Everyone Has AI in Compliance Now. Almost Nobody Has Governed It.


83% of compliance functions are using AI. About a quarter have a governance framework around it. The gap between those two numbers is the most important story in RegTech this year — and the regulators have started saying so out loud.


Published 11 June 2026 · Morclear Europe · 7 min read

Adoption is over. That was the easy part.

For three years, every AI-in-compliance survey asked the same question: are you using it yet? That question is now settled. In Compliance Week’s 2026 survey of 193 compliance, ethics, risk and audit leaders, more than 83% report using AI tools, with generative AI leading the stack and executive leadership pushing adoption from the top down — in many cases faster than the compliance function itself can keep up.

The interesting numbers are the ones underneath. The same survey found only about 25% of organisations have implemented a strong AI governance framework. ACA Group’s new benchmarking of financial services firms describes AI use in compliance as “widespread but shallow”: average integration across compliance functions sits below 20%, and in operations closer to 5%. EY’s 2026 research adds the uncomfortable detail that over half of department-level AI initiatives are running without formal approval or oversight, while 78% of leaders admit adoption is outpacing their governance.

Put those together and you get the actual state of AI in compliance in mid-2026. Not a sector that has transformed. A sector that has subscribed.

The adoption-governance gap · 2026 survey data

Compliance functions using AI tools: 83%
With a strong AI governance framework in place: ~25%
Average depth of AI integration across compliance functions: <20%
Department AI initiatives running without formal oversight: 52%

Sources: Compliance Week / konaAI 2026 AI & Compliance Survey · ACA Group 2026 State of AI in Compliance and Operations · EY 2026 Technology Pulse.

Why shallow adoption is worse than none

A compliance function that uses no AI has a productivity problem. A compliance function where staff paste regulated data into unapproved tools, where AI-drafted policies enter the document register with no named reviewer, and where nobody can list which models touch which decisions has a compliance problem — created, with some irony, inside the team whose job is preventing exactly that.

Ungoverned AI use is not a neutral state. It generates outputs that look authoritative and carry no evidence trail. It creates data protection exposure every time client information enters a tool nobody assessed. And since the EU AI Act began applying in stages, it has become a regulated activity in its own right: deployer obligations, transparency duties and, for the high-risk categories that cover credit scoring, insurance underwriting and employment decisions, a full conformity regime arriving in December 2027.

The question boards should be asking is no longer “are we using AI in compliance?” It is “who is accountable for what our AI produces?”

The regulators have picked their words carefully

In February, ECB Banking Supervision delivered a speech on AI adoption in banking titled “Technology is neutral, governance is not.” That is not a regulator hedging. Under the ECB’s supervisory priorities for 2026–28, AI monitoring continues with a sharpened focus on generative AI applications, following workshops with banks on credit scoring and fraud detection use cases. BaFin issued AI risk guidance in January. ESMA published a supervisory briefing on algorithmic trading in February. Across jurisdictions, 2026 guidance is converging on the same short list: model explainability, bias management, human-in-the-loop oversight, and AI use cases mapped into the existing risk management framework rather than bolted on beside it.

Notice what is absent from that list: any suggestion that firms should use less AI. Supervisors are not anti-AI. They are anti-unowned-output. The supervisory model being built across the EU assumes firms will automate heavily and asks one question of the result — can a named human stand behind it?

The next wave is arriving before the last one was governed

While most firms are still working out who approved last year’s chatbot, the market has moved to agentic AI: systems that plan and execute multi-step work across tools rather than answering single prompts. Thomson Reuters finds 15% of professional services organisations have already adopted some form of agentic tool. Gartner predicts that by 2030 half of organisations will use AI agents to interpret governance policies and automate compliance enforcement — and, in the same breath, that half of agent deployment failures will stem from inadequate governance.

For compliance specifically, the agentic promise is real: continuous control monitoring, automated evidence collection, regulatory change tracked as it publishes rather than at the quarterly review. The RegTech market is being priced accordingly, with forecasts in the range of $23bn in 2026 growing at roughly 20% a year through the early 2030s.

But an agent is, in governance terms, a privileged user that never sleeps. It reads records, executes tasks and touches systems. Handing one a compliance workflow without ownership, logging and sign-off does not automate the function. It automates the gap.

What closing the gap actually involves

1. An AI inventory with an owner per system. Every model and tool in use, including the unofficial ones, mapped to a named accountable person. Organisations with explicit AI accountability score materially higher on every maturity measure than those without — this is the single highest-leverage step.

2. Human review as architecture, not aspiration. “Human in the loop” in a policy document means nothing. A workflow where no AI output reaches a regulator, a client or the document register without a named reviewer’s sign-off means everything.

3. An evidence trail per output. What the AI was given, what it produced, who reviewed it, what changed. The difference between a defensible programme and a folder of confident-looking documents is the audit trail underneath them.

4. One framework, five regimes. AI governance is not a sixth compliance programme. The same controls map across the EU AI Act, DORA, NIS2, GDPR and ISO 27001 — firms that build it once move faster on every deadline that follows.

5. Govern the agents before deploying them. Defined permissions, logged actions, human checkpoints on anything that leaves the building. The firms that do this will get the productivity. The firms that don’t will get the case studies.

The Morclear view

The compliance professional with AI beats AI without one. We have said that since the day we opened, and 2026 is the year the data and the regulators caught up with it. The 83% who adopted AI got the easy win. The 25% who governed it got the durable one — because a compliance output is only worth what someone is willing to sign their name to.

CORA™ — Morclear’s Compliance Operations & Risk Automation platform — was built on that principle before it was fashionable. Eight specialist modules covering the EU AI Act, DORA, NIS2, GDPR and ISO 27001. AI does the heavy lifting. A named compliance professional reviews and signs off every output. Delivered as a managed service, with the evidence trail built in — not bolted on.

Next step

Which side of the 83/25 gap is your firm on?

The free assessment maps your AI use against the obligations that already apply — in 10 minutes, with a scored report.



Morclear Europe is an Irish RegTech firm delivering AI-powered, expert-reviewed compliance services to mid-market regulated organisations across the EU. CORA™ is powered by the Anthropic Claude API. All outputs are reviewed by a named compliance professional before delivery.

Sources: Compliance Week / konaAI 2026 AI & Compliance Survey · ACA Group · EY · Thomson Reuters Institute 2026 AI in Professional Services Report · Gartner · ECB Banking Supervision · Cambridge Centre for Alternative Finance 2026 Global AI in Financial Services Report · Fortune Business Insights. Primary regulatory sources: EU AI Act — Reg. (EU) 2024/1689 · DORA — Reg. (EU) 2022/2554 · GDPR — Reg. (EU) 2016/679 · NIS2 — Dir. (EU) 2022/2555 · ISO 27001:2022.
