2026 Risk and Compliance Trends on the Horizon

As compliance teams look ahead to 2026, the picture that emerges is not a single “new” risk, but a convergence of data, AI, trade, and enforcement dynamics that are reshaping what effective compliance looks like in practice. The common thread across all of these areas is the need for disciplined data management and strong cross‑functional collaboration so compliance can both keep up with new demands and guide the business safely toward its goals.​

We explored these topics in our recent webinar, 2026 Risk and Compliance Trends on the Horizon featuring Matt Kelly of Radical Compliance, Kristy Shires of Spectris, and GAN Integrity’s Miriam Konradsen Ayed. You can watch the full webinar at any time, on demand.

Data as the Foundation of Modern Compliance

Across the exciting discussion, data management emerged as the underlying foundation for almost every other compliance priority in 2026. The challenge is not scarcity of data but volume, fragmentation, and uneven quality across regions, systems, and functions.​

Speakers described a landscape where:

• Compliance has expanded from traditional anti‑bribery and corruption into human rights, sustainability, data protection, AI, and trade, with risks evolving faster than regulations.​

• Data is “easier and easier to come by,” but compliance must now assess both the data itself and the reliability of its sources, rather than simply collecting more.​

• The differentiator will not be who has the most data, but which teams build the discipline and systems to assess, interpret, and integrate it into daily business decision‑making.​

A recurring theme was that most compliance officers did not learn data management in law school or early legal careers, yet are now expected to become more data‑savvy. This is less about technical skills and more about knowing what data is needed, how to validate it, and how to work with IT, data, and audit functions to build sustainable practices such as:​

• Establishing good “data hygiene”

• Normalizing data across regions and formats

• Moving toward single repositories or at least tightly controlled environments for key compliance data

Speakers framed data work as a two‑phase journey: first, understanding what data exists and how it is managed today, and then designing forward‑looking processes to capture new data as the business expands into new regions, products, or third‑party relationships.​

AI Governance and the “Human in the Loop”

AI was described as both an enormous opportunity and a rapidly moving risk area where regulations lag behind technology. Compliance teams are being pushed to help their organizations adopt AI “wisely” rather than quickly, with an emphasis on culture, principles, and guardrails.​

One key point was that starting with the law, such as the EU AI Act, is necessary but not sufficient, especially as risk categories evolve from generative AI to agentic AI and other emerging capabilities. Instead, global organizations are focusing on a principle‑based AI framework that can flex with regulatory change, anchored in ideas like:​

• Legal and compliant use: clarity on what the organization can and cannot do with AI in different jurisdictions.​

• A “human in the loop”: ensuring humans review and intervene in AI‑driven processes, with decisions about where to place that human (upstream, downstream, or both) tailored to the use case.​

• Robustness, reliability, fairness, and non‑discrimination: including close attention to data quality, bias, and the risk of discriminatory outcomes.​

• Privacy, transparency, accountability, and governance structures: that define who owns AI risks and how decisions are escalated.​

Several concrete examples of “guardrails” were discussed:

• Risk assessments for AI‑enabled vendors

• Working with legal to define permissible outcomes for AI work product

• Designing hiring workflows where the placement of humans in the AI loop

The discussion also highlighted a specific concern: as AI improves, hallucinations will become harder to detect, especially when tools fabricate plausible‑sounding citations, sources, or journals. Even in closed, enterprise systems trained on validated internal data, compliance must monitor whether new data entering the environment meets the same standards of accuracy and reliability, or whether AI is becoming more confidently wrong.​

Trade Compliance as a Strategic, Data‑Intensive Risk

Trade compliance is shifting from a narrow, transactional function to a strategic risk area driven by geopolitics, tariff regimes, and export controls. This change is especially pronounced for global organizations navigating conflicting laws and rapidly changing rules across jurisdictions.​

On the operational side, several trends stood out:

• Trade rules and export controls are changing at a rapid cadence, sometimes monthly, requiring continuous regulatory change management across multiple regions.​

• Due diligence around counterparties, intermediaries, end‑use, and end‑users has become more complex; compliance teams must determine “how much is enough” when there is always one more data source to check.​

• Many trade compliance teams have deep operational expertise but are now being asked to exercise broader discretion and strategic judgment in novel, high‑stakes scenarios.​

From a U.S. perspective, there is uncertainty about how much to invest in specific tariff compliance processes that may change.​

However, export controls and broader trade compliance obligations are expected to remain a durable feature of the landscape, regardless of how individual tariff disputes are resolved. This drives several practical needs:​

• Stronger third‑party due diligence, particularly for customs brokers and intermediaries, including understanding who selected them, how they were vetted, and whether there is centralized or decentralized control over sourcing decisions.​

• Process mapping and control design for tariff and export‑related processes so companies can extract and verify key data such as country of origin, materials, tariff classifications, and certifications.​

• Preparedness for scenarios where misconduct at the border (for example, a customs broker bribing officials to alter certifications) can create both tariff fraud and foreign bribery exposure under anti‑corruption laws.​

Speakers emphasized that trade compliance is becoming significantly more data‑intensive because many organizations are only now building robust processes to capture and document the information regulators expect. Early‑stage processes are often manual and vulnerable to manipulation, and will need to mature into more automated, reliable systems over time.​

Anti‑Corruption Enforcement and the Importance of Self‑Disclosure

The conversation also covered the evolving enforcement landscape for anti‑corruption, with a particular focus on the Foreign Corrupt Practices Act (FCPA). While the number of recent enforcement actions has been relatively limited and can fluctuate from year to year, signals from the U.S. Department of Justice (DOJ) point toward a pipeline of cases returning to a more traditional rhythm.​

In practice, that means companies with strong detection capabilities and a willingness to “confess and reform” can, in many cases, avoid prosecution entirely or secure significantly reduced penalties. However, the discussion also acknowledged a persistent tension: some organizations may be tempted to quietly fix issues without disclosure, hoping regulators never learn of the misconduct.​

Speakers characterized this as both unethical and shortsighted, especially given the ongoing role of whistleblowers who can bring issues directly to enforcement agencies. The long tail of anti‑bribery risk, where misconduct today might surface four, five, or eight years down the line, means that “hoping it goes away” could result in a much more painful resolution in the future.​

Taken together with the broader themes of data and AI, the enforcement discussion reinforced that scalable compliance depends on:

• The ability to detect and substantiate misconduct through reliable data and analytics.​

• Governance structures that support timely escalation and decision‑making about self‑disclosure.​

• A culture that understands the long‑term risks of concealment versus the benefits of cooperation and remediation.​

Building for Scale: Data, Versatility, and People

When asked how compliance teams can “build for scale” in the face of shifting regulations, new technologies, and evolving enforcement expectations, the discussion returned repeatedly to two themes: strong data management and human versatility.​

On the technical side, building for scale means:

• Investing in data management capabilities that answer basic but critical questions: Do we have the data? Do we know what it is? Are we confident in its accuracy?​

• Developing analytics that allow compliance to combine data points in meaningful ways to detect risk, whether in trade, third‑party relationships, AI‑driven processes, or anti‑corruption issues.​

• Accepting that new regulatory requirements will often start with manual processes (imperfect but necessary) before the organization can learn enough to automate responsibly.​

AI may be part of the solution, but only if compliance knows what questions it wants to answer and what patterns it wants to detect. As one speaker put it, AI will do whatever it is told; the real bottleneck is clarity about the task and confidence in the underlying data.​

Equally, if not more important, is the “people side” of scale. Compliance remains a people business that depends on versatile processes, strong relationships, and internal reputation.

Speakers emphasized the importance of understanding stakeholders’ objectives, anticipating their objections, and demonstrating that “doing things slightly differently” can help them move faster in a risk‑aware direction rather than stumble into a regulatory or reputational landmine several quarters down the line.​

Conclusion

Across AI, trade, and anti‑corruption, the path forward for 2026 is less about predicting every specific regulatory turn and more about building resilient capabilities. Those capabilities (data hygiene, analytics, principled AI guardrails, trade‑ready processes, and collaborative, business‑savvy compliance teams) position organizations to pivot as the landscape evolves while still meeting rising expectations from boards, regulators, and the public.

Interested in hearing from the experts themselves? Watch the full discussion on 2026 Compliance Trends.