S7 #2 Agentic AI: Turning compliance into a revenue engine in 2026

INTRO: Welcome to The Power of Digital Policy, a show that helps digital marketers, online communications directors, and others throughout the organization balance out risks and opportunities created by using digital channels. Here's your host, Kristina Podnar.

[00:00:18] KRISTINA: In October of last year, I spoke with Brian Bauer about AG Agentic AI in banking, and specifically about the idea that compliance doesn't have to slow down innovation, but can actually enable it. It's now February, 2026, so not a lot of time has passed, and that's intentional. Today's conversation isn't really about sweeping transformation or dramatic market shifts. Instead, it's about what's become clear, what's proving harder than expected, and where organizations are starting to feel real tension. Just as agentic AI moves from concept to controlled experimentation, AI becomes mainstream, and organizations really try to make money off of their investments. So Brian, welcome back and thanks for helping us unpack all of this today.

[00:01:02] BRIAN: Thank you, Kristina. I'm really excited to be back and you know, you said it hasn't been, that much time, but it's amazing how much has actually changed, in four or five months, fun things like deregulation, in some areas even proposed, new regulations. So we're kind of in this, this moment of change even though it's been a short period of time and really excited to talk about some of these things.

[00:01:24] KRISTINA: So what right now do you think has become clearer and what misconceptions are already falling away? Not because maybe things are moving fast, but because teams are starting to really get engaged in adopting AI more seriously, and it seems like piloting has become less of a focus at this moment.

[00:01:41] BRIAN: Hmm. I think in there are a lot of articles that are coming out, recently on this topic that maybe 2026 is the year of, of the reckoning. And, what I mean by that last year there was an article from MIT that everybody likes to cite that said something like 97% of all AI initiatives fail to produce ROI and are ultimately abandoned. We can begin unpacking that a little bit and we could say, oh, there's lots of experimentation. By definition, experiments are designed to maybe prove a concept or test a theory, and then they are abandoned. That's just part of, you know, part of it, and that's the cost of doing business. However,, when I'm out there on a daily basis talking to regulated entities, primarily in financial services, we're hearing things like, all right, you've had some time to experiment with AI.

Where's the business case? Show me the ROI and I wanna see that done with the right amount of hygiene. And what I mean by that is in the past, very recent past people might say. We wanna bring in some AI tooling and it'll increase productivity or it'll make things better for us. And a lot of money is spent into this vague space of, well, it'll improve the way we do business. That's not a hard target. And when you're on the hook to produce ROI that the CFO will sign off on, you need hard targets like. Have you reduced cost? Have you avoided cost? And depending on the kind of industry that you're in, and this is true like in service industries, have you improved the quality of the service that we're offering? Those are hard targets. And it's no longer okay, really to say. Well, we have an idea that it's gonna idu productivity and it's gonna make workers' lives better. You know, I think those days have passed and so, when I refer to 2026, possibly as a year of reckoning, banks in particular, are starting to want their money back. Meaning, investments have been made and they will continue to be made, in AI, in agents. But show me in a credible way that this investment is moving the needle on my business. Right? And when we think about a bank, or any financial services organization, there's a front, middle, and back office, right?

