The Four Shifts Quietly Reorganizing Compliance

The four structural shifts reorganizing the compliance function in regulated financial services.
Sedric Team
Communications

For most of the last twenty years, every regulated firm has built its compliance function on the same equation. More volume produced more review queue. More review queue required more reviewers. More reviewers required more spend. The function was a fixed percentage of revenue (sometimes called the "compliance tax" by CFOs who modelled it into the unit economics), and the percentage held even as the business grew. You could not grow without growing the function.

The equation no longer balances. And anyone who runs a compliance function in 2026 has already noticed it.

The volume of customer-facing material a regulated firm produces today (campaigns, social posts, partner content, finfluencer videos, podcast read-outs, sales-team LinkedIn updates, customer-service chatbot responses) is an order of magnitude larger than it was five years ago. The regulatory framework that applies to all of it has tightened in the same window: the FCA's FG24/1 guidance on financial promotions, the SEC's amended Marketing Rule, the FTC's revised Endorsement Guides, the EU's MiCA marketing-communication provisions, FINRA's first finfluencer enforcement (an $850,000 fine in 2024), and the CFPB's continuing UDAAP scrutiny of bank-fintech BaaS arrangements. The supervisory standard regulators expect when they walk in the door has moved from sampled review to comprehensive review. The talent base for the function is bleeding out. The US Bureau of Labor Statistics counts more than 400,000 compliance officers in the country, $40 billion in annual labor spend, and 33,300 projected openings every year for the next decade. McKinsey reports that 87% of entrants eventually leave the field, with annual churn already past 20%.

In October 2024, TD Bank pleaded guilty to Bank Secrecy Act and money-laundering conspiracy violations and paid $3 billion in fines, the largest in U.S. banking history. The supervisory failure underneath the fine was straightforward. 92% of its transactions went unmonitored, and 70,000 detection alerts had piled up unaddressed since 2018. The team had not gotten worse at its job. The volume had simply outrun what the team could read.

You cannot fix this equation by hiring. The pipeline is not there. You cannot fix it by working harder. The function has been working harder for ten years. The arithmetic just does not work anymore. Something else has to change.

It has.

The work itself is changing

For three years, the AI capability set that compliance work depends on has been quietly crossing a threshold. In May 2026, Andreessen Horowitz partners James da Costa and Angela Strange described that threshold as the move from "good enough to pilot" to "good enough to trust." Their argument is worth reading in full, but the operative observation is this: frontier language models now score between 80% and 100% on LegalBench's 162 legal-reasoning tasks. Vision-language models read a 400-page regulatory PDF with near-human accuracy. Computer-use agents navigate legacy software the way a human would, without waiting for an API or a six-month integration project. Long-horizon task execution means an agent can run a workflow end-to-end (pull the asset, apply the policy, surface the exception, log the decision, file the record) rather than assist with a single step.

Compliance, da Costa and Strange note, is "essentially applied legal reasoning under operational constraints, built on the same core tasks: reading regulatory text, applying rules to fact patterns, identifying exceptions, and flagging ambiguities." That is the same capability cluster that landed in legal, in document processing, in claims adjudication, and in a half-dozen other corners of the regulated economy in the last twenty-four months. It is now landing in compliance.

This is what is shifting under your function. Not a vendor pitch. A capability set crossing a usefulness threshold inside a function whose existing economics could no longer sustain it. It is not optional. It is happening.

What follows are four consequences of that shift. Each one is a different conversation you are about to have with your CFO, your CEO, your auditors, and your team.

Shift one: the unit economics decouple from growth

This is the consequence that matters most to the CFO conversation. The compliance function moves from a variable cost that scales linearly with volume to a fixed orchestration layer with a near-zero-marginal-cost agent layer underneath. An agent reviewing the 8,000th asset of the month costs the same as an agent reviewing the 80th. A firm can ten-times its marketing volume without ten-times-ing its compliance headcount, because the headcount is no longer where the throughput lives.

Compliance unit economics, before and after: the pre-shift model scales linearly with volume; the new model holds cost flat as volume grows, decoupling growth from compliance ARR.

This is not faster review. Faster review is a nice operational improvement; you tell your team about it in the next all-hands. Decoupling growth from compliance ARR is a different financial model. It changes how the function is budgeted, how the function is modelled into the unit economics, and how the function is described to the board.

