Most compliance teams don’t have a due diligence system. They have a collection of point solutions acquired over several years, held together by email threads, shared drives, and the institutional memory of two or three people who know where everything lives.
This isn’t a criticism. It’s how the industry evolved. Screening vendors were procured to solve one problem. Investigation firms were engaged for another. Monitoring was bolted on when regulators started asking about ongoing oversight. AI got layered on top when the board started asking why everything took so long.
Each decision was rational in isolation. But the result is an architecture that nobody designed – and one that is increasingly unfit for the complexity compliance teams now face.
What this actually looks like in practice
A multinational is expanding into Southeast Asia. New manufacturing partners, new distribution relationships, new beneficial ownership structures stretching across three jurisdictions with limited corporate transparency.
The compliance team knows what needs to happen. Screen the entities. Run adverse media. Investigate the beneficial owners. Assess the political exposure. Document the rationale. Monitor ongoing.
Here’s what actually happens:
Screening runs through one platform. It flags a partial name match against a sanctions list – but the match is ambiguous, and the platform offers no way to record the analyst’s reasoning for clearing it. That judgment lives in someone’s head, or maybe in a footnote in a Word document saved to a subfolder nobody else can find.
Adverse media pulls back 200+ results across three languages. The AI summariser produces a report – but it’s a wall of information with no materiality assessment. Is the fraud allegation from 2019 relevant to this engagement? The tool doesn’t know. The analyst spends two hours trying to figure it out, then writes up a summary that gets forwarded over email to a senior stakeholder who may or may not read it before approving.
An on-the-ground investigation is commissioned separately. The provider delivers a PDF three weeks later. It contradicts something in the screening output. Nobody notices, because the outputs live in different systems and nobody is comparing them side by side.
Six months later, the partner’s name appears in a media report linked to a bribery investigation. The board asks: what did we know, and when? The compliance team scrambles to reconstruct a decision trail from emails, PDFs, screening logs, and half-remembered conversations.
This isn’t a hypothetical. Variations of this play out constantly across large enterprises. The specifics change. The pattern doesn’t.
The real problem isn’t the tools. It’s the gaps between them.
When people talk about “compliance technology,” the conversation tends to focus on capability – what each tool can do. Can it screen in real time? Does it cover PEPs and sanctions? Does it use AI?
These are the wrong questions. The right question is: when your tools produce conflicting or ambiguous signals, what happens next?
In most organisations, the answer is: a human figures it out manually, documents it manually, escalates it manually, and hopes the audit trail holds up if someone asks questions two years from now.
This is the actual operating model for a significant portion of enterprise compliance. Not because people are careless, but because the tooling was never designed to support the full decision chain – from initial signal, through interpretation, to documented conclusion.
AI has made this worse, not better. Not because AI is bad at compliance tasks – it’s increasingly good at many of them. But because most AI in due diligence is deployed to generate more information, faster, without any corresponding improvement in how that information gets interpreted, weighed, and acted upon.
The result is what we call the “volume-without-judgment” problem: teams that can screen a thousand entities in an afternoon but still take weeks to reach a defensible conclusion on the three that actually matter.
What “good” looks like – and why it’s hard to get there
The answer isn’t another tool. It isn’t a better AI model. It isn’t hiring more analysts.
It’s designing the system as a system.
That means the screening output, the adverse media analysis, the human investigation, and the ongoing monitoring all feed into a single decision environment where an analyst can see everything in context, record their reasoning in a structured way, and produce an output that a regulator or board member could follow years later.
It means AI is deployed not just to retrieve information but to assess materiality – trained on compliance reasoning, not just keyword matching. And it means human intelligence – investigators on the ground who can verify what databases can’t – is embedded into the workflow rather than commissioned as a separate workstream that arrives as a disconnected PDF.
This is genuinely difficult to build. It requires domain expertise in how compliance decisions actually get made, not just what data sources exist. It’s why most attempts at “integrated compliance platforms” end up being dashboards that sit on top of the same fragmented architecture.
But it’s also where the industry has to go. The regulatory environment is getting more complex, not less. Enforcement actions are increasingly focused not just on whether you caught the risk, but on whether your process for catching it was defensible. “We ran a screening check” isn’t enough anymore. “Here is the structured rationale for how we assessed and dispositioned this risk, with full provenance” – that’s what holds up.
The question worth asking
If your Chief Ethics and Compliance Officer were asked tomorrow to explain exactly how a third-party approval decision was made eighteen months ago – who assessed what, what was known, what was escalated, and why the conclusion was reached – could your current system answer that question?
Not in theory. In practice.
If the honest answer is “it depends on whether the right person is still in the building,” that’s worth paying attention to.
Want to bring your due diligence into one solution? Contact us.