Everything, Everywhere is Compliance
Why AI's Biggest Enterprise Opportunity Is Also Its Most Boring
Over the last 20 years the fastest-growing occupation in the US was manicurists and pedicurists.
But following close behind? Compliance Officers.
Compliance is a bigger business than you think. Every dollar that leaves or enters a business: paying employees (payroll, wage laws), reporting revenue (tax filings), moving capital (payments, AML/KYC) is subject to compliance. In regulated industries, even the way and how often a company communicates with its customers is a compliance activity!
Today, there are more than 400,000 compliance officers employed across the United States, representing over $40 billion in annual labor spend (with many billions more in compliance-related consulting and outsourcing jobs). In banking alone, more regulatory restrictions were added to Title 12 of the Code of Federal Regulations (CFR), Banks and Banking, from 2010 to 2014 than the entire title contained in 1980. Yet despite this demand, the talent pipeline for compliance remains strained. The U.S. Bureau of Labor Statistics (BLS) projects 33,300+ compliance openings annually over the next decade, a demand made more acute by an industry where 87% of entrants eventually leave the field and annual churn exceeds 20%, leaving organizations in a near-constant cycle of recruiting and losing expertise.
As the world has grown more complex and legal requirements for corporations have risen, the response of enterprises has been simple: throw more people at the problem.
More people, it turns out, has not meant better outcomes. For instance, in 2024, TD Bank was slapped with a $3 billion fine for failing to monitor 92% of its transactions, including a backlog of 70,000 detection alerts dating back to 2018. And TD Bank isn’t alone; the same pattern of ballooning teams and growing backlogs has played out at nearly every major financial institution in the last decade. In that time, the work has remained stubbornly manual.
Compliance is “schlep work”: painful, bureaucratic, and often paper-based, so it has persisted as manual and human-intensive. That same friction and inertia has made compliance a historical graveyard for startups.
So, why is it different now?
1. The technology has moved from “Good Enough to Pilot” to “Good Enough to Trust”
Sometimes the market for something done very well is 100x the market for something done just okay. This is the case in compliance, where a 90% correct product is still 100% wrong.
A prime example is document processing (which makes up a lot of compliance activity). OCR has been around for decades, getting the job mostly done. However, “mostly” doesn’t cut it when you’re underwriting a mortgage, onboarding a business, or reviewing an insurance claim. Now, with Vision Language Models (VLMs), which understand the broader context of a document and produce far fewer errors, enterprises suddenly can’t sign contracts fast enough. The technology didn’t just get incrementally better; it crossed the threshold from “good enough to pilot” to “good enough to trust.”
Beyond this, AI brings several more capabilities. First, it can read, extract, and reason over documents with near-human accuracy: incorporation filings, financial statements, and 400-page regulatory PDFs. Second, computer-use agents can navigate legacy software the way a human would, without waiting for an API or a six-month integration project. Third, long-horizon task execution means an agent can run an entire workflow end-to-end (pulling data, cross-checking databases, flagging exceptions, filing a report), not just assist with a single step.
In legal, broad model choice and consistently high accuracy gave teams the confidence to finally embrace AI – many LLMs now score 80-100% on LegalBench’s 162 legal reasoning tasks. This matters directly for compliance, because compliance is essentially applied legal reasoning under operational constraints, built on the same core tasks: reading regulatory text, applying rules to fact patterns, identifying exceptions, and flagging ambiguities.
2. Sales cycles have moved from “slow” to “fast”
For the first time, the risk of an enterprise not modernizing its compliance stack outweighs the risk of change. Regulated enterprises have long stuck with clunky GRC (Governance, Risk, and Compliance) tools and brittle legacy systems because migrations were painful, the cost of an audit miss was too high, and “good enough” felt safer than change.
AI has changed this. Compliance is moving from a pure cost center to a revenue driver. In financial services, faster KYC/B means faster onboarding, which means less chance of drop-off and faster time to revenue. Better AML monitoring means fewer false positives, which means fewer legitimate customers flagged and fewer relationships damaged. Quicker marketing reviews mean ad content can be put in front of customers sooner. That reframes the competitive argument: enterprises that modernize aren’t just saving cost, they are converting customers their slower competitors are failing to onboard. The competition is not AI itself. It’s other enterprises with AI.
Furthermore, if we assume that agents will soon become the predominant purchasers on the web, this opens an entirely new category of risk. Traditional compliance was designed around human actors. We now need a modern AI approach for verifying identity, assessing intent, and establishing liability when the counterparty is an autonomous agent.
All this means that a function that historically didn’t buy software is suddenly leaning in.
The three layers of compliance
Every compliance function, at every regulated enterprise, is built from the same three ingredients:
Regulation that governs the work: rules, internal policies, and the endless translation between them.
Software systems that try to codify that regulation: GRC platforms, case management systems, sanction-screening tools, and brittle automations to tie them all together.
People who use the software according to the regulation: reading documents, filling in forms, cross-checking databases, writing reports.
Most of the “job to be done” in compliance consists of copying information from documents, manually reviewing that information for accuracy or inconsistencies, and ongoing monitoring (repeating these first two tasks on a regular cadence).
To bring this to life, let’s take a Suspicious Activity Report (SAR) in banking. When an alert fires in NICE Actimize [software] flagging unusual transaction activity, Sarah the compliance officer [people] reviews the case, navigates to the core banking system to pull the full transaction history, then cross-references the customer’s KYC file across a separate database and a shared drive for onboarding docs, ID verification, and source of funds. She checks internal policy guidelines and rules [regulation] to assess whether the activity crosses the threshold for a SAR and makes a judgement call, then returns to NICE Actimize to write her “narrative,” manually copying in transaction details and customer data from every system she just visited.
Any of these make for great wedges to build your AI startup.
1. Turn regulation into code
Every new entry in Title 12 (OCC, Fed, FDIC, across 70+ chapters!), FINRA, SEC, CFTC, and every state-level policy variation lands as a PDF that humans have to read, interpret, translate into internal policy, and then monitor for changes.
AI can turn regulation into code: structured, auto-updating, interpretable by agents. A 400-page regulatory document can now be parsed into a structured set of obligations that software can check against. Regulation stops being a document that people interpret and becomes code that systems execute. Two things change as a result: monitoring becomes continuous instead of periodic, and a regulatory change propagates through an enterprise in minutes instead of quarters. In the case of payroll in Brazil, a compliance officer’s entire job is refreshing government websites for rule updates, pulling affected employees into a spreadsheet, and manually recalculating payroll.
Example: Tako converts Brazil’s labor regulations (over 10,000 unions and nearly 900 rule changes per year) into a “system of intelligence” that audits payroll and union rules in your company’s context, answers complex people operations questions in natural language, and flags off-policy actions in real time before they become violations.
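To make “regulation into code” concrete, here is an added Python example (not code from the post, from Tako, or from any vendor named here) of the minimal machinery: obligations stored as structured, versioned, dated data rather than prose; a checker that runs every in-force obligation against every in-scope subject; and a change-impact function that lists the subjects a rule change newly affects, which is the spreadsheet the Brazilian payroll officer described above assembles by hand. The rule id, union names, hourly rates and citation strings are constructed placeholders, not real labor rules.

```python
"""Regulation as code: obligations kept as structured, dated data that a
checker evaluates on every monitoring pass.  Added example; the rule id,
unions, rates and citations are constructed placeholders."""
from dataclasses import dataclass
from datetime import date
import operator

# Comparison operators an obligation may reference.  Conditions stay data,
# not code, so an auditor or an agent can read a rule without executing it.
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}


@dataclass(frozen=True)
class Obligation:
    rule_id: str          # stable identifier across versions
    version: int          # bumped on every regulatory change
    effective_from: date
    scope: dict           # subject is in scope when all these facts match
    condition: dict       # {"field", "op", "value"}: subject complies when true
    source: str           # citation to the governing text (placeholder here)


class RuleBook:
    """Every published version of every obligation.  Nothing is deleted, so
    the book itself answers 'which rule was in force on date X'."""

    def __init__(self):
        self.obligations: list[Obligation] = []

    def publish(self, ob: Obligation) -> None:
        self.obligations.append(ob)

    def in_force(self, as_of: date) -> list[Obligation]:
        """Latest version of each rule whose effective date has passed."""
        latest: dict[str, Obligation] = {}
        for ob in self.obligations:
            if ob.effective_from <= as_of:
                cur = latest.get(ob.rule_id)
                if cur is None or ob.version > cur.version:
                    latest[ob.rule_id] = ob
        return list(latest.values())


def in_scope(ob: Obligation, facts: dict) -> bool:
    return all(facts.get(k) == v for k, v in ob.scope.items())


def check(ob: Obligation, facts: dict) -> tuple[bool, str]:
    """Return (compliant, reason).  A missing fact is never scored as
    compliant; it is surfaced as an exception for review."""
    field = ob.condition["field"]
    if field not in facts:
        return False, f"missing fact '{field}'"
    ok = OPS[ob.condition["op"]](facts[field], ob.condition["value"])
    reason = "" if ok else (
        f"{field}={facts[field]} violates {ob.condition['op']} {ob.condition['value']}")
    return ok, reason


def evaluate(book: RuleBook, subjects: list[dict], as_of: date) -> list[dict]:
    """One monitoring pass: every in-force rule against every in-scope subject."""
    findings = []
    for ob in book.in_force(as_of):
        for s in subjects:
            if not in_scope(ob, s):
                continue
            ok, reason = check(ob, s)
            if not ok:
                findings.append({"subject": s["id"], "rule": ob.rule_id,
                                 "version": ob.version, "reason": reason,
                                 "source": ob.source})
    return findings


def newly_affected(book: RuleBook, subjects: list[dict],
                   before: date, after: date) -> list[str]:
    """Subjects compliant on `before` but not on `after`: the impact list
    of whatever rule changes took effect in between."""
    was = {f["subject"] for f in evaluate(book, subjects, before)}
    now = {f["subject"] for f in evaluate(book, subjects, after)}
    return sorted(now - was)


# Constructed sample data: a minimum-hourly-rate obligation for a
# hypothetical union, with a rate increase published mid-year.
BOOK = RuleBook()
BOOK.publish(Obligation("R-MINWAGE", 1, date(2024, 1, 1), {"union": "UNION-A"},
                        {"field": "hourly_rate", "op": ">=", "value": 7.00},
                        "placeholder: collective agreement 2024, clause 1"))
BOOK.publish(Obligation("R-MINWAGE", 2, date(2024, 6, 1), {"union": "UNION-A"},
                        {"field": "hourly_rate", "op": ">=", "value": 8.00},
                        "placeholder: amendment published 2024-06"))

EMPLOYEES = [
    {"id": "E-1", "union": "UNION-A", "hourly_rate": 7.50},
    {"id": "E-2", "union": "UNION-A", "hourly_rate": 8.20},
    {"id": "E-3", "union": "UNION-B", "hourly_rate": 6.00},   # out of scope
    {"id": "E-4", "union": "UNION-A"},                         # rate never recorded
]
MAY_REVIEW = date(2024, 5, 1)    # before the amendment takes effect
JULY_REVIEW = date(2024, 7, 1)   # after it

if __name__ == "__main__":
    for f in evaluate(BOOK, EMPLOYEES, JULY_REVIEW):
        print(f)
    print("newly affected by the June change:",
          newly_affected(BOOK, EMPLOYEES, MAY_REVIEW, JULY_REVIEW))
```

Two design points carry the auditability argument: versions are never deleted, so the rulebook can show an examiner exactly which text governed a given day, and a missing fact is reported as an exception rather than scored as compliant, so a gap in the source data cannot silently pass a monitoring run.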
2. Rip and replace legacy systems
Many compliance functions run on platforms that predate the cloud, stitched together by humans copy-pasting and clicking between systems. That’s why every workflow feels slow even when each individual tool isn’t: the integration layer is a person. Furthermore, replacing any one of these systems meant a multi-year migration that no Chief Risk Officer wanted to sign off on.
This has meant that many enterprises (especially banks) are sitting on decades of infrastructure debt, and that debt is now the single biggest obstacle to AI adoption.
So, enterprise buyers now have three choices to take advantage of AI:
(1) Keep the incumbent, but go “headless”: use the incumbent system as the backend and build agents or new interfaces on top.
(2) Vibe code a replacement: rebuild the system of record yourself, including the data model, permissions, workflows, integrations, and auditability.
(3) Buy the new AI-native version: move to a system built from the ground up for agents, machine readability, and orchestration.
If your system holds compliance-critical data, connects to dozens of internal and external data sources and partners, and codifies years of institutional logic, your risk aversion will tempt you toward (1). But then you are setting yourself up to lose to competitors who are able to dramatically lower costs and boost revenue with AI (try adding an effective voice agent that needs to read from and write to 1990s software).
It’s now not only possible to replace legacy systems; it’s also necessary in order to realize value from AI. Legacy systems were built for humans: data is siloed and hard to access, rules are hardcoded and slow to update, and workflows run in batches rather than in real time. In banking, this may be anything from Jack Henry (core banking) to NICE Actimize (transaction monitoring) to Smash (employee oversight).
Example:
Valon (mortgage servicing) built a mortgage servicer from scratch to prove software could turn breakeven margin operations into 60%+ margins. They codified complex servicing workflows into ValonOS: an AI-native operating system that replaces 25+ disparate legacy systems with structured workflows, auditable ledgers, and programmable actions. Now they’re licensing this system of record to power the entire $100B+ mortgage servicing industry, with each new customer strengthening the data flywheel that makes AI agents increasingly intelligent.
Vesta (mortgage loan origination) manages and coordinates all the compliance rules on origination across CFPB (TRID, HMDA, etc.), differences across 50 states, plus all the compliance reporting to federal and state agencies. As a result, a compliance update becomes a code push rather than an enterprise update that requires implementation services. Lenders get precise auditability, not to mention the 25-50% efficiency gains.
Sardine (fraud & transaction monitoring) is replacing NICE Actimize. Sardine is cloud-based and can perform both inline real-time fraud detection and complex post-facto AML scenarios. Agents sit on top of Sardine’s live data to speed up compliance reviews by up to 30x. For example, the SAR (Suspicious Activity Report) summarizer agent fully automates filling out 60-100 different fields per entity (pulled from multiple systems), reducing the time taken per SAR submission from 30+ minutes to under 1 minute.
3. Augment the work of people
Most compliance work consists of the same three human activities repeated endlessly: (1) document analysis, (2) manual review workflows, and (3) ongoing monitoring of (1) and (2).
The connective tissue between these activities has historically been a person clicking through legacy software, which is where computer-use agents come in.
Take business banking onboarding. When a customer onboards, Sarah the compliance officer needs to review and extract key information from that potential customer’s identity documents (ID, passports, incorporation) and financial statements. She then needs to input that information into a set of legacy software tools, and run checks against different databases to validate it (sanctions, business registers, etc). With AI, that entire workflow can be automated end-to-end: documents are ingested and parsed instantly, databases are checked in parallel, and exceptions are flagged for human review rather than human execution.
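The onboarding workflow just described, as an added Python example (not code from the post, from Factor Labs, or from any vendor named here). Document extraction is simulated by already-extracted fields carrying confidence scores; the sanctions list, business register and ID-verification store are small in-memory stand-ins; the three checks run in parallel. The decision logic is the part worth studying: the agent auto-clears only when every extraction is high-confidence, the documents agree with each other and every check passes. Anything else is routed to a human with the specific reasons attached, so the agent executes the checks but never makes the exception call itself. All applicant data, the confidence threshold and the list contents are constructed.

```python
"""Business onboarding checks with a human-in-the-loop exception path.
Added example; extraction, registers and applicants are constructed
in-memory stand-ins for the real systems."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field

MIN_CONFIDENCE = 0.90   # constructed threshold: below it, a field is never trusted automatically


@dataclass
class Decision:
    outcome: str                                   # "auto-clear" or "human-review"
    reasons: list = field(default_factory=list)    # why a human must look
    evidence: dict = field(default_factory=dict)   # every check result, for the audit file


# Constructed stand-ins for the external systems an officer would query.
SANCTIONS_LIST = {"BLOCKED TRADING LTD"}
BUSINESS_REGISTER = {"12345678": {"name": "ACME WIDGETS LTD", "status": "active"}}
ID_VERIFICATION = {"P-9981": "verified"}


def extract(documents: dict) -> tuple[dict, list]:
    """Merge per-document extractions {doc: {field: (value, confidence)}} into
    one fact set.  Low confidence and cross-document conflicts are recorded
    as review reasons, never resolved by the machine."""
    facts, reasons = {}, []
    for doc, fields in documents.items():
        for name, (value, conf) in fields.items():
            if conf < MIN_CONFIDENCE:
                reasons.append(f"{doc}: '{name}' extracted with confidence {conf:.2f}")
            if name in facts and facts[name] != value:
                reasons.append(f"{doc}: '{name}'={value!r} conflicts with {facts[name]!r}")
            facts.setdefault(name, value)
    return facts, reasons


# Each check returns (name, passed, detail) so results are uniform and loggable.
def check_sanctions(facts: dict) -> tuple:
    hit = facts.get("legal_name", "").upper() in SANCTIONS_LIST
    return "sanctions", not hit, "name matches sanctions list" if hit else "no match"


def check_register(facts: dict) -> tuple:
    rec = BUSINESS_REGISTER.get(facts.get("registration_no", ""))
    if rec is None:
        return "register", False, "registration number not found"
    if rec["name"] != facts.get("legal_name", "").upper():
        return "register", False, f"register name {rec['name']!r} differs from documents"
    if rec["status"] != "active":
        return "register", False, f"entity status is {rec['status']}"
    return "register", True, "active, name matches"


def check_identity(facts: dict) -> tuple:
    status = ID_VERIFICATION.get(facts.get("director_id", ""), "unverified")
    return "identity", status == "verified", status


CHECKS = [check_sanctions, check_register, check_identity]


def onboard(documents: dict) -> Decision:
    """Run extraction, then all checks in parallel, then decide."""
    facts, reasons = extract(documents)
    with ThreadPoolExecutor(max_workers=len(CHECKS)) as pool:
        results = list(pool.map(lambda c: c(facts), CHECKS))  # order preserved
    evidence = {name: detail for name, _, detail in results}
    reasons += [f"{name}: {detail}" for name, ok, detail in results if not ok]
    return Decision("auto-clear" if not reasons else "human-review", reasons, evidence)


# Constructed applicants: (value, extraction confidence) per field.
CLEAN_APPLICANT = {
    "incorporation": {"legal_name": ("Acme Widgets Ltd", 0.98), "registration_no": ("12345678", 0.99)},
    "financial_statement": {"legal_name": ("Acme Widgets Ltd", 0.95)},
    "passport": {"director_id": ("P-9981", 0.97)},
}
CONFLICTING_APPLICANT = {
    "incorporation": {"legal_name": ("Acme Widgets Ltd", 0.98), "registration_no": ("12345678", 0.99)},
    "financial_statement": {"legal_name": ("Acme Widget Ltd", 0.93)},   # name differs
    "passport": {"director_id": ("P-9981", 0.97)},
}
LOW_CONFIDENCE_APPLICANT = {
    "incorporation": {"legal_name": ("Acme Widgets Ltd", 0.98), "registration_no": ("12345678", 0.61)},
    "passport": {"director_id": ("P-9981", 0.97)},
}
SANCTIONED_APPLICANT = {
    "incorporation": {"legal_name": ("Blocked Trading Ltd", 0.97), "registration_no": ("99999999", 0.98)},
    "passport": {"director_id": ("P-9981", 0.97)},
}

if __name__ == "__main__":
    for label, docs in [("clean", CLEAN_APPLICANT), ("conflict", CONFLICTING_APPLICANT),
                        ("low confidence", LOW_CONFIDENCE_APPLICANT), ("sanctioned", SANCTIONED_APPLICANT)]:
        d = onboard(docs)
        print(f"{label:15} -> {d.outcome}; reasons: {d.reasons}")
```

Note that a sanctions hit does not stop the other checks from running: the full evidence set is kept on every case so the reviewer, and later an examiner, sees what every system said at decision time, not only the first failure.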
Example: Factor Labs sits on top of legacy systems rather than replacing them. Its computer use agents automate chargeback dispute handling for banks and payment companies. Each agent task follows a “playbook”, essentially step-by-step instructions tailored to each merchant and complying with the card networks’ processes. The agent mimics what a human analyst would do: logging into company systems (Outlook, Excel, anti-fraud platforms like CyberSource), pulling evidence, compiling it into a formatted Word document with the client’s letterhead, and sending the final PDF back to the client.
Conclusion
We like all of these approaches, and eventually most new systems will do all three. The most effective starting wedge will depend on your market:
(1) High-flux regulatory environments, those with many regulations across different jurisdictions that change constantly, or where enforcement actions and exam findings frequently require a company to update its supervisory/compliance environment, favor starting with “turn regulation into code.”
(2) Going after the system of record makes sense when:
(a) There is an opportunity to go greenfield, i.e., no entrenched incumbent for a new subset of customers. If a customer is choosing a system of record from scratch, preference for a modern AI-native stack is the default, e.g., new banks being formed in Saudi (e.g., Stitch) or the many RIAs going independent and setting up shop in the US right now.
(b) The old systems are so operationally costly and hard to write back into that you have to rip and replace to take advantage of AI.
(3) Output-driven workstreams with large backlogs and/or labor shortages favor augmenting the work of people. When compliance work results in a specific artifact (a report, a filing, a certification), the most burning need might be to add people (in this case agents who work 24/7 and don’t make mistakes) to the queue. For example, clearing alert queues (per TD Bank’s 70k backlog).
Ultimately we think these approaches converge together. Winning companies in this space will turn regulation into code, own a new system of record, and deploy a fleet of agents on top.
If that’s what you’re building, come and talk to us.
This newsletter is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. Furthermore, this content is not investment advice, nor is it intended for use by any investors or prospective investors in any a16z funds. This newsletter may link to other websites or contain other information obtained from third-party sources - a16z has not independently verified nor makes any representations about the current or enduring accuracy of such information. If this content includes third-party advertisements, a16z has not reviewed such advertisements and does not endorse any advertising content or related companies contained therein. Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z; visit https://a16z.com/investment-list/ for a full list of investments. Other important information can be found at a16z.com/disclosures. You’re receiving this newsletter since you opted in earlier; if you would like to opt out of future newsletters you may unsubscribe immediately.
One point in here that deserves more attention: "if we assume that agents will soon become the predominant purchasers on the web, this opens an entirely new category of risk."
This is exactly right, and it's the hardest version of the compliance problem. When the counterparty is an autonomous agent, you can't verify identity the way you do with humans. You can't assess intent through behavioral signals designed for people. And liability becomes an open question that current frameworks don't answer.
That's the problem I built SovereignGate to solve. It's an XRPL-native deterministic governance layer purpose-built for autonomous actors: AI agents, DAOs, DUNAs. Every transaction an agent attempts gets evaluated against a policy ruleset before it executes, with multi-sig governance and cryptographic receipts proving exactly what was authorized, by whom, under what rules, at what time.
The article frames agent risk as a new category. I'd go further: it's a new enforcement surface that requires infrastructure the current compliance stack was never designed to touch. You can't govern autonomous agents with tools built for humans filling out forms. You need mechanical enforcement at the protocol layer, not review workflows bolted on after the fact.
That's the layer beneath the layer.
#ExecLayer ✈️ #Web3Governance
This is the clearest articulation I’ve seen of why compliance is finally getting its moment. But I’d push on one thing: the framing still assumes compliance is a workflow problem that AI agents can accelerate.
That’s the right lens for catching up on backlogs and reducing manual review. But it doesn’t solve the root cause. TD Bank didn’t fail because their compliance officers were too slow. They failed because enforcement was decoupled from execution. The rules existed. The monitoring existed. The gap was structural.
That’s why I built ExecLayer. Not to make compliance faster, but to make non-compliance mechanically impossible. Deterministic governance infrastructure where policy is evaluated and enforced at the point of execution, not reviewed after the fact by a human or an agent reading logs. Rules don’t get interpreted. They get executed. No backlog, no alert queue, no 70,000 unreviewed flags, because there’s nothing to review when the system won’t let a violating action through in the first place.
The article nails the convergence thesis: regulation as code, new systems of record, agents on top. I’d add a fourth layer underneath all three: a deterministic enforcement kernel that every agent, every system, every workflow is governed by. Not a compliance copilot. A compliance constraint.
That’s the infrastructure layer this space is missing.
#ExecLayer✈️ #AIGovernance