Global Software AI
4 Min. Lesezeit

Why AI-assisted compliance review still needs a human signature

AI can read a marketing document against MiFID II requirements faster than any human. It still shouldn't be the one who approves it — and that's a design principle, not a limitation.

Von Tim Crouch

There's a tempting pitch in compliance technology right now: point an AI at your documents, let it flag the problems, and watch the review queue disappear. We're building CompylotAI, an AI-assisted compliance platform for EU financial institutions, so you might expect us to make that pitch. We won't — because it's wrong, and in a regulated context it's dangerously wrong.

Here's the principle we build on instead: AI accelerates the review; a human signs the decision. Every time.

What AI is genuinely good at here

Let's be fair to the technology first. In compliance review — checking a fund factsheet against disclosure requirements, screening marketing copy for prohibited claims, verifying that risk warnings are present and prominent — modern language models are remarkably capable at the mechanical layer:

  • Reading a fifty-page document and mapping every claim to the regulatory requirements it touches
  • Catching the omission a tired reviewer misses on a Friday afternoon: the absent risk disclosure, the performance figure without its mandatory context
  • Applying a rule set consistently across thousands of documents, without the drift that creeps into human review over time
  • Producing a structured trail of what was checked and why it was flagged

This is real value. A compliance officer who spends four hours locating potential issues in a document set can spend forty minutes reviewing pre-located, pre-explained findings instead. Speed matters — marketing teams wait on these reviews, and slow compliance quietly becomes bypassed compliance.

Why the signature stays human

So why not let the model approve the clean documents and be done with it? Three reasons, and none of them are "the AI isn't smart enough yet."

Accountability is not transferable. Under MiFID II, a firm's obligation that client communications be fair, clear, and not misleading belongs to the firm — and supervisory regimes like BaFin's expect identifiable people behind compliance functions. When a regulator asks "who approved this document and on what basis?", the answer "a model scored it 0.97" is not an answer. An accountable person must be able to say: I reviewed this, I understood the findings, I made the call. Software can make that person dramatically better informed. It cannot become that person.

Judgment lives in context the document doesn't contain. Is this performance projection misleading? That can depend on the target audience, the distribution channel, what the client relationship history looks like, and what the regulator emphasised in its last industry letter. A model sees the document. The compliance officer sees the situation. The genuinely hard calls in compliance are rarely about what the text says — they're about what it will do.

Errors compound silently when nobody is looking. Any automated classifier will be confidently wrong sometimes. In a human-approves workflow, a wrong AI finding costs minutes: the reviewer sees it, overrides it, moves on — and that override becomes signal for improving the system. In an auto-approve workflow, the same error ships to clients, and you discover it during an audit. The cost asymmetry is enormous, and it only takes one.

Designing for the human, not around them

The practical consequence is that "human in the loop" has to be an architecture, not a checkbox. If the human's role is to click "approve" on a hundred AI verdicts an hour, you've built automation with a fig leaf — rubber-stamping with extra steps. What we aim for instead:

  • Findings, not verdicts. The system presents evidence — this claim, this rule, this reason — and the reviewer concludes.
  • Overrides as first-class data. When the human disagrees, that's recorded, auditable, and used to make the checks better.
  • An audit trail built for regulators, showing both the machine's analysis and the human's decision, separately and traceably.

The honest trade-off

Yes, this is slower than full automation. That's the point. The value proposition isn't "remove your compliance team" — it's "let your compliance team cover ten times the ground at the same depth, with a better paper trail than manual review ever produced."

Regulated financial services run on accountable human judgment. The right ambition for AI isn't to replace that judgment but to feed it better, faster, and more consistently than any manual process could. That's the product we're building — and when we get it wrong, we'd rather a human catches it before a regulator does.

CompylotAI is in early access with EU financial institutions. If document compliance review is part of your team's week, we'd like to compare notes.