Generative AI is increasingly being adopted in a decentralized fashion by many companies, as individual business units embrace the new technology to perform critical tasks and improve productivity. That poses problems for risk and compliance (R&C) teams as ad hoc implementation may not meet regulatory, privacy, information security, consumer protection, and environmental rules.
  • Rather than impeding the use of GenAI, R&C teams should proactively adopt it themselves.
  • By gaining a firsthand understanding of GenAI, R&C teams can improve their own performance, reinforce innovation and better manage it throughout the organization.
  • This report provides illustrations of how R&C teams can help coherently integrate GenAI in critical sectors, including health care, financial services, energy and consumer goods.

It’s not unusual for tensions to arise between company risk and compliance (R&C) functions and the more strategic side of the business. For instance, a product development team’s focus is often on getting a new item launched quickly; likewise, a marketing team may be in a hurry to ride the tide of some popular trend. R&C staffers, of course, support the ultimate objective of business growth. But they may also have to be killjoys, tempering features and timelines to ensure that new initiatives meet regulatory, privacy, information security, consumer protection, and environmental rules and mandates.

GenAI is about to ratchet up this natural tension. Already being adopted in a decentralized fashion by many companies to perform critical tasks, the technology is raising new privacy, legal, and regulatory concerns for R&C teams—who often feel hamstrung in addressing them.

The recently enacted EU AI Act attempts to provide incremental guardrails for the technology based on its specific level of risk. But its stringent requirements will likely add to the anxiety felt by companies attempting to balance innovation with compliance. Too often, R&C teams may try to dodge this worry by discouraging adoption of GenAI.

However, organizational discomfort is not an inevitable outcome. Rather than thwarting the use of GenAI, R&C teams should be proactive about embracing the technology themselves, using it to enhance their ability to more efficiently and capably manage risks across their companies. By gaining a firsthand understanding of the technology, including its limitations and risks, they would improve their own performance while reinforcing technological innovation and their ability to manage it throughout the organization.

Broadly speaking, GenAI (often in combination with traditional AI) can improve R&C effectiveness by reducing manual work and enhancing risk identification, monitoring, and mitigation. This in turn could elevate risk professionals into the realm of strategic partners, instead of merely players in a cost center.

Complementary Benefits

GenAI has the unique ability to rapidly produce new, often creative content based on existing text, images, videos, data, programming code, and simulations. This output dovetails perfectly with the types of improvements that companies seek. Across virtually any industry sector and function, GenAI can handle less-engaging, repetitive tasks, freeing up teams to tackle more value-adding activities. In fact, a BCG global survey of about 13,000 workers in a range of industries found that 58% of those using GenAI tools are saving at least five hours a week. This often leads to cost savings and new approaches to thinking about products, internal and external communications and services, customer relations, and even decision making.

In our analysis of where GenAI can bring the most shared value between R&C and the other layers of the business, three key areas emerge:

  • Operational Efficiency and Cost Savings. Just as GenAI can lessen complexity, manual labor, and costs in operations, it can generate synthetic data on demand by extracting and harmonizing input from multiple internal and external systems and platforms. For example, GenAI can instantly review reams of contracts and transactions for discrepancies or deviations from regulations and internal policies. In our experience, GenAI can enhance productivity in administrative tasks by as much as 30% and reduce costs by more than 10% (see Exhibit 1), while significantly curtailing risk.
  • Real-Time Risk Mitigation. GenAI’s ability to provide deeper insights through the simultaneous synthesis of huge volumes of disparate data can be used to monitor job sites in real time for compliance with safety, environmental, and other regulatory standards. For example, it can examine camera feeds, operational benchmarks, and sensor data to detect potential hazards, allowing immediate intervention to address risks and violations before they escalate. In the process, the technology can also streamline regulatory reporting by summarizing findings and generating draft compliance documentation for human review.
  • Alignment with Strategic Business Objectives. The use of GenAI lets organizations scale capabilities across various functions simultaneously. A company debuting a new product can set up a tool to analyze risks, quality, and actual performance from R&D and engineering to marketing, launch, and customer use. In this way, GenAI helps ensure that compliance requirements related to product safety, labeling, and data privacy are addressed early in the development process and that customer feedback continuously drives quality improvements post-launch. Importantly, these capabilities tie R&C initiatives directly to the company’s growth and innovation goals.

