One point in here that deserves more attention: "if we assume that agents will soon become the predominant purchasers on the web, this opens an entirely new category of risk."
This is exactly right, and it's the hardest version of the compliance problem. When the counterparty is an autonomous agent, you can't verify identity the way you do with humans. You can't assess intent through behavioral signals designed for people. And liability becomes an open question that current frameworks don't answer.
That's the problem I built SovereignGate to solve. It's an XRPL-native deterministic governance layer purpose-built for autonomous actors: AI agents, DAOs, DUNAs. Every transaction an agent attempts gets evaluated against a policy ruleset before it executes, with multi-sig governance and cryptographic receipts proving exactly what was authorized, by whom, under what rules, at what time.
The article frames agent risk as a new category. I'd go further: it's a new enforcement surface that requires infrastructure the current compliance stack was never designed to touch. You can't govern autonomous agents with tools built for humans filling out forms. You need mechanical enforcement at the protocol layer, not review workflows bolted on after the fact.
That's the layer beneath the layer.
#ExecLayer ✈️ #Web3Governance
Cryptographic receipts answer "what was authorized and when," but the question every system seems to dodge is whether a human actually stands behind the authorization. Amazon's five healthcare agents shipped with HIPAA, evidence mapping, and clinician review, and still skipped the layer proving a human authorized the agent to act. Worth checking which of those five questions SovereignGate answers, and which it leaves to the policy author. https://thesynthesisai.substack.com/p/the-prescription gets at the gap.
Good question, and the right one to ask.
SovereignGate's answer: the human stands behind the policy, not behind every individual action. That's the architectural distinction that matters.
If you require a human to authorize every agent action, you don't have an autonomous agent. You have a bot with a human approver. That doesn't scale and it defeats the point of deploying agents in the first place.
SovereignGate pushes human authority upstream. Governance principals define the policy ruleset: what the agent can do, under what conditions, with what limits. The agent operates within those boundaries. Every action that hits a boundary gets evaluated deterministically before execution. Multi-sig thresholds mean no single actor can modify the rules unilaterally. The Merkle-anchored receipt chain proves which policy version governed which action and who authorized that policy.
So to your question directly: the policy author isn't a gap. The policy author is the human principal. The receipts prove that chain of authority is intact all the way down. The full architecture is here: https://doi.org/10.5281/zenodo.20280613
The Amazon example actually reinforces this. Clinician review is a human-in-the-loop pattern that works when a human is already present in the workflow. It doesn't work for agents transacting autonomously at machine speed across decentralized protocols. Different enforcement surface, different architecture required.
#ExecLayer✈️ #Web3Governance
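An added illustration of the pattern this comment describes: rules evaluated deterministically before an action executes, rule changes that need a threshold of principal approvals, and receipts chained by hash so an auditor can check which policy version governed each decision. This is example code written for this thread, not SovereignGate's code and nothing from XRPL; the principals, keys, limits and counterparties are constructed, and HMAC stands in for real signatures.

```python
import hashlib
import hmac
import json
from typing import Dict, List

def canonical(obj) -> str:
    """Stable JSON encoding so hashes do not depend on dict ordering."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

# Constructed sample principals (not real keys): rule changes need 2 of 3 approvals.
SIGNER_KEYS = {"alice": b"constructed-key-alice", "bob": b"constructed-key-bob",
               "carol": b"constructed-key-carol"}
THRESHOLD = 2

def approve(signer: str, policy_version: str) -> str:
    """A principal approves a policy by MACing its version hash (HMAC stands in for a signature)."""
    return hmac.new(SIGNER_KEYS[signer], policy_version.encode(), hashlib.sha256).hexdigest()

class PolicyGate:
    def __init__(self, policy: Dict, approvals: Dict[str, str]):
        self.policy: Dict = {}
        self.policy_version = ""
        self.receipts: List[Dict] = []
        self.spent_today = 0
        self.update_policy(policy, approvals, ts=0)

    def update_policy(self, policy: Dict, approvals: Dict[str, str], ts: int) -> None:
        """No single actor changes the rules: the new policy needs THRESHOLD valid approvals."""
        version = sha256_hex(canonical(policy))
        valid = sorted(s for s, sig in approvals.items()
                       if s in SIGNER_KEYS and hmac.compare_digest(sig, approve(s, version)))
        if len(valid) < THRESHOLD:
            raise PermissionError(f"{len(valid)}/{THRESHOLD} valid approvals for policy {version[:12]}")
        self.policy, self.policy_version = policy, version
        self._record({"kind": "policy_update", "approved_by": valid}, "allow", "threshold met", ts)

    def evaluate(self, action: Dict, ts: int) -> Dict:
        """Fixed rule order; the first failing rule decides. Every attempt leaves a receipt."""
        p = self.policy
        if action["type"] not in p["allowed_types"]:
            return self._record(action, "deny", "action type not permitted", ts)
        if action["to"] not in p["allowed_counterparties"]:
            return self._record(action, "deny", "counterparty not allowlisted", ts)
        if action["amount"] > p["max_per_tx"]:
            return self._record(action, "deny", "exceeds per-transaction limit", ts)
        if self.spent_today + action["amount"] > p["daily_cap"]:
            return self._record(action, "deny", "would exceed daily cap", ts)
        self.spent_today += action["amount"]
        return self._record(action, "allow", "all rules satisfied", ts)

    def _record(self, subject: Dict, decision: str, reason: str, ts: int) -> Dict:
        """Each receipt commits to the previous one and to the policy version in force."""
        prev = self.receipts[-1]["hash"] if self.receipts else "0" * 64
        body = {"index": len(self.receipts), "ts": ts, "prev_hash": prev,
                "policy_version": self.policy_version, "subject": subject,
                "decision": decision, "reason": reason}
        receipt = dict(body, hash=sha256_hex(canonical(body)))
        self.receipts.append(receipt)
        return receipt

def verify_chain(receipts: List[Dict]) -> bool:
    """An auditor recomputes every hash and link; any edit, deletion or reorder breaks it."""
    prev = "0" * 64
    for i, r in enumerate(receipts):
        body = {k: v for k, v in r.items() if k != "hash"}
        if r["index"] != i or r["prev_hash"] != prev or sha256_hex(canonical(body)) != r["hash"]:
            return False
        prev = r["hash"]
    return True

def demo() -> Dict:
    """Constructed walk-through: a policy, five agent attempts, then a tampering check."""
    policy = {"allowed_types": ["payment"], "allowed_counterparties": ["vendor-A", "vendor-B"],
              "max_per_tx": 500, "daily_cap": 800}
    version = sha256_hex(canonical(policy))
    # Alice and Bob approve; Carol's entry is a bogus value and must not count.
    approvals = {"alice": approve("alice", version), "bob": approve("bob", version), "carol": "00" * 32}
    gate = PolicyGate(policy, approvals)
    attempts = [
        {"type": "payment", "to": "vendor-A", "amount": 300},   # allow
        {"type": "payment", "to": "vendor-C", "amount": 10},    # deny: not allowlisted
        {"type": "payment", "to": "vendor-B", "amount": 600},   # deny: per-transaction limit
        {"type": "payment", "to": "vendor-B", "amount": 400},   # allow (running total 700)
        {"type": "payment", "to": "vendor-A", "amount": 200},   # deny: daily cap
    ]
    decisions = [gate.evaluate(a, ts=100 + i)["decision"] for i, a in enumerate(attempts)]
    tampered = [dict(r) for r in gate.receipts]
    tampered[2]["decision"] = "allow"   # an after-the-fact edit to a recorded denial
    return {"decisions": decisions, "chain_ok": verify_chain(gate.receipts),
            "tampered_ok": verify_chain(tampered),
            "approved_by": gate.receipts[0]["subject"]["approved_by"]}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the chain is that the receipt for a denied action is as durable as the receipt for an allowed one, and that each receipt names the policy version (and, through the first receipt, the principals who approved it) rather than relying on whatever the ruleset says at audit time.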
Compliance only feels crushing when it’s treated as an overlay instead of an operating principle.
Most companies bolt compliance onto fragmented systems after the fact — which creates operational drag, duplicate work, expensive audits, brittle controls, and armies of vendors trying to stitch it all together.
The companies that win long term build compliance directly into the architecture, workflows, data model, and decisioning layer from day one. At that point, compliance stops being a tax and starts becoming operational leverage.
That’s part of the thesis behind what we’re building at adapfin. Banking infrastructure shouldn’t require institutions to choose between speed, innovation, and regulatory discipline. Those things should coexist natively.
James and Angela — "regulation stops being a document that people interpret and becomes code that systems execute" is the sentence that reframes the entire compliance industry. That's not an efficiency upgrade — that's a category shift.
The 90%-accurate-is-100%-wrong threshold is the part most people building in this space don't want to say out loud.
I build custom AI agents for small businesses and the trust gap is the whole game. A solo attorney or a one-person financial advisory doesn't need a GRC platform — they need an agent that knows THEIR compliance landscape specifically and flags before they file, not after. The enterprise framing here is right for the $40B number but the real unlock is when this trickles down to the 30 million small businesses who are currently doing compliance on sticky notes and prayers.
Curious whether you see the "turn regulation into code" layer eating the other two over time, or if all three coexist.
The framing of compliance moving from cost center to revenue driver is the shift that most GRC practitioners haven’t fully internalized yet. In financial services, I’ve watched compliance teams argue for headcount using risk avoidance language for years — the argument that faster KYC means faster onboarding means less revenue leakage is a fundamentally different conversation, and it opens doors that the traditional risk narrative never could.
The SAR example really lands. That workflow — Sarah copying transaction data across five systems to write a narrative — is not a compliance problem. It’s a data architecture problem that compliance inherited. The reason AI unlocks it isn’t because AI understands AML better than Sarah; it’s because AI doesn’t care how messy the underlying systems are.
One thing I’d add to the three layers: the evidence and audit trail layer. As AI agents start executing compliance workflows end-to-end, regulators will ask “who approved this, under what authority, and can you prove it?” The audit trail question becomes harder, not easier, when humans are removed from the loop. The winning platforms will be those that make agent actions as auditable as human actions — because that’s what will determine whether regulators actually trust the output.
The agent-as-counterparty risk point at the end deserves its own post. That’s a genuinely new problem that current frameworks aren’t designed for.
Automate to extinction.
That is all.
Really good framing - compliance isn’t a department anymore, it’s becoming the default layer embedded in every system, transaction, and workflow. AI just makes that shift explicit and programmable.
Email.shaikhnajmul42@gmail.com
"Any of these make for great wedges to build your AI startup."
That's where I disagree. All of these challenges are good jobs for an in-house AI nerd department. Stitching the systems together is much easier from the inside; there doesn't need to be another product. It is the time of the great move inwards.
"Regulations become code" is a great wedge. It also enables organizations to prioritize building (fast) HR workflows, traditionally governing employees, into the IT asset management tools for AI agents. They become the digital employee when regulatory compliance is a pure code layer.
Once humans are removed from the workplace, compliance will become much simpler.
Compliance may become AI’s first trillion dollar “boring” market.
The strange thing about modern life is that convenience keeps increasing while human friction keeps disappearing.
And yet people seem more exhausted, anxious, and emotionally disconnected than ever….
Great insight!
Let’s grow together by supporting one another if you’re also new on Substack, feel free to subscribe and I’ll gladly do the same.
This is a useful reminder that “boring” is often where the market is hiding.
Compliance has never looked glamorous, but it sits exactly where language, judgment, risk, and workflow meet. That makes it a far more serious AI opportunity than many shinier use cases.
Compliance is necessary because humans make mistakes and are greedy. Once humans are out of the equation, the need for compliance disappears.
That’s an interesting point, though I’m not sure humans ever fully leave the equation.
Even when AI is making the decision, humans still define the goals, choose the data, set the incentives, and decide what counts as acceptable harm.
Compliance may change shape, but the need for accountability doesn’t disappear with the human hand. It just moves upstream. Maybe I am wrong.
Humans will be completely out of the loop within 10 years from now, possibly less.
Fair framing of a real market, yet the article is blind to what will matter as this space matures.
The three layers described — regulation as code, systems of record, and agent augmentation — all address a similar question: how do you deploy AI to do compliance work faster? They do not address what happens when the AI gets it wrong while doing the work.
TD Bank is the right case study, but the diagnosis is incomplete. TD did not fail only because compliance officers were too slow to clear alerts. It failed because enforcement was structurally decoupled from execution. If you replace a 70,000-alert backlog with an agent that clears SARs in under a minute, the throughput problem may improve, but the accountability problem gets worse. Now the institution has hundreds of thousands of agent-generated narratives whose substantive quality no one has verified.
Compliance is not just about output quality. It is about a demonstrable process. A regulator examining an AI-generated SAR narrative will not only want to know that the final document looks correct. They will want to know that required transaction details were covered, applicable policy thresholds were referenced, material facts were not omitted, and the process that produced the narrative was governed. A clean PDF is an assertion. A governed process is evidence.
That is the missing layer in the stack: runtime control and evidence for the agents producing the compliance work. The system needs to maintain a declared operating contract during generation, measure deviation from that contract in real time, and produce an exportable audit trail of the process — not just the output. The EU AI Act points in this direction for AI systems, and Sarbanes-Oxley made the same lesson unavoidable in financial reporting: trust depends on controls, records, and auditability built into the process.
That is what we are building at Assiduity AI. We maintain a semantic contract — required facts, policy constraints, evidence obligations — and steer generation step by step while logging deviation, regime classification, and evidence artifacts for review. The goal is runtime evidence that the process remained governed while the work was generated.
The convergence thesis at the end of the article is right: regulation as code, systems of record, and agents on top. But there is a fourth layer this framework does not name: the governance substrate underneath the agents that makes their process auditable and their alignment to declared obligations measurable in real time.
Without that layer, the industry will automate compliance work faster than it can govern it.
— Dr. Jason Prole
Founder, Assiduity AI
assiduity.ai
You're naming the same pattern from https://thesynthesisai.substack.com/p/the-missing-loop: the variable excluded from the governing model becomes dominant once you optimize the others. Speeding alert clearance just relocates the queue to second-line review, where audit evidence accumulates faster than humans can sample-check. Throughput gains in execution create verification debt in supervision.
Interesting ... Your views on Pope Leo's encyclical "Magifica Humanitas" would be of interest.
Pope Leo has declared a new Crusade against AI. Saddle up those horses! Get ready to tilt at the silicon windmills!
If you actually read the encyclical, you will know it’s not a crusade against AI, but the lifting up of humanity in collaboration with technology.