The line that used to scale linearly does not anymore. The function that was a brake on growth becomes an enabler. That sentence is the one your CFO is going to want to hear before any of the rest of this matters.

Shift two: the system of action becomes the system of record

This is the consequence that matters most to the auditor and the regulator. For as long as compliance has had software, that software has been a system of record. GRC platforms, case-management systems, communications archives, and sanction-screening tools all recorded what a human did. The case the human opened, the note the human logged, the asset the human approved. The system was a database of human decisions stored for the regulator on first request.

The system of action becomes the new system of record: regulation encoded as code, agent takes action on the asset, and the agent's decision log is the audit trail. Three layers converge in a single architecture.

The agentic layer changes what the system is. The agent does not record what a human did; the agent does the work, and the record of what the agent did is the audit trail. The same primitive, the agent reviewing an asset, produces both the action (the review decision, the flag, the takedown, the disclosure correction) and the record (the timestamped, attributable, exportable log of every step). The system of action becomes the system of record.

This is the shift da Costa and Strange describe when they argue that winning companies in this space will turn regulation into code, own a new system of record, and deploy a fleet of agents on top. The three are not separable wedges that converge later. They are the same architecture from day one. The regulation encoded into the policy library is what the agent reads. The agent's decisions are the system of record. The system of record is the audit-ready evidence the regulator examines.

For the compliance officer asked by an examiner "how did you review this Q3 campaign?", the answer is not a manual approval log pulled out of a separate system. The answer is the agent's review history, exportable in the format the regulator expects, with the policy version it was reviewed against attached. The audit narrative writes itself.

There is a second-order consequence worth noting: the new system of record is queryable in ways the old one wasn't. Every decision is structured rather than free-text. When a regulator updates guidance, as the SEC did with its December 2025 risk alert on Marketing Rule disclosure prominence, the agentic layer that reviews tomorrow's campaign can re-review the last twelve months retrospectively against the updated guidance. The old system of record was a passive archive. The new one is a live evidence layer.

Shift three: the service shrinks, the product expands

This is the consequence that matters most to procurement.

Compliance has historically been delivered as a service. In-house teams. Consulting engagements. Big Four advisory hours. Specialist law-firm reviews. Outsourced operations centres. Per-asset reviewer fees. The function has billed hourly, in headcount, in seats, in retainers, because the inputs (regulator-aware judgment applied to specific content under operational constraints) were considered too nuanced, too judgment-laden, and too situational to productise. That assumption has held for the entire history of regulated commerce.

It is no longer true. The compliance officer's judgment, encoded into policy and applied consistently by an agent across every asset, every channel, every jurisdiction, becomes a product feature. The Big Four advisory hour, the in-house reviewer's check, and the consulting deliverable are not eliminated, but the long-tail volume that previously required them is now handled by the agent. The service shrinks to the genuine judgment cases; the productised layer absorbs the rest.

This is the pattern Andreessen Horowitz and Foundation Capital have called "service as a software": work that historically required human hours, packaged into a software product that delivers the outcome rather than the assistance. Compliance is one of the cleanest examples of the pattern, because the work is high-volume, rules-based, applied legal reasoning under operational constraints. Exactly the work agents are now capable of completing end-to-end.

For the procurement conversation, the implication is direct. The line items on your compliance budget that have grown the fastest for the last five years (outsourced review queues, partner-content monitoring, surveillance sampling) are the line items most exposed to compression as the productised layer takes over. The line items on the budget that grow are different. The platform, the agent capacity, the policy team. The mix shifts.

Shift four: the compliance officer becomes the orchestrator

This is the consequence that matters most to your team, and to the talent equation McKinsey has been writing about.

The pre-shift compliance officer spent the majority of the working week reading. Reading regulatory PDFs. Reading marketing copy. Reading transcripts of calls flagged by sample. Reading partner content. Reading FINRA notices, SEC risk alerts, FCA Dear-CEO letters. The work was bounded by the reading speed of the team. The 87% McKinsey leave-rate is not, in our experience inside regulated firms, primarily about pay. It is about the work. Reading the same asset queue for the eighth year is unrewarding.

