- Agentic AI
- 13th May 2026
- 1 min read
AI Regulatory Change Management: How It Works
In Short
- Three structural weaknesses define manual regulatory change management: inconsistent horizon scanning, subjective impact assessment, and slow handoff to control owners. Agentic AI addresses the first two directly.
- Deployment maturity varies across the workflow: ingestion and NLP-based classification are live and reliable today; impact assessment drafting and automated task routing are maturing.
- The automation boundary sits at impact assessment: the agent drafts; a compliance analyst confirms the mapping and applies operational context before any action is taken.
- Model governance is a regulatory obligation: the EBA and FCA both require accountability for AI-assisted compliance outputs to rest with named senior individuals. Document who reviews at each stage.
Organisations that get this right treat feed coverage auditing and analyst review governance as core implementation requirements from day one.
Introduction
Regulatory change management is among the most time-consuming and error-prone activities in a compliance function: identifying new and amended requirements, mapping their impact on the control framework, routing changes to the right owners, and maintaining an audit trail across every jurisdiction. Agentic AI handles the detection, classification, and routing stages of this process at scale, from ingesting regulatory publications continuously to drafting structured impact assessments for human review. The interpretation step, determining what a change actually requires a specific organisation to do within its control framework, stays with the compliance professional.
What our experts say about agentic AI for regulatory change management
Matt Davies, Chief Product Officer, SureCloud
"Too many teams are treating feed coverage as a setup question rather than an ongoing one. They audit their regulatory feeds at go-live, the system runs reliably for six months, and then a new feed becomes relevant or an existing one changes its publication format. By the time anyone notices, the agent has been quietly missing publications for weeks. A quarterly re-audit of your feed list, though boring, is what keeps the rest of the workflow honest."
Key Facts
The Scale of the Problem
Major financial institutions are subject to dozens of overlapping regulatory frameworks. DORA (the EU Digital Operational Resilience Act, EU Regulation 2022/2554) applies to in-scope financial entities and their critical ICT third-party service providers. NIS2 (the EU Network and Information Security Directive 2) applies to operators of essential services and important entities across critical sectors. Domestic obligations from the FCA, PRA, EBA, and ESMA add further layered requirements.
That volume is growing. DORA enforcement began on 17 January 2025. NIS2 transposition obligations were due across EU member states by October 2024. Domestic obligations from the FCA and PRA sit alongside these.
The FCA issued £15.7 million in regulatory fines in Q1 2026 alone. Compliance functions managing this landscape manually are absorbing a cost in analyst time and regulatory risk that compounds with every new framework added to scope.
Against this volume of regulatory output, the manual approach to regulatory change management breaks down in three predictable ways. Horizon scanning is inconsistent: coverage depends on which sources an analyst happens to monitor and on their bandwidth that week. Impact assessment is subjective: two analysts reviewing the same publication routinely reach different conclusions about which controls are affected.
And handoff is slow. Even where a change is correctly identified and assessed, getting the right control owner to act can take weeks.
Agentic AI addresses the first two weaknesses directly and accelerates the third. The fundamental analytical challenge, interpreting what a regulatory requirement means for a specific organisation's control framework, remains the domain of human compliance expertise. An agent that classifies a DORA update as relevant to access controls has done useful work. An agent that concludes the organisation's PAM configuration is now non-compliant has exceeded what the technology can reliably deliver.
The boundary between classification and interpretation is where human compliance expertise carries the work.
Before and After: Manual vs Agentic Process
The table below maps each stage of the regulatory change management workflow against what a compliance team does manually today and what an agentic system handles instead. The structural cost of the manual approach is the inconsistency and delay that accumulates across every stage when coverage depends on individual analyst bandwidth.
| Stage | Manual approach | Agentic approach |
| --- | --- | --- |
| Regulatory ingestion | Analyst monitors regulator websites, email alerts, and association summaries. Coverage depends on individual bandwidth and which sources happen to be on the analyst's list. | Agent connects to structured feeds and official publication registers. Continuous ingestion with no gaps from capacity constraints or analyst leave. |
| Relevance classification | Analyst reads or skims each publication and applies subjective judgement on applicability. Classification is inconsistent between analysts and depends on knowledge of the organisation's framework scope. | NLP classifies each publication by jurisdiction, entity type, business line, and applicable framework. Output is a sorted, tagged queue requiring no analyst reading time for initial triage. |
| Control mapping | Analyst manually cross-references the publication against the control library. Process is slow, inconsistent, and depends on the analyst's knowledge of which controls are in scope. | Agent maps to existing controls using framework tags and topic matching, with confidence scoring. High-confidence mappings proceed; low-confidence items are flagged for analyst review. |
| Impact assessment | Analyst drafts the impact assessment from scratch, often weeks after the regulatory publication date. Quality and format vary between analysts. | Agent produces a structured draft including the regulatory change, mapped controls, current control state, and proposed action. Analyst reviews, confirms, and applies operational context. |
| Task assignment and tracking | Programme manager manually assigns tasks, sends emails, and follows up on completion. Tracking is spreadsheet-based; escalation depends on the manager noticing overdue items. | Agent creates a task in the GRC platform, assigns to the relevant control owner, sets a deadline based on the regulatory effective date, and escalates automatically if the task is not acknowledged. |
| Audit trail | Documentation quality varies. The link between a specific regulatory change and the resulting control update may not be recorded systematically. | Timestamped log of all actions, agent and analyst, linked to the regulatory change record. Demonstrates a structured response process to regulators and examiners. |
The Agentic Regulatory Change Workflow: Step by Step
Ingestion
The agent connects to structured regulatory data sources. These include official publication registers (FCA Handbook, EBA registers, EUR-Lex for EU legislation), specialist RegTech feeds, and direct publication alerts from named regulators. The agent ingests new publications on a continuous or near-real-time basis.
The quality of ingestion determines everything downstream. An agent that misses a publication cannot classify, map, or assess it. Organisations deploying agentic change management need to audit their regulatory feed coverage before assuming it is complete. A gap at ingestion is invisible until a missed publication becomes a compliance finding.
Classification
Each ingested publication is classified using NLP (natural language processing). Classification dimensions include jurisdiction (UK, EU, US, or cross-border), entity type (credit institution, investment firm, insurance undertaking, critical infrastructure operator), business line (retail banking, capital markets, insurance), and applicable framework (DORA, NIS2, ISO 27001:2022, Basel III, Solvency II, NIST CSF 2.0).
Classification at this stage is reliable and mature. This is a live capability in large financial institutions and specialist RegTech platforms. The result is a tagged publication queue, sorted by estimated relevance, where an analyst sees only the publications that could require action. An organisation with a narrow or outdated relevance profile will see this filter as a liability: the publications it misses surface later as compliance findings.
Control Mapping
The agent maps each classified publication to existing controls in the organisation's control library, matching the regulatory topic and framework tag to controls with the same attributes. A DORA Article 9 update on authentication and access controls for ICT systems maps to access control-related controls in the library. A NIS2 Article 21 update on security measures for essential entities maps to the relevant network security and incident management controls.
Mapping is confidence-scored. Controls with a clear, direct match score high; controls with a plausible but indirect connection score lower. High-confidence mappings proceed to draft impact assessment. Low-confidence mappings are flagged for analyst review before proceeding, ensuring the analyst's time is spent on the cases that require judgement.
Impact Assessment Drafting
For high-confidence mapped changes, the agent drafts a structured impact assessment. The draft includes the regulatory change and its effective date, the controls mapped to it, the current state of each control based on last test result and evidence, and a proposed action (no change required, policy update required, control update required, or new control needed).
This is where the automation boundary matters most. The agent generates a structured draft based on pattern matching and prior data, leaving the interpretation to the analyst. A compliance professional must review the draft, confirm or correct the mapping, and apply their knowledge of the organisation's specific operating context before the impact assessment is finalised. That review converts a structured draft into a confirmed compliance position.
Assignment and Tracking
Once an impact assessment is confirmed by the analyst, the agent creates a task in the GRC platform, assigns it to the relevant control owner, sets a completion deadline based on the regulatory effective date, and sends a notification. If the task is not acknowledged within a defined period, the agent escalates to the programme manager.
SureCloud's Gracie AI Agents with Personas and Skills operationalises this routing and escalation logic through the Regulatory Change Persona, with task assignment driven by the control owner structure defined in the GRC programme. All actions are logged with timestamps and assigned author, whether analyst or agent, creating an audit trail that demonstrates the organisation has a structured process for responding to regulatory change.
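The assignment, escalation and audit-trail behaviour described above, as an added illustration rather than SureCloud's own code. The task model, the five-day acknowledgement window, the 30-day lead time before the effective date, and the change and control references are all assumptions; the page names no such values.

```python
from datetime import datetime, timedelta

ACK_WINDOW_DAYS = 5   # assumed "defined period" before the agent escalates
LEAD_TIME_DAYS = 30   # assumed buffer set back from the regulatory effective date


class ChangeTask:
    """One GRC task raised from a confirmed impact assessment (hypothetical
    model). Every transition is appended to an audit log with timestamp,
    actor (agent or a named person) and the regulatory change reference."""

    def __init__(self, change_ref, control_id, owner, effective_date, created_at):
        self.change_ref = change_ref
        self.control_id = control_id
        self.owner = owner
        self.deadline = effective_date - timedelta(days=LEAD_TIME_DAYS)
        self.created_at = created_at
        self.status = "open"
        self.log = []
        self._record("agent", "created", created_at,
                     f"assigned to {owner}, deadline {self.deadline.date()}")

    def _record(self, actor, action, at, detail=""):
        self.log.append({"at": at.isoformat(), "actor": actor, "action": action,
                         "change": self.change_ref, "control": self.control_id,
                         "detail": detail})

    def acknowledge(self, at):
        self.status = "acknowledged"
        self._record(self.owner, "acknowledged", at)

    def check_escalation(self, now, programme_manager):
        """Escalate exactly once if still unacknowledged after the window."""
        overdue = now - self.created_at > timedelta(days=ACK_WINDOW_DAYS)
        if self.status == "open" and overdue:
            self.status = "escalated"
            self._record("agent", "escalated", now, f"to {programme_manager}")
            return True
        return False

    def close(self, at, evidence_ref):
        """Owner completes the update; the evidence link lands in the log."""
        self.status = "closed"
        self._record(self.owner, "closed", at, f"linked {evidence_ref}")


def run_constructed_scenario():
    """Two tasks from one constructed change: one owner acknowledges in time,
    the other never responds and is escalated on the next check."""
    t0 = datetime(2026, 5, 1, 9, 0)
    effective = datetime(2026, 7, 1)
    timely = ChangeTask("RC-0001", "AC-01", "iam-owner", effective, t0)
    timely.acknowledge(t0 + timedelta(days=2))
    timely.close(t0 + timedelta(days=10), "POL-ACCESS-v4")
    silent = ChangeTask("RC-0001", "NS-01", "network-owner", effective, t0)
    check = t0 + timedelta(days=6)
    return {
        "timely_escalated": timely.check_escalation(check, "pm"),
        "silent_escalated": silent.check_escalation(check, "pm"),
        "silent_escalated_again": silent.check_escalation(check + timedelta(days=1), "pm"),
        "deadline": silent.deadline.date().isoformat(),
        "silent_actions": [e["action"] for e in silent.log],
        "timely_actors": [e["actor"] for e in timely.log],
    }
```

The log entries carry both the change reference and the control id, which is the link an examiner would follow from a regulatory change to the resulting control update.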
Closure and Framework Update
When the control owner completes the required update, whether a policy revision, control design change, or additional testing, the agent marks the task complete, links the updated control or policy document to the regulatory change record, and updates the framework mapping. SureCloud's workflow automation handles the linking and status update automatically, removing the manual administration that delays closure in spreadsheet-based programmes.
The change history is retained, allowing future auditors or examiners to trace when and why a specific control was updated. For organisations subject to DORA Article 5, which requires management bodies to maintain an up-to-date view of the ICT risk management framework, this traceable update history demonstrates that the framework reflects the current regulatory environment.
What Is Live Now vs 12-18 Months Out
Not all six steps have the same deployment maturity. Compliance leaders evaluating platforms need to understand which capabilities are production-ready and which are still maturing, so they can sequence implementation and set realistic expectations for what the technology will deliver in year one.
Live and broadly deployed
Regulatory feed ingestion and NLP-based classification by jurisdiction, entity type, and framework are mature, live capabilities in both large financial institutions and specialist RegTech platforms. The accuracy of classification at this stage is high, and the technology is stable enough for production deployment without significant analyst oversight. Feed ingestion and classification are the right place to start: they are the dependency every subsequent step runs on, and where the technology is most likely to outperform the manual baseline from day one.
Live, less uniformly implemented
Confidence-scored control mapping and draft impact assessment generation for high-confidence cases are live in platforms targeting financial services regulatory change. Implementation quality varies widely between vendors, particularly in the specificity of the mapping logic and the usefulness of the draft impact assessment output. Evaluate both in a proof of concept before committing to production deployment.
Automated task routing and escalation is also live but depends heavily on the quality of the control owner structure in the GRC platform. Organisations with well-maintained control libraries and defined ownership hierarchies will see faster returns than those where this structure needs building first.
Emerging: where the gap is closing
Automated closure and framework update is available in mature deployments but requires tighter integration between the regulatory change module and the broader GRC platform than some vendors currently offer. Cross-framework deduplication, handling a single regulatory change that affects DORA, NIS2, and ISO 27001:2022 controls simultaneously without generating duplicate tasks, is the current technical limitation most commonly cited by practitioners. Some platforms address this with a unified control taxonomy; others do not. Test this specifically when evaluating platforms.
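Confidence-scored control mapping (the Control Mapping step above) and the cross-framework deduplication discussed here, in one added example that is not SureCloud's code or mapping logic. The control library, the scoring formula, the 0.6 threshold and the sample publication are all constructed assumptions; the point is that scoring each control once against a multi-framework publication yields one task per control, whereas a per-framework run raises duplicates.

```python
from dataclasses import dataclass

# Constructed sample control library (hypothetical ids, titles and tags).
# Framework and topic tags are the attributes the page says mapping runs on.
CONTROL_LIBRARY = [
    {"id": "AC-01", "title": "Privileged access management",
     "frameworks": {"DORA", "NIS2", "ISO27001"},
     "topics": {"access-control", "authentication"}},
    {"id": "AC-02", "title": "MFA for remote access",
     "frameworks": {"DORA", "ISO27001"},
     "topics": {"authentication", "remote-access"}},
    {"id": "IR-01", "title": "Incident response plan",
     "frameworks": {"DORA", "NIS2"}, "topics": {"incident-management"}},
]

HIGH_CONFIDENCE = 0.6  # assumed threshold; the page states no number

@dataclass
class Publication:
    ref: str
    frameworks: set  # frameworks the classifier tagged the publication with
    topics: set      # topics the classifier tagged the publication with

def score(pub, control):
    """Assumed formula: Jaccard overlap on topics (weight 0.7) plus the share
    of the publication's frameworks the control carries (weight 0.3).
    No shared topic means no mapping at all."""
    topic_hits = len(pub.topics & control["topics"])
    if topic_hits == 0:
        return 0.0
    topic_score = topic_hits / len(pub.topics | control["topics"])
    fw_score = len(pub.frameworks & control["frameworks"]) / len(pub.frameworks)
    return round(0.7 * topic_score + 0.3 * fw_score, 2)

def map_publication(pub, library=CONTROL_LIBRARY):
    """Split candidate controls into (proceed, review), best score first.
    Each control is scored once against the whole publication, so a change
    tagged DORA, NIS2 and ISO 27001 yields one entry per control."""
    proceed, review = [], []
    for control in library:
        s = score(pub, control)
        if s == 0.0:
            continue  # no topic overlap: not a candidate
        entry = {"control": control["id"], "confidence": s,
                 "frameworks": sorted(pub.frameworks & control["frameworks"])}
        (proceed if s >= HIGH_CONFIDENCE else review).append(entry)
    by_conf = lambda e: -e["confidence"]
    return sorted(proceed, key=by_conf), sorted(review, key=by_conf)

def naive_task_count(pub, library=CONTROL_LIBRARY):
    """High-confidence tasks a per-framework run would raise: the duplicate
    task failure mode the page describes for cross-framework changes."""
    total = 0
    for fw in pub.frameworks:
        total += len(map_publication(Publication(pub.ref, {fw}, pub.topics), library)[0])
    return total

# Constructed publication: one change tagged to three frameworks.
SAMPLE_PUBLICATION = Publication("constructed DORA Art. 9 update",
                                 {"DORA", "NIS2", "ISO27001"},
                                 {"access-control", "authentication"})
```

For the sample publication the unified run sends AC-01 to draft impact assessment once and flags AC-02 for review, while the per-framework run raises three AC-01 tasks.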
Over the next 12 to 18 months, the most significant development to watch is the narrowing gap between classification and interpretation. Current systems classify reliably but cannot interpret complex regulatory text in context. Progress here will be incremental rather than step-change, and organisations should continue to design workflows with human analyst review at the interpretation stage regardless of vendor claims.
Model Governance Requirements
Any ML (machine learning) model used in a regulatory change management workflow needs documented governance. This includes model validation, testing the model's classification and mapping accuracy against a labelled dataset; drift monitoring, tracking whether accuracy degrades as regulatory language evolves; and explainability, being able to show an examiner why the model mapped a given publication to a given control.
The EBA's guidelines on internal governance (EBA/GL/2021/05) require the management body to bear ultimate accountability for the firm's risk management and compliance framework, including any AI-assisted processes operating within it. The FCA's Senior Managers and Certification Regime (SMCR) goes further: it maps accountability for specific compliance functions to named Senior Managers, whose Statements of Responsibilities should reflect their oversight of AI tools used in regulated activities. In both frameworks, accountability rests with the firm, not the vendor.
Regulators and examiners expect to see this documentation. It belongs in the compliance programme alongside the AI output it governs.
FAQs
Is AI actually reliable enough for regulatory change management?
AI is reliable for the triage and routing stages: ingesting publications, classifying by jurisdiction and framework, and mapping to existing controls. These are pattern-matching activities where the technology is mature. Human compliance expertise remains the only reliable interpreter of what a regulatory change actually requires a firm to do. Design the workflow with AI handling classification and routing, and humans handling interpretation and sign-off.
How does the system know which regulatory publications are relevant?
The agent classifies each publication by jurisdiction, entity type, business line, and applicable framework using NLP. The organisation configures its relevance profile: which jurisdictions it operates in, which entity types apply, which frameworks it is subject to. The agent filters accordingly, and publications outside the relevance profile are archived rather than surfaced for action. Regular audits of the relevance profile are necessary as the organisation's regulatory perimeter changes.
What happens when a regulatory change does not map clearly to an existing control?
Low-confidence mappings are flagged for analyst review rather than proceeding to draft impact assessment. The analyst reviews the publication and the proposed mapping, confirms or corrects it, and the workflow proceeds from there. This is the design intent: the system handles the clear cases autonomously and routes the ambiguous cases to a human. The proportion of cases that fall into each category is a useful metric for assessing the quality of the control library and the mapping model.
Can this workflow handle cross-jurisdictional regulations affecting multiple frameworks?
This is where current deployments have the most visible limitations. A single regulatory change, such as a DORA update that also affects ISO 27001:2022 Annex A controls and NIS2 Article 21 obligations, can generate duplicate tasks if the system doesn't deduplicate across frameworks. Some platforms handle this with a unified control taxonomy; others do not. Test this specifically when evaluating platforms: present a cross-jurisdictional publication and check whether the output is a single consolidated task or multiple overlapping ones.
What regulatory obligations does automated change management support?
DORA Articles 5 and 6 require firms to maintain an ICT risk management framework that reflects the current regulatory and threat environment; systematic regulatory change management directly supports this. NIS2 Article 21 requires documented security measures that must be updated as the regulatory landscape evolves. ISO 27001:2022 Clause 4.2 requires organisations to identify the needs and expectations of interested parties, including legal, regulatory, and contractual requirements relevant to the ISMS. Annex A Control 5.31 requires compliance with, and documented awareness of, applicable legal, statutory, regulatory, and contractual requirements relating to information security.
All three are directly supported by a structured regulatory change management workflow. Framing the investment as the mechanism for meeting specific named obligations shifts the conversation from discretionary technology spend to mandatory compliance cost.
What does the organisation need to have in place before this works?
Three things need to be in place before the technology delivers value. Regulatory feed coverage: the agent ingests what it's connected to, and an incomplete feed list creates gaps that stay invisible until a missed publication surfaces as a compliance finding. Audit your feed coverage at the outset, before deployment.
Control library quality: mapping logic is only as good as the framework tags and control descriptions it runs against. Vague or inconsistent tagging produces low-confidence mappings that push work back to the analyst. Defined ownership: automated task routing requires a clear control owner structure in the GRC platform; build that structure into the programme before activating routing.
“In SureCloud, we’re delighted to have a partner that shares in our values and vision.”
Read more on how Mollie achieved a data-driven approach to risk and compliance with SureCloud.