The front office is generally what we call first line. They're responsible for grow and transform, right? Grow revenue, transform new products and services into new markets. Middle tends to be risk management and then you get into operations after that. Each one of those segments, of a bank or a financial services organization can put together credible business cases, depending on their position in a bank. You either make money or you spend money, right? That's, that's the line down the middle. If you're not generating revenue, you're a cost center and you're spending money, but just because you're a, you know, an essential cost center like risk and compliance, it doesn't mean that you can't also be held to a very high standard, about return on investment. So, we work in these regulatory environments and some of our customers now have problems that we can solve using agents, using our reagent platform such as the regulatory and compliance obligations of a bank, depending on who your charter comes from, OCC, FDIC, et cetera. On a daily basis, you have to pay attention to thousands of regulations. Those thousands of regulations need to be translated into hundreds of policy standards and procedures. That requires, at a top 10 bank, sometimes as many as 10,000 people employed to do that kind of work. And if you ask some of these folks, what's the long pole in the tent? Or what's the worst part of your job? They say things like, well, having to read thousands of regulations and then having to read all and try to find all of the policies that are related to those regulations. And then they say, and then if something changes, I have to do it all again. So there's this churn that never goes away. And so those folks, while they're providing us an essential service, you know, to a bank, they can also be held to a standard of, Hey, we wanna employ AI to, to boost productivity, reduce cost, or avoid new costs. And we can put those business cases together to show how that happens, right? And, and we do this every day so that, that's on the cost center side. On the revenue generation side, we do similar things. This is what is really what I was getting to before about we're in this moment, of deregulation, right? There are things out there like for example, heightened standards, right? Which is a concept that banks who are growing need to understand. Heightened standards is basically, where the government has set the bar or setting the standard for how you need to comply with regulations and what kind of scrutiny you'll be under. In the past, and until, I think, very recently that bar was set at about $50 billion per bank. The rumors are out there and there there is a suggestion, and it's highly likely that this will be fully ratified, that that bar for heightened standards is gonna move from 50 billion to 700 billion. So in the United States, you've just basically said most of the banks in the United States, except for maybe three or four, no longer need to comply with this heightened standards level of scrutiny. So that's what I, one of the things I refer to is this, you know, as part of this deregulatory moment, because suddenly, you know, if you are not extra concerned, let's say about the OCC visiting your office and looking through, you know, all your compliance records. You could look at it as, oh, you know, I've got a moment to relax. You know, sort of that regulatory pressure is off. But if you're an aggressive bank, what you're actually thinking about is how do I parlay, this moment of sort of relaxed regulatory scrutiny into an opportunity to grow and transform, you know, to make more money.

And we see that with, you know, maybe a spike up in M&A interest, let's go buy banks. There's a little bit less regulatory scrutiny right now. This is the moment. It's also a moment where we can say, Hey, let's bring new financial products to market, like new consumer products to market. There may be less regulatory scrutiny, so some banks are thinking, ah, let's take a deep breath. You know, the OCC not really on our back anymore, and other banks are saying, hit it full gas. Let's go score some points. Let's go make more money.

[00:08:15] KRISTINA: Well, and banks, whether they're looking to go after cost savings or if they're looking to make more money, at the end of the day, they still have some level of risk aversion, they just sort of the nature of the beast, I and so where we're thinking about sort of compliance frameworks or banks certainly making money but not going crazy, right? They still wanna have some level of risk protection, some level of brand protection. So what are some of the examples where you're seeing compliance frameworks that can help accelerate measurable innovation? Especially as these banks look at it and say, look, I wanna innovate and I need to be fast at that because I have other people eating my lunch potentially. Where should they focus? Like what are some concrete examples where you say, look, you gotta compliance framework, but you can turn that dial and just go for broke. Or at least you know, speed up.

[00:09:04] BRIAN: I think you bring up a really, really important point and it's, it's when we start using the word prudence, right? Prudence is doing the right things for the right reason without necessarily having to be told that you must. Do them. And that, that's how one of the lenses we can look through when we think about, regulations, and, and regulatory scrutiny. Just because someone isn't necessarily knocking on your door saying, I'm gonna perform an audit, that does not mean there aren't certain things that you should do. Because they're prudent, like prudent risk management should be in the DNA, of every bank.

[00:09:41] KRISTINA: Like when you say prudent, prudence and DNA, I'm kind of wondering what does that really look like tangibly day-to-day, especially in operations.

