Regulatory Updates

June 2, 2026

The AI Adoption Journey—Risks, Use Cases and Implementation

While the appetite for artificial intelligence (AI) in financial crime compliance is undeniable, with a recent global survey showing 93% of compliance decision-makers are now using or piloting AI for customer screening, the bridge between a flashy proof-of-concept (PoC) and live production is littered with governance gaps and data silos. Firms are realizing that AI is not plug-and-play software; it requires a fundamental operational transformation.

This article maps the practical hurdles UK firms face and outlines the core requirements to transition from experimentation to safe execution, balancing innovation with strict regulatory expectations. Caution is well founded: Kroll’s 2026 cyber resilience research found that 76% of organizations have experienced a security incident involving AI applications or models in the past two years, underlining how quickly AI adoption can outpace governance and security fundamentals.

Understanding the Journey: Breaking “PoC Paralysis”

Despite industry interest, many UK investment and wealth management firms are stuck in a state of “PoC paralysis,” trialing AI but hesitating to deploy it. Forward-leaning platforms successfully use third-party AI to reduce false positives in transaction monitoring, but major institutions often remain anchored at the pilot stage. A money laundering reporting officer (MLRO) recently conceded that their firm’s AI usage in financial crime compliance remains “very limited,” highlighting the industry’s widespread caution.

The friction points are primarily internal, not technical:

  • Governance Gaps: According to a 2026 Omdia study on managed services and technology adoption, 51% of organizations cite governance and compliance as their primary barrier to AI implementation. Without defined model ownership and sign-off protocols, such as approval by a compliance executive and a model risk committee before deployment, senior management and boards will not approve live deployment.
  • Data Integrity: “Bad data in, bad data out” remains the golden rule. AI models fed on fragmented, siloed, or inconsistent legacy data, such as customer information spread across platforms and spreadsheets with missing identifiers, will yield unreliable outputs and unsound correlations. The Financial Conduct Authority (FCA) and Bank of England have repeatedly emphasized that under regulations like SYSC, AI systems must maintain robust data management without introducing vulnerabilities.
  • Cultural Resistance: The perceived “black box” nature of AI triggers internal fears regarding regulatory defensibility, unintended bias, and job security. A lack of technology background among many compliance officers further slows understanding and acceptance of these tools.

The Regulatory Guardrails: The UK’s Pro-Innovation Stance

The FCA is not applying the brakes to AI; it is actively steering firms toward responsible implementation. Unlike the European Union’s prescriptive AI Act, which enforces strict requirements on “high-risk” tools by mid-2026, the UK maintains a principles-based, tech-neutral posture. The FCA applies existing rules to AI regarding senior management responsibility, fair customer treatment and effective controls, avoiding new technology-specific regulations. As FCA director Charlotte Clark noted in late 2025, the goal is enabling safe adoption without having to “rewrite rules every time a new technology emerges.”

  • Focus on Accountability: As highlighted by the FCA’s recent January 2026 Mills Review exploring AI in retail finance, the regulator’s focus remains squarely on existing frameworks like the Senior Managers and Certification Regime (SM&CR). Firms must maintain accountability for AI, meaning its use in anti-money laundering (AML) must be subject to oversight; a human must always “own” the outcome.
  • Active Testing: The FCA is facilitating live, supervised experimentation. After the launch of the “Supercharged” AI Sandbox with NVIDIA, which allowed firms to test models on synthetic data, the FCA’s initiative saw its first sandbox cohort in late 2025 and a second cohort in April 2026.

Core Considerations: Engineering Trust in Production

Moving a model into production requires engineering trust across three core operational pillars:

  • Traceability and Explainability: Regulators expect a clear and robust audit trail. If an AI model flags a transaction as suspicious at 2:30 p.m. on a specific date, the firm must be able to later show exactly what data was fed in and how the model arrived at its conclusion. Explainable AI techniques must translate complex algorithms into defensible, human-readable rationales (e.g., “Alert because: unusually large transaction; out of client’s normal pattern”). Some vendors now offer “white-box” AI, which makes the decision-making process transparent and explainable, or proxy models, so that compliance officers can answer regulators without blaming a mysterious algorithm.
  • Integration and Data Readiness: An AI tool isolated from core banking or case management systems creates workflow friction, forcing analysts to manually switch between platforms and source data. IT, cybersecurity, and data privacy teams must align early to evaluate vendor risk and ensure the AI architecture complies with the FCA’s operational resilience and outsourcing rules, including securing contractual rights to audit the vendor.
  • Agentic AI and Human-in-the-Loop: Firms are transitioning from basic decision-support tools to “agentic AI” systems capable of taking autonomous actions like auto-closing low-risk alerts or gathering data to draft initial Suspicious Activity Reports (SARs). While McKinsey research suggests a single compliance professional could supervise 20+ AI agents (yielding up to 2000% productivity gains in transaction monitoring), a human override mechanism remains a non-negotiable requirement for high-impact decisions like account closures.

The Procurement Checklist: Defining a “Good” AI Tool

Whether building in-house AI capabilities or procuring solutions from a vendor, compliance leaders must evaluate AI systems through a strict risk-based lens. A deployable AI solution must feature:

  • Regulatory Alignment: The architecture must inherently support FCA obligations (e.g., risk-based tiering) and, if operating cross-border, must produce audit logs capable of satisfying EU AI Act transparency requirements for high-risk systems.
  • Configurability: Firms require a user-friendly interface to tweak scenarios and thresholds to match their specific institutional risk appetite. A number of firms have highlighted this exact capability when integrating their platforms, allowing them to easily adjust the sensitivity of detection tools to suit their needs. Rigid, unalterable “black box” solutions create unacceptable regulatory vulnerability.
  • Benchmarking and Parallel Testing: Empirical performance evidence is key. The AI should be run in parallel with legacy systems and human analysts to track false-positive reduction against true-positive detection. Trust is built by proving the AI catches what legacy rules miss, without burying investigators in operational noise. Any deployed tool should also provide transparency into metrics, such as monthly alert volumes and conversion rates.
  • Security and Contingency Planning: Any new technology could introduce vulnerabilities. Firms must evaluate AI solutions for risks like adversarial attacks or poisoned training data. Regulators expect operational resilience plans for third-party tech, meaning if a cloud-based AI service goes down, firms must have a tested fallback procedure, such as reverting to a rules-based system or manual reviews. Team capacity should be considered and documented prior to any rollout to ensure a manual fallback can be managed with no impact on the effectiveness of the control. This is particularly pertinent in a world where firms and compliance teams are much leaner.
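The three engineering requirements above (an audit trail that pins the exact input and a human-readable rationale to every decision, a parallel benchmark of the AI against legacy rules and analyst outcomes, and a tested fallback when a third-party model service is unavailable) can be sketched in a single shadow-mode harness. The following is an added example, not Kroll’s code or any vendor’s product. Everything in it is constructed for illustration: the rules screener (a fixed amount threshold), the challenger “model” (a client-relative deviation score standing in for a vendor model), the four sample transactions and the analyst dispositions used as ground truth.

```python
"""Shadow-mode AML screening harness (added example; all data constructed)."""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from statistics import mean, pstdev

RULE_THRESHOLD = 10_000.0   # legacy rule: alert at or above this amount
MODEL_Z_THRESHOLD = 3.0     # stand-in model: alert when amount is >= 3 sigma above the client's mean
MIN_HISTORY = 5             # stand-in model needs this many prior transactions for a baseline


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    client_id: str
    amount: float
    history: tuple          # client's prior transaction amounts (constructed)


@dataclass(frozen=True)
class Decision:
    source: str             # "model" or "rules-fallback"
    alert: bool
    reasons: tuple          # human-readable rationale, one entry per trigger
    input_digest: str       # SHA-256 over the exact input snapshot, for later reproduction
    decided_at: str         # UTC timestamp, ISO 8601


class ModelUnavailable(Exception):
    """Raised when the (hypothetical) model service cannot be reached."""


def rules_screener(txn: Transaction) -> tuple[bool, tuple]:
    reasons = []
    if txn.amount >= RULE_THRESHOLD:
        reasons.append(f"amount {txn.amount:,.2f} at or above fixed threshold {RULE_THRESHOLD:,.2f}")
    return bool(reasons), tuple(reasons)


def model_screener(txn: Transaction, available: bool = True) -> tuple[bool, tuple]:
    """Constructed stand-in for a vendor model: flags amounts far outside the client's own pattern."""
    if not available:
        raise ModelUnavailable("model service unreachable")
    if len(txn.history) < MIN_HISTORY:
        return False, ()            # no behavioural baseline yet
    mu, sigma = mean(txn.history), pstdev(txn.history)
    if sigma == 0:
        z = float("inf") if txn.amount > mu else 0.0
    else:
        z = (txn.amount - mu) / sigma
    reasons = []
    if z >= MODEL_Z_THRESHOLD:
        reasons.append(f"amount {txn.amount:,.2f} is {z:.1f} sigma above client's mean of {mu:,.2f}"
                       " (out of client's normal pattern)")
    return bool(reasons), tuple(reasons)


def input_digest(txn: Transaction) -> str:
    """Digest of the exact input snapshot so the decision can be replayed and defended later."""
    snapshot = json.dumps(asdict(txn), sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(snapshot).hexdigest()


def decide(txn: Transaction, model_available: bool = True) -> Decision:
    """Model first; if the model service is down, fall back to the rules screener and record that."""
    try:
        alert, reasons = model_screener(txn, model_available)
        source = "model"
    except ModelUnavailable:
        alert, reasons = rules_screener(txn)
        source = "rules-fallback"
    return Decision(source, alert, reasons, input_digest(txn),
                    datetime.now(timezone.utc).isoformat())


def benchmark(txns, truth) -> dict:
    """Run both screeners over the same transactions and score them against analyst dispositions."""
    def score(screener):
        tp = fp = fn = 0
        for t in txns:
            alert, _ = screener(t)
            if alert and truth[t.txn_id]:
                tp += 1
            elif alert:
                fp += 1
            elif truth[t.txn_id]:
                fn += 1
        return {"tp": tp, "fp": fp, "fn": fn}
    return {"rules": score(rules_screener), "model": score(model_screener)}


# Constructed sample data: four transactions and the analyst's final disposition for each.
SAMPLE_TXNS = (
    Transaction("T1", "A", 15_000.0, (100, 120, 110, 105, 115)),            # retail client, huge outlier
    Transaction("T2", "B", 10_200.0, (9_000, 9_500, 9_800, 9_200, 9_600)),  # high-value client, routine
    Transaction("T3", "C", 900.0, (50, 60, 55, 45, 40)),                    # under threshold, far off pattern
    Transaction("T4", "D", 205.0, (200, 210, 190, 205, 195)),               # routine
)
TRUTH = {"T1": True, "T2": False, "T3": True, "T4": False}


if __name__ == "__main__":
    print(json.dumps(benchmark(SAMPLE_TXNS, TRUTH), indent=2))
    for t in SAMPLE_TXNS:
        print(decide(t, model_available=False))
```

On the constructed data the parallel run shows the shape of evidence the checklist asks for: the rules screener raises one false positive (a routine payment by a high-value client) and misses one true positive (a small payment far outside a retail client’s pattern), while the challenger catches both without added noise. Every `Decision` carries the digest of its exact input and its rationale, so the “what was fed in and why did it alert” question can be answered from the record; and when `model_available` is `False` the `source` field shows the decision came from the tested rules fallback rather than the model.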

Conclusion

While the upfront investment in data hygiene, model governance, and human upskilling is substantial, the operational dividends of AI use are considerable. Firms that can operationalize AI responsibly, turning compliance from a reactive cost center into a proactive, scalable defense, will see the most success. With 82% of financial institutions in the UK, U.S., and Singapore reporting that staff already use advanced AI tools in AML/know-your-customer (KYC) processes, the transition to AI-enabled compliance is not a matter of if, but when.

How Kroll Can Help

Kroll helps firms advance AI from PoC to production by combining regulatory, risk and technical expertise. Through model validation, governance frameworks and risk assessments, Kroll ensures AI systems are secure, compliant and trustworthy, enabling confident and defensible adoption.
