Field notes

The boring stack: why your compliance system should be unexciting

There's a category of sales pitch landing in every compliance director's inbox right now: an "AI agent" that will watch your back office and handle things. The demo is impressive. The pitch is fluent. And for a regulated firm, it's the wrong shape of solution - not because AI is overhyped, but because the pitch puts it in the wrong place.

What a regulator reads

When the FCA asks how you monitor client outcomes, "a model decides" is not an answer. What works as an answer is: here are the rules we check, here's the version history of those rules, here's every result, and here's what happened to each exception. That answer requires technology with three properties:

  1. Determinism. The same client data produces the same check result, every time. You can re-run last quarter and get last quarter's answers.
  2. Legibility. A rule is written down somewhere a human - your compliance officer, your auditor, a regulator - can read. SQL is genuinely good at this; a WHERE clause is a compliance rule in a form three professions can read.
  3. Memory. Every check, change and resolution is recorded as it happens, not reconstructed later.

None of this is exotic. Relational databases have had these properties for forty years. That's the point: the boring stack is the safe stack - not because it's old, but because four decades of firms have already found its failure modes for you.
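The three properties above on a relational database, as an added example that is not from the original article or any vendor's product: rules are stored as versioned WHERE clauses, the evaluation date is a parameter, and results are append-only. The schema, the rule HR-REVIEW, its thresholds and the client rows are all constructed for illustration, using Python's built-in sqlite3.

```python
import sqlite3

SCHEMA = """
CREATE TABLE client(id INTEGER PRIMARY KEY, risk_rating TEXT, last_review TEXT);
CREATE TABLE rule_version(rule_id TEXT, version INTEGER, effective_from TEXT,
                          predicate TEXT, PRIMARY KEY (rule_id, version));
CREATE TABLE check_result(run_id TEXT, as_of TEXT, rule_id TEXT, version INTEGER,
                          client_id INTEGER);
-- Memory: results are append-only, so history cannot be rewritten later.
CREATE TRIGGER result_no_update BEFORE UPDATE ON check_result
BEGIN SELECT RAISE(ABORT, 'check_result is append-only'); END;
CREATE TRIGGER result_no_delete BEFORE DELETE ON check_result
BEGIN SELECT RAISE(ABORT, 'check_result is append-only'); END;
"""
OVERDUE = "risk_rating = 'high' AND julianday(:as_of) - julianday(last_review) > {}"

def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed sample clients.
    conn.executemany("INSERT INTO client VALUES (?, ?, ?)", [
        (1, "high", "2023-01-10"), (2, "high", "2024-02-01"), (3, "low", "2021-06-30")])
    # Legibility: each (hypothetical) rule is a WHERE clause. Predicates run as SQL,
    # so only reviewed, change-controlled text may ever be written to this table.
    conn.executemany("INSERT INTO rule_version VALUES (?, ?, ?, ?)", [
        ("HR-REVIEW", 1, "2023-01-01", OVERDUE.format(365)),
        ("HR-REVIEW", 2, "2024-07-01", OVERDUE.format(180))])
    return conn

def run_checks(conn, run_id, as_of):
    """Apply the rule versions in force on as_of; record and return exceptions."""
    params = {"as_of": as_of}  # Determinism: a fixed date, never date('now').
    rules = conn.execute(
        "SELECT rule_id, version, predicate FROM rule_version r "
        "WHERE version = (SELECT MAX(v.version) FROM rule_version v "
        "WHERE v.rule_id = r.rule_id AND v.effective_from <= :as_of) "
        "ORDER BY rule_id", params).fetchall()
    exceptions = []
    for rule_id, version, predicate in rules:
        hits = conn.execute(
            f"SELECT id FROM client WHERE {predicate} ORDER BY id", params).fetchall()
        for (client_id,) in hits:
            conn.execute("INSERT INTO check_result VALUES (?, ?, ?, ?, ?)",
                         (run_id, as_of, rule_id, version, client_id))
            exceptions.append((rule_id, version, client_id))
    return exceptions
```

Re-running an earlier date after the rule has changed still selects the version that was in force then, and each stored result names the rule version that produced it.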

So where does AI belong?

In two places, and they're both real:

Building the system. This is the quiet revolution. The engineering that made a checks engine a six-figure consultancy programme in 2022 - the data plumbing, the integration code, the test coverage - is dramatically faster to produce now. That doesn't change what gets built; it changes who can afford it. Mid-size firms can now have infrastructure that was previously enterprise-only. (It's most of the reason we can price the way we do.)

Inside the system, behind controls. Extracting fields from a scanned document, classifying an inbound email, drafting a letter for human review - tasks where a model's output is checked by deterministic rules or a person before anything depends on it. AI as a component with a supervisor, never as the decision-maker of record.

The test for any AI in a regulated workflow is one question: if this goes wrong, can you show exactly what happened and why? Components pass that test. Autonomous agents, today, do not.

The buying heuristic

If a vendor leads with the model, ask what's underneath. If they can't show you the database schema, the audit log, and the rule definitions - the boring parts - the exciting parts are decoration on a system that can't answer a regulator's first question.

We build the boring parts first, on purpose. If you want to see what that looks like for your firm, book the diagnostic - twenty minutes, no deck, just numbers.