[00:09:50] BRIAN: When we talk about regulations, we kind of, we use words like normative and non-normative. Like you're being told you must do something. And then there are other kinds of guidelines that are suggestions and we're saying, Hey, these things are kind of good ideas. And it's really, kind of at the discretion sometimes that, within the risk management departments, and this is why, a chief risk officer has an important job because you're filtering through and you're thinking about, okay, I'm, I'm told by a law I must do these things. But I've also been in this business for a long time and I know that we need to keep careful track of of credit and liquidity, and we need to ensure, because it's good hygiene that there are rules and regulations, and it's our obligation to ensure that we're providing adequate coverage to those regulations. And adequate coverage is basically a portfolio concept that comes into play when you look at policy standards and procedures. Those are the internal documents, and processes that a bank maintains to ensure that they're meeting, normative and non-normative guidelines coming from the government. So the concrete examples are: you've got laws and suggestions and then, those are in, you know, ingested and interpreted at a bank and translated into policy, standards, procedures, and controls. One example I think of where you might back off because you may be, are not being so heavily scrutinized by regulators, you may feel like you've got a good portfolio of policies, that are addressing in general your regulatory obligations. And I'm gonna get into some really arcane stuff for just a moment. In these policy documents, there actually is a very formal and strict kind of hygiene that you should comply with when you look at the content of a policy document or even the number of policies that you should have. And then in a policy, for example, you should not expect to see procedures or standards, right? Those are different kinds. It's different kinds of language. They've got different purposes, but in many banks, they've kind of conflated all of these concepts together and they exist in one document. This is very common. And one of the things that that can result in is that you've got far too many policy documents, right? You might have hundreds when you should have less than 100, but like, why are there so many? And then you're like, oh. 'cause all the standards and procedures are in these documents if you're under intense,

[00:12:14] KRISTINA: And I just say, by the way, I'm thinking anybody in a regulated field has that same disease.

[00:12:19] BRIAN: Exactly I and, and, and I should be clear about that. We've designed software to work in any sort of regulated entity, and that includes government, healthcare, tax, as well as financial services. I tend to spend a lot of my time in financial services, so I, I'm skewed a little bit in the way I talk about these things, but an example of when you don't have the OCC sitting next to you and you're looking at a policy document and you're like, you know what? This document has standards and procedures in there. I get it. They shouldn't really be there, but. Worked so far. Nobody's looking over my shoulder. I'm not gonna put in the effort to clean that up right now because I don't need to. I'm gonna repurpose that time and energy into doing something else. When our tooling comes along, you know, our, our product reagent, we really have, two primary goals. One is to ensure that in second line and even third line, the compliance and risk groups, that you are being prudent and you are meeting your regulatory obligations. However, we're, we're able to, you know, we operate as a force multiplier, kind of amplifying the resources that you've got. Like in second line risk and compliance, freeing up some of their time to become business enablers. And this is a brand new concept that we have developed. We've spent the last year bringing it to market. And it's important because again, it back to this world of banking or financial services where we've, where I've said previously, you're either making money or you're spending money. Well, it occurred to me last year. Why can't the folks you know who run this essential service called risk and compliance help, you know, enable the business, help them to make more money, right? And you think, well, how can we do that, right? And how can, how's that possible? And when you look at sort of the workflows and the progressions coming from the front office when new products and services are being ideated and you wanna bring those to market. Once you've sketched out that idea, the first thing you're gonna have to do is you're gonna have to go to risk compliance and legal. They're gonna have to review and they're gonna have an opinion. And quite often that opinion comes back as, no, because your idea is not compliant with regulation A or policy B, or you don't have a control. So what we've been able to do is shift a lot of that, review and analysis left, putting in the hands of these first line business users. A new a workbench. We call it Business Catalyst Workbench. So I can sit there as the new product guy and let's say ideate a new credit card. I've got a new credit card concept. As I'm ideating in our reagent workbench tool, I'm gonna give immediate, real time feedback on every feature of this product and whether or not it is compliant with regulation policy and is there an existing control. And so instead of taking the idea and then throwing it over the fence to second line, in legal and waiting potentially months to get an answer. I've got real time feedback on my desktop right now as the first line business guy, and so what I can do is I can craft this new financial product concept, provide a package of evidence saying it's compliant with regulations and policy. Or by the way, I'm gonna ask for a policy exception. I can pass that to the second line compliance team and say everything that you need to make a decision to approve this product is now nicely packaged with a bow on it. I've presented it in front of you, even indicating where the precedence for prior approvals for things that are similar and because, one, there's tooling, you know, that that second line has, and also because we've created efficiency in those second line groups, they can now have the time to look at this new product concept coming from the business to say the way you've presented it makes sense. I see the evidence, I see your request for an exception, I can approve this very quickly. Right? And that's a good example of something in the past that has taken, months or years, in a financial services group. And we're contracting that down to days now.

