Don’t Hand These Compliance Tasks Over to AI (Yet)
October 3, 2025
By Ogie Sheehy, Global CEO
Tech integrators who are evaluating the best use cases for AI are wrestling with a number of big questions. Chief among them: Which tasks are too precious to automate?
When the answer is crystal clear, it’s a relief. The trouble is, crystal-clear answers in the age of AI are exceedingly rare.
This ambiguity is especially strong in the regulatory technology (regtech) space. The governance, risk and compliance (GRC) functions that regtech innovators are building for are already complex. Add the uncertain future of regulatory oversight, and the calculus of which use cases to prioritize has become something of a moving target for credit unions and beyond.
Regtech Must Respect GRC’s Deliberate Nature
Even amid shifting trends, however, certain GRC pillars remain steady. Enduring responsibilities like audit prep, policy management, regulatory reporting and business continuity form the backbone of GRC. These are the areas where regtech innovation is currently concentrated. Innovators are using AI and automation to boost the efficiency, accuracy and, importantly, user experience of legacy GRC workflows that are unlikely to change unless a clear catalyst emerges.
It’s no surprise that change in GRC tends to happen slowly. That’s because leaders of the discipline are deliberate by nature. And, for good reason. Tasked with maintaining safety and soundness, ensuring compliance and protecting organizational integrity, credit union GRC specialists operate in an environment where the cost of getting it wrong is simply too high for any other posture.
For that reason, our team of regtech builders has come to see well-defined and collaborative boundaries not as roadblocks, but as a valuable exercise in empathy. As we co-create alongside some of the most highly regarded credit union GRC pros in the movement, we are also co-discovering principled boundaries for AI and automation in GRC. What follows are some of the areas that we have determined, in partnership with our GRC clients, should never be handed over to AI — at least not today.
A year from now, perhaps even six months down the road, these lines may shift. For now, however, the following GRC tasks are best performed by a qualified professional.
Final Approval of Policies and Procedures
Generative AI is well-suited to developing starting-point documents for policies and procedures, especially if the GenAI tool is able to apply a prompt for specific updates to existing documents. The technology is also proficient at reviewing policies for things like alignment with new regulatory guidance and inconsistencies across procedures. Beyond that, GenAI can be a helpful ally in flagging unclear language and even surfacing potential opportunities for staff training based on procedural steps.
Automation has a role here, as well. Workflow management systems can assist credit union GRC specialists in making sure nothing falls through the cracks. The tech can make assignments to specific personnel and track status to encourage accountability. In the vendor management space, automation can manage jobs like onboarding, due diligence, contract tracking and periodic reviews, alerting human GRC managers at various milestones along the way.
For each of the above, however, final sign-off should remain firmly in human hands. Policies require contextual awareness, and humans are best suited to applying considerations like cultural readiness, tone and alignment with the credit union’s values — not to mention board and C-suite priorities. Even with a well-crafted GenAI prompt, the risk of hallucination remains too high for end-to-end automation of policy management today.
Interpretation of Regulatory Ambiguities
The same threat of AI misunderstanding applies to the analysis of new laws and regulations. Notoriously vague, regulatory rules require more than pattern recognition to be adequately interpreted. Determining how to apply them in a particular organizational or industry context calls for deep legal, industry and cultural understanding from tenured credit union GRC specialists.
AI and automation can still improve regulatory intelligence workflows, however. AI-powered regulation alerting tools, for instance, ensure GRC leaders who operate across jurisdictions are aware of changes in state and federal rules as they happen, and assist them in applying those rules to their specific operations. Users designate which regulatory agencies they want to monitor and are then alerted when something new has been published or a critical deadline is approaching.
Discussing Risk Tolerance and Setting Strategy
Certain AI models can help GRC pros and the boards they report to consider different scenarios for risk management purposes. Capable of processing large volumes of internal and external data, these models can be a good launching pad for discussions around emerging threats and adequate controls.
AI can also use third-party data to inform risk scoring based on what’s occurring across a credit union or environment, offering a more dynamic picture of the credit union’s exposure. Some platforms are even introducing predictive analytics to support conversations about what might happen next, leveraging AI to help leadership visualize evolving risks and regulatory trends.
While these tools can extend visibility, credit union boards and executives must remain heavily involved. In highly regulated industries, this isn’t just a best practice; it’s often mandated. Many regulators explicitly require board participation in risk oversight and policy direction, underscoring the importance of human judgment to effective GRC, no matter how sophisticated the technology becomes.
AI is an Optimizer of Human Ingenuity
As with nearly every profession, AI is transforming GRC. Yet, its most valuable contribution today is as an optimizer of human talent and expertise. The strongest regtech solutions are those that introduce speed and clarity without removing the need for truly human inputs like ingenuity and compassion.
As regulations continue to shift and technology continues to advance, the line between what should and shouldn't be automated will keep moving. But for now, the most responsible use of AI in GRC is one that keeps people, especially those with deep commitment to safety and soundness, firmly in the loop.
Originally published in Finopotamus on September 12, 2025.