Rapid Adoption of GenAI

GenAI builds on traditional AI, driven by advancements in deep learning and data proliferation. This evolution is not merely a technological upgrade but a strategic tool that’s reshaping organizational landscapes. Moreover, the emergence of GenAI is perfectly timed, riding a surge of interest in AI in all its forms. According to a recent BCG survey of 1,400 C-suite executives, 85% of respondents plan to increase their AI/GenAI investments in 2024. Moreover, 67% of companies investing $50 million or more anticipate cost savings of more than 10%, and 80% of them expect the technology to expand market access.

Many of today’s implementations involve small-scale pilots within a single business unit or improving productivity by tackling rote tasks such as knowledge management, code development, and producing meeting summaries. We expect that within the next year, GenAI deployment will broaden significantly, reshaping crucial functions such as IT, customer service, sales and marketing, product design, and engineering.

In the face of this fast-paced expansion, 70% of company legal, compliance, and privacy leaders surveyed by Gartner Group said that rapid GenAI adoption tops the list of issues that they must deal with over the next two years. This response is driven in part by the fact that many of the initial GenAI applications have been in heavily regulated sectors such as financial services. Other segments with significant risk profiles or compliance requirements—including health care, consumer products, energy, and the public sector—are among the most enthusiastic about GenAI’s promise and will likely see the next wave of implementations.

Below, we analyze GenAI prospects and applications in a series of critical sectors and explore how R&C teams can use GenAI to better manage regulatory, legal, and other compliance risks, including those that could affect the new GenAI applications themselves.

Financial Services: Optimizing Fraud Detection

Many large financial services firms have already adopted GenAI applications. Perhaps that explains why R&C teams at FinTech firms have embraced this technology to a greater degree than their counterparts in any other sector, according to research conducted by Moody's analysts. The most promising applications are ways that risk and business units can collaboratively use GenAI for fraud detection.

One of the more valuable examples involves implementing GenAI to train and expand the capabilities of machine learning (ML) fraud detection models. GenAI can create diverse and comprehensive fictional transaction datasets that simulate real-world financial activities, including rare fraudulent patterns. These datasets can be fed into ML systems to enhance their knowledge pool and improve their ability to isolate subtle and complex fraud schemes. These enriched ML models can then be tested against historical data to ensure that they are accurately identifying fraud while minimizing false positives. This risk application improves detection of fraud and reduces financial losses associated with it. It also enables financial institutions to scale their detection capabilities in a more automated environment and without the need for extensive real data collection.

Importantly for the compliance staff, such programs facilitate and streamline suspicious activity report (SAR) writing and the investigation of fraud claims. A GenAI system can automatically gather, collate, and analyze data relevant to the claim from internal and external sources, highlighting anomalies, patterns, and correlations that best illustrate illicit behaviors. This drastically reduces the time required to investigate fraud claims, enabling quicker resolutions, minimizing manual effort, and freeing up resources for other critical tasks.

Health Care: Enabling Faster and Safer R&D for Vaccine and Drug Development

Identifying potential vaccine targets is a complicated process, during which precious time can be lost going down blind alleys. GenAI can significantly shorten the R&D phases by first analyzing vast volumes of medical data to identify potential vaccine candidates based on pathogen genetics and patient immune responses. Further, it can simulate testing scenarios based on synthesized data insights and predict the efficacy of vaccine candidates, allowing developers to refine vaccine formulations.

Programs like this can shrink the timeline for bringing new vaccines to market, lowering R&D and labor costs while improving predictability of clinical trials and vaccine outcomes. In addition, they facilitate regulatory documentation writing by storing and collating voluminous data pertaining to every phase of the R&D process and then drafting the initial reports.