[00:16:28] KRISTINA: Brian, I had this conversation a few weeks ago with somebody over coffee and we were talking about the fact that he's in pharma, another regulatory space, and the team had gotten together. They had this really great marketing idea, pulled it together, worked on it, really got excited about it. Pharma doesn't necessarily move really fast, so I'm not really sure that it's a big deal if they had to wait an extra a week to walk through their ideas with compliance and legal. But they were super excited about it and they wanted to get their, OGC input as soon as possible. Turns out, you know, their OGC partner went on vacation, was gonna be out for like 10 days, and he said, you know, it was really frustrating. I'm waiting 10 days to move on this marketing idea. Again, it's not life or death, but it could be in pharma, right? I mean, when we've had Ebola outbreaks, it does become a life or death issue day to day, so does this solution kind of permeate beyond financial services and banking? Which obviously the use cases are there as you've discussed, but I can see the applicability to anybody else really that has to look to compliance risk legal, and has to partner with them and always go back and ask the same question, which is, mother, may I, and how does this apply? Does it sort of shift, like you said the compliance part left. What does that really look like for everybody else?

[00:17:39] BRIAN: I think that's a fantastic example for a couple of reasons. And it's also the reason that as we've developed our reagent, software product, we've intentionally designed the central intelligence to be context and domain agnostic because, the tooling, the agents that we're creating, the logic and the reasoning that we're introducing apply to your point just as well, and say healthcare space, or a pharma space as it does in financial services and in your example specifically, someone has created content and we know that that's regulated content. Particularly in pharma, there are all kinds of rules, sunshine laws and all of these things where you have to be very careful about what you say and how you say it. These same kinds of things exist particularly in consumer products and financial services. One of the long poles in the tent, really in financial services is kind of the marketing literature that is going to come with a new product concept, right? Marketing literature is, let's say, the way you're advertising a new credit. Everything sounds great, and there's a person on TV talking about it, and they're saying kind of things, and everybody's happy. They're buying coffee. That is heavily scripted. That has been reviewed by compliance and legal, you know, and nothing is said accidentally. Everything is intentional, you know, and exactly the same thing, how happens in healthcare, but back to the point when we're thinking about long poles in the tent and these work progressions, how do you contract those cycles? And that's something that's really interesting about the way, we're using AI and and AI based agents, because I may be creating a new financial product concept, but I need someone's opinion on the way I'm describing that product. It's got a bunch of features and I'm describing them in a certain way. Risk and compliance, and legal, they're gonna have to have an opinion on that. But one of the things that we can do now is using the intelligence on our system. It can kind of represent the opinions that are coming from second and third line, right? And, and what that means quite often, the opinions, and I'm using, just using the word opinions, because opinions are basically the content and the feedback that you are going to get from risk and legal, much of which is based on either law or internal policy and or including the influence of risk appetite, how close to the line as an organization culturally, do you want to get. We're able to using our system, we know what all the laws are. We know what all the rules are, and when we've been working with a customer, we know what all your policies are. We know what your procedures are, we know what your controls, and we've also tuned the system to understand things like risk appetite, so I can basically create a synthetic opinion. Like you show the concept in your example marketing literature or in mine where it's a product concept. You show that the concept to reagent. Reagent has the benefit of understanding kind of the cultural and organizational opinions of risk, legal and ops. So I can show, you know, the first line user that information immediately while the person may be on vacation for 10 days, I'm ideating and getting feedback in reagent in real time. And what that is allowing me to do is to tune that package that I'm seeking approval for in 10 days. So I may have to wait for the human to get back, but you're far more likely to be approval ready because you've been using reagent. It's almost like a simulated approval workload.

