Agentic compliance — the quiet shift
KYC refresh used to be a quarterly project. At three regulated institutions we interviewed, it is now a continuous agent-driven process — and nobody wrote a press release.
Talk to a compliance officer at a mid-sized regulated institution about their KYC refresh process and, five years ago, they would have described a quarterly project with a dedicated team, spreadsheets, and a punishing rhythm of manual outreach and document collection. Talk to the same officer today at three of the institutions we have been tracking and the conversation is unrecognisable.
The process is continuous. An agent — in one case the Sumsub KYC relay, in another the institution's own internal tooling — pulls updated identity documents under signed mandate, re-runs the verification logic, flags any material change, and writes an attestation to the audit chain. The compliance officer is consulted when the agent escalates, which happens for a small fraction of refreshes. The rest happen without human attention, quietly, on the agent's schedule.
No institution we interviewed framed this as a transformation. All of them described it as a gradual tooling improvement. But the aggregate effect — measured in compliance-FTE per billion AUM, in refresh cycle time, in the incidence of expired attestations — is a step change, even if no single institution experienced it as one.
The quiet nature of the shift is, we suspect, the most important feature of it. Agentic automation in regulated compliance is not arriving as a dramatic product launch. It is arriving as a series of small operational improvements, each defensible on its own terms, whose cumulative effect is a different operating model.
The regulatory conversation has been focused on whether to allow agentic compliance. The operational conversation has moved past this. The useful regulatory question now is how to audit it — which is the subject of our recent research report (BA-2026-02) and of ongoing work by the AI Attestation working group.