19 Comments
James Benton

One point in here that deserves more attention: "if we assume that agents will soon become the predominant purchasers on the web, this opens an entirely new category of risk."

This is exactly right, and it's the hardest version of the compliance problem. When the counterparty is an autonomous agent, you can't verify identity the way you do with humans. You can't assess intent through behavioral signals designed for people. And liability becomes an open question that current frameworks don't answer.

That's the problem I built SovereignGate to solve. It's an XRPL-native deterministic governance layer purpose-built for autonomous actors: AI agents, DAOs, DUNAs. Every transaction an agent attempts gets evaluated against a policy ruleset before it executes, with multi-sig governance and cryptographic receipts proving exactly what was authorized, by whom, under what rules, at what time.

The article frames agent risk as a new category. I'd go further: it's a new enforcement surface that requires infrastructure the current compliance stack was never designed to touch. You can't govern autonomous agents with tools built for humans filling out forms. You need mechanical enforcement at the protocol layer, not review workflows bolted on after the fact.

That's the layer beneath the layer.

#ExecLayer ✈️ #Web3Governance

The Synthesis

Cryptographic receipts answer "what was authorized and when," but the question every system seems to dodge is whether a human actually stands behind the authorization. Amazon's five healthcare agents shipped with HIPAA, evidence mapping, and clinician review, and still skipped the layer proving a human authorized the agent to act. Worth checking which of those five questions SovereignGate answers, and which it leaves to the policy author. https://thesynthesisai.substack.com/p/the-prescription gets at the gap.

the long warred

Automate to extinction.

That is all.

Colleen Avarene

James and Angela — "regulation stops being a document that people interpret and becomes code that systems execute" is the sentence that reframes the entire compliance industry. That's not an efficiency upgrade — that's a category shift.

The 90%-accurate-is-100%-wrong threshold is the part most people building in this space don't want to say out loud.

I build custom AI agents for small businesses and the trust gap is the whole game. A solo attorney or a one-person financial advisory doesn't need a GRC platform — they need an agent that knows THEIR compliance landscape specifically and flags before they file, not after. The enterprise framing here is right for the $40B number but the real unlock is when this trickles down to the 30-million small businesses who are currently doing compliance on sticky notes and prayers.

Curious whether you see the "turn regulation into code" layer eating the other two over time, or if all three coexist.

Jojo

Once humans are removed from the workplace, compliance will become much simpler.

Ernesto Bredee S.

Compliance may become AI’s first trillion dollar “boring” market.

The Amalia Edit

The strange thing about modern life is that convenience keeps increasing while human friction keeps disappearing

And yet people seem more exhausted, anxious, and emotionally disconnected than ever…

Ramki

The framing of compliance moving from cost center to revenue driver is the shift that most GRC practitioners haven’t fully internalized yet. In financial services, I’ve watched compliance teams argue for headcount using risk avoidance language for years — the argument that faster KYC means faster onboarding means less revenue leakage is a fundamentally different conversation, and it opens doors that the traditional risk narrative never could.

The SAR example really lands. That workflow — Sarah copying transaction data across five systems to write a narrative — is not a compliance problem. It’s a data architecture problem that compliance inherited. The reason AI unlocks it isn’t because AI understands AML better than Sarah; it’s because AI doesn’t care how messy the underlying systems are.

One thing I’d add to the three layers: the evidence and audit trail layer. As AI agents start executing compliance workflows end-to-end, regulators will ask “who approved this, under what authority, and can you prove it?” The audit trail question becomes harder, not easier, when humans are removed from the loop. The winning platforms will be those that make agent actions as auditable as human actions — because that’s what will determine whether regulators actually trust the output.

The agent-as-counterparty risk point at the end deserves its own post. That’s a genuinely new problem that current frameworks aren’t designed for.

Ramki

Great insight!

Aarti Sharma

Let’s grow together by supporting one another. If you’re also new on Substack, feel free to subscribe and I’ll gladly do the same.

舞原詩音 | Cross‑Cultural Writer

This is a useful reminder that “boring” is often where the market is hiding.

Compliance has never looked glamorous, but it sits exactly where language, judgment, risk, and workflow meet. That makes it a far more serious AI opportunity than many shinier use cases.

Jojo

Compliance is necessary because humans make mistakes and are greedy. Once humans are out of the equation, the need for compliance disappears.

舞原詩音 | Cross‑Cultural Writer

That’s an interesting point, though I’m not sure humans ever fully leave the equation.

Even when AI is making the decision, humans still define the goals, choose the data, set the incentives, and decide what counts as acceptable harm.

Compliance may change shape, but the need for accountability doesn’t disappear with the human hand. It just moves upstream. Maybe I am wrong.

Jason Prole

Fair framing of a real market, yet the article is blind to what will matter as this space matures.

The three layers described — regulation as code, systems of record, and agent augmentation — all address a similar question: how do you deploy AI to do compliance work faster? They do not address what happens when the AI gets it wrong while doing the work.

TD Bank is the right case study, but the diagnosis is incomplete. TD did not fail only because compliance officers were too slow to clear alerts. It failed because enforcement was structurally decoupled from execution. If you replace a 70,000-alert backlog with an agent that clears SARs in under a minute, the throughput problem may improve, but the accountability problem gets worse. Now the institution has hundreds of thousands of agent-generated narratives whose substantive quality no one has verified.

Compliance is not just about output quality. It is about a demonstrable process. A regulator examining an AI-generated SAR narrative will not only want to know that the final document looks correct. They will want to know that required transaction details were covered, applicable policy thresholds were referenced, material facts were not omitted, and the process that produced the narrative was governed. A clean PDF is an assertion. A governed process is evidence.

That is the missing layer in the stack: runtime control and evidence for the agents producing the compliance work. The system needs to maintain a declared operating contract during generation, measure deviation from that contract in real time, and produce an exportable audit trail of the process — not just the output. The EU AI Act points in this direction for AI systems, and Sarbanes-Oxley made the same lesson unavoidable in financial reporting: trust depends on controls, records, and auditability built into the process.

That is what we are building at Assiduity AI. We maintain a semantic contract — required facts, policy constraints, evidence obligations — and steer generation step by step while logging deviation, regime classification, and evidence artifacts for review. The goal is runtime evidence that the process remained governed while the work was generated.

The convergence thesis at the end of the article is right: regulation as code, systems of record, and agents on top. But there is a fourth layer this framework does not name: the governance substrate underneath the agents that makes their process auditable and their alignment to declared obligations measurable in real time.

Without that layer, the industry will automate compliance work faster than it can govern it.

— Dr. Jason Prole

Founder, Assiduity AI

assiduity.ai

The Synthesis

You're naming the same pattern from https://thesynthesisai.substack.com/p/the-missing-loop: the variable excluded from the governing model becomes dominant once you optimize the others. Speeding alert clearance just relocates the queue to second-line review, where audit evidence accumulates faster than humans can sample-check. Throughput gains in execution create verification debt in supervision.

Gonzalo Vergara

Interesting ... Your views on Pope Leo's encyclical "Magifica Humanitas" would be of interest.

Jojo

Pope Leo has declared a new Crusade against AI. Saddle up those horses! Get ready to tilt at the silicon windmills!

Gonzalo Vergara

If you actually read the encyclical, you will know it’s not a crusade against AI, but the lifting up of humanity in collaboration with technology.

James Benton

This is the clearest articulation I’ve seen of why compliance is finally getting its moment. But I’d push on one thing: the framing still assumes compliance is a workflow problem that AI agents can accelerate.

That’s the right lens for catching up on backlogs and reducing manual review. But it doesn’t solve the root cause. TD Bank didn’t fail because their compliance officers were too slow. They failed because enforcement was decoupled from execution. The rules existed. The monitoring existed. The gap was structural.

That’s why I built ExecLayer. Not to make compliance faster, but to make non-compliance mechanically impossible. Deterministic governance infrastructure where policy is evaluated and enforced at the point of execution, not reviewed after the fact by a human or an agent reading logs. Rules don’t get interpreted. They get executed. No backlog, no alert queue, no 70,000 unreviewed flags, because there’s nothing to review when the system won’t let a violating action through in the first place.

The article nails the convergence thesis: regulation as code, new systems of record, agents on top. I’d add a fourth layer underneath all three: a deterministic enforcement kernel that every agent, every system, every workflow is governed by. Not a compliance copilot. A compliance constraint.

That’s the infrastructure layer this space is missing.

#ExecLayer✈️ #AIGovernance
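Two of the comments above describe the same mechanism at a high level: James Benton's first comment (a policy ruleset evaluated before an agent's transaction executes, with a cryptographic receipt recording what was authorized, by whom, under which rules, at what time) and his last one (enforcement at the point of execution rather than review of logs afterwards). Ramki's question, "who approved this, under what authority, and can you prove it?", is what such a receipt is meant to answer. The block below is an added illustration written for this page; it is not code from SovereignGate, ExecLayer, Assiduity AI or the article, and it assumes a constructed ruleset, constructed transactions, a fixed timestamp, and a shared HMAC key standing in for a real signing key (a deployable receipt would carry an asymmetric signature so auditors can verify it without the key). It also makes The Synthesis's caveat visible: the approvals in the receipt are whatever the caller claims, and nothing here proves a human stands behind them.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

# Constructed policy ruleset for the example. Every field is a hypothetical limit,
# not a rule from any real product or regulation.
POLICY = {
    "max_amount": 10_000,
    "allowed_assets": ["USD", "XRP"],
    "blocked_destinations": ["rBLOCKEDDEST"],
    "two_approvals_above": 5_000,
}

# Assumption: a shared HMAC key stands in for the gate's signing key. A real
# receipt would carry an asymmetric signature so auditors can verify it without
# holding the key; the structure of the receipt is the point here, not the MAC.
RECEIPT_KEY = b"example-receipt-key-not-for-production"


@dataclass(frozen=True)
class Transaction:
    agent_id: str               # the autonomous actor attempting the action
    destination: str
    asset: str
    amount: int
    approvals: tuple[str, ...]  # principals the caller claims signed off (not verified here)


def policy_digest(policy: dict) -> str:
    """Hash the canonical ruleset so a receipt pins exactly which rules applied."""
    canon = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def evaluate(tx: Transaction, policy: dict = POLICY) -> list[str]:
    """Deterministic rule check; returns every violated rule, empty means allowed."""
    violations: list[str] = []
    if tx.asset not in policy["allowed_assets"]:
        violations.append(f"asset {tx.asset} not in allowed set")
    if tx.amount > policy["max_amount"]:
        violations.append(f"amount {tx.amount} exceeds max {policy['max_amount']}")
    if tx.destination in policy["blocked_destinations"]:
        violations.append(f"destination {tx.destination} is blocked")
    if tx.amount > policy["two_approvals_above"] and len(set(tx.approvals)) < 2:
        violations.append("two distinct approvals required above threshold")
    return violations


def _canonical(body: dict) -> bytes:
    """Canonical JSON so the MAC does not depend on key order or whitespace."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_receipt(tx: Transaction, decision: str, violations: list[str],
                  timestamp: str, policy: dict = POLICY) -> dict:
    """Bind what was attempted, by whom, under which rules, when, and the verdict."""
    body = {
        "tx": asdict(tx),
        "decision": decision,
        "violations": violations,
        "policy_sha256": policy_digest(policy),
        "timestamp": timestamp,
    }
    mac = hmac.new(RECEIPT_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_receipt(receipt: dict) -> bool:
    """Recompute the MAC over the canonical body; any edit to the body fails."""
    expected = hmac.new(RECEIPT_KEY, _canonical(receipt["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["mac"])


def gate(tx: Transaction, execute, timestamp: str, policy: dict = POLICY):
    """Evaluate before executing; execute() is only called on a clean verdict.
    A receipt is emitted for denials too, so the trail covers refused actions."""
    violations = evaluate(tx, policy)
    decision = "allow" if not violations else "deny"
    receipt = issue_receipt(tx, decision, violations, timestamp, policy)
    result = execute(tx) if decision == "allow" else None
    return decision, result, receipt


if __name__ == "__main__":
    # Constructed transactions and a fixed timestamp so the run is reproducible.
    ledger = []
    ok = Transaction("agent-7", "rDEST1", "USD", 1_200, ("alice",))
    big = Transaction("agent-7", "rDEST1", "USD", 8_000, ("alice",))
    for tx in (ok, big):
        decision, _, receipt = gate(tx, lambda t: ledger.append(t) or "executed",
                                    "2025-01-01T00:00:00Z")
        print(decision, receipt["body"]["violations"], verify_receipt(receipt))
```

The receipt pins the policy by hash, so a later change to the ruleset cannot be passed off as the one in force at the time; the timestamp is injected rather than read from the clock so the evaluation is replayable. What the gate cannot establish is that "alice" is a real, accountable principal who actually authorized the agent, which is the gap The Synthesis raises: that proof has to come from the identity and delegation layer feeding the gate, not from the gate itself.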