[00:21:05] KRISTINA: Thinking about it in this new paradigm, which is, you know what? Let's not have the age old process of, I'm a product manager. I'm coming up with a lovely idea. I'm gonna toss it over the fence. Hope for compliance. We're gonna go back to the pan, right? We're in this new world that you've described where policy and engineering are no longer struggling to align. We have ways of not having to live that paradigm anymore. Sounds great. But as agents are coming to come online, what should leaders really be pressure testing. What should they they be thinking about? What should even like boards be thinking about right now? Or decisions that they should be thinking about baking into this new way of living, whether it's with your software or something that they decide to cook up in-house, but thinking about, what are the decisions that are hardest to unwind later? What would you really refine in that world?

[00:21:54] BRIAN: I think you just hit on a really important question. And part of a lot of my answer is gonna be around what I'll just call organizational readiness. I think we're at a point in time right now, you know, again, I'll, I'll cite some statistics that came out in various reports last year. I think, again, it was another MIT report and I think they were saying something like. Up to nearly 20% of knowledge work, right? As it as it's understood in the United States could actually be performed by AI as it exists today. Right. So that's effectively saying that 20% of these knowledge worker jobs could be performed by agents, AI driven agents. Interesting, right. Another labor statistic came out at the end of last year that said there were only about 50,000 jobs in the United States that were eliminated. With the source of, or being attributed to AI agents for having replaced those jobs. So there's this massive misalignment between what agents are ready to do. What they're actually being acknowledged as doing. And a lot of that comes from organizational readiness. And this is where you're, you know, the, the pressure testing answer comes in. The technology in many cases is ready to do the job, but most organizations are not ready to allow aI to do the job. And, and that's for a variety of reasons. And it depends on individuals. In many cases, it's do you have the maturity in your organization to operationalize an agent? And operationalize is a big word. Do you know where you're going to put the agents? Do you know how you're going to constrain them? Have you built the operating constraints? Do you have the instrumentation? Can you properly observe these agents and know at all times what they're doing? AKA can you control them properly? And like there's a lot of organizational maturity to make that happen. But the other part is, you know, it comes back to human in the loop. We're, we're talking about significant changes to the way work is performed and the way decisions are made. And so, are you ready? Those, I'll just say kind of hand over decision making to an autonomous agent. Some organizations, in some context are saying, Hey, for certain kinds of things, let's do it. Others are saying We don't trust the technology. It's not ready. It's too soon. We're not gonna allow any of this to happen. I wrote a research paper from what you know, a top 10 bank in the United States last year, and we were talking about the path to production for AI. And one of the things that I really called out as I said. The long pole in the tent for the path to production is not going to be the technology's ability. It's going to be all of the humans, all of the people who are in that chain along the path to production who are gonna have to say yes at every step of the way. And all of these people, they need to be educated and to understand in, in their own terms, what is this technology and how is it gonna be used in my business domain, what's my own personal feeling of trust? Am I conflicted about personal motivations or what's good for the bank? What's in this for me? Does it impact my job, my career? Does it help me advance my career or my own agenda? So all of these personal things come into play. So right now there's this kind of massive misalignment between AI technology that's actually ready to do many things and people's willingness to allow it to do those kinds of things. So pressure testing, right? Your, your question was how do you pressure test, test your organization? Are you ready to say yes to these innovations. And if no, why and don't let people, and this is like a business case in ROI hygiene. You can't allow people to say, no, I'm not comfortable. That's not good enough anymore. It's okay. You're uncomfortable. I hear you. I appreciate your feeling, why? And let's dissect that discomfort and break it down. And let's see if there's a way to make people comfortable. And at least create that roadmap. So it pressure testing is your people, your organization and and your readiness and essentially less about the technology, I think.

[00:26:21] KRISTINA: And so as we look at 2026, and let's say that you and I are talking nine or 10 months from now, do you anticipate that most folks will be ready to take on that exercise? Because I'm thinking about the number of organizations that I've been inside of, and I don't know that leaders are there and asking that very question about their people and their readiness.