For R&C units, R&D efforts in health care are extremely sensitive because assembling historical patient data and analyzing the efficacy and dangers of a potential drug or treatment can unintentionally breach privacy. Traditional methods of data masking, which typically involve stripping out identifiable information, run the risk of mistakenly revealing personal records. A GenAI program can mitigate these concerns by creating synthetic versions of Electronic Health Records (EHRs) designed to closely mirror the statistical properties of the actual patient data without including any sensitive information. Because these datasets are as robust and useful as real EHRs, they can be used for drug and vaccine development, disease prediction, treatment efficacy analysis, and the development of personalized medicine strategies.

This is a win-win for health care organizations. The synthetic data sets can be more freely shared within the company and even the health care community at large, fostering collaboration and innovation and speeding up R&D initiatives. And for the R&C side of the business, patient privacy regulations, such as HIPAA in the US, are satisfied without the need for extensive data scrubbing and legal reviews associated with using actual patient data.

Consumer Goods: Producing Personalized Marketing Content That Protects Privacy

For every company that makes or sells consumer products, the Holy Grail is being able to customize marketing content so that it matches shoppers’ interests, even as those preferences change over time. GenAI can be extremely valuable here, combining consumer data from hundreds of sources, analyzing shopping patterns based on precise consumer demographics, and producing personalized content and recommendations that can boost sales. In addition, with natural language processing, GenAI programs can read customer feedback, reviews, and social media conversations, extracting insights into consumer sentiment and product trends.

However, because these campaigns dig deeply into consumer data, privacy may be compromised. Risk teams can mitigate this possibility by using GenAI to pre-program their platforms with compliance filters. Such filters ensure that any content used or personalized marketing material produced and distributed to consumers meets local privacy standards, including stringent rules like the EU’s General Data Protection Regulation (GDPR). Indeed, GenAI-driven encryption and anonymization techniques could allow marketers to safely and lawfully share insights about consumer behavior across company departments and even with external partners. This can open the door for multilevel discussions that could improve the marketing campaign.

Once these privacy safeguards are implemented, GenAI technology can be used to develop training programs to teach employees how to build their own privacy-oriented customized marketing campaigns without using AI, allowing human creativity to continue to play a key role and avoid overreliance on robotic technology.

The primary benefits to a consumer goods company of combining marketing and risk management in a GenAI program are twofold. First, operational efficiency—primarily, sped-up go-to-market timelines—can vastly improve the automated creation of personalized sales and promotional content. Second, there are fewer regulatory challenges or infractions because these programs are pre-scrubbed and continuously monitored for compliance with data protection rules. Such privacy-focused personalization at scale can be a powerful sales tool, simultaneously improving consumer conversion rates and customer trust.

Energy: Maximizing Environmentally Friendly Projects and Field Safety

In the oil and gas sector, tapping into a new, promising reserve can often be slowed by environmental regulations that require multiple layers of approval before extraction can begin. GenAI offers a possible pathway for navigating the distance between growth strategies and regulations. The technology can be used to analyze satellite imagery to identify the most environmentally and regulatory compliant paths for new energy infrastructure projects. Moreover, it can continuously integrate and visualize both community and regulator feedback, as well as policymaker responses, so that they are considered throughout the project development process.

These collaborative programs can have a meaningful impact on an energy company’s bottom line, saving significant amounts of money and bringing reserves online more quickly. Expensive rework is eliminated as these projects are designed to “do it right and do it once” to meet environmental protection regulations. And compliance documentation can be rapidly drafted as needed, reducing time lost to producing extensive reports and waiting for regulators to approve project phases. Equally important, an energy company’s reputation can be bolstered by these GenAI initiatives because they demonstrate a commitment to working closely with regulators to achieve sustainable energy development.

Worker safety is another critical risk component in the energy sector, where field technicians often work with heavy equipment and other potentially dangerous elements. GenAI programs can serve as a virtual copilot for field staff, surfing through huge historical knowledge bases and current literature to produce step-by-step technical guidance and expertise in real time about executing even the most complex job procedures. Such programs would offer optimized and safer solutions, minimizing the risk of human error. Instantaneous access to crucial field operations advice can also drive efficiency gains. Average job duration for diagnostic and repair operations can be reduced by 15% to 20%, which increases asset uptime. And as troubleshooting is automated and minimized, the amount of time spent on reworking field and equipment activities also falls—by as much as 20%.

