Implementing AI in AML/KYC: Explainability, workflows and governance

Oct 20, 2025

Fireside Chat Wrap Up

AI has moved from an intriguing prototype to an operational necessity in AML/KYC. The central question is no longer whether to use AI, but how to deploy it responsibly – within existing lines of defence, with clear handoffs to human investigators, and with documentation that stands up to audit and regulatory scrutiny.

A recent webinar co-hosted by Castellum.AI and Ground Truth Intelligence explored what “good” looks like when implementing AI in financial crime programmes. The panel featured Peter Piatetsky, CEO of Castellum AI, Matthew Hunt, Co-founder and COO of Ground Truth Intelligence, Ceri Lawley, Chief Compliance Officer at International Finance Corporation, and Christina Ray Baxter, Founder and CEO of Raycor Consulting. 

The discussion focused on integrating AI into existing risk governance frameworks, designing human–AI workflows, and managing data, regulatory, and operational risks – summed up below.

Treat AI as a governed capability, not a side project

AI has become table stakes. Boards increasingly expect efficiency gains, and teams are being measured on AI literacy. That urgency increases the need for control. Rather than spinning up parallel governance, organisations should embed AI risks and controls into existing enterprise frameworks, especially the three lines of defence.

  • First line (business teams): Operate AI-enabled workflows; understand the tools’ limits and escalation paths.
  • Second line (risk & compliance): Define risk appetite, set guardrails, write policy, monitor effectiveness.
  • Third line (internal audit): Assure that models, data, and processes are explainable and evidenced.

The practical upshot: AI belongs inside your risk taxonomy, with mapped controls, owners, evidence, and metrics just like any other material risk.

Build around explainability, data provenance, and jurisdictional agility

During the discussion, three risk areas surfaced repeatedly: explainability, data quality and bias, and regulatory divergence.

Explainability. If you can’t show how a model reached an outcome, you’ll struggle with regulators, auditors, and internal sign-off. Models need to output rationale, inputs, and confidence indicators in a way investigators can interrogate.

Data quality and bias. Your results are only as sound as your data pipeline. Vendor due diligence should cover sources (public, licensed, proprietary, synthetic), update cadence, coverage across languages and jurisdictions, and bias/fairness testing. Low-resource languages and niche domains deserve special attention.

Regulatory divergence. The EU AI Act approach differs from the US’s more decentralised model; individual US states add further variation. Governance needs to be both documented and adaptable, with policy, controls, and playbooks that can flex as rules evolve.

Demand more from AI vendors: diligence, disclosure, documentation

Robust vendor diligence is now non-negotiable. Organisations should treat AI providers like critical infrastructure, especially around these five key factors:

  • Training data: What is it? Where did it come from? How is it licensed and refreshed?
  • Fairness & bias: What tests are run, how often, across which segments?
  • Privacy & IP: How are copyright, privacy, and consent handled, especially for scraped or aggregated content?
  • Auditability: Can the vendor provide end-to-end data lineage and decision logs suitable for internal audit and regulators?
  • Model ownership & updates: Who owns the resulting model artefacts? What is the versioning and update process?

If a vendor cannot explain their data supply chain simply, consistently, and in writing, then that’s a red flag.

Design human–AI workflows with clear handoffs and parallelism

Humans should add value, not re-do the machine’s work. That requires clarity on when an AI agent proceeds autonomously, when it escalates, and what “good” looks like when a case lands with a human.

Two practical ideas stood out:

  • Parallelism: Allow humans and AI to work concurrently, not strictly sequentially. AI can pre-assemble case packets, highlight gaps, and suggest next steps while investigators progress other tasks.
  • Context-rich handoffs: When the AI escalates, it should pass a dossier: sources, reasoning, artefacts, confidence, and open questions. That turns the human from a checker into a decision-maker.

A tiered alert model offers a pragmatic starting point:

  • Tier 1 (low risk): Routine checks (e.g., basic ID verification, duplicates) can be AI-adjudicated with proportionate QA.
  • Tier 2 (medium risk): AI triages, summarises, and prioritises; humans make the final determination.
  • Tier 3 (high risk): For sanctions hits, PEP complexity, or potential SARs, AI supports with summaries, but humans adjudicate.

Across all tiers, investigators should be trained to challenge AI outputs rather than rubber-stamp them.
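As an added illustration (not code from the webinar, Castellum.AI or Ground Truth Intelligence), here is a minimal Python routing function for the tiered model above that also builds the context-rich dossier a handoff should carry: inputs, rationale, score, model version, open questions and the named human who signed off. The check-type names, thresholds, QA sampling rate and model-version string are all constructed assumptions.

```python
from dataclasses import dataclass, field
import json

MODEL_VERSION = "screening-model-vX.Y"   # placeholder; log the real model/version in production
LOW_RISK_CHECKS = {"id_verification", "duplicate"}        # assumed Tier 1 categories
HIGH_RISK_CHECKS = {"sanctions", "pep", "sar_candidate"}  # assumed Tier 3 categories
QA_SAMPLE_RATE = 0.10   # share of Tier 1 auto-decisions pulled for human QA (assumed)

@dataclass
class Case:
    case_id: str
    check_type: str            # constructed category names, not a vendor taxonomy
    risk_score: float          # 0.0-1.0 from the screening model
    inputs: dict               # the fields the model actually consumed
    rationale: list            # the model's stated reasons, in its own words
    open_questions: list = field(default_factory=list)

def assign_tier(case):
    """Tier 3 on check type or score; unknown check types never auto-close (Tier 2)."""
    if case.check_type in HIGH_RISK_CHECKS or case.risk_score >= 0.8:
        return 3
    if case.risk_score < 0.3 and case.check_type in LOW_RISK_CHECKS:
        return 1
    return 2

def route(case, qa_draw=1.0):
    """Route a case and build the dossier that travels with it.
    qa_draw is a uniform random number supplied by the caller (1.0 = never sampled)."""
    tier = assign_tier(case)
    action = {1: "ai_adjudicated", 2: "ai_triage_human_decides", 3: "human_adjudicates"}[tier]
    return {
        "case_id": case.case_id, "tier": tier, "action": action,
        "model_version": MODEL_VERSION, "model_score": round(case.risk_score, 3),
        "inputs": case.inputs, "rationale": case.rationale,
        "open_questions": case.open_questions,
        "requires_human_signoff": tier > 1 or qa_draw < QA_SAMPLE_RATE,
        "signed_off_by": None,   # filled by sign_off(); stays None for un-sampled Tier 1 closes
    }

def sign_off(dossier, reviewer, outcome):
    """Record the decision; refuse to close anything routed to a human without a named reviewer."""
    if dossier["requires_human_signoff"] and reviewer is None:
        raise ValueError(f"{dossier['case_id']}: tier {dossier['tier']} needs a named reviewer")
    dossier["signed_off_by"] = reviewer
    dossier["outcome"] = outcome
    return dossier

if __name__ == "__main__":   # constructed sample case
    c = Case("C-001", "sanctions", 0.42, {"name": "Example Co", "country": "XX"},
             ["fuzzy name match 0.42 to list entry", "country not on list"],
             ["confirm date of incorporation"])
    print(json.dumps(sign_off(route(c), "analyst.a", "escalated"), indent=2))
```

The dossier dictionary is the audit artefact: serialised to a decision log, it lets every material decision be reconstructed later.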

A practical rollout blueprint

If you are moving from pilots to production, the panel’s advice converges on a straightforward programme plan:

  1. Extend your risk taxonomy to include AI. Add AI-specific risks (explainability, model drift, bias, data lineage), map controls, and assign owners.
  2. Publish an AI policy suite. Cover permissible use, data handling, human-in-the-loop, escalation criteria, and documentation standards.
  3. Standardise vendor due diligence. Create an AI vendor questionnaire and contract annex that requires transparency on data, testing, updates, and audit access.
  4. Engineer explainability. Require decision rationales, input tracing, and model/version logs that are accessible to investigators and auditors.
  5. Train all three lines. Give front-line teams practical playbooks; equip second line to monitor performance; prepare audit to test controls and evidence.
  6. Continuously assure. Track false-positive/negative rates, quality of escalations, model drift indicators, and jurisdictional changes. Adjust thresholds and playbooks with real data.

What “good” looks like in practice

  • Controlled efficiency: Faster throughput and better coverage, with fewer manual bottlenecks – and with artefacts that make decisions defensible.
  • Transparent decisions: Every material decision can be reconstructed: inputs, reasoning, controls applied, and the human who signed off.
  • Adaptable governance: Policies and controls that can evolve as rules and models change – without re-engineering the whole system.
  • Trusted partnerships: Vendors who welcome scrutiny, provide lineage and test results, and align with your control environment.

Final thought

AI will not replace compliance professionals, but teams that govern AI well will outperform. As the panellists underscored, the organisations that thrive will treat AI as a first-class, controlled capability: integrated with the three lines of defence, transparent by design, and built for the realities of multi-jurisdictional compliance.

If you’re exploring the intersection of human investigation and AI-enabled screening, GTI’s focus remains the same: clear, defensible intelligence with the right human oversight at the right moment.
