Why 50% of compliance work lives where AI cannot reach

Why real-time compliance fails before the detection model ever fires

Most banks treat compliance failures as a detection problem. They invest in better models, lower alert thresholds, and faster data pipelines. But the handoff from alert to action is the actual compliance problem. No current tool owns it. The breakdown happens the moment an alert fires and needs a human response. That handoff lives in the whitespace between systems that no single tool owns.

That whitespace is bigger than most compliance teams realize. Roughly 50% of frontline work happens outside any core system, in manual coordination, exception handling, policy checks, and inter-team handoffs. Every real-time compliance alert follows that same path. It gets triaged in one tool, escalated in another, documented in a third. No system owns the full sequence, and no one has the complete picture at the moment it matters.

AI makes this structural problem worse before it makes it better. An AI agent deployed on a fragmented foundation operates on partial customer data, applies inconsistent rules, and writes decisions back to different systems of record. Faster processing on a fragmented backend means the same handoff failures happen more often. The agent cannot act with authority because it has no single source of truth to act from. It also has no governed channel to record what it decided or why.

Fix the detection model all you want. Until the operational handoff from alert to action is structurally owned, real-time compliance monitoring stays theoretical.

The whitespace problem where compliance alerts go to die

When a real-time monitoring system fires an alert, the detection has already worked. The signal is there. What happens next is the problem. The alert moves into a handoff zone - a space between the transaction monitoring tool, the case management platform, the customer data system, and the frontline banker who needs to act. Nobody owns that zone, and no system does either.

Research behind the Banking OS value proposition puts a precise number on this: roughly 50% of frontline work lives in exactly that whitespace. Handoffs, manual coordination, exception handling, policy checks - work that falls between systems rather than inside them. Compliance alert-to-action chains are a textbook example. The monitoring tool raises a flag. A compliance officer opens a separate system to check customer history. Someone emails a relationship manager. The manager logs into a third platform to freeze or review an account. Each step is a manual transfer across a boundary no system governs.

Jouk Pleter puts the consequence directly: "If you don't solve the guard function, I don't see AI at scale in banks at all. I basically see the risk and compliance argument paralyzing innovation." That is what whitespace does to AI compliance programs. The detection model performs well in isolation. But the operational handoff — the moment alert becomes action — lives in a zone AI cannot reach because no single system holds authority there. The result is latency, inconsistency, and audit trails that nobody can reconstruct cleanly after the fact.

Stream processing and event-driven architecture are necessary but not sufficient

Kafka-style event buses and continuous controls monitoring represent real progress. Banks can now process millions of transaction events per second and trigger compliance checks without batch delays. But the infrastructure layer is only half the problem, and it's the easier half.

The harder problem sits on the receiving end. When a streaming pipeline fires a compliance alert, something has to act on it. That something is increasingly an AI agent. But an AI agent without unified customer context, a shared source of truth, and clear decision authority doesn't produce faster compliance. It produces faster confusion. It operates on partial data pulled from whichever system it can reach. It applies rules inconsistently because different systems hold different rule sets. It writes decisions back to different records, meaning no audit trail reconciles. Perfect stream processing with a fragmented backend doesn't solve the compliance problem - it accelerates the fragmentation.

This is where the structural argument becomes concrete. Event-driven architecture tells you something happened. It doesn't tell the AI agent what the full customer relationship looks like, which policy applies, or where the decision needs to be recorded for a regulator. Each alert lands in a zone that no compliance tool owns. The AI agent fills that zone with guesswork. Guesswork at machine speed is a governance risk, not a compliance control.

The guard function - governed AI authority as the missing compliance layer

Most banks treat AI compliance investment as a detection problem. They buy better models, train them on more transaction data, and tune thresholds. But Jouk Pleiter and the team at 11FS have identified a different blocker: without solving the guard function, compliance and legal teams will end AI deployment entirely. Governed AI authority and hard risk controls are what that guard function requires. The detection model is never the final obstacle. The infrastructure governing what AI can authorize, and under what limits, is.

The guard function is an architectural concept, not a product feature. It asks a specific regulator-facing question: when an AI agent takes a compliance action, who authorized it, under what scope, and where is the audit record? Across more than 120 bank implementations, this is where deployment stalls. The authority lives in policy documents, the action happens in a system of record, and the human handoff sits in email or a ticketing tool. Nothing owns the space between them. Gartner research on AI in finance consistently identifies this governance issue as the primary barrier to scaled AI deployment in regulated institutions.

Backbase's Banking OS addresses this directly. It operates as a Control Plane above systems of record, routing decisions across customers, employees, and AI agents under a single authority layer. Every AI action carries a Decision Token - a structured, auditable record of what was authorized and why. That architecture turns a real-time compliance signal into a response a regulator can inspect. The infrastructure layer is the compliance investment banks are currently skipping.

How Banking OS connects real-time signal to auditable response

Most compliance architectures treat detection and response as separate problems owned by separate systems. A monitoring tool fires an alert. A case management tool queues it. A human works it. Somewhere in that handoff, the governed chain of authority breaks down. No single system owns the whitespace between signal and action. Regulators reconstructing a decision trail must piece together logs from three or four platforms that were never designed to talk to each other.

