Kunal's Blog

Three Ways To Use AI Agents Without Scaring Compliance

Written by:

kunalsharda

Practical patterns that pass audits and actually cut work
TL;DR

Most AI failures in regulated teams are not technical. They are governance failures. If control is visible, Compliance becomes an ally. I use three patterns again and again:

  • Suggest, not decide
  • Explainable by default
  • Policy-bound prompts

Wrap them with simple risk tiers, shared telemetry, and basic change control. You will move fast and stay defensible.

The moment Compliance became a champion

A mid-market lender asked us to “add AI” to underwriting. Operations wanted speed. Compliance wanted fewer audit escalations. Day one felt like a tug of war. By week four the head of Compliance was our loudest supporter. Nothing magical happened in the model. What changed was the workflow. We made control obvious and easy to prove.

That experience shaped the patterns below.

Pattern 1: Suggest, not decide

Story
We resisted the early request to auto-approve low-risk files. Instead, the agent assembled the decision and a human committed it. The agent built a one-screen packet: inputs, rules hit, confidence, policy references, and the exact steps it took. The underwriter had three buttons: AcceptEdit, or Request Info. Every click wrote to an immutable log with user, timestamp, model version, and prompt ID.

Why it works
Regulators do not object to acceleration. They object to unauthorized authority. Suggest-mode keeps accountability with a person and still removes a lot of boilerplate. On clean files we saw 30 to 50 percent time saved without any loss of control.

How to implement
Create a structured “decision packet” object that always includes inputs, features, rules matched, and links to evidence. Keep the review screen uncluttered so the human can commit with confidence. No silent auto-commits above trivial risk.

Pattern 2: Explainable by default

Story
Audit once asked why the system recommended a referral on June 12. We hit Replay. Up came the model version, retrieval sources with citations, top rules and thresholds, and the final confidence score. Two clicks later we exported the trail. The conversation ended there.

Why it works
“Trust me” does not pass an audit. Every agent output should carry a receipt. For classification, show the rules and thresholds. For generation, show the sources and the exact retrieval chunks. Keep inputs and outputs so you can reproduce an answer when someone asks “why.”

How to implement
For decisions, display top rules and their contributions. For content, show citations and chunk IDs. Keep a hot retention window for quick debugging and a long retention window for audit. Tokenize or encrypt PII at rest. Add a weekly sampling habit. Review a small random set and confirm that replay reproduces the result.

Pattern 3: Policy-bound prompts

Story
A collections team wanted the agent to draft borrower emails. Risk flagged tone and data-leak concerns. We treated the prompt like a controlled document. Versioned. Approved. Tied to specific control objectives and a scoped dataset. The prompt banned free-text requests for sensitive data and enforced approved clauses. Any change required a small change request with rollback notes.

Why it works
Prompts are policy. When you treat them that way you can prove the model is fenced by rules, not by hope.

How to implement
Create a prompt registry. Each prompt has an owner, version, approval record, data scope, redaction rules, and rollback steps. Put static guardrails in the prompt and runtime guardrails in code: role checks, redaction, and rate limits. Keep a change log with risk tags and test results.

The operating model that makes this stick

Risk tiers decide autonomy

Not every case deserves the same freedom.

  • Low risk. The agent can auto-approve within tight thresholds. Use random sampling for QA.
  • Medium risk. Suggest-only. The human commits.
  • High risk. Manual decision. The agent helps with summaries, checklists, and retrieval.

Set the tiers with Compliance at the start. The debate shifts from “AI versus human” to “Which lane is this case in.”

The four numbers that matter

Every agent should emit the same telemetry, visible to Operations and Compliance.

  • Latency. Show p50 and p90.
  • Override rate. How often a human disagrees.
  • Top failure reasons. Missing data, weak source, bad rule.
  • Drift signal. How today’s inputs differ from the last stable baseline.

If overrides spike or drift crosses a threshold, drop the agent from auto-approve to suggest-only until you fix the cause.

A simple architecture that survives audit

  • UI and workflow in a platform like Appian for intake, queues, assignment, and the decision screen.
  • A decision layer for explicit rules, the model API, and a composer that builds the decision packet.
  • Guardrails for prompts, roles, redaction, and rate limiting.
  • An event bus or audit store that records inputs, outputs, versions, and user actions as immutable events.
  • An evidence store for documents, retrieval chunks, and citations, linked by case ID.
  • Monitoring dashboards for latency, overrides, drift, and sampling results.

Keep the interfaces boring. REST for decisions. Webhooks for events. Boring is reliable in audits.

What this changes for the business

  • Time to value. You move in weeks because you prove control from day one.
  • Quality. First-time-right rises because the agent handles structure and the human handles judgment.
  • Change velocity. Policy tweaks become prompt and rule versions, not month-long code changes.
  • Audit readiness. Evidence becomes a by-product of doing the work, not a scramble before an exam.

A very short implementation checklist

  • Write down your risk tiers.
  • Build the decision packet and the one-screen reviewer UI.
  • Stand up the prompt registry with approvals and rollback.
  • Log everything: inputs, outputs, versions, user actions, source IDs.
  • Enable replay and weekly sampling.
  • Wire telemetry to a small dashboard and define thresholds that trigger a mode downgrade.

Common pitfalls and how to avoid them

  • Auto-approval too early. Start with suggest-only and earn your way to autonomy.
  • Opaque retrieval. If you cannot show sources you will lose the room.
  • Prompt sprawl. One-off prompts multiply risk. Centralize and version them.
  • Data leakage. Redact by default. Keep access minimal.
  • Misaligned dashboards. If Ops and Compliance do not see the same numbers you will argue through proxies.

Closing

The safest way to ship AI in regulated environments is not to add more meetings. It is to design control into the flow. Suggest-mode. Built-in explainability. Policy-bound prompts. Add risk tiers and shared telemetry. Compliance stops being a blocker and starts being a partner. You cut handling time, reduce rework, and sleep well during audits.

Leave a comment

Latest Articles

Previous: