
👋 Hi, I’m Andre and welcome to my newsletter Data Driven VC which is all about becoming a better investor with data and AI.



Every fund I talk to has tried Claude or Codex. Very few of them have actually rolled it out across the firm.

The gap between a curious associate running prompts on a personal account and a firm where AI is wired into deal flow is not a technology gap. It is a compliance gap.

Our new Landscape data (to be published in a few weeks) makes the shape of the problem clear. Roughly half the industry is experimenting, while only a low single-digit percentage has rolled AI out at full scale.

The tools are ready. The firms are not.

So the interesting question is not "which model." It is "how do you get any of this past your own organization", even before we talk about cultural change and adoption.

Recruit compliance early

Let me deal with the framing first. Sneaking tools past legal is a fast route to a confidential memo sitting in a consumer chatbot and a very bad week.

The work is to bring compliance onto the project early and remove the friction by answering the concerns that produce it.

Start with the thing most firms have not named: shadow AI. People are already pasting deal decks, LP correspondence and diligence notes into whatever app is open on their phone, with no logging and no data controls.

The biggest AI risk in most firms today is those ungoverned tools the team already uses several times a day on personal accounts.

Once compliance sees that, the conversation moves from whether to allow AI to how quickly you can replace the ungoverned version with a governed one.

Name the real concerns

Unnamed worry is what stalls these projects. Write the concerns down and each one turns out to have a clean answer.

  1. Confidential deal data and MNPI leaking into a model that trains on it.

  2. LP data, side letters and NDAs that contractually cannot touch a third party system.

  3. No audit trail of what the AI saw, said or did.

  4. Vendor risk and data residency.

  5. Access sprawl, where nobody can say who can reach what.

The rollout works when you answer them in order.


The playbook

Phase 0. Settle the data question before the tool question.

This is the one decision that resolves most legal objections, and most firms skip it.

Deploy through an enterprise or API tier with zero data retention and a contractual guarantee that your inputs are not used to train the model.

The consumer app is fine for personal curiosity. Regulated workflows belong on the governed tier.

Add single sign-on, role-based access and admin-level logging on day one. When legal asks where your data goes and who can see it, you want a one-line answer ready.

Phase 1. Start where the data is yours and boring.

Public filings. Your own research notes. Portfolio reporting you already hold and control.

No MNPI. No LP personal data.

The point of phase one is the paper trail. You are building organizational muscle and a record of safe usage that earns the right to move to phase two.

Phase 2. Connect systems with MCP, scoped and read-only.

This is where most of the value lives, and where compliance usually relaxes.

MCP (the Model Context Protocol) is the open standard that lets a model reach into your CRM, your data room or your drive without anyone copy-pasting anything.

You decide which connectors are live and which permissions they carry, and you start read-only. Add write access only later.

Compliance tends to like this, because access becomes explicit and scoped. Compare it with the alternative, an associate emailing a deck into a chatbot, where you control nothing and log nothing.

MCP gives your legal team more control over data access, and that is the honest pitch.
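What "explicit and scoped" looks like in practice is a policy gate that sits between the model and the connectors: every tool call is checked against an allowlist of live connectors, write tools are refused until a connector is deliberately promoted out of the read-only phase, and every decision is written to an audit log (the "what the AI saw, said or did" trail from the concerns list). The following is an added example, not the newsletter's code and not any MCP vendor's implementation; the connector names, tool names and users are constructed.

```python
"""
Policy gate for MCP-style tool calls: connector allowlist, read-only by default,
and an audit record for every decision. Added example; connector and tool
names below are constructed and stand in for a firm's real connectors.
"""
import json
import time
from dataclasses import dataclass, field

# Constructed connector policy. Each live connector lists the tools it exposes
# and whether each one reads or writes. A connector absent from this table is
# simply not reachable by the model.
CONNECTORS = {
    "crm": {
        "search_companies": "read",
        "get_contact": "read",
        "update_deal_stage": "write",
    },
    "dataroom": {
        "list_documents": "read",
        "read_document": "read",
        "upload_document": "write",
    },
}


@dataclass
class Gate:
    """Phase 2 starts read-only; writes are enabled per connector, later, on purpose."""
    write_enabled: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def decide(self, user, connector, tool, args):
        """Return (allowed, reason) and append an audit record either way."""
        tools = CONNECTORS.get(connector)
        if tools is None:
            verdict = (False, "connector not live")
        elif tool not in tools:
            verdict = (False, "tool not in connector scope")
        elif tools[tool] == "write" and connector not in self.write_enabled:
            verdict = (False, "connector is read-only in this phase")
        else:
            verdict = (True, "allowed")
        # Log argument names, not values: the audit trail must not become a
        # second copy of the confidential data it is there to protect.
        self.audit_log.append({
            "ts": time.time(), "user": user, "connector": connector,
            "tool": tool, "arg_keys": sorted(args),
            "allowed": verdict[0], "reason": verdict[1],
        })
        return verdict

    def enable_writes(self, connector):
        """The later step: an explicit, logged decision to turn on writes."""
        if connector not in CONNECTORS:
            raise ValueError(f"unknown connector {connector!r}")
        self.write_enabled.add(connector)
        self.audit_log.append(
            {"ts": time.time(), "event": "enable_writes", "connector": connector}
        )

    def export_audit(self):
        """One JSON object per line, the shape most log pipelines ingest."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.audit_log)


if __name__ == "__main__":
    g = Gate()
    who = "associate@fund.example"  # constructed user
    print(g.decide(who, "crm", "search_companies", {"q": "fintech"}))
    print(g.decide(who, "crm", "update_deal_stage", {"id": 1, "stage": "IC"}))
    g.enable_writes("crm")
    print(g.decide(who, "crm", "update_deal_stage", {"id": 1, "stage": "IC"}))
    print(g.export_audit())
```

The same shape of gate covers the coding-agent case later in the piece: the "connectors" become repositories, the read tools become clone and search, and the write tools become push and merge, which stay disabled until a human review gate is in front of them.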

Phase 3. Encode your playbooks as skills.

Skills package your firm's repeatable workflows (diligence checklists, memo formats, scoring rubrics) into reusable, version-controlled instructions.

This is the part compliance can actually inspect. A skill is a document. It can be read, redlined, approved and audited like any other internal policy.

A reviewed skill means the AI is following a procedure your compliance team signed off on, one they can produce on demand. For a regulated firm, that is the whole game, and it is an improvement on the all-manual world, where the procedure actually followed was often unknown.
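"Signed off on" and "produce on demand" only hold if the skill the model runs is exactly the version compliance read. One way to make that enforceable is to treat the approval as a pinned digest of the skill text: compliance approves a specific version, the registry records its SHA-256 and the approver, and the loader refuses any text whose digest differs, so an unreviewed edit cannot slip in. This is an added example, not the newsletter's or any vendor's skill format; the skill text, names and approver address are constructed.

```python
"""
Skill approval registry: a skill is a document, compliance approves one exact
version of it, and only that text may be loaded. Added example; the skill text
and approver below are constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Approval:
    skill_name: str
    version: str
    sha256: str
    approver: str


def skill_digest(text: str) -> str:
    """Hash normalized skill text so trailing whitespace does not churn versions."""
    normalized = "\n".join(line.rstrip() for line in text.strip().splitlines())
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


class SkillRegistry:
    def __init__(self):
        self._approved = {}  # skill_name -> Approval

    def approve(self, skill_name, version, text, approver):
        """Compliance sign-off: record the digest of exactly this text."""
        approval = Approval(skill_name, version, skill_digest(text), approver)
        self._approved[skill_name] = approval
        return approval

    def load(self, skill_name, text):
        """Return the skill text only if it matches the approved digest."""
        approval = self._approved.get(skill_name)
        if approval is None:
            raise PermissionError(f"skill {skill_name!r} has no approved version")
        if skill_digest(text) != approval.sha256:
            raise PermissionError(
                f"skill {skill_name!r} differs from approved version {approval.version}"
            )
        return text

    def produce_on_demand(self, skill_name):
        """What you hand an auditor: which version, which digest, who approved it."""
        a = self._approved[skill_name]
        return {"skill": a.skill_name, "version": a.version,
                "sha256": a.sha256, "approver": a.approver}


# Constructed skill document standing in for a firm's diligence memo procedure.
DILIGENCE_SKILL_V1 = """\
# Diligence memo skill (constructed example)
1. Use only documents from the connected data room.
2. If a document contains MNPI, flag it and stop; do not summarize it.
3. Write the memo in the firm's template.
"""

if __name__ == "__main__":
    registry = SkillRegistry()
    registry.approve("diligence_memo", "1.0", DILIGENCE_SKILL_V1, "compliance@fund.example")
    print(registry.produce_on_demand("diligence_memo"))
    edited = DILIGENCE_SKILL_V1.replace("stop; do not summarize it", "summarize it briefly")
    try:
        registry.load("diligence_memo", edited)
    except PermissionError as e:
        print("refused:", e)
```

Keeping the skill files in version control gives you the redline history; the digest pin is what ties a specific commit to a specific approval, so "which procedure was the model following on that date" has a checkable answer.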

A note on Claude Code, Codex and coding agents

If your firm is building internal tooling, screening models, data pipelines, automated reporting, then coding agents like Codex or Claude Code enter the picture, and they bring their own questions.

Which repositories can the agent touch? How are secrets and API keys handled? Who reviews the code before it ships?

The principle holds. Scope the access, keep a human reviewer on anything that merges, and log every action.

A coding agent with read access to one sandboxed repo and a mandatory review gate carries a very different risk profile from one holding the keys to production.

The governance layer

These four things run across every phase, and the rollout quietly dies without them.

One named owner with a real mandate. Deployments that belong to a committee tend to go nowhere.

A one-page AI use policy with a single job: telling people which class of data is allowed in which tool. Most people want to do the right thing and just need to know what it is.

Human-in-the-loop on anything that touches money or an external party. The model drafts, a person sends.

Compliance in the room from week one, writing the guardrails alongside the people using the tools. The fastest rollouts I have seen had legal at the table from the start.

The actual moat

Strip away the noise and the conclusion is uncomfortable for most firms. The constraint is organizational, and organizational constraints compound.

The funds that solve the compliance unlock now get to put AI next to their most valuable data: proprietary deal flow, portfolio signal, internal knowledge. That is exactly where the edge is.

Done well, compliance is the permission slip that lets you point these tools at the data that matters.

Solve it once, deliberately, and you graduate from running pilots to actually running on AI.

Stay driven,
Andre