The orchestrator reads policy, not volume. They write the policy library and refine it as regulation evolves and as the firm's incident history surfaces new patterns. They handle the exceptions the agent flags: the ambiguous calls, the judgment cases, the high-risk material. They own the regulator relationship. They walk the examiner through the audit trail the agent produced. They explain the supervisory framework. They document the override decisions when their judgment overruled the model. They scale the function not by hiring more readers but by sharpening the policy and managing the agent fleet.

The role is closer to a head of risk than to a documentation processor. The function the BLS counts as "compliance officer" and McKinsey reports as bleeding talent is the function that goes away. The function that replaces it is more strategic, less manual, and harder to leave. For the CCO trying to retain senior talent in a market that has been losing it for a decade, this is the most important thing on the page.

A name for what is happening

Taken together, the four shifts amount to a structural reorganization of the compliance function. Some people in the industry have started calling the resulting architecture agentic compliance: software that doesn't assist the compliance reviewer but runs the workflow end-to-end, with the human compliance officer in the orchestrator role. The label matters less than the underlying change. What matters is that the function is moving from a queue-clearing operation bounded by human reading speed to a policy-driven orchestration of agents that produce the audit trail as a byproduct of doing the work. The shift is not optional. It is already happening at the firms that have started it, and the unit economics it produces are unavailable to the firms that have not.

Where Sedric operates inside this

Sedric works in the marketing, communications, partner, and brand compliance surfaces of regulated financial services. These are the surfaces where the volume problem is most acute, the regulatory framework is most active (FCA, SEC, FTC, FINRA, MiCA, ASIC, CFPB), and the cost of getting it wrong is most public. Across four workstreams, the same architecture applies: encoded policy, an agent that reads the work product, a decision log that doubles as the audit trail, an orchestrator (the human compliance officer) who manages the agent fleet rather than reading every asset.

Marketing compliance. The agent ingests campaigns, ads, landing pages, video, and audio. It applies a firm-configurable policy library encoding both brand standards and regulatory frameworks (the marketing compliance pillar covers the regulatory side, the brand marketing compliance pillar covers the brand overlay), flags violations before publication, and retains the full evidentiary record.

Communications compliance. The agent monitors customer interactions across calls, chats, emails, and messaging in real time. It checks against the firm's policy library and the relevant regulatory frameworks (FINRA Rule 2210 for broker-dealers, FCA Consumer Duty for UK firms, MiFID II for in-scope EU activity), and creates the supervisory record the regulator expects.

Partner compliance. The agent extends the same supervisory architecture to affiliates, spokespeople, finfluencers, AR networks, brokers, and IBs: all the third parties carrying the firm's brand on platforms the firm doesn't own. Pre-publication review, post-publication monitoring, and drift detection. The influencer compliance pillar details the same supervisory stack at the partner layer.

Real-time agent assistance. The agent sits alongside the human in live conversations (call centre, advisor desk, agent contact), surfacing compliance flags as the conversation happens.

The verticals adapt the policy library to the regulator and the product: banks and issuers, fintechs and neobanks, trading and securities firms, crypto platforms, debt-collection operations. But the architecture underneath is one system. One policy library. One audit trail. One orchestration layer. The work that previously sat in three different review tracks and a separate recordkeeping system sits in one place, executed by the agent fleet and orchestrated by the compliance officer.

What this means in twenty-four months

The four shifts are happening at the function level whether or not your firm participates in them. The firms that have started this reorganization are already shipping marketing faster, retaining senior compliance talent longer, and producing audit-ready evidence on demand rather than at quarter-end. The firms that have not are still buying headcount against a structural talent shortage and still asking their teams to read more than they can read.

In twenty-four months, the compliance functions of large regulated firms will look very different from how they look today. The choice in front of you is not whether that change happens to your function. The choice is what shape your function takes when you come out the other side. Whether you have spent the intervening eighteen months building the policy library, training the orchestrators, and operationalising the agent fleet, or whether you are starting that work after the regulator has noticed that your competitor is faster, your CFO has noticed that their compliance cost is half of yours, and your senior compliance officers have left for the firm that gave them the orchestrator role first.

We are happy to walk through what any of this looks like on your own content, your own partners, and your own policy. Book a 30-minute demo and we'll show you.
