary obstacle to modernisation is that regulatory policies were written for humans, not machines. These documents rely on subjective judgement, creating a ‘cold start’ problem characterised by overlapping, conflicting, and constantly shifting regulations and associated corporate policies. When the ‘source of truth’ is a 1000-page PDF, the translation to technical controls is where the risk leaks in.
Bridging the cold start: From ambiguity to codification
To move from ambiguous, paper-based documents to machine-executable reality, we implement a layered technical architecture:
Layer 1: The enforcement layer: Policy-as-Code:
We break down policy documents into discrete, binary decision trees and translate these policies into machine-executable rules (using languages like Rego). This Policy-as-Code serves as an enforceable control layer that sits between the AI and the toolset. While the AI can reason freely, the policy layer deterministically decides what is allowed to execute, ensuring tool access is gated and auditable
Layer 2: Semantic verification: Domain ontologies:
To solve the ‘cold start’ problem, we use domain ontologies. Instead of simple pattern matching, the system uses the contextual understanding of Transformer architectures to reason over the intent of a regulation. This allows the system to highlight conflicts or inconsistencies within documented policies impartially.
Layer 3: The adaptive intelligence layer: Kyndryl’s Agentic AI:
This is the cognitive engine of continuous assurance. Kyndryl leverages decades of experience operationalising mission-critical systems, generating over 12 million AI-driven insights monthly. This layer provides:
- Regulatory ingestion: Continuously reconciling new obligations against the organisation’s active Policy-as-Code control set.
- Strategic simulation: Allowing businesses to simulate how tweaking a policy would impact rejection rates or customer demographics before the rule is live.
- Human-in-control design: Shifting the human role from a doer (manual checker) to a supervisor (strategic governor), providing final verification for absolute governance.
Conclusion: From liability to strategic capability
The future of regulatory assurance demands a fundamental shift: treating compliance as software engineered into the fabric of the enterprise. By integrating Policy-as-Code with Kyndryl’s Agentic AI, financial institutions can finally move beyond reactive manual checklist driven controls to achieve intelligent, real time, preventative assurance. This is the moment where compliance stops slowing the organisation down and starts accelerating resilience, trust, and innovation.
The leadership mandate is unmistakable: stop inspecting compliance and start engineering it. Those who act now will not only reduce structural risk and cost, but they will build a digital core that regulators trust, that customers rely on, and that the organisation can innovate on with confidence. The firms that embrace this shift will set the standard for the next era of financial services.
Explore more
At Kyndryl, we believe that AI, done right, creates real business value.
Get actionable insights, real-world strategies and practical guidance to transform and drive meaningful impact with our Kyndryl + WIRED Rethink AI videos series.
1 Global Cybersecurity Outlook 2025, World Economic Forum, January 2025
2 Financial Services: Research Shows Regulatory Burden Increased 35% YoY, Dun & Bradstreet, August 2024
3 Compliance-as-Cod 2.0: Orchestrating Regulatory Operations with Agentic AI, Journal of Artificial Intelligence General sciences, ISSN3006-4023, August 2024