The 800% Problem: Why Criminal AI Growth Is a Governance Issue, Not a Technology Gap

Analysis of why the 'AI arms race' framing in financial crime compliance is wrong for management companies and TCSPs. Based on ComplyAdvantage's 2026 Future of Compliance summit finding that criminal AI use rose 800% in two years. Argues that compliance AI carries governance obligations criminals don't, and that TCSPs without model risk management functions face a specific accountability gap under AMLR.

Fredrik Gröndahl

A statistic from ComplyAdvantage's June 2026 Future of Compliance summit deserves more attention than it has received. Criminal networks have increased their use of AI tools by an estimated 800% over the past two years. These networks operate entirely free from the regulatory obligations, explainability requirements, and documentation standards that apply to compliance teams. At the same moment, financial institutions spend more than $200 billion per year on compliance and intercept less than 2% of illicit financial flows.

The compliance industry has heard about this gap before. The typical response is that compliance teams need more AI, better AI, faster AI. The instinct is understandable. The diagnosis is wrong.

What the Summit Found

At ComplyAdvantage's Future of Compliance summit in June 2026, Todd Raque, deputy BSA officer at Citizens Financial Group, laid out a practical framework for how compliance programmes should respond to AI-enabled criminal threat evolution. His central argument was not about matching the criminal's technology level. It was about governance.

The principle Raque described is "full contact governance": risk management should be an active co-designer of any AI-assisted compliance solution from the outset, not a gatekeeper reviewing a near-complete system at the end of the process. When compliance and risk functions are brought in only to approve a finished product, two things follow: outcomes fall short of regulatory expectations and course-correction is expensive.

The finding that criminal AI use has grown 800% while detection rates have stagnated below 2% is not, in Raque's framing, primarily a technology gap. It is a governance gap.

The Structural Asymmetry

Criminal AI has one criterion: evade detection. It does not need to be explainable. It does not need a named model owner. It does not need to produce audit-ready outputs. When a criminal AI tool stops working, it gets updated, with no documentation required.

Compliance AI operates under a different set of constraints. When an AI model produces a risk score that informs a CDD decision, and that decision is later reviewed by a supervisor, the examiner's question is not whether the firm had AI in its workflow. The questions are: can the firm explain the model's output? Was the model appropriate for its specific client base? Was it governed and monitored? Does a reasoning trail connect the AI's output to the final CDD decision?

Every governance requirement on the compliance side is a structural constraint that does not exist on the criminal side. Describing the compliance challenge as an "arms race" implies that matching the criminal's technology level solves the problem. It does not. The compliance team is not in a race it can win by running faster. It is in a different kind of competition, one where the quality of documentation is the decisive variable.

Analysis published in Compliance Week by Arun Maheshwari, a senior model risk executive at a Tier 1 global bank, describes what sophisticated AML operations are actually building: not replacement of rule-based systems with AI, but layering of AI alongside rules, with machine learning handling alert scoring and enrichment while rule-based systems provide backstops. GenAI in this environment is positioned as a "copilot, not an adjudicator." Unsupervised AI decision-making in high-risk areas is not accelerated. It is avoided. The institutions moving fastest toward AI adoption are the same institutions most carefully documenting each component of their compliance stack.

This is not caution constraining performance. This is what deploying AI inside a governance framework looks like.

The Model Risk Gap at Non-Bank Entities

Banks in most major jurisdictions operate under model risk management (MRM) frameworks that govern how AI and ML models must be validated, monitored, and documented. They maintain model inventories. They validate models before deployment. They monitor for drift after deployment. When a vendor updates a risk scoring algorithm, a bank's MRM team documents what changed and confirms the update is appropriate for the bank's use case.

TCSPs and management companies typically do not have MRM functions. When they deploy a third-party screening tool or a vendor-provided risk scoring engine, the vendor manages the model. The firm manages the data. Nobody manages the governance.

This matters because AMLR does not distinguish between AI outputs from a proprietary model and AI outputs from a vendor tool. The obliged entity is accountable for the CDD decision, regardless of which technology produced the inputs to that decision. "The vendor handles the model" is not an answer to a supervisory question about how a client's risk rating was determined, or how a screening hit was resolved.

AMLA's 2026 supervisory work programme places CDD quality, individualized risk scoring, and audit-trail completeness at the centre of its examination priorities. A risk score produced by a vendor AI tool, where the firm cannot describe the model's logic, has no record of model updates, and cannot confirm that the configuration is appropriate for its specific client base, does not meet that standard.

What TCSPs and Management Companies Actually Need to Ask

The practical question for firms in this audience is not whether to use AI in compliance workflows. Most already are. Identity verification at onboarding uses AI. Sanctions screening tools use AI. Risk scoring engines use AI. Transaction monitoring uses AI. The question is whether any of these tools are governed.

Governed, in this context, means four things. First, a documented assessment of whether the tool's configuration is appropriate for the firm's specific client base, product mix, and risk profile. A behavioral analytics tool configured with defaults designed for retail banking clients is not appropriate for a TCSP serving Luxembourg alternative investment fund structures. Second, a named owner within the firm who is accountable for the model's outputs and responsible for reviewing vendor updates. Third, a record of what the model is doing: what inputs it processes, what thresholds it applies, and what outputs it generates. Fourth, a connection between the model's output and the documented CDD decision: not just a risk score in a file, but a record showing that a human reviewer assessed that score against the specific facts of the specific client.

These are governance questions, not technology questions. They require documentation, accountability, and process. They are not supplied by the vendor.

The Position

The 800% increase in criminal AI use is a real and material threat. Criminal networks are using generative AI to build synthetic identities that survive rule-based detection, deepfakes that evade biometric verification, and behavioral patterns calibrated to stay below monitoring thresholds. This is not rhetorical.

But the compliance response is not to match the criminal's pace. The criminal's AI wins when your compliance team cannot explain what it saw, when, and why. It fails when your infrastructure can produce, for every CDD decision, a documented reasoning trail connecting structured client data to a specific risk assessment, made by a specific person or by a model with a named owner, at a specific time, against a documented policy.

That infrastructure is not a product of faster AI. It is a product of governance around whatever AI the firm already uses.

Compliance teams that read the 800% figure as a technology deficit will build faster tools they cannot explain. Compliance teams that read it as a governance problem will build the documentation discipline that makes AI-assisted decisions defensible. AMLA will examine both kinds of programmes, using the same standard. Only one will hold up.

If your firm uses AI-assisted tools in its KYC or AML workflow and needs to assess whether its governance infrastructure meets the AMLR standard, we can help.