
Plain-language rule building for verification flows: what changes for teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: Verification flows and transaction monitoring rules can now be generated from plain-language instructions, turning a read-and-suggest assistant into one that creates live platform configurations with human review before go-live, according to Sumsub. The shift matters because governance now has to cover machine-generated configuration, not just human-authored policy.

NHIMG editorial — what this means for NHI practitioners

Questions worth separating out

Q: How should compliance teams govern AI-generated verification flows?

A: Compliance teams should treat AI-generated verification flows as production controls, not draft content.

Q: What breaks when AI builds monitoring rules from plain language?

A: What breaks is the assumption that only humans can translate policy into enforceable control logic.

Q: How do teams know if AI-generated configuration is working?

A: Teams know it is working when every generated object has traceable provenance, clear approval history, and measurable alignment to policy outcomes.

Practitioner guidance

  • Classify generated configurations as governed control objects: Treat AI-authored verification flows and transaction rules as production artefacts that require the same lifecycle handling as manually built controls, including ownership, approval, and traceability.
  • Require policy and jurisdiction checks before go-live: Validate each generated flow against internal policy, regional requirements, and fraud thresholds before the human review step approves publication.
  • Track provenance for every generated or duplicated rule: Record whether a flow or rule was generated from a prompt, adapted from a template, or duplicated from an existing object so audit teams can reconstruct decision history.

What's in the full announcement

Sumsub's full post covers the operational detail this post intentionally leaves for the source:

  • The exact Level Builder and Rule Builder behaviours that turn plain-language prompts into live platform objects.
  • The editing window for recently created levels and how it changes change-control workflows.
  • The template and duplication paths for rule creation, including how teams can adapt existing rules.
  • The human review step before publication and what it means for approval workflows.

👉 Read Sumsub's update on AI Copilot for verification flows and monitoring rules →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 2799
 

Generated configuration is now an identity control surface. When an AI system can produce verification flows and monitoring rules directly, the governance question moves from who can use the platform to who can author enforceable controls through it. That expands the identity boundary into configuration generation, where machine output can shape compliance outcomes. Teams should treat generated configuration as a governed artefact, not a convenience feature.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
  • AI governance is already lagging in practice: 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the same report.

A question worth separating out:

Q: Should organisations separate AI configuration creation from publication rights?

A: Yes. Separation of duties should apply to AI-generated controls just as it does to human-created ones. The person who describes the need should not be the only person who can publish the resulting rule or flow, especially when the object affects verification or monitoring decisions.

👉 Read our full editorial: Plain-language configuration for verification flows and monitoring rules



   