Compliance is changing faster than many organisations can comfortably absorb. AI is becoming embedded in everyday business systems, cyber security has become a board-level governance issue, sanctions risk shifts as fast as the geopolitics behind it, and third-party risk now touches data protection, human rights, modern slavery, supply chains and operational resilience.
That was the focus of a recent VinciWorks webinar on the compliance agenda for 2030, attended by hundreds of compliance, risk, legal and HR professionals. Nick Henderson-Mayo, Head of Compliance at VinciWorks, was joined by Ruth Mittelmann Cohen, Head of Legal Compliance at VinciWorks, and Caspar Bullock, Group Strategy Director at Axiom GRC, to discuss what compliance might look like in the next five to ten years.
The audience response confirmed what many compliance teams are already feeling. When asked whether compliance feels more complex than in previous years, an overwhelming 89% of respondents said yes. Only 1% said compliance feels less complex, and unfortunately those few people did not give their reasoning, however illuminating that might have been!
That sense of complexity is not simply a matter of more regulations for compliance teams to deal with. What makes everything feel more complex is the convergence of risk. AI governance now overlaps with data protection, employment law, procurement and cyber security. Cyber resilience overlaps with board accountability and operational continuity. AML overlaps with sanctions, fraud, crypto and geopolitical exposure. Supply-chain compliance overlaps with human rights, environmental claims and third-party risk.
Caspar Bullock, Group Strategy Director at VinciWorks’ parent company Axiom GRC, said the old siloed model of compliance is becoming increasingly difficult to sustain.
“Compliance can’t live in silos any longer; boards need a clearer view across legal, cyber, procurement, third-party risk and operational resilience, especially as regulators increasingly expect organisations to evidence how their controls work in practice.”
That theme of evidence ran through the discussion. Policies still matter, but a future-proofed compliance programme will rely on much more than policies alone. Regulators are increasingly interested in whether organisations can demonstrate that risks were understood, decisions were documented, controls were tested and issues were escalated appropriately.
AI will become part of the compliance infrastructure
One of the clearest predictions for the future of compliance was that AI will stop being treated as a separate, stand-alone compliance issue. The next phase of AI risk will be about AI embedded into email, document management, HR systems, customer support, contract review, KYC tools, productivity software and everyday workflows.
That creates a very different compliance challenge. If AI is summarising emails, drafting client responses, reviewing contracts or prioritising messages, compliance teams need to know what data the system can access, who can use it, what outputs it produces and what happens if sensitive information is surfaced or exposed.
The audience agreed that many organisations are not yet ready for this shift. When asked whether AI training is keeping pace with how people actually use AI at work, only 5% of respondents said they have role-specific AI training in place, while 36% said they do not currently provide AI training at all.
That in itself could be a serious governance risk. AI training in the 2030s will need to be practical, mapped and owned. Ruth Mittelmann Cohen, Head of Legal Compliance at VinciWorks, said: “The legal issue here is wider than ‘do we have an AI policy?’ By 2030, organisations that still treat AI as a ‘side project’ owned only by IT will be exposed.”
Caspar agreed that mature compliance functions will move beyond asking whether they have an AI policy. Instead, they will need to ask whether they can see their AI estate, rank AI uses by risk, assign owners, test controls and report exceptions.
Despite the challenges, compliance teams can deal with AI risk by using familiar governance tools more often and more effectively. That could mean more Data Protection Impact Assessments where required, stronger vendor due diligence, clearer escalation routes, board reporting and role-specific training for staff who use AI in higher-risk contexts.
In other words, AI compliance will not be solved by one acceptable use policy. By the 2030s, organisations will need live visibility over how AI is actually being used across the business.
Sanctions and AML will demand faster response
As we’re already seeing in 2026, compliance priorities in the 2030s will continue to be shaped by geopolitical volatility. Sanctions risk can change overnight, affecting customers, suppliers, counterparties, payments, ownership structures and distribution routes.
Ruth warned that sanctions risk has become much more than a simple prohibited-party screening exercise. A counterparty may not appear on a sanctions list, yet the risk may sit behind the entity in its beneficial ownership, effective control, financing, subcontracting, routing or economic benefit.
The audience poll on sanctions showed mixed confidence. Only 15% of respondents said they were very confident in their sanctions screening. That in itself could prove to be a serious compliance gap. Sanctions apply to all businesses: some sectors face more exposure than others, but even paying £5 to a sanctioned entity is a criminal offence.
While many organisations have sanctions screening tools, screening alone is not the same as sanctions governance. A mature system should connect sanctions monitoring to customer data, supplier records, beneficial ownership information, payments, contracts, high-risk jurisdictions and escalation workflows.
Manually searching through spreadsheets or CRM data to identify a sanctions risk, when a designation can change within hours, can leave organisations severely exposed to a breach. A mature organisation should be able to trigger a workflow, identify affected suppliers, customers, beneficial owners, invoices and shipments, pause activity where needed and record the decision.
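The ownership point above (a counterparty that is not on the list but is held by someone who is) is where plain name-matching fails. The following is an added illustration, not code from the webinar, VinciWorks or Axiom GRC: it walks a small, constructed ownership graph, aggregates the equity held by listed parties at every level, and produces a per-counterparty decision record of the kind the paragraph describes. The 50% control threshold and all entity names are assumptions for the example; the threshold should be set to whatever rule your regulator applies.

```python
from collections import defaultdict

# Constructed sample data for the example: fictitious entities, not a real list.
SANCTIONED = {"Entity-S"}

# Direct holdings: owner -> {owned entity: fraction of equity held}.
OWNERSHIP = {
    "Entity-S":   {"HoldCo-A": 0.60, "HoldCo-B": 0.30, "Supplier-Y": 0.10, "Supplier-Z": 0.30},
    "HoldCo-A":   {"Supplier-X": 0.50, "Supplier-Z": 0.25},
    "HoldCo-B":   {"Supplier-X": 0.50},
    "Investor-C": {"HoldCo-B": 0.70, "Supplier-Y": 0.90, "Supplier-Z": 0.45},
}

CONTROL_THRESHOLD = 0.50  # assumption for the example; use your regulator's rule


def owners_of(ownership):
    """Invert owner -> owned into owned -> {owner: fraction}."""
    inverted = defaultdict(dict)
    for owner, holdings in ownership.items():
        for owned, fraction in holdings.items():
            inverted[owned][owner] = fraction
    return inverted


def controlled_entities(sanctioned, ownership, threshold=CONTROL_THRESHOLD):
    """Entities whose equity is held, in aggregate, at or above `threshold`
    by listed parties or by entities already found to be controlled.
    Iterates to a fixed point, so multi-level chains and cycles are handled."""
    inverted = owners_of(ownership)
    flagged = set(sanctioned)
    changed = True
    while changed:
        changed = False
        for entity, holders in inverted.items():
            if entity in flagged:
                continue
            share = sum(f for holder, f in holders.items() if holder in flagged)
            if share >= threshold:
                flagged.add(entity)
                changed = True
    return flagged


def screen(counterparties, sanctioned=SANCTIONED, ownership=OWNERSHIP,
           threshold=CONTROL_THRESHOLD):
    """Return a decision record per counterparty: direct list hit, indirect
    hit via ownership, the aggregate sanctioned share, which holders
    contributed, and the action taken. This is the record an auditor asks for."""
    flagged = controlled_entities(sanctioned, ownership, threshold)
    inverted = owners_of(ownership)
    records = {}
    for name in counterparties:
        contributors = sorted((h, f) for h, f in inverted.get(name, {}).items()
                              if h in flagged)
        records[name] = {
            "on_list": name in sanctioned,
            "indirect_hit": name not in sanctioned and name in flagged,
            "sanctioned_share": round(sum(f for _, f in contributors), 4),
            "contributors": contributors,
            "action": "pause_and_escalate" if name in flagged else "clear",
        }
    return records


if __name__ == "__main__":
    for name, rec in screen(["Supplier-X", "Supplier-Y", "Supplier-Z", "HoldCo-B"]).items():
        print(name, rec)
```

Supplier-X never appears on the list, yet it is flagged because HoldCo-A (itself 60% owned by the listed entity) holds half of it; Supplier-Z is flagged only because two sanctioned-side holdings of 30% and 25% are aggregated. Re-running `screen` whenever the list or the ownership data changes, and storing the returned records, is the connected, evidenced workflow the paragraph calls for, as opposed to a one-off name match.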
Compliance technology could become a saving grace
Despite the challenges ahead, technological progress could offer effective ways to adapt and improve how organisations manage and respond to risk. Caspar said:
“The old way of working was often built around human memory and heroic effort. We had to remember where the spreadsheet lived, what the last policy change was, then chase managers for approvals and update the tracker before the audit committee. That can work when the organisation is small, the risk is simple and the volume is manageable but it breaks down when the business grows.”
Expensive technology doesn’t always have to be the answer. Ruth said:
“Manual processes can still be legally defensible. There is nothing inherently wrong with a spreadsheet. But the organisation has to be honest about whether the process is still fit for purpose.”
Nevertheless, compliance technology can become resilience infrastructure. It can connect evidence across functions, show which suppliers or customers carry higher risk, identify overdue reviews, highlight incomplete beneficial ownership checks and produce a defensible record of decisions.
The audience appears to expect more investment in this area. Asked whether their organisation expects to spend more on compliance technology over the next 12 months, 49% said yes: 12% expect to spend a lot more and 37% a little more. Only 3% expect to spend less.
That does not mean technology is a magic bullet. Ruth warned that poorly configured tools can create false confidence. A sanctions system with poor data quality is dangerous. A risk register that no one updates is decorative. A dashboard based on incomplete inputs gives the board comfort it has not earned.
Both Caspar and Ruth agreed that the future is not technology replacing compliance judgement, but technology making that judgement more consistent, timely and evidenced.
Compliance professionals will move closer to strategy
One of the most important predictions from the session was that compliance roles will become less administrative and more strategic.
Automation should reduce the amount of time compliance professionals spend chasing completions, updating trackers and reconciling spreadsheets. That should free them to interpret risk, challenge the business and decide what proportionate action looks like.
Caspar captured this shift clearly:
“In the 2030s, the compliance function should be smaller in manual drag and larger in strategic influence.”
Better data should allow compliance teams to target training, identify emerging risks and intervene earlier. For example, a technology-enabled system might detect that a business unit with low training engagement, high staff turnover, delayed third-party reviews and increased complaints is becoming a conduct risk. It might identify that a supplier’s risk profile is deteriorating before a formal incident occurs.
That kind of forward-looking compliance function would be very different from the traditional annual policy review model. It would be more live, more connected and more embedded in how the business actually operates.
GRC in the 2030s: less paperwork, more proof
The final message from the webinar was that GRC in the 2030s will be judged less by the volume of policies and more by the organisation’s ability to prove that its systems work.
If an organisation says it has an AI governance framework, it will need to show where AI is used, what data it touches, who owns the risk and how decisions are reviewed. If it says it cares about wellbeing and neurodiversity, it will need to show how managers were trained, how concerns were handled and how adjustments were considered. If it says it monitors sanctions risk, it will need to show that screening, ownership checks, escalation and decision records are connected.
Ruth said the future of GRC will be:
“less about having more policies and more about being able to prove that the organisation understood the risk, made a reasonable decision and acted quickly when the facts changed.”
Caspar’s prediction was that GRC will become embedded into day-to-day operations, giving organisations live visibility over third parties, customers, controls, incidents, training, regulatory change and emerging risk.
“That is what I think GRC becomes,” he said, “not more paperwork, but better connective tissue.”
For compliance professionals, that is the challenge of the 2030s. The function will need to be faster, more connected, more evidence-led and more strategically influential. The organisations that prepare now will be better placed to manage the next decade of regulatory, technological and geopolitical disruption. Those that rely on static policies, fragmented spreadsheets and annual reviews may find that the future of compliance has already moved past them.