When compliance is treated as a learning system rather than a reporting obligation, it could turn from a cost center into a competitive advantage.
For decades, regulatory compliance has been treated as a necessary tax on doing business. It’s something organizations endure rather than leverage: teams manually interpret regulations, create controls, document evidence and prepare for audits. The audits often happen months after the actual work was conducted. The result is high cost, slow feedback and a compliance function that’s structurally decoupled from how software is actually built and operated.
What’s changing now isn’t regulation itself, but the economics of compliance. AI and automation are turning compliance from a retrospective, document-heavy activity into something that can increasingly run continuously and at marginal cost. Two companies that illustrate this shift particularly well are Kosli and B4Investigate.
Kosli operates in a space that most engineering teams know all too well: proving compliance with security, quality and governance requirements in software delivery. Instead of asking teams to manually assemble evidence for auditors, the solution integrates directly into the software delivery pipeline. The artifacts that already exist, such as commits, builds, deployments and approvals, become living compliance evidence. Compliance is no longer something you prepare for an audit. Instead, it’s something you continuously generate as a by-product of normal engineering work.
From a Radical perspective, this is a textbook example of collapsing distance in the value delivery system. Compliance checks are pulled closer to the moment of action, feedback cycles shrink dramatically and learning happens continuously rather than episodically. The organization doesn’t slow down to ‘do compliance.’ Instead, compliance becomes part of how value is delivered safely and repeatably.
The important point here isn’t just automation, but timing. By moving compliance closer to the point of action, Kosli reduces the associated cost while simultaneously increasing confidence. Controls are checked when they matter, deviations are detected early and audits become verification exercises rather than archaeological digs. This aligns closely with how modern software organizations already think about quality and delivery: fast feedback beats late correction.
A similar shift is happening in a very different regulatory domain: fraud detection. B4Investigate focuses on identifying suspicious behavior and financial crime, but instead of relying primarily on static rules or manually tuned thresholds, the company applies more dynamic techniques and is moving toward reinforcement learning. In simple terms, the system learns from interaction and feedback. It adapts as fraud patterns evolve, rather than assuming that yesterday’s rules will catch tomorrow’s attacks.
This matters because fraud detection is a moving target. Criminal behavior changes precisely because controls exist. Traditional rule-based systems struggle here: they either generate too many false positives or miss novel patterns entirely. By using dynamic learning and, in the near future, reinforcement learning-based approaches, B4Investigate can continuously improve detection performance while reducing the operational burden on human analysts. The system becomes better over time, not just more complex.
Seen through a Radical lens, this is compliance as a learning loop. The system observes behavior, acts, receives feedback and adjusts. Importantly, the loop runs fast enough to matter. Instead of compliance being a lagging indicator, asking “Did we catch this after the fact?”, it becomes a leading capability that improves over time.
What connects Kosli and B4Investigate isn’t their industry or use case, but a deeper architectural shift. Both embed compliance and control into the operational system itself. Compliance is no longer an external process layered on top of the organization; it becomes part of the system’s behavior. Evidence is generated automatically. Decisions improve through feedback. Cost decreases as scale increases.
There’s also a subtle but important organizational implication. When compliance becomes continuous and automated, it stops being a blocker and starts becoming an enabler. Teams can move faster because compliance risk is visible early. Regulators gain more transparency rather than less. And organizations can afford higher standards because enforcing them no longer scales linearly with headcount.
This doesn’t mean humans disappear from compliance. Judgment, accountability and interpretation still matter, especially in regulated domains. But AI changes where human effort is applied. Instead of spending time collecting evidence or reviewing endless alerts, experts can focus on edge cases, systemic risks and improvement of the underlying controls.
Seen this way, AI in regulatory compliance isn’t about replacing people or ‘beating’ regulation; it’s about aligning with how modern, software-intensive organizations operate. Kosli and B4Investigate are early examples of what happens when compliance is treated as a learning system rather than a reporting obligation. Over time, this approach could turn compliance from a cost center into a competitive advantage.
The deeper shift, then, isn’t that organizations are becoming ‘more compliant,’ but that compliance itself is being redefined. When controls are embedded in operational systems, when evidence is generated continuously and when learning loops adapt to changing risks, compliance stops being a retrospective reporting exercise; it becomes a way of managing uncertainty in real time. In that sense, AI doesn’t weaken regulatory intent but rather strengthens it by aligning compliance with how modern systems actually behave. As corporate governance scholar John C. Coffee Jr. has observed, compliance is ultimately not about ticking boxes but about managing risk.