The Backbase Banking OS works differently because it sits above systems of record as a Control Plane. It routes decisions across customers, employees, and AI agents under a single governed authority layer. When a compliance event fires, the Control Plane routes it through a defined authorization structure. There's no ambiguity about who or what acted, under what limits, or at what point in the process a human was in the loop. That structure is built in, not added after the fact.

Every decision the Banking OS makes or routes carries a Decision Token. That token encodes the full context of the action - what triggered it, which agent or employee handled it, and what authority governed the response. When a regulator asks who authorized a freeze or escalation, the answer is already structured and ready. Banks don't reconstruct the audit trail, they present it. That distinction matters when examiners work to tight deadlines and expect machine-readable evidence rather than narrative summaries assembled from spreadsheets. BCG analysis of AI governance in banking underscores that audit-ready decision records are becoming a baseline regulatory expectation, not a differentiator.

Detection models can surface risk in real time. Only a Control Plane with built-in auditability can turn that signal into a governed, documentable response that holds up under regulatory scrutiny at scale.

Decision tokens and the auditability standard regulators require

Most banks reconstruct decision trails after a compliance event. An auditor asks why an AI agent froze an account or escalated a transaction, and compliance teams piece together logs from three different systems. That approach worked when reviews happened quarterly. It breaks down when regulators expect continuous assurance across thousands of daily AI-driven actions.

The Banking OS treats auditability as a point-of-action property, not a post-hoc reporting task. Every decision an AI agent makes carries a Decision Token - a structured record built at the moment of action, not assembled later from scattered system logs. When a compliance event triggers a response, the full decision trail is already formatted for regulatory review. There is no reconstruction step, because there was never a missing link to fill.

This matters because regulators are moving toward real-time assurance models. The EU AI Act and evolving Basel guidance both push banks to demonstrate that AI decisions are explainable at any point in time - not just during scheduled audits. A Decision Token architecture satisfies that requirement by design. Banks stop treating auditability as a compliance cost and start treating it as evidence that their AI operates under genuine governance. PwC's research on AI in financial services highlights explainability and real-time auditability as the two capabilities regulators most frequently cite as deficient in current AI deployments.

Shifting from batch-based reporting to continuous assurance in core banking workflows

Batch reporting cycles were built for a world where compliance was a back-office function. Banks ran overnight jobs, produced reports, and filed them days after the underlying transactions settled. That model doesn't hold when regulators expect real-time accountability and customers expect instant decisions. The window between when something happens and when compliance teams know about it is where exposure lives.

Closing that window doesn't require replacing systems of record. It requires a Control Plane sitting above them. Backbase Banking OS routes execution across customers, employees, and AI agents under governed authority. That matters to regulators, who increasingly ask a pointed question: who authorized this compliance action, and under what limits? A Control Plane answers that question with a complete audit trail rather than a patchwork of system logs from disconnected tools.

Without that foundation, AI agents deployed for compliance operate on partial data, follow inconsistent rules, and write back to different systems. Faster processing on a fragmented backend means the same handoff failures happen more often. Continuous assurance only works when every agent draws from a shared source of truth and holds authorized decision authority. Banks that build that structure into daily workflow execution change their compliance posture without removing the core banking infrastructure they've spent years building.

Banks that treat real-time compliance monitoring as a detection investment while leaving the alert-to-action handoff unengineered will find that faster signals only accelerate the same fragmentation failures. The institutions that move first to govern AI authority at the infrastructure layer will set the auditability standard regulators formalize next.

Frequently asked questions

What is the difference between real-time transaction monitoring and continuous compliance assurance in banking?

Real-time transaction monitoring detects a risk signal the moment it occurs. Continuous compliance assurance means that signal triggers a governed, auditable response without manual handoffs. Most banks have the first capability but lack the second, because no single system owns the operational chain from alert to documented action.

Why do AI compliance systems in banks still require so much manual intervention after an alert is generated?

Because roughly 50 percent of frontline compliance work happens in the whitespace between systems. An alert fires in one tool, gets triaged in another, and escalated through email or ticketing platforms. No system owns that full sequence, so human coordinators fill the spaces that AI cannot reach without a unified operational layer.

What does a Control Plane do in an AI-native banking compliance architecture?

A Control Plane sits above systems of record and routes every compliance action across customers, employees, and AI agents under a single governed authority layer. It eliminates the whitespace where alerts get lost, ensures each action follows a defined authorization structure, and produces a complete, reconcilable decision record that regulators can inspect.

How do Decision Tokens satisfy regulatory audit requirements for AI-driven compliance actions?

A Decision Token is built at the moment an AI agent acts, encoding what triggered the action, which agent or employee handled it, and what authority governed the response. Because the audit record is created in real time rather than reconstructed later from scattered logs, banks can present structured evidence to regulators instantly and at scale.

Can banks implement real-time compliance monitoring without replacing their existing systems of record?

Yes. The Banking OS approach adds a Control Plane above existing systems of record rather than replacing them. Detection models and core infrastructure stay in place. The Control Plane provides the unified context, governed authority, and Decision Token auditability that existing systems lack, so the space between a monitoring signal and a compliant, documentable response is closed at the infrastructure level.