
Compliance is Probabilistic

In my three decades as a compliance engineer, I've watched our profession's obsession with check-boxes undermine effective risk management. Today, as AI reshapes our field, there's a new reality we must confront: compliance is probabilistic.

 

This revelation isn't cause for alarm—it's an opportunity. By embracing Bayesian probability, we can transform how we measure, report, and improve compliance assurance.

 

In this article, I challenge conventional compliance wisdom by asking: What will you do when AI predicts your compliance probability is less than perfect?

 

The answer might revolutionize how you approach assurance altogether.

 

If you're ready to move beyond audit check-boxes and embrace the power of probabilistic thinking, this perspective may challenge—and potentially transform—your compliance


A Bayesian Approach to Compliance Assurance

As a compliance engineer with over 30 years in the field, I've seen how limited single-point, audit-based assessments can be. Today's compliance landscape demands a more sophisticated probabilistic approach.


Current Probability Usage in Compliance


Probability concepts already permeate modern compliance programs:


  • Risk-Based Programs: Financial institutions routinely express compliance risk as probability metrics ("70% probability of meeting regulatory expectations"), while pharmaceutical companies apply statistical probability to clinical trial compliance.

  • Sampling-Based Testing: Organizations use statistical sampling to generate statements like "95% confidence that controls are effective" or "90% confidence that compliance exceeds 95%."

  • Advanced Analytics: Predictive models assign probability scores to potential violations, with machine learning systems flagging transactions that exceed specific non-compliance thresholds.

  • Industry Applications: From AML suspicious transaction scoring in financial services to statistical confidence levels in healthcare billing and probabilistic assessments in environmental compliance, industry-specific applications abound.


Moving Beyond Single Points with Bayes


Despite these uses of probability, most programs still rely on periodic audits that produce single-point estimates of compliance. Bayes' theorem provides a framework to synthesize these various probability measures into a cohesive, dynamic approach:


P(C|E) = [P(E|C) × P(C)] / P(E)


Where:


  • P(C|E) is the probability of compliance given new evidence

  • P(E|C) is the probability of observing the evidence if compliant

  • P(C) is the prior probability of compliance

  • P(E) is the probability of observing the evidence


This formula allows us to:


  1. Start with prior observations from various sources

  2. Continuously update our assurance levels as new evidence emerges

  3. Express assurance as distributions rather than single points
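The three steps above, worked through as an added example (not code from the original article). It applies the formula once to a single piece of evidence, then tracks a control pass rate as a Beta distribution that is updated with each batch of test results. The Beta prior, the function names and all sample numbers are assumptions constructed for illustration.

```python
from math import comb

def bayes_update(prior_c, p_e_given_c, p_e_given_not_c):
    """P(C|E) = P(E|C) * P(C) / P(E); P(E) expanded by total probability."""
    p_e = p_e_given_c * prior_c + p_e_given_not_c * (1.0 - prior_c)
    return p_e_given_c * prior_c / p_e

def beta_update(a, b, passed, failed):
    """Beta(a, b) belief about the control pass rate, updated with test results."""
    return a + passed, b + failed

def beta_cdf(x, a, b):
    """P(rate <= x) under Beta(a, b); exact binomial-sum form for integer a, b."""
    n = a + b - 1
    return sum(comb(n, j) * x**j * (1 - x)**(n - j) for j in range(a, n + 1))

def prob_rate_exceeds(threshold, a, b):
    """Assurance statement: probability that the true pass rate is above threshold."""
    return 1.0 - beta_cdf(threshold, a, b)

def quantile(q, a, b):
    """Invert the CDF by bisection."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if beta_cdf(mid, a, b) < q else (lo, mid)
    return (lo + hi) / 2

def assurance_over_time(prior, batches, threshold=0.95):
    """Fold each (passed, failed) batch into the belief; report it as a distribution."""
    a, b = prior
    history = []
    for passed, failed in batches:
        a, b = beta_update(a, b, passed, failed)
        history.append({
            "mean": a / (a + b),
            "p_exceeds": prob_rate_exceeds(threshold, a, b),
            "interval_90": (quantile(0.05, a, b), quantile(0.95, a, b)),
        })
    return history

# Constructed data: last audit passed 19 of 20 control tests, on a uniform Beta(1, 1).
PRIOR = beta_update(1, 1, 19, 1)
# Constructed monthly control-test samples as (passed, failed).
BATCHES = [(30, 0), (28, 2), (29, 1)]

if __name__ == "__main__":
    for month, row in enumerate(assurance_over_time(PRIOR, BATCHES), start=1):
        print(month, round(row["mean"], 3), round(row["p_exceeds"], 3), row["interval_90"])
```

Each row reports a mean, a 90% credible interval and the probability that the pass rate exceeds 95%, so a batch containing failures visibly lowers the assurance figure instead of waiting for the next audit.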


The Practical Advantage


By applying Bayesian methods to existing probability measures, we gain significant advantages:


  • Integrate sampling results with predictive analytics and risk-based assessments into a unified view

  • Update assurance continuously rather than waiting for audit cycles

  • Express uncertainty explicitly through probability distributions

  • Allocate resources based on the full distribution, not just central tendencies

 

So What Will You Do?


So what will you do when AI predicts that the confidence level (assurance) in meeting your obligations is less than 1? This isn't a theoretical question—it's the practical reality facing every compliance program. Perfect assurance is a mathematical impossibility in complex systems.


The answer lies not in pursuing the unattainable perfect score, but in making informed decisions under acknowledged uncertainty. You'll prioritize interventions based on probability distributions, communicate transparently about confidence levels, and create a compliance function that values honesty about uncertainty over false precision.


In the end, effective compliance isn't about claiming perfect assurance—it's about understanding exactly how imperfect your assurance is, and acting accordingly.

© 2017-2025 Lean Compliance™ All rights reserved.
