TL;DR: SumSub says its MCP integration lets AI agents turn AML policy documents into fully configured verification workflows in minutes, shifting compliance setup from manual translation to agent-driven configuration while keeping sensitive actions in a human-reviewed sandbox. The bigger issue is that governance now has to cover not just day-to-day operations but also the setup layer where policy becomes live access control.
NHIMG editorial — what this means for AI and NHI governance
Questions worth separating out
Q: How should security teams govern AI agents that can configure compliance workflows?
A: Security teams should treat agent-written configuration as privileged access to the control plane.
Q: When does AI-assisted policy translation become a governance risk?
A: It becomes a governance risk when the agent can convert ambiguous policy language into live system rules without a robust human review step.
Q: What breaks when AI agents can write verification settings directly?
A: Separation of duties breaks first, followed by change control and auditability.
Practitioner guidance
- Define a privileged entitlement for agent-written configuration. Separate read-only agent assistance from any ability to modify verification levels, questionnaires, or onboarding workflows.
- Require deterministic review of generated workflow changes. Capture the policy document, the generated configuration diff, and the approver identity before deployment.
- Test the sandbox as an enforceable boundary. Validate that sensitive actions cannot be executed from the agent session itself and that approval is required outside the runtime path.
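One way to make the review step above enforceable at deploy time, as an added sketch that is not SumSub's or NHIMG's code: the approval record binds the policy document, the generated diff and the approver identity, and the deploy gate refuses anything that no longer matches. The `human:`/`agent:` identity prefixes, the field names and the demo key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: this key lives in the approval service, outside the agent runtime.
APPROVAL_KEY = b"constructed-demo-key"
SIGNED_FIELDS = ("policy_sha256", "diff_sha256", "proposer", "approver", "reason")

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def approval_mac(record: dict, key: bytes) -> str:
    """HMAC over exactly the fields the approver reviewed."""
    canonical = json.dumps({f: record.get(f) for f in SIGNED_FIELDS}, sort_keys=True)
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()

def approve(policy, diff, proposer, approver, reason, key=APPROVAL_KEY) -> dict:
    """Run by the approval service after human review, never by the agent."""
    record = {"policy_sha256": digest(policy), "diff_sha256": digest(diff),
              "proposer": proposer, "approver": approver, "reason": reason}
    record["mac"] = approval_mac(record, key)
    return record

def deployment_blockers(record: dict, policy: bytes, diff: bytes, key=APPROVAL_KEY) -> list:
    """Return reasons to refuse deployment; an empty list means deployable."""
    blockers = []
    if record.get("policy_sha256") != digest(policy):
        blockers.append("policy document differs from the one reviewed")
    if record.get("diff_sha256") != digest(diff):
        blockers.append("configuration diff changed after approval")
    approver = record.get("approver") or ""
    if not approver.startswith("human:"):
        blockers.append("approver is not a human identity")
    if approver == record.get("proposer"):
        blockers.append("proposer approved its own change")
    if not record.get("reason"):
        blockers.append("no approval rationale recorded")
    if not hmac.compare_digest(str(record.get("mac") or ""), approval_mac(record, key)):
        blockers.append("approval record not signed by the approval service")
    return blockers

# Constructed sample input, not taken from any real policy or platform.
POLICY = b"Constructed AML policy excerpt: enhanced checks for high-risk applicants."
DIFF = b'- "level": "basic"\n+ "level": "enhanced"\n'
```

Because the gate recomputes both hashes and the MAC, an agent that edits the diff or the approver field after sign-off produces a record that fails closed.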
What's in the full announcement
SumSub's full article covers the operational detail this post intentionally leaves for the source:
- The exact policy-to-configuration workflow for AML documents and how the agent maps policy text into live settings.
- Details of the AI agent skills package and the single-command install path for the open-source components.
- How the sandboxed approval flow is structured for sensitive actions and where human review sits in the process.
- What the platform can do day to day for applicants, analytics, and verification link generation once configured.
AI agents and compliance setup: are verification controls keeping up?
Explore further
Configuration access is now a privileged identity boundary, not a convenience feature. When an AI agent can turn policy into live verification settings, it crosses from assistance into control-plane influence. That means the real risk is not the model asking for help, but the model being allowed to author the rules that determine who enters the system. Practitioners should treat agent write access to configuration as a privileged entitlement with explicit governance, not a feature toggle.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: What should organisations verify before allowing AI agents into compliance tooling?
A: They should verify that the agent can only propose changes, not activate them, and that sensitive actions are isolated from the agent runtime. They should also confirm that the workflow records who approved each change and why. Without that evidence, the integration creates convenience without control.