By Stuart Watkins, CEO, Zenoo
The compliance industry has been talking about AI for years. Mostly, that conversation has been about machine learning models that score risk, NLP tools that scan adverse media, and chatbots that answer policy questions. These are useful, but they are incremental improvements to existing processes. What is changing now is fundamentally different.
AI agents are autonomous software workers that can perform multi-step compliance tasks end-to-end. Not generating a suggestion for a human to act on. Actually doing the work: gathering data, making assessments, documenting decisions, and escalating only when the situation genuinely requires human judgement. This is not a future prospect. It is happening now, and it is changing how compliance teams operate.
What an AI agent actually is (and is not)
The term "AI agent" is already being overused, so let us be precise about what we mean.
An AI agent is not a chatbot. A chatbot responds to questions. An agent takes action. An AI agent is not a copilot. A copilot suggests next steps for a human to execute. An agent executes the steps itself. An AI agent is not a rules engine. A rules engine follows predefined logic. An agent can reason about novel situations within defined parameters.
An AI agent, in the compliance context, is a software system that can: receive a task (e.g., "review this screening alert"), gather the relevant information from multiple sources, apply reasoning to assess the situation, make a decision within its delegated authority, document the decision with supporting rationale, and escalate to a human when the situation falls outside its competence.
The critical distinction is autonomy within boundaries. The agent operates independently on routine tasks but recognises the limits of its authority and escalates appropriately. This is not artificial general intelligence. It is narrow, task-specific automation with reasoning capabilities.
Where AI agents work in compliance today
The compliance tasks best suited to AI agents share certain characteristics: they are repetitive, data-intensive, require judgement but within well-defined parameters, and generate large volumes that overwhelm human teams.
Screening alert disposition. This is arguably the highest-impact application today. A typical compliance team spends 60 to 70% of its operational capacity reviewing screening alerts, the vast majority of which are false positives. An AI agent can review an alert, gather contextual information (customer profile, transaction history, the specific list entry that triggered the alert), assess whether the match is genuine, and either clear the false positive with a documented rationale or escalate a true or potential match to a human analyst.
The numbers are significant. We have seen AI agents handle 80 to 85% of screening alerts autonomously, with accuracy rates that match or exceed human analysts on routine cases. For a compliance team processing 2,000 alerts per month, that is 1,600 to 1,700 alerts handled without human intervention, freeing analysts to focus on the 300 to 400 cases that genuinely require their expertise.
"We piloted an AI agent on our sanctions screening alerts for three months. It processed 4,200 alerts. Of the 3,500 it cleared as false positives, our quality assurance team reviewed a random sample of 350 and found two that they would have handled differently. That is a 99.4% agreement rate. Our human analyst agreement rate on the same type of alerts is 96%."
Customer risk assessment. AI agents can perform initial risk assessments on new customers by gathering data from multiple sources (registry data, screening results, transaction history, adverse media), applying the firm's risk methodology, and producing a risk score with a supporting narrative. Human analysts then review and approve the assessment rather than performing it from scratch.
Ongoing monitoring reviews. When an event triggers a review (a sanctions list change, a transaction anomaly, a corporate structure change), an AI agent can gather the relevant data, assess whether the event materially changes the customer's risk profile, and either confirm the current risk rating or flag the customer for human review with a summary of what changed and why it matters.
SAR narrative drafting. Once a human analyst decides that a Suspicious Activity Report should be filed, an AI agent can draft the narrative by synthesising the relevant transaction data, customer information, and the analyst's assessment. The analyst reviews and approves the narrative rather than writing it from scratch, reducing SAR preparation time from hours to minutes.
The audit trail question
The most common objection to AI agents in compliance is regulatory acceptability. Will regulators accept decisions made by AI agents? The answer depends entirely on the quality of the audit trail.
A human analyst who clears a screening alert with a one-line note ("False positive, name similarity only") produces a weaker audit trail than an AI agent that documents: the specific list entry that triggered the alert, the customer data points compared, the reasoning for concluding the match is false, the data sources consulted, and the confidence level of the assessment.
Regulators care about the quality of the decision and the quality of the documentation, not whether a human or a machine produced it. An AI agent that generates a comprehensive, consistent, and transparent decision record for every alert is actually more auditable than a human analyst who produces variable-quality documentation under time pressure.
The key regulatory requirement is that a human remains accountable for the compliance programme and that human oversight exists at appropriate points. This means AI agents should operate within a framework where their authority is defined, their performance is monitored, and humans review a representative sample of their decisions on an ongoing basis.
What changes for compliance teams
The introduction of AI agents changes the role of compliance analysts, but it does not eliminate it. The shift is from processing to supervision and complex case handling.
In a traditional compliance operation, senior analysts spend a significant portion of their time on routine tasks that are below their skill level. Clearing obvious false positives. Performing standard risk assessments on low-risk customers. Documenting decisions that are straightforward but time-consuming to write up. This is a poor use of their expertise and a major contributor to compliance analyst burnout and turnover.
With AI agents handling routine tasks, human analysts focus on the cases that actually require human judgement: complex corporate structures, novel risk scenarios, cases where the data is ambiguous or incomplete, and decisions that require regulatory interpretation rather than rule application. This is more intellectually engaging work and a better use of specialist knowledge.
"Since we deployed AI agents on our screening workflow, our senior analysts tell me they actually enjoy their work more. They are spending their time on interesting, complex cases instead of grinding through obvious false positives. Our attrition rate in the compliance team has dropped from 35% to 15% in the last year. I cannot attribute all of that to the AI agents, but the timing is not a coincidence."
The risks and limitations
AI agents are not a panacea, and pretending otherwise would be dishonest.
Model risk. AI agents make mistakes. They will occasionally clear an alert that should have been escalated, or flag a case that is genuinely benign. The question is not whether mistakes happen, but whether the error rate is acceptable and whether the oversight framework catches errors before they cause harm. This requires ongoing performance monitoring, regular quality assurance reviews, and clear escalation procedures.
Regulatory uncertainty. While regulators have generally been supportive of technology adoption in compliance, specific guidance on AI agent use in compliance decision-making is still evolving. Firms deploying AI agents should document their approach, engage with their regulators proactively, and be prepared to demonstrate that human oversight is maintained.
Over-reliance. There is a risk that compliance teams become overly dependent on AI agents and allow their own expertise to atrophy. Maintaining human competence in the tasks that agents handle is important, both as a fallback and as a quality control mechanism.
Data quality. AI agents are only as good as the data they access. If your underlying screening data is incomplete, your adverse media sources have gaps, or your customer data is outdated, the agent's decisions will reflect those limitations. Garbage in, garbage out applies to AI agents just as it does to human analysts.
Getting started
If you are considering deploying AI agents in your compliance operations, here is a practical starting point.
Start with a high-volume, well-defined task. Screening alert disposition is the most common starting point because the task is well-defined, the volume is high, and the impact of automation is immediately measurable.
Run a parallel pilot. For a defined period, have the AI agent process the same alerts as your human team. Compare decisions. Measure agreement rates. Identify the cases where the agent and the human disagree, and understand why.
Define the agent's authority boundaries. Determine which alert types and risk levels the agent can handle autonomously, and which must be escalated to humans. Start conservative and expand as confidence builds.
Build the oversight framework from day one. Quality assurance sampling, performance dashboards, and regular reviews of the agent's decision patterns should be in place before the agent handles any live cases.