Public Sector: Fostering Efficiency and Tracking Results

In the public sector, performance audits are critical to ensure that financial, administrative, and technical operations are efficient and meet regulatory standards and that spending on programs is carefully monitored for fraud and waste. GenAI applications can be a watchdog for these government activities, tracking day-to-day performance against goals and best practices as well as winnowing relevant news sources and complex reports to piece together patterns that could indicate potential problem areas.

Using this information, GenAI can alert government agencies and R&C teams about newly identified and possibly emerging threats that could derail programs or services and that need to be monitored or mitigated. These risks can also be prioritized based on their threat level, which in turn would allow for more informed planning decisions and resource allocation designed to address hot spots. In addition, budgeting models could be more automated and adjusted more frequently.

Another area where GenAI could make a significant difference in the public sector would be in contract writing for procurement and other public-sector activities. Typically, creating a contract can take days and require hundreds of legal hours and multiple levels of approval. A GenAI bot could be fed generic and specific data about the project, and it will draft the initial contract for human review. It can also review the final output for compliance with procurement regulations and other legal requirements. Chatbots, the widely available GenAI programs that most people are already familiar with, have demonstrated the potential for using this technology to aid in writing complex documents and would be applicable for procurement contracts.

The Need for Responsible AI

Clearly, GenAI can play a transformational role in the future of R&C in virtually any sector, changing the function into a more dynamic, competitive asset that proactively manages risk identification and assessment, monitoring, and mitigation in ways that tie directly into supporting growth strategies. GenAI capabilities allow risk managers to focus on forward-looking objectives and higher-priority risk management and risk-based decisioning, moving away from time-consuming, lower-value-add activities.

However, because GenAI can serve as a tool for ensuring compliance with, among other things, privacy regulations and the way companies protect sensitive data, it must be adopted along with responsible AI (RAI) practices to prevent it from infringing ethical, legal, and regulatory standards. With its advanced capabilities to create new content and insights from vast pools of information, GenAI can potentially introduce biases by relying on the wrong “facts,” and negatively influence decision making and outcomes. Furthermore, it can violate individual privacy by inadvertently leaking personal data that should have remained undisclosed or anonymized.

To ensure that ethical boundaries and privacy are respected, preemptive RAI approaches must be embedded into the application lifecycle. This entails five actions:

  • Develop a risk framework to clearly and quickly identify high-risk GenAI applications that require careful review and risk mitigation controls.
  • Establish RAI leadership and committees to continually advise product teams on risks and guardrails for GenAI applications and track implementation.
  • Integrate RAI into existing product development and risk processes to standardize and simplify risk mitigation.
  • Thoroughly test and evaluate GenAI systems to prevent unexpected and highly visible failures post-launch and set up a monitoring process through the life of the systems.
  • Share your RAI code of conduct with customers and partners to differentiate the brand and improve competitive position.

Embracing RAI is not just a matter of ethical compliance but also a strategic imperative and a way to fully realize the benefits of the technology (see Exhibit 2). In a period when AI is increasingly under scrutiny by regulators for the potential harm it could inflict, RAI helps companies build reputations for being on the right side of the ethical divide and for taking their purpose and company values—including social responsibilities—seriously. Companies that embrace RAI attract customers, employees, and investors who prefer to be involved with organizations that are forward-thinking and trustworthy, perhaps believing that these organizations are also more likely to be innovative and ahead of the curve with other essential initiatives that affect growth directly.

Conclusion

While so much about the GenAI revolution is uncharted and unknown, it is already becoming clear that this technology cannot be ignored by organizations that hope to be leaders in their sectors. And since the widespread adoption of GenAI is inevitable, R&C teams must be the adults in the room—ensuring that RAI practices are implemented.

R&C units are making a mistake if they view GenAI solely as a threat, a technology that they must protect the organization from. Instead, they should embrace it as a tool that can improve their performance in unprecedented ways—even, perhaps ironically, improving their ability to ensure that it is used appropriately across the organization. After all, GenAI is not just a vessel for better and more insightful information; it also supports the capabilities—from regulatory compliance to operational efficiencies to innovation—that lead to sustained success.