There is a specific kind of energy you only find in a room full of compliance leaders in New York. Last week, at our Cocktails & Compliance event, that energy was focused on a singular, high-stakes question: Is your AML program actually defensible?

For years, the industry’s North Star was “detection.” If you found the needle in the haystack, you won. But as I sat down to moderate a panel with Samrat Jain (Partner at PwC), Matias Lopez (SVP of AML Systems at IDB), and our own Brian Love (Sr. Solutions Consultant at ThetaRay), it became clear that the goalposts have shifted.

In 2026, regulators aren’t just looking at your detection rates. They are interrogating your decision-making process. They’re asking: How was this conclusion reached? Is it consistent? And can you defend the logic of your AI under pressure?

If you couldn’t join us for a drink in Manhattan, here are the three strategic pillars we moved through during our discussion.

1. The Death of the “Black Box” and the Rise of Explainability

The “Black Box” era of AI is officially over. Samrat Jain from PwC set the tone early: regulators are now testing the logic behind the machine. A defensible program isn’t one that works in a vacuum; it’s one that can be audited, understood, and explained to a human being.

This is where Explainability moves from a buzzword to a survival requirement. Brian Love highlighted how our AI agentic investigation suite, Ray, solves the “how” and the “why.” It isn’t enough to just flag a suspicious transaction; the system must provide a clear narrative of the counterparty risks, adverse media, and transaction histories that led to the alert.

As Samrat noted, “Explainability is key. No black box AI.” This aligns with recent global trends where financial authorities increasingly demand Model Risk Management (MRM) and third-party validation to ensure that AI isn’t just a “guess,” but a calculated, repeatable conclusion.

2. Fighting Burnout: Talent Retention Through Modernization

One of the most poignant points of the night came from Matias Lopez at IDB. We often talk about AI in terms of “efficiency,” but Matias reframed it as a talent strategy.

The reality is that financial crime fighters are passionate people. They didn’t get into this industry to copy-paste data from five different screens into a manual report. They got into it to catch bad guys. When we force them to do manual “swivel-chair” investigations, we lose them to burnout.

“Use AI to focus your investigators on the high-risk alerts and minimize their manual work,” Matias urged.

By automating the data-gathering phase (transaction histories, PEP checks, and sanctions screening), we allow investigators to actually investigate. A defensible infrastructure doesn’t just protect the bank; it protects the culture of the compliance department by keeping the best people engaged in high-value work.

3. The “Garbage In, Garbage Out” Reality

We’ve all heard the phrase, but Samrat brought it home: your AI is only as good as your data governance. To build a defensible program, you must start with a foundation of “Good Data.”

If you’re waiting for your data to be “perfect” before you start, you’re already behind. The consensus from the panel was clear: Start now. You are already late if you aren’t integrating AI-driven controls today. The trick is to start small, perhaps with sanctions or PEP data, and scale once your governance frameworks are proven.

The 18-Month Outlook: What Changes?

I asked the panel to fast-forward 18 months. What does the “modern” institution look like?

For Matias and Samrat, it’s about consistency. In a manual world, two different investigators might look at the same alert and reach different conclusions based on their individual experience or energy levels. In a modernized infrastructure, the AI provides a standardized baseline of evidence. Every decision is documented, every path is traceable, and every auditor gets the same clear story.

Brian pointed out that early adopters are already moving away from reactive monitoring to proactive risk orchestration. They aren’t just responding to alerts; they are using AI to anticipate where the next threat vector—like sophisticated mule account networks—might emerge.

Prove the “How”

As we wrapped up the evening, one thought stayed with me. Defensibility is no longer about proving what happened. It’s about proving how you reached your decision.

If you are a compliance leader looking at the year ahead, your priority shouldn’t just be “better detection.” It should be rethinking your investigation infrastructure. My advice?

• Don’t wait: The regulatory window is closing.
• Pick a partner, not a vendor: As Matias said, find someone who will be in the trenches with you.
• Audit your “Why”: If you can’t explain your AI’s decision in three minutes to a regulator, it’s time to upgrade.

New York reminded me that while the threats are evolving, our tools are finally catching up. Let’s make sure we’re using them.