The compliance function of 2035 will not look like the compliance function of 2015. The question is whether the people who lead it today are building it, or waiting for someone else to.
The compliance function has, over the past two decades, undergone a significant expansion in scope. What began, in most organisations, as a narrowly defined legal and regulatory function — ensuring adherence to specific regulatory requirements, managing defined categories of risk — has broadened substantially. Anti-bribery. Third-party risk. Data privacy. Human rights due diligence. Sustainability reporting integrity. AI governance. Speak-up culture. The boundary of what the compliance function owns, or shares ownership of, has expanded in almost every direction simultaneously.
That expansion is not complete. The regulatory landscape that will be in place by the mid-2030s — shaped by CSDDD, the EU AI Act, continued development of global ESG reporting standards, and the ongoing convergence of anti-corruption frameworks across jurisdictions — will make the current scope of the compliance function look modest by comparison. The organisations that are building compliance functions capable of operating in that landscape are ahead. The ones that are managing the current scope without investing in the capacity to manage the next iteration are accumulating a gap that will eventually be visible.
At the same time, the tools available to the compliance function are changing in ways that create both opportunity and obligation. AI-assisted monitoring, natural language processing applied to speak-up channel data, automated adverse media scanning, digital training platforms that generate integrity risk intelligence — these tools exist, are becoming more capable, and are already being deployed by the compliance functions that will define what good looks like in the next decade.
Technical depth, data literacy, and the courage to lead without full authority.
The regulatory complexity of the next decade will require compliance officers with deeper technical knowledge across a broader range of frameworks than the current generation of the role has typically needed. The compliance officer who understands FCPA and ISO 37001 but has no working knowledge of CSDDD, the EU AI Act, or the ISSB sustainability disclosure standards will find that their advisory scope shrinks relative to the organisation's risk exposure. Technical breadth is becoming a baseline requirement, not a differentiator.
Data literacy — the ability to work with the data that digital compliance tools generate, to identify patterns that reveal risk concentrations, to distinguish signal from noise in monitoring outputs, and to present data-driven findings to governance in ways that support decision-making — is the skill that most current compliance functions have built least. The compliance function that cannot answer questions about its programme's effectiveness with data is a compliance function that will struggle to make the case for investment in a world where every function is competing for resources on the basis of demonstrated impact.
The capacity to lead without full authority — to influence decisions, shape culture, and drive change in organisations where the compliance function does not sit at the top of the authority structure — is not new to the role. But it is becoming more important as the scope of what compliance is expected to influence expands. The compliance officer who can navigate the tension between the ambition of the programme and the limits of their formal authority — who builds the relationships, earns the credibility, and develops the strategic judgment to drive change through influence rather than mandate — is the compliance officer who will be effective in the next decade.
The most useful question for any compliance officer reflecting on the future of their role is this: if someone with the skills and perspective needed for the compliance function of 2035 looked at what you are building today, what would they see as preparation for that future — and what would they see as a gap? The honest answer to that question is the development agenda. Not a generic one drawn from a professional association's competency framework, but a specific one drawn from an honest assessment of what the next iteration of the role will require and what distance exists between where you are and where you need to be.
The core of the role is human — and it will remain so.
Amid all the change in tools, scope, and regulatory complexity, the irreducible core of the compliance officer's role is a human one: the willingness to stand in the space between what the organisation wants to do and what it should do, and to say clearly what the difference is. No AI tool will do this. No regulatory framework will make it unnecessary. No expansion of the function's technical scope will replace the human judgment that the most important moments in the role require.
The compliance function of 2035 will be more sophisticated in its use of technology, more expansive in its regulatory scope, more data-driven in its measurement and reporting. But the compliance officer who is in a room with a senior executive who wants to proceed with something that compliance cannot endorse, and who must find the words to say so clearly and constructively and at personal cost — that person is doing the same thing that compliance officers have always done. The tools change. The obligation does not.
What the best compliance officers have always understood — and what the next generation will need to understand with equal depth — is that the role is ultimately about character. Not the character of the compliance framework, not the character of the policies and procedures, but the character of the person who holds the function. The willingness to be honest when honesty is inconvenient. The willingness to be consistent when consistency is challenged. The willingness to stand for something that the organisation has not yet fully understood it needs.
This article reflects the compliance advisory perspective of Compliance House and is intended for informational purposes. It does not constitute legal advice. Organisations seeking specific guidance should consult qualified counsel in the relevant jurisdiction.