Permission, Not Indemnity
What the Investor Frame Missed About Compliance
A few weeks ago, James da Costa and Angela Strange at a16z published a piece called “Everything, Everywhere is Compliance.” It is the clearest articulation yet of why investor capital is moving into compliance technology. It names the category. It maps three archetypes. It draws the market.
They treated compliance as a serious market rather than as overhead. The operator view starts where their map ends.
The operator view is that compliance dysfunction is not one problem. It is three problems compounding across three stacks, and the three stacks were never designed to talk to each other. Most software bets in the category work at one stack at a time. The dysfunction is not in any single stack. It is in the seams.
[Figure: The architectural argument in one frame.]
The Three Stacks
The first stack is data. Every compliance function inherits a data layer that was assembled to serve the lines of business, not to serve compliance. Customer data sits in a CRM. Transaction data sits in the core. KYC data sits in the onboarding vendor. Sanctions screening sits in a separate tool. Adverse media sits in a third-party feed. None of these systems were architected to produce a single coherent picture of a customer. Compliance analysts spend the bulk of their working hours stitching that picture together by hand, account by account, in spreadsheets and Word documents that no auditor will ever see.
The second stack is system. The transaction monitoring system, the case management system, the SAR filing system. These are not one system. They are three or four systems procured in different years from different vendors with different data models. The rules engine speaks one schema. The case manager speaks another. The filing system speaks a third. Analysts re-key the same facts at every step. The audit trail is a sequence of copy-paste artifacts that hold together only because nobody has ever asked them to bear real weight.
The third stack is people. The human stack. Analysts who are distant from the customer base they are reviewing — distant from the customer’s lived context, which they were never given. An analyst who has never bought a used car at a buy-here-pay-here lot will not recognize the transaction shape of one. An analyst who has never sent money home will read remittance flows as anomalies. The failure is not in the analyst. The failure is in the data the analyst is working with, the system the analyst is forced to navigate, and the context the analyst was never given.
Why One-Stack Bets Do Not Compound
Every category of compliance software the a16z piece describes is a one-stack bet. The rules engines. The case managers. The AI-native analyst copilots. Each one a good bet on its own. The buyers are real. The deals are getting done.
The problem is that a buyer can procure the best rules engine on the market and the dysfunction will reassert itself in the data stack feeding it and in the people stack interpreting it. The rules engine fires alerts on bad data and the analysts cannot tell which alerts are noise because they cannot see the underlying context. The case manager closes those alerts in volume without ever changing the program’s posture. The SAR filing system receives the boilerplate narrative the analyst cut and pasted from the last fifty cases. Volume goes up. Quality stays flat. Examiners notice.
The natural reply is that one-stack winners become multi-stack platforms over time. A great rules engine, a great case manager, and a great filing system from the same vendor eventually become a bridge. The reply has limits. Architectural composition is not architectural design. Stacks acquired and integrated by acquisition carry their seams forward, often into the integration layer itself. The bridge has to be designed in. It cannot be assembled from outside the system it is bridging.
The piece names TD Bank: a failure to monitor 92% of transactions, a backlog of over one million suspicious activity alerts, a $3 billion fine. The investor read of that outcome is that a better transaction monitoring system would have prevented it. The operator read is different. A 92% monitoring gap and a backlog of more than a million alerts are not a transaction monitoring tool failure. They are a governance and program-oversight failure that surfaced at the transaction monitoring layer because that is where the metric was easiest to count. A better TM tool alone does not prevent the next TD Bank. A bridge across all three stacks might.
The deeper point. The three stacks were never built to be a system. They were built as separate procurements over twenty years to satisfy separate regulatory expectations. The architecture is not broken at the implementation layer. It is broken at the architectural layer it was built on. You cannot fix it by buying better implementations of each stack separately. Better implementations of separate stacks produce a higher-resolution version of the same compounding failure.
Where AI Actually Changes the Picture
This is where the investor framing and the operator framing diverge most sharply. The investor framing treats AI as labor replacement. The headline number is analysts per million dollars of monitored volume. The pitch is that an AI-native compliance function does in three analysts what a traditional function does in fifteen.
The labor-replacement framing is what investors arrive at first because it is the cleanest valuation story. It is also the part of the story most likely to be wrong on its own. The number that matters more sits one layer deeper.
AI’s real leverage in compliance is not labor replacement. It is bridge. AI is the first technology that can sit across all three stacks at once and act as the layer the three stacks have never had between them. The labor-replacement number is downstream of the bridge. If the bridge is real, the analyst count falls and the work that remains gets better. If the analyst count falls without a bridge, the program collapses under the next exam.
Three concrete mechanisms.
Across the data stack: cross-source entity resolution. The bridge pulls identity, transaction, behavior, sanctions, and adverse-media signals from heterogeneous sources into a single semantic layer the analyst can query. The stitching that consumed an analyst’s morning is now machine work, and the semantic layer is durable across cases. The data stack stops being something the analyst rebuilds from scratch for every alert.
Across the system stack: agent-based monitoring that surfaces typology matches with the underlying reasoning visible. Not “the model flagged this,” which is the failure mode of every previous generation of monitoring technology. The bridge says, here is the typology this pattern matches, here are the corroborating signals, here are the exculpatory signals, here is what would have to be true for this to be a false positive. Explainable surfacing instead of black-box scoring. The case manager and the filing system can finally see what the rules engine saw, because the bridge is producing reasoning, not just scores.
Across the people stack: automated second-line review with citation-gated outputs. The second line of defense was always supposed to be the check on the first line. In practice, the second line spends most of its working hours on the same data-stitching problem the first line is on, because the same three stacks are feeding both. A bridge layer that has done the stitching frees the second line to actually be a second line. To review judgment rather than to redo data assembly. Citation-gating means every second-line output carries the underlying source trail. Examiners get an audit trail that holds together because it was never assembled by hand.
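One way to read "citation-gated" as a mechanical check, shown here as an added example that is not from the original piece or any vendor's product: a draft is released only if every claim cites a source record that still resolves and still hashes to the value recorded at drafting time. The record IDs, the `STORE` contents, the draft text and the function names are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Citation:
    record_id: str   # ID of the source record the claim relies on
    sha256: str      # digest of that record's content when the claim was drafted

@dataclass(frozen=True)
class Claim:
    text: str
    citations: tuple = ()

def digest(content: str) -> str:
    return hashlib.sha256(content.encode("utf-8")).hexdigest()

def gate(claims, store):
    """Return (claim_index, reason) failures; an empty list means release."""
    failures = []
    for i, claim in enumerate(claims):
        if not claim.citations:
            failures.append((i, "uncited"))
            continue
        for c in claim.citations:
            content = store.get(c.record_id)
            if content is None:
                failures.append((i, f"unknown source {c.record_id}"))
            elif digest(content) != c.sha256:
                failures.append((i, f"source {c.record_id} changed since drafting"))
    return failures

# Constructed sample records, keyed by a hypothetical ID scheme (system-number).
STORE = {
    "core-0001": "2024-03-01 cash deposit 9500.00 USD",
    "kyc-0001": "occupation: retail clerk",
}

def cite(record_id, store=STORE):
    return Citation(record_id, digest(store[record_id]))

# Constructed draft: two sourced facts, one unsourced conclusion, one bad reference.
DRAFT = [
    Claim("Customer deposited 9,500 USD in cash on 2024-03-01.", (cite("core-0001"),)),
    Claim("Stated occupation is retail clerk.", (cite("kyc-0001"),)),
    Claim("Activity is inconsistent with the stated occupation."),
    Claim("Counterparty matched a sanctions entry.", (Citation("sanc-0404", "0" * 64),)),
]

if __name__ == "__main__":
    for index, reason in gate(DRAFT, STORE):
        print(f"claim {index}: {reason}")
```

The gate checks that a source trail exists and is intact; whether the cited record actually supports the claim remains a judgment for the second-line reviewer.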
Speed Is the Wrong Number
The piece reports SAR workflows that once took thirty-plus minutes now take under a minute per submission. That number deserves a careful read. It is the headline that closes the investor deck. It is also the number an operator should treat with the most suspicion.
A SAR is not a throughput artifact. It is an evidentiary artifact submitted to a federal regulator who can use it in a criminal proceeding. Speed matters. Defensibility matters more. A SAR filed in forty-five seconds that cannot survive a FinCEN review is worse than a SAR filed in thirty minutes that holds up. The practitioner question is not “how fast.” The practitioner question is “how defensible.” Examiners do not score on per-SAR throughput speed. They score on whether the narrative supports the conclusion and whether the underlying facts are sourced and verifiable.
The throughput number is real. It is also a distraction from the harder problem the bridge has to solve. A bridge that produces a defensible SAR happens to produce a fast one, because most of the thirty minutes was the data-stitching the analyst should never have had to do.
None of this is new. As early as 2017, legacy financial institutions were being shown demos of AI-driven compliance reporting tools — automated SAR and CTR generation, narrative drafting, alert disposition. The technology was demonstrable. The takers were rare. The reason was not technical readiness. It was liability allocation.
At an industry conference in 2021, a senior regulator was asked directly about automating SAR and CTR filings. The answer was carefully shaped. The regulations do not forbid automation. Institutions have permission to automate. But the liability for a missed filing or a wrong filing still lives with the institution. The compliance officer hearing that answer correctly hears it as a yellow light. The institution gets the efficiency. The institution also gets the enforcement action when the model is wrong.
This is what AI-as-bridge has to solve that AI-as-labor-replacement does not. A bridge that produces a citable, sourced, defensible filing changes the liability calculus. A labor-replacement tool that produces an unsourced filing under an institutional signature changes only the analyst headcount. The risk-averse compliance officer is not being slow. The compliance officer is being structurally correct.
The Boredom Is the Gap
The a16z piece calls compliance schlep work. The most boring sector in financial services. The framing is doing a lot of work in that piece, and it is the one place where the investor view obscures the operator view most heavily.
Compliance is not boring. The dysfunction is boring. Ninety percent of an analyst’s day is the data-stitching the three stacks force. That part is boring because it is mechanical work being done by a human who has been trained for judgment work. The remaining ten percent is the actual judgment work. Typology recognition. Network detection across a portfolio. Neither boring nor schlep.
[Figure: The day analysts are hired for, versus the day the architecture gives them.]
That part is the work an experienced analyst spent a career learning to do.
The dysfunction has been hiding the interesting work behind the boring work for two decades. The investor framing is correct that the day is boring. The operator framing is that the day is boring because the architecture makes it boring, and that the moment a bridge layer takes the boring ninety percent out, what is left is a discipline that looks nothing like what investors have been told the category is.
The Paradigm Shift
The investor framing names a market. That is useful. It is not the same as naming what the market is buying.
What buyers are actually buying, when they buy compliance software well, is a bridge between three stacks that were never designed to be one, and an output that holds up when an examiner pulls on it. The labor-replacement number falls out of the bridge. The pricing power falls out of the bridge. The exam posture falls out of the bridge. None of those fall out of any single stack on its own, and none of them fall out of a faster version of the same indefensible workflow.
The category will keep producing one-stack winners for the next several years. Those companies will do real revenue and serve real customers. They will also leave the compounding dysfunction in place. The bet that pays off over the next decade is the bet that sits across all three stacks, takes the seams seriously, and treats defensibility as the load-bearing constraint rather than as a downstream side-effect of throughput.
Too often, the humans who need eyes on the risky work are too busy doing the mechanical work to do the work that matters.
The boredom is the gap. The gap is where the next generation of compliance infrastructure gets built.
By Andres Garcia, CEO, Rupture Labs. Posted on The Record.