[00:26:41] BRIAN: I think two things happen. And I'll refer back to what I'm calling a deregulatory moment where, people are looking for what I say. I say, you know, it is like a fishing exercise. You wanna make more money, you need faster boats and bigger nets, right? It's how can we make more money right now? You know, where there's, you know, some relax, relaxation around, you know, regulation. So you've got to do that. But when I think about, you know, 2000, you know, 26. And, and the reason I bring this up is that it really is a race, you know, to make, you know, for businesses to make as much money as possible like that, that's not necessarily a new thing, but when there's less regulatory scrutiny, the focus becomes, how do I make more money? How do I make more money faster than my competitors? How do I get to market sooner? And this is true with medications and pharma, it's true, you know, with financial services and consumer products. I need to get the, I want to get the market faster than anybody else with this product concept while remaining prudent. Not abandoning risk management, but you know, keeping well remaining prudent, but it becomes a race to revenue and so what's gonna end up happening? Is it's the speed of business is accelerating and we're getting to a point where new, new products should be coming to market faster because, you know, these approval flows are driven, you know, by AI kind of in the way that, you know, we're using reagent. And so if you wanna be competitive, you're not going to be able to say, I'm not using AI, because if you're not, you're not going to be able to compete and it's not gonna be okay to say we're risk averse. Prudence is the most important thing to us. Everyone says that everyone means that, but also you have to be able to compete at the speed of business. And I think, so that's, that's kind of the carrot everybody is running towards, you know, new sources of revenue, you know, growth and transformation. But what this thing that exists in the middle is what traverses over into the cost centers, which is going to be this increasing demand for profit margin. Profit margin being the difference between revenue and you know, your costs and there's gonna be a race to margin. And if you're not applying the same kind of AI driven technologies that you're using for revenue growth into your cost centers to reduce your cost of doing business, you're gonna be losing the race to margin, you know, to profit margin. And for any public company. This is public information and it's not gonna be okay to be like, say, you know, the bank out there with the most expensive, you know, processing costs, assuming a level playing field around, you know, risk management, you know, and compliance, you know, AKA prudence. So it's gonna come from both ends and that, that's kind of the stick. It's get your costs down at the same time. That you're making more money and it's AI enabled technologies like our product, you know, reagent that traverses the front, middle, and back office, you know, to tie all of that together.

[00:29:47] KRISTINA: I'm thinking to myself is for everybody who's listening, like, take this to your leadership, these are the terms and the context in which you need to be talking to your leaders about. It's about not less risk necessarily, but really the margins, the ROI, the competitive in the marketplace. It's the business strategy because at the end of the day comes down to business. Everything we do in digital, everything we do with ai, everything comes back down to what is the business trying to do? Are we supporting the business? And are we, as Brian, you've said, either reducing costs. or increasing revenues, right? Spending or making, what are you doing? And if you can demonstrate that case, you're going to be really cooking with fire and getting yourself to that next level. So this has been great, thanks again so much for joining us, Brian. The conversation has been rich as always, with nuance and practical insights. We appreciate it. Really quickly, where can listeners connect with you or learn more about your work at Rational Exponent? Because I think you're doing some really cool stuff and things we've been talking a lot about on this channel.

[00:30:45] BRIAN: Yeah, two sources, and at the corporate level we've got, our website, rational exponent.com. Personally, I'm on LinkedIn, happy to engage with anybody there, we'll connect and we continue the conversation that way.

[00:30:57] KRISTINA: Great. Thanks so much, Brian. And that wraps another episode of The Power of Digital Policy. If you found this conversation valuable, subscribe, leave us a review or share with your network. Get in touch if you have other ideas or questions. You know how to reach Brian now. Until next time, keep turning thoughtful policy into strategic advantage.

[00:31:13] OUTRO: Thank you for joining the Power of Digital Policy; get access to policy checklists, detailed information on policies, and other helpful resources, head over to the power of digital policy.com. If you get a moment, please leave a review on iTunes to help your digital colleagues find out about the podcast.

‍