Firms in financial services are now seeing tangible, but uneven efficiency gains, particularly in compliance monitoring, said Steve Blossom, Global Head of Managed Services and Chief Information Security Officer at ACA Group.
On Wednesday, May 20, the firm hosted a webcast titled “State of AI in Compliance and Operations: The Shift Toward Agentic AI,” examining artificial intelligence in compliance and operations and the emerging shift toward agentic AI systems.
The session discussed survey findings from more than 200 compliance and operations professionals, alongside perspectives on how artificial intelligence is being integrated into regulated workflows.
Blossom pointed to compliance monitoring as one of the clearest areas where firms are beginning to see practical efficiency gains, particularly in the surveillance of recorded communications and call review processes.
“We’re really seeing practical value of AI in two forms,” Blossom said during the webcast. He described how AI is increasingly being used to process large volumes of call recordings through transcription and automated analysis, reducing reliance on manual review and sampling. “The AI is actually going through and looking through those transcriptions, looking for the same things that a human would listen to,” he added.
He emphasized that the shift is not eliminating human oversight but redistributing it across the review process. AI now performs initial screening in many cases, while compliance professionals focus on higher-risk alerts and exceptions, he said. Blossom described this as a hybrid operating model in which “there are certain things that AI we kind of trust a little bit on its own, and there are other ones where it’s human verifying the output.”
Joseph Kochansky, Head of Product and Engineering, ACA Group, said AI adoption across financial firms is widespread but often shallow and concentrated in desktop tools rather than embedded systems.
“84% of you said that you’re using AI, typically desktop AI, in some capacity across your organization,” Kochansky said, based on survey results from more than 200 respondents. However, he added that “only one in 10 of those functions reported actually using AI” when broken down across specific compliance and operations functions, describing the pattern as “a mile wide, but an inch deep.”
According to the survey, the most common compliance use cases include compliance program administration, electronic communications surveillance, and marketing review. Much of this activity remains reliant on desktop tools such as ChatGPT, Microsoft Copilot, or Claude, rather than fully embedded compliance systems.
Operations functions showed even lower adoption, with AI primarily used in structured processes such as reconciliation and data quality checks. Kochansky said that on average, only about 5% of operational functions reported meaningful AI use.
Despite current limitations, respondents expect adoption to increase over the next 12 months, with compliance use projected to rise from roughly 18% to 33%. Kochansky cautioned, however, that real-world adoption may already be accelerating faster than survey expectations suggest.
A central theme of the webcast was the shift toward “agentic AI,” in which systems move beyond embedded assistance to actively execute tasks through iterative interactions with enterprise tools.
Kochansky explained that in this model, “the agent itself is actually not AI,” but rather “what I call a loop” that connects AI models with external systems. In this loop, AI issues instructions, an agent executes actions via APIs or connectors, and the process repeats until a task is completed.
He highlighted the importance of connectors, sometimes referred to as MCPs or APIs, as critical infrastructure enabling AI systems to take action within regulated environments. “The connectors effectively are how the agent takes action on behalf of AI itself,” he said.
While emphasizing potential efficiency gains, speakers also raised concerns about governance and security risks, particularly around desktop-based agent tools operating under individual user permissions.
“It’s very difficult to control for what your users on their desktop are using and how they’re using it,” Kochansky said, warning that decentralized use of AI tools can create oversight and security challenges in regulated firms.
Josh Broaded, Partner, Co-Head of Regulatory Compliance Management, ACA Group, added that while AI adoption is widespread across financial firms, governance frameworks remain in early stages of development.
“More than 90% of the firms that we talk to are using AI, but that use is quite shallow,” Broaded said, adding that compliance functions are increasingly becoming central to AI governance structures within organizations.
He outlined a 90-day approach to building AI governance, starting with the formation of a cross-functional oversight team that brings together compliance, legal, information security, and business stakeholders. “This is not a IT only problem, this is not a compliance only problem,” he said.
Broaded added that firms should then strengthen vendor due diligence, including scrutiny of data handling, model change transparency, and incident response processes, while also identifying higher-risk use cases such as AI note-taking tools and other applications involving sensitive information.
The approach also includes establishing metrics to track usage and risk, formalizing approval and re-review processes for AI tools, and expanding staff training and engagement to support ongoing oversight of AI adoption, he said.
