Last week, James da Costa and Angela Strange at a16z published Everything, Everywhere is Compliance, arguing that compliance is the biggest and most boring enterprise AI opportunity. They named three wedges: turn regulation into code, rip and replace legacy systems, and deploy computer-use agents to augment people.
They’re right. We’ve been building in this space at Callvu for years, and every conversation with a CCO, COO, or Head of Servicing in banking, insurance, healthcare, and telco maps to one of those three.
But none of the three solves the harder problem on its own: enforcement at runtime.
The fourth layer
Whether you codify regulation, replace your system of record, or unleash a computer-use agent, the moment AI meets the system of record something has to guarantee that execution is compliant. Not “mostly compliant.” Not “compliant in the happy path.” Compliant by construction, every time, with a defensible record of how and why.
That layer is what we call the Completion & Compliance Runtime. The operating principle in ten words: AI evaluates. Deterministic systems execute. Humans govern.
Why Each of A16z's Three Wedges Needs The Runtime
Regulation as code.
Codifying policy is the upstream half. Executing against it under real-world friction is the downstream half. A rules engine can say “this account needs supplemental KYC.” It cannot, by itself, ensure the agent on the phone actually completes that step in the right order with the right disclosures and the right write-back to the system of record. Without an enforcement runtime, codified regulation degrades into a sophisticated alert.
Rip and replace.
Most regulated enterprises will not rip-replace their core in the next 5 to 10 years. Greenfield is a sliver of the TAM. The remaining 95% are sitting on Pega, Guidewire, ICE, Duck Creek, Oracle CC&B, and Jack Henry. They need AI running safely on top of those systems today. The runtime is what lets you put a voice or chat agent in front of a 1990s core without becoming the next TD Bank.
Computer-use agents.
This is where the risk surface is widest. Computer-use agents are non-deterministic by design. They click, type, retry, and sometimes invent. In a chargeback workflow that’s a customer experience problem. In a SAR narrative, a KYC refresh, or a claims adjustment, it’s a fine. The runtime is what converts probabilistic agent intent into deterministic, audited execution.
The Decision Trace
The article’s top-rated comment went further than the article itself. It said the new risk surface, autonomous agents as counterparties, requires “mechanical enforcement at the protocol layer, not review workflows bolted on after the fact.” That is exactly the thesis we’ve been operating on.
When an agent acts on a customer’s behalf, or executes a regulated workflow, you need a deterministic artifact that proves what was authorized, by whom, against which policy, at what time, with what inputs and what outputs. We call this the Decision Trace. Without it, your AI strategy is a liability your CRO will eventually shut down.
Three signals, one pattern
a16z opens with TD Bank’s $3B fine for missing 92% of transaction monitoring, with 70,000 alerts unworked. The standard read is alert-queue problem, solve it with more agents. The right read is completion problem: intent capture (alerts firing) was disconnected from compliant execution (someone acting on them inside a system of record with an audit trail).
In 2024, an Air Canada chatbot invented a bereavement refund policy that didn’t exist. A tribunal held the airline liable for what the AI said. AI generated intent, the system of record had no opposing rule, and the courts enforced the chatbot’s hallucination against the company.
In March 2026, Amazon lost an estimated 6.3 million orders in a single six-hour outage on its retail site. Internal documents linked the incident to “Gen-AI assisted changes” and “novel GenAI usage for which best practices and safeguards are not yet fully established.” Amazon responded with a 90-day code safety reset across 335 Tier-1 systems and mandatory senior engineer sign-off on AI-assisted code.
Three industries, three AI compliance failure modes, one architectural gap.
AI generated intent, no enforcement runtime, the system of record absorbed the damage. The gap existed before AI. AI makes it 100x bigger, because intent is now generated by machines at machine speed, while completion still has to satisfy regulators, courts, and customers.
Why the three approaches converge on a runtime
a16z’s final line is that winners will eventually do all three. We agree. But the convergence point isn’t a feature set, it’s an architectural primitive: a runtime where AI evaluates, deterministic systems execute, and humans govern.
That sentence is our entire product thesis. Every choice we’ve made (the Decision Trace artifact, the deterministic state machine, enforcement by construction, the contrast against GenAI agents that generate, BPM tools that model, and CCaaS platforms that log) flows from that one architectural commitment.
What this looks like in production
At one bank we work with, a customer call into the contact center triggers an AI agent. The AI agent captures intent. Callvu’s runtime then takes over completion: which disclosures fire, which fields are written, which approvals are required, which compliance checks run inline, which Decision Trace is generated.
The AI never executes against the system of record directly. The runtime does, deterministically, every time. The CCO doesn’t need to trust the AI. She trusts the runtime, and the runtime tells her exactly what the AI was allowed to do, and what it actually did.
The category opening
a16z’s piece names Sardine, Valon, Vesta, Tako, and Factor Labs. Great companies, each owning a slice. Sardine owns transaction monitoring. Valon owns mortgage servicing. Vesta owns origination. Factor Labs is the chargeback agent.
None of them own the runtime between intent and the system of record. We do.
If you’re building in compliance AI, the question isn’t whether you need a runtime. It’s whether you build it yourself or buy it. We’ve spent years building it.
If you’re an investor or a regulated enterprise thinking about this category, we’d welcome the conversation.
