Firms invest heavily in interpreting new regulatory rules, assessing their application to particular business models, and implementing formal compliance frameworks. That work is essential, and in many areas it is done well.
Yet despite this effort, serious regulatory failures continue to arise — often in firms that can demonstrate extensive engagement with legal advice and compliance processes. The explanation is not a lack of foresight, but a gap between how regulation is analysed and how it is operationalised across organisations.
Much regulatory advice remains oriented towards questions of legal interpretation: what the rules require, how principles should be read, and how obligations map onto existing structures. Lawyers are trained to excel at this kind of analysis. What is addressed less consistently is how those interpretations translate into decision-making systems, incentives, governance arrangements and technologies that shape behaviour in practice.
Where regulatory risk really emerges
The most consequential regulatory outcomes rarely turn on a single point of legal construction. They are shaped by a sequence of judgements: how responsibility is allocated, how information flows, how risk signals are identified and escalated, and how trade-offs are managed as products, markets and technologies evolve.
When supervisory interest, investigations or enforcement risk arise, regulators do not simply ask whether a firm has interpreted the rules correctly. They assess whether accountability was real, whether oversight was effective, and whether governance functioned under pressure. These judgements are informed as much by organisational and behavioural evidence as by formal compliance artefacts.
Early decisions — about scope, ownership, data, and internal challenge — often determine how credible a firm’s response appears long before any formal conclusion is reached. By the time legal positions are tested externally, many of the outcomes that matter most have already been shaped.
Governance, conduct and the limits of formal compliance
This dynamic is particularly evident in conduct and customer outcomes. Harm typically emerges incrementally through product and process design, incentives, distribution chains and operational practices that are individually defensible but collectively problematic. Firms may have complied with specific rules at each stage, yet still find themselves facing complaints escalation, redress exposure and retrospective scrutiny.
Here, the limits of a purely interpretive approach to regulation become apparent. Policy standards and supervisory expectations evolve over time, informed by emerging case law, regulatory learning and, in the broadest sense, the politics of regulation and compliance. Compliance frameworks that are technically sound but disconnected from how risks materialise in practice struggle to deliver predictability when outcomes are judged in hindsight.
The challenge is not simply to comply with rules as written, but to anticipate how they will be applied — and how conduct will be assessed — as business models and markets change.
Digital transformation as an integration challenge
Digital and AI-enabled systems expose these tensions most starkly. Automation embeds regulatory judgements into code, data and models, often designed and maintained by specialists outside traditional legal and compliance functions. Decision-making becomes harder to trace, accountability more diffuse, and behavioural effects — on staff and customers — more difficult to foresee.
In this context, effective governance cannot be achieved through legal analysis or technical controls alone. Regulators are increasingly concerned with evidence of oversight, clarity of accountability and the ability of senior managers to demonstrate meaningful grip over systems that operate at scale. Principles-based regimes are stretched where outcomes are shaped by complex, opaque processes that cut across disciplines.
AI governance, in other words, is not a specialist compliance or IT problem. It is a test of whether the firm can integrate legal, regulatory, technological and behavioural perspectives into governance arrangements that work in practice.
From interpretation to design
The common issue across investigations, governance failures, conduct risk and digital transformation is not the absence of legal advice, but its isolation. Regulatory outcomes are shaped by how rules are translated into organisational reality: into systems, incentives, data, decision rights and escalation pathways.
Addressing this requires a shift in emphasis — from interpreting rules in isolation (or only with hindsight in the context of enforcement) to designing frameworks that bring together legal analysis, regulatory insight and expertise from compliance, technology, data, economics and behavioural science. The objective is to enhance legal certainty by embedding regulatory rules within structures and processes that support accountability, predictability and sustainable growth.
For boards and senior leaders, the question is rarely whether they have complied with the letter of the rules, but whether their governance arrangements are capable of delivering compliant outcomes as expectations evolve. Designing for that challenge, rather than defending against it after the fact, is now central to effective regulation and long-term trust.