How Regulated Teams Use AI to Move Faster on Compliance (Without Losing Control)

A new regulation drops on a Friday afternoon. Hundreds of pages, dense and cross-referenced, and somewhere in there is the answer to a question your business needs by Monday: what does this change about how we operate? The compliance team clears their calendars, orders the coffee, and braces for a week of reading. Meanwhile, the work that depends on the answer just sits.

A few years ago, that week of reading was the only option. It is not anymore, and the teams that figured that out are pulling ahead of the ones still bracing for the long weekend.

The core idea
AI does not get regulated teams out of compliance. Used with a named human reviewer and a clear risk tier, it gets them through compliance faster, and it turns audit season from a scramble into something closer to continuous readiness.

Why "too risky to touch" became the riskier choice

Plenty of regulated teams have looked at generative AI and decided it is too risky, so they wait. I understand the instinct. In a world of model risk management, explainability requirements, and real penalties, caution feels like the responsible posture.

But waiting is also a decision, and its cost keeps climbing. Regulatory volume is not shrinking, manual interpretation does not get cheaper, and the institutions that learned to use AI inside their guardrails are outrunning the ones that banned it outright. "We don't touch AI" is no longer the safe seat. It is a different risk, taken quietly.

Caution that never gets revisited stops being caution. It hardens into a habit that costs you something real, and nobody notices, because that cost never shows up on a dashboard.

What the leaders actually did

The organizations getting value are not using AI to dodge the rules. They point it at the parts of compliance that are high in volume and low in judgment, and they keep humans firmly on the judgment.

Reading the rulebook

When US regulators released a 1,089-page proposal on new bank capital rules, Citigroup's risk and compliance team used generative AI to read it and assess the impact, then brought the distilled points to their treasurer for the decision. The AI did the first pass. The humans made the call. That division of labor is the pattern worth copying.

Source: Bloomberg, Citi used generative AI to read 1,089 pages of new capital rules: bloomberg.com

Watching the money

Mastercard built generative AI into its Decision Intelligence platform to score transactions for fraud risk in under a second. By its own account, a generative AI predictive model doubled the rate at which it spots potentially compromised cards, letting it warn banks before the fraud lands. In financial crime, faster detection is not a convenience. It is the control itself.

Source: Mastercard, Mastercard supercharges consumer protection with gen AI: mastercard.com

Staying ready for the audit

Across bank risk and compliance, the common shape is three jobs: a virtual regulatory expert that answers questions from long policy documents, automation of repetitive work like drafting suspicious-activity reports, and code acceleration that checks software for compliance gaps. Done well, this shifts audit prep from a periodic fire drill toward continuous readiness, with evidence and source traceability produced as the work happens, not reconstructed under deadline.

Source: McKinsey, How generative AI can help banks manage risk and compliance: mckinsey.com

Moving faster in development, without moving faster into trouble

The same pull shows up on the build side. AI coding assistants genuinely speed teams up, and in regulated shops that is tempting, because the backlog of controls work never ends. The honest part is what comes next.

DORA's 2024 Accelerate State of DevOps report found that AI adoption lifted individual productivity while, across the teams it surveyed, software delivery throughput and stability moved the other way. Speed at the keyboard is not the same as speed to a safe release, and in high-stakes work that gap matters more, not less.

One analysis of AI-assisted development at large companies found roughly three to four times the commit speed, and over the same six months a tenfold rise in security findings, with architectural flaws climbing fastest of all. I wrote about who owns that code when it ships in a piece on the chain of human accountability. The short version: speed is nearly free, accountability is not, and in regulated work accountability is the actual product.

Leadership cue
If your team has banned AI outright, that may be less a safety decision than an ungoverned risk taken quietly. A gentler and faster path is usually to pick one low-judgment task, pilot it with a named human reviewer, and decide together where it has earned more room. You do not have to choose between reckless and frozen.

A first pilot that almost always works

Pick one task that is high in volume and low in judgment. First-pass summarization of a new regulation, a draft of a routine regulatory report, or evidence gathering for an upcoming audit are good candidates. Avoid anything where a wrong call carries immediate legal weight; that comes later, once you trust the workflow.

Run it through AI with two non-negotiables. First, a named human reviews and owns the output; this is the four-eyes principle applied to AI drafts. Second, every AI-assisted result carries source traceability back to the document or data it came from, so the reviewer can check each claim against its origin instead of taking the summary on faith. Then assign the task a risk tier (low, medium, or high) so that the depth of human review is proportional to the stakes rather than uniform across everything.

That is the NIST AI Risk Management Framework in practice: its four functions, govern, map, measure, and manage, run as a continuous loop instead of a one-time approval at the finish line. It is the same continuous-governance idea behind governance that protects rather than governance that only slows you down.

Three traps to avoid

The first is the blanket ban. Outlawing AI feels safe, but it just relocates the risk to your competitiveness and your team's patience. The fix is a small governed pilot, not a policy memo.

The second is unsupervised speed. Handing developers powerful tools with no agreement on what needs review is how three to four times the velocity becomes ten times the vulnerabilities. The fix is a named reviewer of record on anything that touches sensitive paths.

The third is treating AI output as finished. An AI-drafted suspicious-activity report or policy summary is a first draft, not a filing. The fix is four-eyes review and source traceability before anything leaves the building.

Try this next week

Pick one compliance task that is high in volume and low in judgment. First-pass summarization of a recent regulatory change is a good one. Run it through your approved AI tool once, with a named human reviewer and a link back to the source document for every claim the AI makes.

Then do the boring, convincing thing. Run the same task the old way in parallel and compare. Time saved on one side, accuracy and traceability on the other. That single comparison hands you evidence instead of opinion, and evidence is what lets you decide where AI earns more room next.
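The traceability requirement from the pilot (every claim links back to the source document) is the part of the comparison that can be checked mechanically before a human ever reads the draft. The following is an added example, not code from the original article or from any of the firms it mentions. It assumes the AI tool emits each claim with a citation (a source identifier plus the span it says supports the claim), and it verifies that the cited source exists and that the quoted span actually appears in it. The regulation text and the three draft claims are constructed sample data.

```python
"""Traceability check for an AI-drafted regulatory summary.

Added example, not code from the original article. Assumes the AI output
is a list of claims, each carrying a citation: a source identifier and
the quoted span the model says supports the claim. A claim only passes
when the source exists and the quote is found verbatim in that source;
anything else is routed to the named human reviewer as unsupported.
"""
import re
from dataclasses import dataclass

# Constructed sample "regulation": two numbered sections. Not a real rule.
SOURCE_DOCS = {
    "reg-2024-17 §3.2": (
        "Each covered institution shall maintain a liquidity buffer equal to "
        "at least 30 days of projected net cash outflows."
    ),
    "reg-2024-17 §5.1": (
        "Quarterly reports shall be filed within 45 days of quarter end."
    ),
}


@dataclass
class Claim:
    text: str        # the sentence the AI put in the summary
    source_id: str   # where it says the sentence comes from
    quote: str       # the span it says supports the sentence


def _norm(s: str) -> str:
    """Collapse whitespace and case so harmless reformatting is not a failure."""
    return re.sub(r"\s+", " ", s).strip().lower()


def verify_claim(claim: Claim, sources: dict) -> tuple:
    """Return (supported, reason) for one claim.

    Three failure modes are distinguished because they need different
    follow-up: a fabricated section, a missing quote, and a quote that
    does not match the cited text (the classic altered-number hallucination).
    """
    src = sources.get(claim.source_id)
    if src is None:
        return False, f"unknown source {claim.source_id!r}"
    if not claim.quote.strip():
        return False, "no supporting quote supplied"
    if _norm(claim.quote) not in _norm(src):
        return False, "quote not found in cited source"
    return True, "ok"


def review_draft(claims, sources):
    """Split a draft into claims that pass traceability and claims that
    the reviewer of record must reject or re-source by hand."""
    supported, unsupported = [], []
    for claim in claims:
        ok, reason = verify_claim(claim, sources)
        (supported if ok else unsupported).append((claim, reason))
    return supported, unsupported


# Constructed sample draft: one grounded claim, one with a changed number,
# one citing a section that does not exist in the source.
SAMPLE_DRAFT = [
    Claim("We must hold a 30-day liquidity buffer.",
          "reg-2024-17 §3.2", "liquidity buffer equal to at least 30 days"),
    Claim("Quarterly reports are due within 60 days.",
          "reg-2024-17 §5.1", "filed within 60 days of quarter end"),
    Claim("Stress tests are required annually.",
          "reg-2024-17 §7.4", "stress tests shall be conducted annually"),
]


if __name__ == "__main__":
    ok, bad = review_draft(SAMPLE_DRAFT, SOURCE_DOCS)
    for claim, reason in ok:
        print(f"PASS  {claim.source_id}: {claim.text}")
    for claim, reason in bad:
        print(f"FAIL  {claim.source_id}: {claim.text}  [{reason}]")
```

The check does not judge whether a claim is correct; it only establishes that the reviewer can trace it, which is exactly the property the pilot asks for. Claims that fail are the ones to time and count in the side-by-side comparison, because a draft whose citations cannot be verified has not actually saved the reviewer any reading.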

The step after that, once you trust the output, is to write down which categories of work may use AI with light review and which require deep review. That one agreement is where real governance starts. If you want a structured way to build these habits, our AI for Product Management workshop walks through responsible-AI guardrails, including a compliance checklist aligned with the NIST framework, so you can put AI into the workflow without losing control.

 
Read Next
From Delivery to Learning: A Practical Operating Model for 2026
Once you have run a governed pilot, this lays out lightweight governance and AI risk tiers as part of a full operating model, so the habit scales past a single task.