The Risks of AI in Regulatory Change Management
- May 28
- 4 min read
AI is changing compliance. But honest questions about accuracy, hallucination, and auditability need answers before firms commit.
There is a lot of enthusiasm about AI in regulatory change management right now. Much of it is justified. The ability to process large volumes of regulatory content, surface relevant changes, and support faster decision-making is genuinely valuable in an environment where the volume and pace of change keeps increasing.
But enthusiasm without scrutiny is its own kind of risk. And in a discipline where the consequences of getting it wrong include regulatory censure, financial penalties, and reputational damage, scrutiny is not optional.
This piece is an honest assessment of where AI introduces risk in regulatory change management - and what firms need to think about before they rely on it.
The hallucination problem
The most widely discussed risk with large language models is hallucination - the tendency to generate plausible-sounding outputs that are factually incorrect. In many contexts, this is an inconvenience. In regulatory compliance, it is a serious problem.
A compliance team relying on an AI tool to summarise a regulatory update needs to know that the summary is accurate. A firm using AI to assess the relevance of a change to its business needs to be confident the assessment is based on what the regulation actually says - not a confident-sounding approximation of it.
The challenge is that hallucinations are not always obvious. An AI tool can produce an output that reads as authoritative, is largely correct, and contains one material error - an error that a busy compliance professional, under time pressure, may not catch. In a high-stakes regulatory context, that one error is the one that matters.
This is not an argument against using AI. It is an argument for understanding what kind of AI you are using, how it has been trained, and what safeguards are in place to catch errors before they become decisions.
The accuracy problem
Related to hallucination, but distinct from it, is the broader question of accuracy in regulatory interpretation.
Regulation is not plain language. It is precise, technical, and frequently ambiguous - deliberately so, in some cases, to allow for supervisory discretion. Interpreting regulatory text correctly requires not just reading comprehension but contextual knowledge: understanding how a rule fits within a broader framework, how it has been interpreted by regulators in practice, and how it interacts with other obligations the firm is subject to.
General-purpose AI tools are not built for this. They are trained on broad datasets that may include regulatory content, but they are not optimised for regulatory interpretation. The outputs they produce may be broadly accurate - but broadly accurate is not the standard compliance requires.
The risk is not just incorrect outputs. It is over-reliance on outputs that feel authoritative because they are fluent and confident, without the underlying precision that regulatory work demands.
The auditability problem
Even where AI produces accurate outputs, there is a further challenge: can you show your work?
Regulators do not just want to know what a firm decided. They want to know how it decided - what information it relied on, what analysis it conducted, who was responsible, and when. That audit trail is not a nice-to-have. It is increasingly a regulatory expectation.
Many AI tools are not designed with auditability in mind. They produce outputs, but the reasoning behind those outputs is opaque. When a regulator asks how a firm identified and assessed a particular regulatory change, "our AI flagged it" is not an answer that will satisfy a supervisory review.
The auditability problem has two dimensions. The first is process: can the firm demonstrate a clear, documented workflow from regulatory change to compliance decision? The second is substance: can it show that the AI-generated analysis was reviewed, validated, and approved by a human with appropriate expertise and accountability?
Without both, AI in regulatory change management creates a documentation gap that may only become visible when it is too late to close it.
The governance problem
Underlying all of these risks is a governance question that too many firms are not yet asking clearly: who is accountable for an AI-assisted compliance decision?
When a compliance team uses AI to assess the relevance of a regulatory change and gets it wrong, accountability doesn't transfer to the technology. It stays with the firm, and with the individuals who signed off on the decision. The introduction of AI into the workflow does not reduce accountability - it changes where the accountability sits and how it needs to be evidenced.
This means firms need governance frameworks that are specifically designed for AI-assisted compliance work. Not generic AI policies. Not technology risk frameworks bolted onto compliance processes. Specific, operational guidance on how AI outputs are reviewed, validated, challenged, and documented — and who is responsible for each step.
Getting it right
None of this is a reason to avoid AI in regulatory change management. The efficiency gains are real, and firms that ignore AI entirely will find themselves at a disadvantage as the technology matures.
But there is a meaningful difference between AI that has been purpose-built for regulatory content — trained on regulatory documents, optimised for regulatory interpretation, and designed with auditability in mind — and general-purpose tools applied to a compliance use case.
The firms that get this right will be the ones that ask hard questions before they deploy: How was this trained? What does it do when it is uncertain? How does it handle ambiguity in regulatory text? What does the audit trail look like? Who is accountable when it gets something wrong?
Those are not technology questions. They are governance questions. And answering them is the work that has to happen before the efficiency gains become real.
In our next piece, we explain why we partnered with RegGenome — and what structured regulatory tagging actually solves.
Single Rulebook is built on RegPulse, our specialist AI engine trained solely on regulatory documents.
Comments