Compliance as Architecture: Designing Resilient and Adaptive Governance in Digital Financial Systems

This paper argues that in today’s complex, digitally driven regulatory landscape, compliance effectiveness is no longer defined by procedural controls but by architectural design—proposing hybrid, modular, and federated compliance systems as the foundation for resilience, adaptability, and regulatory defensibility.

Sanchez P.

2/27/2026

Abstract

Contemporary regulatory environments are characterised by polycentric oversight, systemic interdependence, and accelerating digital transformation. European frameworks such as the Digital Operational Resilience Act (DORA), the EBA Guidelines on Outsourcing Arrangements, and national supervisory regimes (e.g., MaRisk) shift compliance from procedural conformity toward operational resilience, ICT concentration risk oversight, lifecycle third-party governance, and algorithmic accountability. Simultaneously, enterprise IT landscapes have transitioned from vertically integrated systems to modular, cloud-based ecosystems embedded with AI-enabled monitoring and distributed data architectures.

This paper argues that compliance effectiveness under such conditions is not primarily a function of procedural control maturity but an emergent property of architectural design. Drawing on modular systems theory, digital platform governance, resilience engineering, adaptive regulation, and AI lifecycle scholarship, it develops a theoretically grounded framework for hybrid compliance architecture. The model integrates modular best-of-breed tooling, tiered vendor governance, digital third-party risk management (TPRM) platforms, federated Data Mesh infrastructures, and lifecycle-oriented AI oversight under strong central governance anchoring.

The analysis demonstrates that monolithic Governance, Risk, and Compliance (GRC) systems generate structural rigidity, vendor concentration risk, and adaptation lag under regulatory volatility. In contrast, hybrid architectures preserve modular substitutability, enable domain-level regulatory responsiveness, enhance data lineage traceability, and support controlled AI experimentation within sandboxed and human-in-the-loop governance frameworks. Supplier vetting and exit engineering emerge as architectural risk controls, while continuous governance institutionalises adaptive feedback loops across tools, vendors, data, and AI systems.

By reframing compliance as infrastructural governance embedded within digital ecosystems, the paper positions architecture—not documentation—as the primary determinant of regulatory defensibility and institutional resilience. Hybrid, modular, and federated compliance ecosystems are thus not operational optimisations but structurally aligned responses to systemic regulatory regimes.

1. Introduction

1.1 The Structural Transformation of Compliance Governance

Compliance governance in regulated industries is undergoing a profound structural transformation. Historically, compliance was largely procedural, centred on internal policy frameworks, control documentation, and periodic audit-based assurance of regulatory adherence (Power, 2021; Bierwolf et al., 2023). In this model, regulatory oversight was primarily ex post, focusing on verifying conformity with predefined rules, and compliance infrastructures functioned mainly as repositories for documentation and workflow coordination (Hood et al., 2022).

Contemporary regulatory regimes increasingly extend beyond procedural rule-following towards broader governance objectives such as operational resilience, systemic risk mitigation, and technology lifecycle accountability. In financial services, for instance, regulatory initiatives emphasise continuous risk monitoring, ICT dependency mapping, and third-party resilience testing. The Digital Operational Resilience Act (DORA) exemplifies this shift by embedding continuous digital risk oversight and supply-chain resilience into supervisory expectations (European Commission, 2022; Basel Committee on Banking Supervision, 2021; Schreiber and Brender, 2023).

This evolution reflects a broader transformation in regulatory governance: regulators increasingly target not only organisational behaviour but also the digital infrastructures through which such behaviour is enacted (Tilson et al., 2021; Henfridsson and Yoo, 2023). Compliance obligations are therefore becoming embedded within data architectures, cloud infrastructures, and algorithmic decision systems, shifting compliance from a peripheral administrative function to an infrastructural capability integral to organisational operation and risk management (Constantiou and Kallinikos, 2022).

This transformation is tightly coupled with enterprise digitalisation. Organisations increasingly operate within modular digital ecosystems composed of cloud platforms, distributed microservices, and third-party service providers (Jacobides et al., 2022; Eaton et al., 2023). In such environments, compliance capabilities are inseparable from digital architecture: regulatory reporting depends on interoperable data pipelines, monitoring relies on distributed telemetry systems, and compliance analytics increasingly leverage embedded machine learning models (De Reuver et al., 2022).

1.2 Regulatory Polycentricity and Institutional Complexity

A second structural shift shaping compliance governance is the emergence of polycentric regulatory environments. Contemporary governance systems involve overlapping national, supranational, and sectoral authorities, each issuing partially coordinated but often heterogeneous regulatory requirements (Ostrom, 2010; Black, 2021; Abbott et al., 2022).

Rather than forming hierarchical regimes, these systems operate as multi-layered governance networks in which organisations must simultaneously comply with diverse and sometimes fragmented supervisory expectations (Black and Baldwin, 2019). Regulatory domains such as cybersecurity, AI governance, operational resilience, and third-party risk frequently evolve independently, resulting in heterogeneous compliance obligations across organisational units (Coglianese and Ben Dor, 2023).

This results in increasing regulatory heterogeneity rather than merely regulatory volume growth. Compliance systems must integrate multiple oversight regimes—including incident reporting, vendor lifecycle monitoring, algorithmic transparency, and resilience testing—into coherent organisational processes (Ranchordás, 2023).

Such environments require adaptive governance capabilities characterised by continuous monitoring, rapid regulatory interpretation, and distributed coordination of technological and organisational resources (Levi-Faur, 2022).

1.3 Digital Transformation and the Infrastructural Nature of Compliance

Digital transformation further intensifies these governance challenges. Enterprise IT architectures have shifted from monolithic systems to modular, API-driven ecosystems supported by cloud infrastructure and platform-based service provision (Jacobides et al., 2022; Yoo et al., 2021).

Despite this architectural evolution, many organisations continue to rely on traditional governance, risk, and compliance (GRC) systems designed for earlier technological paradigms. These systems centralise compliance workflows and data structures within tightly coupled platforms (Alles, 2023).

While such systems can enhance standardisation and auditability, research in socio-technical systems highlights that excessive coupling may reduce organisational adaptability in volatile regulatory environments (Tilson et al., 2021). In particular, tight integration across compliance functions may constrain responsiveness to regulatory change, while vendor lock-in introduces systemic dependency risks within increasingly interconnected digital ecosystems (Eaton et al., 2023).

This reflects a broader architectural tension: regulatory regimes increasingly demand distributed, adaptive governance, while legacy compliance architectures emphasise centralisation and standardisation. Resolving this tension requires reconceptualising compliance not as a discrete system but as a distributed infrastructural capability embedded in digital ecosystems (Henfridsson and Yoo, 2023).

1.4 Research Gap

Although research has examined RegTech, algorithmic governance, and operational resilience, the architectural foundations of compliance systems remain underexplored (Arner et al., 2021; Zetzsche et al., 2022).

Information systems research has extensively analysed platform governance and modular architectures (Tiwana, 2021; Yoo et al., 2021), while regulatory scholarship has focused on adaptive governance and polycentric oversight (Black, 2021; Levi-Faur, 2022). Infrastructure studies have further highlighted how digital ecosystems shape coordination and organisational innovation (Tilson et al., 2021).

However, these literatures remain fragmented. IS research rarely conceptualises compliance as an infrastructural governance system, while regulatory scholarship often treats compliance as a procedural or institutional artefact rather than a socio-technical architecture embedded in digital systems (Coglianese and Ben Dor, 2023).

As a result, limited conceptual guidance exists on how compliance architectures should be designed under conditions of distributed digital infrastructures, multi-vendor dependency, and rapidly evolving regulatory expectations.

1.5 Research Problem and Objective

This paper addresses the structural misalignment between traditional monolithic compliance architectures and contemporary regulatory-technological environments characterised by regulatory polycentricity, ecosystem-based digital infrastructures, increasing reliance on third-party providers, algorithmic governance, and continuous resilience requirements (Zetzsche et al., 2022; Schreiber and Brender, 2023).

The central research question is:

How should organisational compliance infrastructures be architected to support effective governance in digitally mediated, polycentric regulatory environments?

This requires reconceptualising compliance systems as socio-technical infrastructures embedded within digital ecosystems rather than isolated governance tools.

1.6 Conceptual Contributions

This paper develops a conceptual framework for hybrid compliance architecture and contributes four theoretical advances.

First, it introduces hybrid compliance architecture as a socio-technical construct combining modular technological components, federated data governance, and multi-vendor coordination under central oversight, consistent with modular system theory (Jacobides et al., 2022; Eaton et al., 2023).

Second, it integrates modular systems theory, digital platform governance, and adaptive regulatory theory into a unified analytical framework (Tiwana, 2021; Black, 2021).

Third, it reconceptualises compliance effectiveness as an emergent architectural property shaped by structural features such as modularity, transparency of data governance, and lifecycle oversight of algorithmic systems (Constantiou and Kallinikos, 2022).

Fourth, it explains why monolithic GRC systems may underperform under conditions of regulatory polycentricity and ecosystem interdependence, while hybrid architectures provide superior adaptability and resilience (Alles, 2023; Schreiber and Brender, 2023).

1.7 Research Approach

The study adopts a conceptual theory-building methodology grounded in systematic literature synthesis, consistent with established approaches in information systems research (MacInnes et al., 2022).

Drawing on interdisciplinary literatures in IS architecture, regulatory governance, and digital infrastructure theory, the paper develops a conceptual model of hybrid compliance architecture and identifies its structural mechanisms and governance implications.

Rather than presenting empirical findings, the study develops a theoretically grounded framework illustrated through a design-oriented application in the context of operational resilience regulation.

1.8 Structure of the Paper

The remainder of the paper proceeds as follows. The next section synthesises interdisciplinary literature on digital compliance systems, regulatory governance, modular architecture, platform ecosystems, and AI lifecycle governance (Arner et al., 2021; Yoo et al., 2021).

Subsequent sections develop the theoretical framework of hybrid compliance architecture and analyse its implications for vendor governance, AI oversight, and federated data architectures under operational resilience regimes (Schreiber and Brender, 2023; Zetzsche et al., 2022).

The conclusion discusses implications for reconceptualising compliance as an infrastructural capability embedded within digital governance ecosystems.

2. Literature Review

2.1 Introduction: From Procedural Compliance to Infrastructural Governance

Contemporary governance is shaped by the convergence of digital transformation, regulatory intensification, and systemic interdependence. Compliance can no longer be conceptualised as an isolated organisational function reacting to external rulemaking; instead, regulatory expectations are embedded in digital infrastructures, third-party ecosystems, algorithmic processes, and AI-driven systems.

This chapter synthesises scholarship across regulatory theory, information systems architecture, platform governance, operational resilience research, data governance, and AI lifecycle management. The aim is integrative: to identify theoretical foundations that justify hybrid compliance architecture as an adaptive governance model.

Six streams of literature underpin this analysis:

  1. Digital embedding of compliance and audit systems

  2. Regulatory intensification and operational resilience

  3. Modularity and platform ecosystems

  4. Limitations of integrated GRC systems

  5. Data architecture and distributed governance

  6. AI lifecycle governance and technical fragility

Across these domains, compliance emerges not as a documentation-centric function but as an infrastructural and architectural property.

2.2 Digital Transformation of Compliance and Audit

Digital transformation has fundamentally altered the operational logic of compliance and audit functions. Historically, compliance systems were document-centric, periodic, and retrospective. Controls were evaluated through scheduled audits, and regulatory adherence was demonstrated through ex post documentation.

Contemporary digital infrastructures enable continuous monitoring, automated control enforcement, and predictive risk detection. This shift represents not merely technological enhancement but structural reconfiguration.

Bamberger (2009) introduced the concept of “technologies of compliance,” arguing that regulatory norms increasingly become embedded within organisational systems rather than externally imposed through episodic oversight. Yeung (2018) extends this argument through the notion of algorithmic regulation, where governance objectives are operationalised via automated, anticipatory, and data-driven processes.

Machine learning and advanced analytics further intensify this transformation. Predictive models improve fraud detection, anomaly identification, and sanctions screening (Baesens et al., 2021), yet they introduce probabilistic reasoning into compliance systems traditionally grounded in rule-based logic. This creates epistemic tension between statistical optimisation and regulatory defensibility.

Moreover, digital compliance systems are deeply integrated into cloud infrastructures, API ecosystems, and third-party service architectures. Compliance functionality is no longer organisationally self-contained; it is embedded within distributed technological networks.

This digital embedding alters three structural properties of compliance:

  1. Temporality – Compliance becomes continuous rather than periodic.

  2. Interdependence – Compliance capability depends on external ICT providers.

  3. Epistemology – Compliance decisions increasingly rely on probabilistic inference rather than deterministic rule application.

These transformations imply that compliance effectiveness cannot be evaluated solely through procedural maturity models. Instead, it depends on architectural characteristics such as coupling structure, data lineage traceability, vendor substitutability, and AI lifecycle controls.

Digital transformation thus reframes compliance from a control function to an infrastructural governance capability. The remainder of the paper develops the architectural implications of this shift.

2.3 Regulatory Intensification and Operational Resilience

Regulatory frameworks increasingly prioritise systemic resilience over transactional rule enforcement. The Basel Committee (2021) defines operational resilience as the capacity to prevent, adapt to, respond to, and recover from disruption, shifting compliance from static conformity to dynamic capability.

European regulations exemplify this shift. The EBA Guidelines on Outsourcing (2019) extend oversight beyond contractual adequacy to lifecycle monitoring, risk classification, and exit planning. DORA (European Parliament, 2022) institutionalises ICT resilience through scenario testing, centralised third-party registers, and mandatory incident reporting.

Black (2012) argues that complex regulatory environments require adaptive governance capable of addressing emergent risks, while Li et al. (2026) empirically show how BigTech and FinTech interdependencies create new systemic risk vectors. Wagner and Bode (2008) earlier demonstrated that risk propagates non-linearly across interconnected networks.

Teichmann and Sergi (2025) characterise the EU Cyber Resilience Act as a hybrid regulatory framework, combining traditional command-and-control, risk-based, and co-regulatory elements. This underscores that modern regulation itself is structurally hybrid, integrating prescriptive requirements with ecosystem-level oversight.

Collectively, these findings demonstrate that compliance must operate at the network level: controls within isolated firms are insufficient if systemic dependencies remain opaque. Architectural transparency, interdependency mapping, and continuous stress-testing become regulatory imperatives.

2.4 Modularity, Platforms, and Hybrid Architectures

Modular systems theory provides a structural foundation for adaptive compliance. Baldwin and Clark (2000) show that decomposing systems into loosely coupled components reduces complexity, preserves option value, and allows substitution without destabilising the whole system.

Platform research extends this reasoning. Baldwin and Woodard (2009), Gawer (2014), and Gawer and Cusumano (2014) illustrate that layered, modular ecosystems allow peripheral innovation while maintaining core coherence. Jacobides, Cennamo, and Gawer (2018) demonstrate that value creation in ecosystems depends on distributed complementarities, implying that multi-vendor GRC ecosystems may outperform monolithic systems by combining specialised capabilities while preserving interoperability.

Tiwana (2014) emphasises that modular ecosystems require defined decision rights and integration protocols. Empirical studies by Svahn et al. (2017) and Sambamurthy et al. (2021) show that modular architectures enhance organisational adaptability under turbulence.

In compliance contexts, these insights imply that hybrid architectures—combining central governance with modular, best-of-breed components—can mitigate vendor concentration risk, reduce switching costs, and preserve regulatory responsiveness. Adeyinka (2025), Davuluri (2026), and Gaurav et al. (2025) provide concrete architectural frameworks demonstrating modularity, real-time monitoring, and adaptive governance capabilities embedded within hybrid cloud and AI ecosystems.

2.5 Integrated GRC and Its Limitations

Integrated GRC systems harmonise audit, risk, and compliance processes (Racz, Weippl, & Seufert, 2010). While they offer centralised visibility, empirical evidence highlights persistent limitations:

  1. Functional heterogeneity across domains creates trade-offs. Probabilistic analytics (Baesens et al., 2021), role-based access (Hu et al., 2015), and immutable audit trails (Alles, 2015) require divergent technical logics that monolithic systems struggle to accommodate.

  2. Architectural coupling increases rigidity (Baldwin & Clark, 2000), delaying adaptation under regulatory volatility.

  3. Vendor lock-in amplifies concentration risk, now explicitly addressed under DORA (European Parliament, 2022).

Hybrid architectures address these limitations, preserving modular substitutability, enhancing resilience, and supporting adaptive, domain-level governance.

2.6 Data Architecture and Distributed Governance

Data architecture underpins scalability and traceability in compliance systems. Kleppmann (2020) emphasises consistency, replication, and lineage tracking. Centralised data lakes facilitate aggregation but introduce bottlenecks and dilute accountability.

Dehghani (2022) proposes Data Mesh, a federated architecture with domain-oriented ownership, data-as-product principles, self-serve infrastructure, and federated governance. Klievink et al. (2017) show that distributed governance enhances organisational readiness and transparency.

In compliance-intensive contexts, Data Mesh supports:

  • Domain-level regulatory interpretation

  • Traceable data lineage

  • Reduced central bottlenecks

  • Scalable analytics

These mechanisms redistribute epistemic authority while preserving coordinated governance standards, aligning with hybrid compliance principles outlined by Adeyinka (2025) and Davuluri (2026).

2.7 AI Governance, Drift, and Technical Debt

AI introduces temporal instability. Concept drift (Gama et al., 2014) and hidden technical debt (Sculley et al., 2015) degrade performance over time. Ethical AI principles (Floridi et al., 2018) and algorithmic regulation concerns (Yeung, 2018) emphasise transparency and accountability.

Hybrid compliance architectures must therefore integrate AI lifecycle governance:

  • Continuous validation

  • Drift detection

  • Human-in-the-loop oversight

  • Periodic recalibration

  • Sandboxed experimentation

Gaurav et al. (2025) demonstrate AI-powered adaptive compliance frameworks, embedding feedback loops into multi-sector regulatory architectures. Lifecycle governance ensures regulatory defensibility under dynamic digital conditions.

2.8 Digital Compliance Infrastructures and the Emergence of RegTech

Recent scholarship highlights how digital technologies are transforming the institutional and operational foundations of regulatory compliance. Traditional compliance frameworks historically relied on manual monitoring, rule-based control processes, and document-centric governance models. However, the increasing complexity of financial regulation, coupled with the digitisation of financial infrastructures, has accelerated the adoption of regulatory technology (RegTech) solutions designed to automate monitoring, reporting, and risk detection (Arner, Barberis and Buckley, 2017; Anagnostopoulos, 2018).

RegTech refers broadly to the application of digital technologies—including data analytics, machine learning, and distributed information systems—to support regulatory compliance and supervisory oversight (Arner, Buckley and Zetzsche, 2023). Unlike traditional governance, risk, and compliance (GRC) systems, RegTech platforms frequently operate as integrated digital infrastructures embedded within organisational IT ecosystems. These infrastructures facilitate continuous regulatory monitoring, automated reporting, and real-time compliance analytics, thereby shifting compliance from a reactive auditing process toward continuous digital governance (Butler and O’Brien, 2019).

Empirical studies suggest that RegTech adoption is driven by three structural pressures affecting regulated organisations. First, regulatory regimes have expanded significantly in both scope and complexity following the global financial crisis, increasing the operational burden of compliance functions (Arner, Buckley and Zetzsche, 2023). Second, financial institutions increasingly rely on complex digital infrastructures and third-party technology providers, creating new forms of operational and systemic risk (Avgouleas and Goodhart, 2023). Third, regulatory authorities themselves are adopting supervisory technology (“SupTech”) tools to enhance data-driven oversight, further encouraging organisations to digitise their compliance architectures (Arner, Barberis and Buckley, 2017).

These developments have prompted scholars to conceptualise compliance not merely as an organisational control function but as a technology-enabled governance infrastructure embedded within digital ecosystems (Butler and O’Brien, 2019). In this perspective, compliance capabilities depend not only on regulatory expertise but also on the architectural design of organisational information systems. Consequently, compliance architectures must accommodate increasing data flows, multi-vendor technology environments, and evolving regulatory reporting requirements.

2.9 Algorithmic Governance and AI-Enabled Compliance

A related strand of literature examines the implications of algorithmic decision systems and artificial intelligence for regulatory governance. As organisations increasingly deploy machine learning systems in operational processes such as credit scoring, fraud detection, and transaction monitoring, regulators and scholars have raised concerns regarding transparency, accountability, and explainability in automated decision-making (Kroll et al., 2017).

Research on algorithmic governance emphasises that AI-driven systems must be subject to mechanisms ensuring auditability, accountability, and regulatory oversight. Kroll et al. (2017) argue that algorithmic systems operating within regulated environments must incorporate mechanisms enabling external review and verification of decision logic. Similarly, Raji et al. (2020) propose the use of algorithmic auditing frameworks, which systematically evaluate AI systems for potential biases, performance failures, or regulatory non-compliance.

From a compliance perspective, these developments imply that governance frameworks must extend beyond traditional process controls to include AI lifecycle governance mechanisms. Such mechanisms encompass model documentation, performance monitoring, data lineage tracking, and independent validation processes. These practices are increasingly reflected in emerging regulatory frameworks, including the proposed EU Artificial Intelligence Act, which emphasises risk classification, documentation obligations, and continuous monitoring of high-risk AI systems (Veale and Borgesius, 2021).

The integration of AI governance requirements into compliance infrastructures further reinforces the need for modular and adaptable compliance architectures capable of integrating specialised monitoring tools and governance processes across distributed technological environments.

2.10 Operational Resilience and Digital Regulatory Infrastructure

In parallel with developments in RegTech and algorithmic governance, regulators have increasingly emphasised operational resilience as a central objective of financial supervision. Operational resilience refers to the capacity of organisations to anticipate, absorb, and recover from operational disruptions affecting critical services (Armour, Awrey and Davies, 2024).

The growing importance of operational resilience reflects structural transformations in financial systems, particularly the increasing reliance on cloud infrastructure, digital platforms, and third-party technology providers. These developments have created new forms of systemic interdependence and concentration risk within financial infrastructures (Avgouleas and Goodhart, 2023). As a result, regulators have begun to emphasise the need for institutions to manage operational risk across complex digital supply chains.

The European Union’s Digital Operational Resilience Act (DORA) represents one of the most comprehensive regulatory responses to these challenges. DORA establishes harmonised requirements for ICT risk management, incident reporting, digital resilience testing, and oversight of critical third-party technology providers. Importantly, these regulatory requirements extend beyond traditional compliance reporting to encompass the design and governance of organisational digital infrastructures.

Recent research suggests that effective compliance with operational resilience regulation requires organisations to develop integrated governance architectures capable of coordinating risk management across distributed technology ecosystems (Avgouleas and Goodhart, 2023; Armour, Awrey and Davies, 2024). This includes mechanisms for vendor risk management, ICT dependency mapping, and resilience testing across interconnected systems.

2.11 Implications for Compliance Architecture

Taken together, the literature on RegTech, algorithmic governance, and operational resilience indicates a broader transformation in the nature of regulatory compliance. Compliance systems are evolving from procedural governance frameworks toward digitally embedded infrastructures that integrate data governance, technological oversight, and organisational risk management.

This shift has important implications for the design of compliance architectures. Traditional monolithic governance systems may struggle to accommodate the increasing complexity of digital regulatory environments characterised by:

  • distributed data ecosystems,

  • multi-vendor technology stacks,

  • AI-enabled decision systems, and

  • continuous regulatory monitoring requirements.

Consequently, scholars increasingly emphasise the importance of modular and interoperable compliance architectures capable of integrating specialised technological components while maintaining coherent governance structures (Butler and O’Brien, 2019). Building on these insights, the present study develops the concept of hybrid compliance architecture, which conceptualises compliance systems as modular digital infrastructures governed through coordinated architectural and organisational mechanisms.

2.12 Synthesis: Emergence of Hybrid Compliance Architecture

Across disciplines, the literature converges on five propositions:

  1. Compliance is infrastructural. Objectives are embedded within socio-technical systems (Bamberger, 2009; Yeung, 2018).

  2. Resilience is systemic. Interdependencies propagate risk across ecosystems (Wagner & Bode, 2008; Li et al., 2026).

  3. Modularity preserves adaptability. Loosely coupled architectures maintain option value under volatility (Baldwin & Clark, 2000; Tiwana, 2014; Adeyinka, 2025).

  4. Governance anchors hybrid architectures. Distributed systems require defined decision rights and oversight (Weill & Ross, 2004; De Haes & Van Grembergen, 2009; Teichmann & Sergi, 2025).

  5. AI requires lifecycle governance. Drift and technical debt necessitate continuous monitoring (Gama et al., 2014; Sculley et al., 2015; Gaurav et al., 2025).

Existing literature examines these dimensions individually. The present paper synthesises these insights into a coherent framework for hybrid compliance architecture, integrating:

  • Modular best-of-breed tools

  • Tiered vendor governance

  • Digital third-party risk management platforms

  • Federated data architectures

  • Lifecycle-oriented AI oversight anchored by strong central governance

Compliance effectiveness under contemporary regulatory regimes is thus an emergent architectural property, not reducible to procedural documentation. Hybrid, modular, and federated compliance ecosystems are structurally aligned responses to systemic regulation, polycentric supervision, and digital interdependence.

2.13 Theoretical Spine and Conceptual Scope

The paper draws upon multiple streams of literature, including modular systems theory, platform governance, operational resilience, AI governance, and digital regulation. To avoid conceptual over-extension and to ensure theoretical precision, this section clarifies the hierarchy and functional role of each theoretical component.

2.13.1 Primary Theoretical Spine

The explanatory foundation of the paper rests on two interlocking theoretical traditions:

(1) Modular Systems Theory

Modular systems theory (Baldwin and Clark, 2000; Sanchez and Mahoney, 1996; Simon, 1962) provides the architectural logic underpinning the argument. It explains how systems composed of loosely coupled components exhibit superior evolvability under environmental change compared to tightly integrated systems. The theory highlights:

  • The role of architectural decomposition

  • The trade-off between coupling and adaptability

  • The importance of interface standardisation

  • The relationship between modularity and substitutability

In this paper, compliance architecture is conceptualised as a socio-technical system whose degree of modularity conditions its capacity for regulatory adaptation.

(2) Adaptive and Polycentric Governance

Adaptive governance and polycentric regulation literature (Ostrom, 2010; Baldwin et al., 2012; Abbott and Snidal, 2009) provides the environmental and institutional context. Contemporary financial regulation is increasingly polycentric, involving overlapping national, supranational, and sectoral authorities. Regulatory requirements evolve rapidly in response to technological and systemic risk developments.

This regulatory volatility creates structural pressure on compliance systems. The combination of modular systems theory and adaptive governance theory allows the paper to link environmental volatility to architectural design choices.

These two theoretical streams constitute the analytical core of the paper.

2.13.2 Secondary Extensions

Several additional literatures are incorporated as applied extensions rather than foundational theories:

  • AI Lifecycle Governance operationalises epistemic risk within probabilistic compliance systems.

  • Third-Party Risk Management (TPRM) provides a concrete instantiation of vendor substitutability under ecosystem interdependence.

  • Federated Data Governance / Data Mesh concepts illustrate how modularity can be implemented in digital data infrastructures.

These extensions instantiate modularity logic within specific compliance domains. They enrich the framework but do not redefine its theoretical spine.

2.13.3 Regulatory Frameworks as Contextual Anchors

Regulatory instruments such as DORA, EBA ICT Guidelines, and MaRisk serve as empirical context rather than theoretical foundations. They provide institutional motivation for architectural transformation but do not constitute explanatory mechanisms within the model.

This hierarchical clarification ensures theoretical parsimony. The manuscript advances a modularity-based theory of compliance resilience applied within polycentric regulatory environments, rather than an encyclopaedic synthesis of unrelated domains.

2.14 Conclusion

Despite their relevance, these literature streams rest on incompatible assumptions. Information systems research emphasises modularity and decentralised control, while regulatory governance literature presumes centralised accountability and institutional coherence. This creates a fundamental tension: architectures that maximise adaptability may undermine supervisory clarity, while architectures that maximise control may reduce adaptability.

Existing research does not resolve this trade-off. This paper addresses this gap by theorising hybrid compliance architecture as a mechanism for reconciling modular adaptability with centralised governance accountability.

3. Theoretical Foundations of Hybrid Compliance Architecture

3.1 Analytical Scope and Theoretical Anchors

Digital compliance environments are shaped by multiple technological, organisational, and regulatory dynamics. Prior research addressing these dynamics spans several theoretical traditions, including modular systems theory, platform ecosystem governance, adaptive regulatory frameworks, data architecture models, AI governance mechanisms, and organisational resilience research. While these perspectives offer valuable insights, combining them without a clear analytical structure risks producing an overly broad theoretical narrative in which the underlying causal mechanisms remain unclear.

Conceptual theory development in management and information systems research typically benefits from a limited number of well-defined theoretical anchors that provide explanatory coherence across the proposed framework (Cornelissen, 2017; Jaakkola, 2020). Following this principle, the present study focuses on three primary theoretical pillars that collectively explain the structural and governance characteristics of hybrid compliance architectures:

  1. Modular systems theory, which explains how complex technological systems achieve flexibility and adaptability through decomposable architectures.

  2. Digital platform governance, which explains how organisations coordinate distributed technological ecosystems through architectural control and governance mechanisms.

  3. Adaptive regulatory governance, which explains how regulatory institutions and regulated organisations respond to technological change and systemic risk.

These three theoretical perspectives provide complementary explanations for the structural design, governance mechanisms, and institutional drivers shaping modern compliance architectures.

Other conceptual perspectives discussed in the literature—including data mesh architectures, AI lifecycle governance, and vendor risk management—are therefore treated in this study as applied architectural or governance mechanisms operating within these broader theoretical foundations, rather than as independent theoretical frameworks.

3.2 Modular Systems Theory and Architectural Flexibility

The first theoretical pillar underlying hybrid compliance architecture is modular systems theory, which explains how complex systems can achieve flexibility, scalability, and adaptability through decomposition into semi-independent components. Early work by Simon (1962) introduced the concept of near-decomposability, arguing that complex systems evolve more effectively when organised into loosely coupled subsystems that interact through defined interfaces.

Subsequent research in information systems and organisational design has demonstrated how modular architectures enable organisations to adapt technological infrastructures without requiring complete system redesign (Baldwin and Clark, 2000). Modularisation allows individual system components to evolve independently while maintaining overall system coherence through shared architectural standards and governance mechanisms.

Within compliance environments characterised by rapidly evolving regulatory requirements and technological infrastructures, modular design principles can therefore enhance organisational adaptability. Rather than relying on monolithic governance, risk, and compliance (GRC) platforms, organisations may deploy specialised compliance modules—such as transaction monitoring tools, regulatory reporting systems, or model validation platforms—that interact through shared data and governance interfaces.

From this perspective, hybrid compliance architecture can be understood as an application of modular systems theory to regulatory governance infrastructures, enabling organisations to respond more effectively to regulatory change and technological innovation.

3.3 Digital Platform Governance and Ecosystem Coordination

While modular architectures enable technological flexibility, they also create governance challenges when systems become distributed across multiple organisational units and external technology providers. The second theoretical pillar of the framework therefore draws on digital platform governance and ecosystem theory, which examines how organisations coordinate distributed technological ecosystems.

Research on digital platforms highlights how organisations increasingly operate within multi-actor ecosystems consisting of internal systems, third-party service providers, and external data infrastructures (Tiwana, 2014; Jacobides, Cennamo and Gawer, 2018). Within such ecosystems, platform owners must establish governance mechanisms that coordinate participation, ensure interoperability, and manage risks arising from technological interdependencies.

These insights are particularly relevant for compliance architectures, which increasingly depend on external technology providers such as cloud service platforms, regulatory reporting vendors, analytics providers, and specialised RegTech firms. The governance of such ecosystems requires architectural control mechanisms, including interface standards, data governance frameworks, and vendor oversight processes.

Digital platform governance therefore provides an analytical lens for understanding how organisations coordinate multi-vendor compliance ecosystems while maintaining regulatory accountability and operational control.

3.4 Adaptive Regulatory Governance

The third theoretical pillar informing the framework is adaptive regulatory governance, which emphasises the dynamic relationship between technological change and regulatory institutions. Traditional regulatory models often assume relatively stable technological environments. However, rapid digital transformation has increasingly challenged these assumptions, requiring regulators and regulated organisations to adapt governance structures to evolving technological risks (Arner, Barberis and Buckley, 2017).

Research in financial regulation highlights how regulatory frameworks have increasingly shifted toward risk-based and resilience-oriented approaches, particularly following the global financial crisis and the digitisation of financial infrastructures (Armour, Awrey and Davies, 2024). Rather than prescribing detailed technical rules, contemporary regulatory regimes often establish broader governance objectives that require organisations to demonstrate effective risk management capabilities.

Examples include emerging regulatory frameworks addressing operational resilience, ICT risk management, and algorithmic accountability. These frameworks require organisations to develop governance architectures capable of responding to technological disruptions, managing complex vendor ecosystems, and ensuring the reliability of digital infrastructures.

Within this context, compliance architectures must support continuous monitoring, rapid adaptation, and organisational learning, reflecting the broader shift toward adaptive regulatory governance.

3.5 Applied Architectural Mechanisms within the Framework

While the three theoretical pillars described above provide the analytical foundation of the framework, several additional concepts frequently discussed in the literature represent specific architectural or governance mechanisms operating within these broader theoretical structures.

For example:

  • Data mesh architectures represent a distributed data governance approach that operationalises modular information infrastructures within complex organisations (Dehghani, 2022).

  • AI lifecycle governance frameworks provide mechanisms for ensuring accountability and transparency in algorithmic decision systems (Kroll et al., 2017; Raji et al., 2020).

  • Vendor risk management frameworks address the governance of external technology providers within digital ecosystems, particularly in environments characterised by ICT concentration risks (Avgouleas and Goodhart, 2023).

Rather than constituting independent theoretical perspectives, these approaches can be understood as practical implementations of modular system design, platform governance, and adaptive regulatory principles within compliance infrastructures.

By situating these mechanisms within a smaller set of theoretical foundations, the framework aims to provide greater conceptual clarity regarding the structural drivers shaping hybrid compliance architectures.

3.6 Conclusion

While the preceding literature highlights the architectural and governance challenges associated with digital compliance environments, the key constructs underpinning the proposed framework require further clarification. Conceptual research requires clearly specified constructs with explicit boundaries to ensure theoretical coherence and analytical rigour (Suddaby, 2010). The following section therefore defines the two central constructs of this study—hybrid compliance architecture and compliance effectiveness—and specifies their underlying dimensions.

4. Introducing Hybrid Compliance Architecture and Compliance Effectiveness

4.1 Hybrid Compliance Architecture
4.1.1 Definition

In this study, hybrid compliance architecture refers to:

An organisational governance and technological infrastructure that integrates multiple specialised compliance systems, distributed data governance mechanisms, and multi-vendor technology ecosystems within a centrally coordinated regulatory governance framework.

This definition emphasises that hybrid compliance architecture is not simply a technological configuration but rather an integrated socio-technical governance system combining architectural design, organisational coordination, and regulatory oversight mechanisms.

Hybrid compliance architectures emerge in environments where compliance functions must coordinate across:

  • heterogeneous digital systems,

  • distributed organisational units,

  • external technology providers, and

  • evolving regulatory requirements.

The concept therefore reflects the growing complexity of compliance infrastructures in digitally mediated regulatory environments.

4.1.2 Distinction from Modular Architecture

Although hybrid compliance architecture builds upon principles of modular system design, the two concepts are analytically distinct.

Modular architectures describe the structural decomposition of complex systems into semi-independent components connected through defined interfaces (Baldwin and Clark, 2000). Hybrid compliance architecture extends this concept by incorporating organisational governance and ecosystem coordination mechanisms required when modular systems operate across multiple organisational and technological boundaries.

In other words:

  • Modularity describes the technical structure of systems, whereas

  • Hybrid architecture describes the combined technological and governance configuration required to manage compliance across distributed ecosystems.

Hybrid architectures therefore combine:

  • modular technological components,

  • federated data governance structures, and

  • coordinated ecosystem governance mechanisms.

4.1.3 Dimensions of Hybrid Compliance Architecture

To enhance conceptual clarity, hybrid compliance architecture is operationalised along three structural dimensions.

1 Architectural Modularity

This dimension captures the extent to which compliance capabilities are implemented through specialised, interoperable system components rather than monolithic platforms.

Typical components may include:

  • regulatory reporting systems

  • transaction monitoring platforms

  • AI model governance tools

  • vendor risk management systems

Modular architectures enable organisations to adapt compliance capabilities without redesigning entire governance infrastructures (Baldwin and Clark, 2000; Hanseth and Lyytinen, 2010).

2 Federated Data Governance

The second dimension concerns the distribution of compliance-relevant data ownership and governance across organisational units.

In large organisations, compliance functions depend on data generated across multiple operational domains, such as risk management, trading systems, customer onboarding processes, and third-party service providers. Emerging governance approaches such as data mesh architectures propose federated models in which domain teams maintain responsibility for data quality while adhering to common governance standards (Dehghani, 2022).

Within hybrid compliance architectures, federated data governance mechanisms enable organisations to integrate compliance monitoring across distributed data ecosystems while maintaining organisational accountability.

3 Ecosystem Governance and Vendor Coordination

The third dimension addresses the governance of external technology providers and distributed digital infrastructures.

Compliance capabilities increasingly rely on external platforms including:

  • cloud infrastructure providers,

  • regulatory reporting platforms,

  • AI analytics tools, and

  • specialised RegTech services.

These dependencies create governance challenges related to vendor risk management, operational resilience, and regulatory accountability. Digital platform governance research emphasises the importance of architectural control and coordination mechanisms in managing such ecosystems (Tiwana, 2014; Jacobides, Cennamo and Gawer, 2018).

Hybrid compliance architectures therefore incorporate governance mechanisms that coordinate multi-vendor compliance ecosystems while ensuring regulatory oversight.

4.2 Compliance Effectiveness
4.2.1 Construct Definition

The second core construct in the framework is compliance effectiveness, defined as:

The capability of an organisation’s compliance system to ensure sustained regulatory adherence while adapting to evolving technological, operational, and regulatory conditions.

This definition emphasises that compliance effectiveness extends beyond static rule adherence and includes the organisation’s ability to respond dynamically to regulatory complexity and technological change.

Research in regulatory governance increasingly emphasises that compliance systems must demonstrate not only formal adherence to rules but also operational resilience, transparency, and supervisory accountability (Armour, Awrey and Davies, 2024).

4.2.2 Dimensions of Compliance Effectiveness

Building on prior research in organisational resilience and regulatory governance, compliance effectiveness is conceptualised along three key dimensions.

1 Adaptation Speed

Adaptation speed refers to the ability of an organisation’s compliance infrastructure to implement regulatory changes and respond to emerging risks in a timely manner.

In digitally mediated regulatory environments, regulatory requirements may evolve rapidly due to technological innovation, systemic risk concerns, or supervisory policy changes. Organisations with modular and flexible compliance architectures can integrate new regulatory requirements more quickly than those relying on rigid monolithic systems.

Adaptation speed can be observed through indicators such as:

  • time required to implement regulatory reporting changes,

  • speed of integrating new compliance monitoring tools,

  • responsiveness to supervisory guidance.

2 Operational Resilience

Operational resilience refers to the ability of compliance systems to maintain functional integrity during operational disruptions, technological failures, or cyber incidents.

Recent regulatory frameworks emphasise resilience as a central compliance objective, particularly in financial systems characterised by high technological interdependence (Avgouleas and Goodhart, 2023). Resilient compliance infrastructures are capable of maintaining monitoring, reporting, and governance capabilities even when parts of the technological ecosystem are disrupted.

Potential indicators include:

  • continuity of compliance monitoring during system outages,

  • recovery time for regulatory reporting capabilities,

  • resilience testing outcomes.

3 Supervisory Defensibility

Supervisory defensibility captures the extent to which compliance systems produce transparent, auditable, and verifiable evidence of regulatory adherence.

Regulators increasingly expect organisations to demonstrate how compliance decisions are made, particularly in environments involving automated decision systems and complex data infrastructures. Algorithmic governance research highlights the importance of auditability and traceability in ensuring accountability in digital decision systems (Kroll et al., 2017; Raji et al., 2020).

Indicators of supervisory defensibility may include:

  • availability of audit trails for compliance decisions,

  • documentation of AI models and governance processes,

  • transparency of data lineage supporting regulatory reporting.

4.3 Relationship Between the Constructs

The conceptual framework proposed in this study suggests that hybrid compliance architectures enhance compliance effectiveness by enabling organisations to coordinate distributed technological ecosystems while maintaining adaptable and resilient governance structures.

Specifically:

  • architectural modularity improves adaptation speed,

  • federated data governance enhances transparency and supervisory defensibility, and

  • ecosystem governance mechanisms strengthen operational resilience in complex technological environments.

These relationships form the basis for the theoretical framework developed in the following section.

5. Limitations of Monolithic GRC Platforms

5.1 Introduction

This chapter establishes the theoretical and organisational foundations underpinning the analysis developed in subsequent chapters. Rather than re-deriving propositions later applied to vendor governance, DORA implementation, AI lifecycle oversight, or federated data infrastructures, this chapter consolidates the architectural logic of compliance systems into a coherent theoretical base.

Three interlocking arguments are developed.

First, compliance systems are best understood as socio-technical architectures whose adaptability depends on structural design choices, particularly modular decomposition and coupling structure (Baldwin and Clark, 2000; Simon, 1962).

Second, ecosystem interdependence and vendor concentration create structural fragility risks that reshape the governance demands placed on compliance infrastructures (Pfeffer and Salancik, 1978; Borio et al., 2021).

Third, architectural transformation is constrained by organisational inertia, path dependency, and power dynamics, such that compliance redesign cannot be analysed as a purely technical optimisation problem (Arthur, 1989; Besson and Rowe, 2012).

This chapter therefore provides the architectural, governance, and organisational lenses through which later domain-specific analyses should be interpreted.

5.2 Compliance Systems as Socio-Technical Architectures

Compliance infrastructures in contemporary financial institutions are not merely procedural control systems. They are digitally embedded socio-technical architectures integrating:

  • Data pipelines

  • Third-party platforms

  • Cloud infrastructures

  • AI-driven monitoring tools

  • Reporting interfaces to supervisory authorities

Socio-technical systems theory emphasises that technical structures and organisational arrangements co-evolve and mutually constrain one another (Trist and Bamforth, 1951). Compliance systems must therefore be analysed as organisationally embedded digital infrastructures rather than as isolated IT tools.

The architecture of such systems determines how regulatory change propagates across components. Following Simon’s (1962) notion of near-decomposability, systems structured into loosely coupled modules exhibit superior evolvability relative to tightly integrated monoliths. Baldwin and Clark (2000) formalise this insight by demonstrating how modular architectures reduce change propagation costs and enable parallel innovation.

In compliance contexts, architectural decomposition influences:

  • Speed of regulatory reporting updates

  • Ease of vendor replacement

  • Transparency of AI model governance

  • Resilience to infrastructure disruption

The degree of coupling thus becomes a primary determinant of adaptive capacity.

5.3 Modularity and Adaptive Capacity

Modularity refers to the extent to which a system’s components can be separated and recombined through standardised interfaces (Sanchez and Mahoney, 1996). In digital infrastructures, modularity allows individual components to evolve without necessitating systemic redesign.

Under conditions of regulatory volatility—characterised by frequent amendments, overlapping jurisdictions, and technology-driven rule evolution (Baldwin et al., 2012; Ostrom, 2010)—modular compliance architectures provide structural flexibility.

The adaptive benefits of modularity derive from three mechanisms:

  1. Localised Change Containment
    Updates to a regulatory reporting module do not require reconfiguration of AI monitoring systems.

  2. Parallel Evolution
    Distinct compliance domains (e.g., TPRM, transaction monitoring, incident reporting) can evolve independently.

  3. Substitutability
    Vendors can be replaced without reengineering the entire compliance ecosystem.

These mechanisms reduce systemic fragility and increase evolutionary capacity (Baldwin and Clark, 2000).

However, modularity is not costless. Increased decomposition raises coordination demands and interface management complexity, as discussed in Section 3.6.

5.4 Ecosystem Interdependence and Concentration Risk

Digital compliance systems are deeply embedded in platform ecosystems and cloud infrastructures. Resource dependence theory (Pfeffer and Salancik, 1978) suggests that reliance on external actors generates asymmetrical power relations and vulnerability.

In financial services, vendor concentration risk has attracted increasing regulatory scrutiny (Borio et al., 2021). When multiple institutions rely on the same ICT providers, systemic fragility increases. Disruption of a critical cloud service or compliance vendor can propagate across institutions simultaneously.

Concentration risk manifests at multiple layers:

  • Infrastructure concentration (e.g., hyperscale cloud providers)

  • Application concentration (dominant GRC vendors)

  • Data analytics concentration (AI compliance platforms)

Supply chain resilience research demonstrates that diversified supplier networks improve robustness under disruption (Christopher and Peck, 2004). In compliance ecosystems, vendor diversification enhances substitutability and reduces single-point failure exposure.

Yet diversification introduces new coordination burdens, including contractual complexity and interoperability management (Williamson, 1985). Architectural design must therefore balance concentration mitigation with coordination efficiency.

5.5 Governance Anchoring and Coordination

While modular architectures enable flexibility, excessive decentralisation can generate fragmentation and accountability ambiguity. IT governance research demonstrates that clarity of decision rights and cross-domain oversight structures are critical for aligning technology investments with organisational objectives (Weill and Ross, 2004; Sambamurthy and Zmud, 2000).

In compliance ecosystems, governance anchoring performs three stabilising functions:

  1. Architectural Coherence: Ensuring modular components adhere to shared standards.

  2. Risk Oversight: Monitoring cross-vendor exposure and systemic concentration.

  3. Accountability Clarity: Providing regulators with identifiable responsibility structures.

Polycentric regulatory environments (Ostrom, 2010) amplify the need for governance coordination, as institutions must respond to overlapping supervisory expectations. Governance centralisation therefore operates not as a contradiction to modularity but as its complement.

5.6 Potential Failure Modes of Hybrid Compliance Architecture

Hybrid compliance architectures—combining modular decomposition with governance anchoring—are theoretically adaptive under volatility. However, several failure modes warrant consideration.

5.6.1 Coordination Overhead

Transaction cost economics predicts that as inter-component exchanges increase, monitoring and coordination costs rise (Williamson, 1985). Poorly managed modularisation may produce excessive interface management burdens.

5.6.2 Integration Complexity and Technical Debt

Information infrastructure research highlights that modular expansion can generate “integration sprawl,” where accumulated interfaces increase opacity and maintenance difficulty (Hanseth and Lyytinen, 2010).

Without disciplined interface standards, hybrid architectures may reintroduce tight coupling through undocumented dependencies.

5.6.3 Multi-Vendor Coordination Risk

Platform governance literature shows that ecosystem stability depends on effective orchestration (Tiwana, 2014). Multi-vendor compliance environments may suffer from contractual conflicts, misaligned service levels, or data governance disputes.

5.6.4 Regulatory Scepticism Toward Fragmentation

Regulators may prefer visible central control over distributed modular architectures if accountability lines appear diffuse (Black, 2008). Excessive fragmentation could undermine supervisory confidence.

These failure modes establish boundary conditions for the later propositions. Hybrid architectures are contingent solutions requiring governance competence and architectural discipline.

5.7 Organisational Constraints on Architectural Transformation

Architectural redesign cannot be understood as a frictionless transition. Organisational inertia and institutional path dependence shape feasibility.

5.7.1 Path Dependency and Legacy Lock-In

Historical investments in monolithic GRC systems create lock-in effects (Arthur, 1989; David, 1985). Legacy architectures embed routines, reporting structures, and power hierarchies that resist disruption.

5.7.2 Cultural Resistance and Power Dynamics

Digital transformation research demonstrates that IT-enabled change often generates interdepartmental conflict (Besson and Rowe, 2012). Compliance functions may resist decentralisation of tools; IT departments may resist loss of architectural control.

5.7.3 Capability and Budget Constraints

Hybrid architectures require advanced vendor management and API integration skills. Institutions lacking these capabilities may experience partial or failed transformation (Kane et al., 2015; Markus, 2004).

Accordingly, modular transformation must be sequenced and embedded within broader organisational change programmes (Peppard and Ward, 2016).

5.8 When Monolithic Systems Are Optimal

Monolithic compliance architectures may remain advantageous under conditions of low regulatory volatility, limited ecosystem interdependence, and strong requirements for standardisation. In such environments, tight coupling reduces coordination overhead and enhances consistency of control execution. Hybrid architectures, by contrast, may introduce unnecessary complexity where adaptability requirements are limited.

5.9 Integrative Summary

This chapter establishes that compliance effectiveness depends on the interaction between:

  • Architectural structure (modularity vs. coupling)

  • Ecosystem interdependence (vendor concentration exposure)

  • Governance anchoring (decision-right clarity)

  • Organisational capacity (institutional readiness for transformation)

These foundational elements support the analytical model developed in Chapter 4. Subsequent chapters do not re-derive modularity logic but apply it to specific domains including vendor governance, AI lifecycle oversight, and data federation under DORA conditions.

Compliance resilience therefore emerges not from procedural control accumulation but from architectural configuration embedded within organisational and regulatory contexts.

6. Hybrid Compliance Architecture as Adaptive Strategy

6.1 Introduction

Chapter 3 established that compliance systems are socio-technical architectures whose adaptive capacity depends on modular structure, ecosystem interdependence, governance anchoring, and organisational capability. This chapter develops the central explanatory model of the paper by specifying how these structural elements interact under conditions of regulatory volatility.

The core claim advanced here is not that hybrid compliance architectures are universally superior, but that their effectiveness is contingent upon environmental conditions—particularly regulatory volatility and ecosystem interdependence.

Drawing on modular systems theory (Baldwin and Clark, 2000; Simon, 1962) and adaptive governance scholarship (Ostrom, 2010; Baldwin et al., 2012), this chapter formalises six propositions linking structural drivers, architectural mechanisms, governance moderators, and compliance outcomes.

6.2 Structural Drivers: Regulatory Volatility and Ecosystem Interdependence

6.2.1 Regulatory Volatility

Contemporary financial regulation is characterised by rapid technological adaptation, overlapping supervisory authorities, and iterative rule development. Polycentric governance environments generate dynamic and sometimes inconsistent regulatory signals (Ostrom, 2010; Abbott and Snidal, 2009).

Regulatory volatility increases the frequency with which compliance systems must adjust:

  • Reporting templates

  • ICT risk disclosures

  • Third-party governance requirements

  • AI transparency expectations

In tightly coupled systems, such adjustments propagate across components, increasing implementation time and cost. In modular systems, change remains localised (Baldwin and Clark, 2000).

This leads to the first contingency proposition:

P1 (Volatility Contingency): The higher the level of regulatory volatility, the greater the performance differential between modular and monolithic compliance architectures.

This proposition is conditional rather than universal: under stable regulatory conditions, modularity may not yield significant performance advantages.

6.2.2 Ecosystem Interdependence

Digital compliance systems are embedded within cloud infrastructures, third-party analytics platforms, and shared service providers. Resource dependence theory suggests that reliance on external actors generates vulnerability (Pfeffer and Salancik, 1978).

As ecosystem interdependence increases, so too does exposure to concentration risk. Financial stability literature emphasises the systemic implications of ICT concentration (Borio et al., 2021). Disruption at a critical provider can cascade across institutions.

Therefore:

P2 (Interdependence Exposure): Greater ecosystem interdependence increases institutional vulnerability to ICT concentration risk, heightening the strategic value of vendor substitutability mechanisms.

This proposition establishes the environmental condition motivating diversification within hybrid architectures.

6.3 Architectural Mechanisms

6.3.1 Modularity as Adaptive Mechanism

Modularity reduces change propagation costs by enabling semi-autonomous component evolution (Sanchez and Mahoney, 1996). In compliance systems, modular decomposition may separate:

  • Regulatory reporting modules

  • AI monitoring engines

  • Vendor risk management platforms

  • Incident reporting workflows

The adaptive mechanism operates through near-decomposability (Simon, 1962). Component-level change does not require systemic reconfiguration.

Accordingly:

P3 (Modularity Effect): Higher architectural modularity increases compliance adaptability by enabling independent evolution of compliance system components.

This is a causal proposition linking architectural structure to adaptation capacity.

6.3.2 Vendor Diversification and Substitutability

Modularity facilitates substitutability by isolating vendor-dependent components. Diversified supplier portfolios reduce exposure to single-point failures (Christopher and Peck, 2004).

However, diversification is effective only when architectural interfaces permit vendor replacement without extensive reintegration costs. Thus modularity and diversification are mutually reinforcing mechanisms.

This yields:

P4 (Substitutability Effect): Vendor diversification reduces operational fragility and increases resilience under conditions of disruption.

This proposition connects architectural decomposition to systemic resilience outcomes.

6.4 Governance Moderators

Architectural mechanisms do not operate autonomously. Their effectiveness depends on governance conditions.

6.4.1 Governance Centralisation as Moderating Condition

Modular architectures increase coordination complexity. Without governance anchoring, decentralised compliance components may drift, duplicate functions, or produce inconsistent reporting outputs (Weill and Ross, 2004; Sambamurthy and Zmud, 2000).

Governance centralisation clarifies:

  • Decision rights

  • Architectural standards

  • Cross-domain risk oversight

It therefore moderates the relationship between modularity and compliance effectiveness.

P5 (Governance Moderation): The positive effects of modularity and vendor diversification on compliance effectiveness are strengthened by clear governance centralisation and decision-right clarity.

This is a moderating proposition.

6.4.2 AI Lifecycle Governance and Epistemic Risk

As compliance systems increasingly incorporate machine learning tools, decision outputs become probabilistic rather than deterministic (Yeung, 2018). This introduces epistemic risk: uncertainty about model behaviour, bias, and drift (Binns et al., 2018).

Formalised AI lifecycle governance—including validation protocols, performance monitoring, and revision documentation—enhances transparency and regulatory defensibility (Raji et al., 2020).

Thus:

P6 (AI Transparency Effect): Formalised AI lifecycle governance increases supervisory defensibility and reduces epistemic risk in data-driven compliance systems.

This proposition links governance design to regulatory outcome quality.

6.5 Compliance Effectiveness as Emergent Outcome

Compliance effectiveness is conceptualised as a multidimensional construct comprising:

  1. Adaptation Speed – Time required to implement regulatory change.

  2. Operational Resilience – Capacity to maintain function under disruption.

  3. Supervisory Defensibility – Ability to demonstrate control effectiveness and accountability to regulators.

Drawing on systems theory (Simon, 1962), these outcomes are emergent properties of architectural configuration and governance design rather than attributes of individual tools.

The model therefore proposes that:

  • Regulatory volatility and ecosystem interdependence create environmental pressures.

  • Modularity and vendor diversification operate as architectural mechanisms.

  • Governance centralisation and AI lifecycle controls function as moderators.

  • Compliance effectiveness emerges from their interaction.

6.6 Boundary Conditions and Scope

The model is subject to boundary conditions.

First, under low regulatory volatility, monolithic architectures may achieve efficiency advantages due to reduced coordination overhead (Williamson, 1985).

Second, institutions lacking governance capability may experience fragmentation costs exceeding modular benefits (Hanseth and Lyytinen, 2010).

Third, excessive vendor diversification may generate integration burdens outweighing concentration risk mitigation.

These conditions reinforce the contingent nature of the hybrid architecture claim.

6.7 Integrative Summary

This chapter has formalised a parsimonious explanatory model consisting of:

  • Two structural drivers (volatility, interdependence)

  • Two architectural mechanisms (modularity, diversification)

  • Two governance moderators (centralisation, AI lifecycle control)

  • One multidimensional outcome (compliance effectiveness)

The propositions are hierarchical and non-redundant. Subsequent chapters apply this model to specific institutional domains (vendor governance, DORA implementation, and data architecture) without re-deriving the theoretical logic.

Hybrid compliance architecture is therefore conceptualised not as a normative prescription but as a contingent adaptive configuration under regulatory volatility and ecosystem interdependence.


7. Vendor Governance and Concentration Risk in Hybrid Compliance Architecture

7.1 Introduction

Chapter 4 established ecosystem interdependence as a structural driver (P2) and vendor diversification as an architectural mechanism enhancing resilience (P4), moderated by governance centralisation (P5). This chapter operationalises these propositions in the domain of vendor governance and third-party risk management (TPRM).

Vendor governance is conceptualised here not as an isolated compliance function but as a structural manifestation of architectural substitutability under conditions of ICT concentration. The chapter demonstrates how vendor governance translates modular design principles into resilience-enhancing mechanisms within compliance ecosystems.

7.2 Ecosystem Interdependence and Systemic Concentration (P2)

Financial institutions increasingly rely on a small number of hyperscale cloud providers, analytics vendors, and regtech platforms. Empirical studies in financial stability warn that such ICT concentration may amplify systemic fragility (Borio et al., 2021). Resource dependence theory further suggests that high reliance on external actors reduces institutional autonomy and increases exposure to opportunistic behaviour or service disruption (Pfeffer and Salancik, 1978).

In compliance systems, ecosystem interdependence manifests in:

  • Dependence on a single GRC platform for regulatory reporting.

  • Exclusive reliance on a cloud-native AI monitoring vendor.

  • Shared infrastructure for sanctions screening across institutions.

Operationalising P2 requires systematic dependency mapping. Institutions must identify:

  1. Critical compliance functions.

  2. Associated vendor dependencies.

  3. Concentration ratios across service categories.

  4. Substitutability constraints.

This process transforms vendor oversight from reactive due diligence into structural risk mapping aligned with architectural configuration.

7.3 Vendor Diversification as Resilience Mechanism (P4)

Diversification reduces single-point failure exposure, a principle supported by supply chain resilience research (Christopher and Peck, 2004). However, diversification is effective only when supported by modular architecture (Baldwin and Clark, 2000).

In hybrid compliance systems, vendor diversification can take multiple forms:

  • Parallel deployment of alternative analytics providers for non-core monitoring tasks.

  • Separation of data ingestion layers from analytics engines through API abstraction.

  • Maintenance of secondary reporting environments capable of emergency activation.

These strategies increase substitutability, enabling rapid reconfiguration under disruption.

However, diversification introduces coordination costs. Transaction cost economics highlights that managing multiple contractual relationships increases monitoring complexity (Williamson, 1985). Accordingly, vendor diversification should be tiered according to risk criticality.

Tiered governance models—categorising vendors based on systemic importance—allow institutions to allocate oversight proportionately (Weill and Ross, 2004). This operationalises P4 within structured governance systems.
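As an added illustration of the dependency-mapping steps in 7.2 and the risk-tiered oversight described above (not code from the paper), the following maps critical functions to vendors, computes per-category concentration, flags functions with no timely substitute, and assigns a governance tier. All vendor names, functions and exit-time estimates are constructed placeholders, and the six-month exit threshold is an assumption of the example.

```python
"""Vendor dependency mapping for critical compliance functions.

Added illustration, not code from the paper. Vendor names, functions and
exit-time estimates below are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed maximum acceptable time to migrate a critical function to an
# alternative provider before the dependency counts as a single point of failure.
MAX_EXIT_MONTHS = 6


@dataclass(frozen=True)
class Dependency:
    function: str                     # compliance function supported
    category: str                     # service category (GRC platform, AI analytics, ...)
    vendor: str
    critical: bool                    # critical or important function for the institution
    substitute_months: Optional[int]  # estimated exit time; None = no viable substitute identified


def concentration_by_category(deps: List[Dependency]) -> Dict[str, dict]:
    """Per service category: each vendor's share of critical dependencies and the
    Herfindahl-Hirschman index (1.0 means one vendor serves everything in the category)."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for d in deps:
        if d.critical:
            counts[d.category][d.vendor] += 1
    result = {}
    for category, by_vendor in counts.items():
        total = sum(by_vendor.values())
        shares = {v: n / total for v, n in by_vendor.items()}
        result[category] = {"shares": shares, "hhi": round(sum(s * s for s in shares.values()), 4)}
    return result


def single_points_of_failure(deps: List[Dependency], max_exit_months: int = MAX_EXIT_MONTHS) -> List[str]:
    """Critical functions served by exactly one vendor that cannot be substituted
    within max_exit_months (or for which no substitute has been identified)."""
    by_function: Dict[str, List[Dependency]] = defaultdict(list)
    for d in deps:
        if d.critical:
            by_function[d.function].append(d)
    spof = []
    for function, ds in by_function.items():
        if len({d.vendor for d in ds}) > 1:
            continue  # parallel providers exist: the function is diversified
        months = ds[0].substitute_months
        if months is None or months > max_exit_months:
            spof.append(function)
    return sorted(spof)


def governance_tier(dep: Dependency, max_exit_months: int = MAX_EXIT_MONTHS) -> int:
    """Tier 1: critical and not substitutable in time (full oversight, tested exit plan).
    Tier 2: critical but substitutable. Tier 3: non-critical."""
    if not dep.critical:
        return 3
    if dep.substitute_months is None or dep.substitute_months > max_exit_months:
        return 1
    return 2


# Constructed dependency register (placeholder vendors and estimates)
DEPS = [
    Dependency("regulatory_reporting", "grc_platform", "VendorA", True, 9),
    Dependency("incident_reporting", "grc_platform", "VendorA", True, 9),
    Dependency("transaction_monitoring", "ai_analytics", "VendorB", True, 12),
    Dependency("sanctions_screening", "shared_utility", "VendorC", True, None),
    Dependency("sanctions_screening", "shared_utility", "VendorD", True, 3),  # parallel provider
    Dependency("training_tracking", "grc_platform", "VendorE", False, 1),
    Dependency("case_management", "ai_analytics", "VendorF", True, 2),
]

if __name__ == "__main__":
    for category, stats in concentration_by_category(DEPS).items():
        print(category, "HHI", stats["hhi"], stats["shares"])
    print("single points of failure:", single_points_of_failure(DEPS))
    for dep in DEPS:
        print(dep.function, dep.vendor, "tier", governance_tier(dep))
```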

7.4 Governance Centralisation and Cross-Vendor Coordination (P5)

The moderating effect of governance centralisation (P5) is particularly salient in vendor ecosystems. Without central oversight, diversification may lead to:

  • Inconsistent service-level standards.

  • Redundant tooling.

  • Fragmented incident reporting.

IT governance literature demonstrates that clear decision rights and centralised coordination mechanisms enhance performance in complex digital environments (Sambamurthy and Zmud, 2000).

Operationally, governance anchoring involves:

  • A resilience oversight committee monitoring cross-vendor exposure.

  • Standardised onboarding and exit procedures.

  • Consolidated incident aggregation dashboards.

Through these mechanisms, vendor diversification translates into measurable compliance effectiveness outcomes:

  • Improved adaptation speed during vendor disruption.

  • Enhanced resilience to ICT outages.

  • Strengthened supervisory defensibility through documented oversight.

7.5 Boundary Conditions

Vendor diversification may fail when:

  • Architectural interfaces are poorly standardised (Hanseth and Lyytinen, 2010).

  • Institutional capability for vendor orchestration is insufficient.

  • Regulatory authorities favour centralised clarity over distributed complexity (Black, 2008).

These boundary conditions reinforce the contingent nature of P4 and P5.


8. Regulatory Volatility and DORA as Institutional Contingency

8.1 Introduction

This chapter operationalises regulatory volatility (P1) within the institutional context of contemporary ICT regulation, including DORA and related supervisory frameworks.

Regulatory volatility refers not merely to frequent rule changes but to structural characteristics of polycentric oversight systems, including overlapping jurisdictions and iterative guidance refinement (Ostrom, 2010; Baldwin et al., 2012).

8.2 Regulatory Volatility and Architectural Adaptation (P1)

Under high volatility, compliance systems must repeatedly adjust:

  • Reporting formats.

  • Third-party disclosure requirements.

  • ICT risk taxonomies.

  • AI transparency documentation.

Monolithic systems propagate change across tightly coupled components, increasing adaptation latency (Simon, 1962). Modular architectures localise change, enabling component-level updates without systemic redesign (Sanchez and Mahoney, 1996).

Thus, P1 predicts that under DORA-induced volatility:

  • Modular systems exhibit shorter regulatory update cycles.

  • Institutions with hybrid architectures demonstrate lower implementation cost per regulatory revision.

Regulatory volatility therefore amplifies the performance differential between architectural configurations.

8.3 Supervisory Accountability and Governance Anchoring (P5)

DORA emphasises management accountability for ICT resilience. Governance anchoring ensures that modular decomposition does not obscure responsibility allocation.

Regulatory scholarship highlights that supervisory trust depends on visible control hierarchies and traceable accountability (Black, 2008). Hybrid systems must therefore demonstrate:

  • Centralised oversight of distributed modules.

  • Documented decision rights.

  • Transparent risk escalation pathways.

Governance anchoring thus moderates the volatility-modularity relationship.

8.4 Compliance Effectiveness Under Regulatory Volatility

Under P1 and P5:

  • Adaptation speed improves through modular reporting tools.

  • Operational resilience strengthens via vendor substitutability.

  • Supervisory defensibility improves through central accountability mechanisms.

DORA functions as empirical context validating the model’s contingency logic.

9. AI Governance and the Limits of Modular Compliance Architectures

9.1 Introduction

The increasing integration of artificial intelligence (AI) into compliance processes fundamentally alters the structural assumptions underlying traditional compliance architectures. While prior sections of this study conceptualise compliance effectiveness as an emergent property of modular, hybrid architectures, AI systems introduce dynamic, probabilistic, and continuously evolving components that challenge the stability and separability required for effective modularisation.

This section extends the proposed framework by examining how AI-enabled compliance systems interact with architectural design and governance mechanisms. Specifically, it argues that while modular architectures enhance adaptability and resilience, they are insufficient on their own to ensure effective governance of AI-driven compliance processes. Instead, AI introduces a distinct set of governance requirements that operate across and beyond modular system boundaries.

The analysis develops the concept of AI lifecycle governance as a critical moderating mechanism that conditions the relationship between architectural structure and compliance effectiveness.

9.2 The Distinctive Characteristics of AI-Driven Compliance Systems

AI-enabled compliance systems differ from traditional rule-based systems along three key dimensions.

First, AI systems are probabilistic rather than deterministic. Compliance decisions—such as transaction monitoring alerts or fraud detection outcomes—are generated through statistical inference rather than fixed rule execution. This introduces inherent uncertainty and variability into compliance processes, complicating both validation and auditability.

Second, AI systems exhibit temporal instability. Model performance evolves over time due to data drift, concept drift, and changing behavioural patterns. As a result, compliance effectiveness cannot be ensured through one-time validation but requires continuous monitoring and recalibration.

Third, AI systems depend on data pipelines that span organisational and technical boundaries. Training data, feature engineering processes, and model outputs often involve multiple systems, vendors, and organisational units, creating complex interdependencies that are not easily encapsulated within discrete modules.

These characteristics fundamentally challenge the assumption—implicit in modular architecture design—that system components can be decomposed into stable, independently governable units.

9.3 Architectural Tensions: Modularity versus Epistemic Dependence

The introduction of AI into compliance systems creates a structural tension between modular decomposition and epistemic dependence.

Modular architectures aim to isolate components to enable independent evolution, substitution, and governance. However, AI systems generate dependencies that cut across these boundaries. For example:

  • A transaction monitoring model depends on upstream data quality, feature engineering logic, and external data sources

  • Model outputs influence downstream decision processes, including case management and regulatory reporting

  • Changes in one domain (e.g., data preprocessing) may have non-linear and delayed effects on model performance

These dependencies are epistemic rather than purely technical: they relate to how knowledge is generated, validated, and interpreted within the system. As such, they cannot be fully addressed through interface standardisation or API-based integration alone.

This creates a paradox: while modular architectures improve system adaptability, they may obscure the cross-cutting dependencies that determine AI system behaviour, thereby undermining transparency and auditability.

9.4 AI Lifecycle Governance as a Moderating Mechanism

To resolve this tension, this study introduces AI lifecycle governance as a critical moderating mechanism within hybrid compliance architectures.

AI lifecycle governance refers to the set of processes, structures, and controls that oversee the development, deployment, monitoring, and retirement of AI models across their entire lifecycle. Unlike traditional governance mechanisms that operate at the level of individual systems or modules, AI lifecycle governance spans multiple architectural components and organisational domains.

It comprises four interrelated dimensions:

Model Development Governance

Controls governing data selection, feature engineering, model training, and validation. This includes documentation of model assumptions, training data provenance, and performance metrics.

Deployment and Integration Governance

Oversight of how models are embedded within operational systems, including interface design, decision thresholds, and fallback mechanisms.

Monitoring and Drift Management

Continuous tracking of model performance, detection of data and concept drift, and procedures for recalibration or retraining.

Auditability and Explainability

Mechanisms ensuring that model decisions can be explained, traced, and justified to internal stakeholders and external regulators.

Crucially, these governance processes operate orthogonally to modular system boundaries, creating a cross-cutting layer of oversight that reconnects otherwise decoupled components.
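The monitoring and drift-management dimension above, as an added illustration that is not code from the paper: input drift per feature is scored with a population stability index, outcome drift is approximated by the change in alert precision recorded by case management, and every finding is kept as an audit-trail record. The PSI thresholds (0.10 / 0.25) are a common convention treated here as an assumption, and all histograms and precision figures are constructed.

```python
"""Drift monitoring and recalibration decision for an AI transaction monitoring model.

Added illustration, not code from the paper. It assumes each model input
feature is bucketed into a histogram per monitoring window and that case
management records alert precision (confirmed alerts / total alerts).
PSI thresholds and all figures below are assumptions or constructed data.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

PSI_MONITOR = 0.10          # enhanced monitoring at or above this (assumed convention)
PSI_RECALIBRATE = 0.25      # recalibration review at or above this (assumed convention)
PRECISION_TOLERANCE = 0.10  # tolerated absolute drop in alert precision (assumption)


def population_stability_index(baseline: Sequence[float], current: Sequence[float],
                               eps: float = 1e-6) -> float:
    """PSI between two histograms given as per-bin counts.
    Empty bins are floored at eps so the logarithm stays finite."""
    if len(baseline) != len(current):
        raise ValueError("histograms must share the same bins")
    b_total, c_total = sum(baseline), sum(current)
    if b_total == 0 or c_total == 0:
        raise ValueError("empty histogram")
    psi = 0.0
    for b, c in zip(baseline, current):
        p = max(b / b_total, eps)
        q = max(c / c_total, eps)
        psi += (q - p) * math.log(q / p)
    return psi


def classify_psi(psi: float) -> str:
    if psi >= PSI_RECALIBRATE:
        return "recalibrate"
    if psi >= PSI_MONITOR:
        return "monitor"
    return "stable"


@dataclass(frozen=True)
class DriftFinding:
    model_id: str
    signal: str     # feature name or "alert_precision"
    value: float
    status: str     # stable | monitor | recalibrate
    rationale: str  # recorded so the decision can be justified to a supervisor


def review_model(model_id: str, baseline_hist: Dict[str, Sequence[float]],
                 current_hist: Dict[str, Sequence[float]],
                 baseline_precision: float, current_precision: float) -> Tuple[str, List[DriftFinding]]:
    """Return the governance decision and the findings that justify it."""
    findings: List[DriftFinding] = []
    for feature, base in baseline_hist.items():
        psi = population_stability_index(base, current_hist[feature])
        findings.append(DriftFinding(model_id, feature, round(psi, 4), classify_psi(psi),
                                     f"PSI {psi:.4f} against thresholds {PSI_MONITOR}/{PSI_RECALIBRATE}"))
    # Outcome drift proxy: precision collapsing while inputs look stable points to concept drift.
    drop = baseline_precision - current_precision
    status = "recalibrate" if drop > PRECISION_TOLERANCE else "stable"
    findings.append(DriftFinding(model_id, "alert_precision", round(drop, 4), status,
                                 f"precision drop {drop:.2f} against tolerance {PRECISION_TOLERANCE}"))
    statuses = {f.status for f in findings}
    if "recalibrate" in statuses:
        decision = "recalibration required"
    elif "monitor" in statuses:
        decision = "enhanced monitoring"
    else:
        decision = "no action"
    return decision, findings


# Constructed monitoring windows: per-bin counts for two bucketed features
BASELINE = {"txn_amount_bucket": [50, 30, 20], "country_risk_bucket": [70, 20, 10]}
CURRENT_Q1 = {"txn_amount_bucket": [30, 30, 40], "country_risk_bucket": [68, 22, 10]}

if __name__ == "__main__":
    decision, findings = review_model("tm-model-v3", BASELINE, CURRENT_Q1, 0.35, 0.32)
    print("decision:", decision)
    for f in findings:
        print(f" {f.signal}: {f.status} ({f.rationale})")
```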

9.5 Interaction with Hybrid Compliance Architecture

Within the proposed framework, AI lifecycle governance moderates the relationship between architectural structure and compliance outcomes in two key ways.

First, it mitigates the opacity introduced by modular decomposition. While modular architectures may fragment data and processing across systems, lifecycle governance re-establishes traceability by linking model inputs, transformations, and outputs across domains. This enhances supervisory defensibility despite increased architectural complexity.

Second, it stabilises system behaviour under conditions of continuous change. By institutionalising monitoring and recalibration processes, lifecycle governance compensates for the temporal instability of AI systems, ensuring that compliance performance remains within acceptable bounds over time.

However, the effectiveness of this moderating mechanism depends on its integration with broader governance structures. Without clear decision rights, accountability frameworks, and coordination mechanisms, lifecycle governance may become fragmented, mirroring the very modularity it seeks to govern.

9.6 Risks and Failure Modes

While AI lifecycle governance enhances the viability of hybrid compliance architectures, it introduces new risks and potential failure modes.

First, governance fragmentation may occur if lifecycle responsibilities are distributed across multiple teams without clear coordination. This can lead to gaps in oversight, particularly at the interfaces between data engineering, model development, and operational deployment.

Second, over-reliance on technical controls may create a false sense of assurance. Model validation metrics and monitoring dashboards may not fully capture systemic risks, particularly in the presence of feedback loops or adversarial behaviour.

Third, regulatory misalignment may arise. Supervisory authorities may require clear accountability structures that are difficult to reconcile with distributed governance models. In such cases, organisations must demonstrate not only technical traceability but also organisational accountability.

These risks highlight that AI lifecycle governance is not a purely technical solution but an organisational capability requiring alignment between architecture, processes, and institutional structures.

9.7 Proposition Extension

Based on the above analysis, the study extends its theoretical framework with the following proposition:

P6 (AI Lifecycle Governance Moderation): The positive relationship between modular hybrid compliance architectures and compliance effectiveness is contingent upon the presence of robust AI lifecycle governance mechanisms that ensure cross-module traceability, continuous validation, and organisational accountability.

This proposition refines the broader model by specifying a critical boundary condition: modularity alone is insufficient in AI-intensive environments.

9.8 Implications for Theory and Practice

The analysis contributes to theory by demonstrating that not all forms of modularity are equally compatible with compliance objectives. In particular, systems characterised by epistemic dependence—such as AI models—require governance mechanisms that transcend architectural decomposition.

For practitioners, the findings imply that investments in modular compliance infrastructure must be complemented by equally sophisticated governance capabilities. Organisations that adopt AI-enabled compliance systems without establishing lifecycle governance risk undermining the very transparency and accountability that compliance architectures are intended to support.

9.9 Summary

AI-enabled compliance systems introduce dynamic, probabilistic, and interdependent components that challenge the assumptions of modular architecture design. While hybrid architectures enhance adaptability and resilience, they must be complemented by AI lifecycle governance mechanisms that operate across system boundaries.

Compliance effectiveness in AI-intensive environments therefore emerges not only from architectural design but from the interaction between modular structures and cross-cutting governance processes that ensure transparency, stability, and accountability over time.

10. Federated Data Governance and Architectural Decomposition

10.1 Introduction

Compliance effectiveness depends on underlying data architecture. This chapter operationalises modularity (P3) and governance centralisation (P5) within data infrastructure design.

10.2 Centralised Data Warehouses and Coupling Constraints

Traditional enterprise data warehouses centralise compliance data flows. While efficient under stable conditions, such centralisation increases adaptation latency under regulatory volatility (Hanseth and Lyytinen, 2010).

Change in reporting taxonomy may require systemic schema modification, propagating across dependent processes.

10.3 Federated Data Governance as Modular Instantiation (P3)

Federated governance models allocate domain ownership of datasets while enforcing shared semantic standards (Dehghani, 2020).

This structure:

  • Enables parallel dataset evolution.

  • Supports rapid regulatory taxonomy updates.

  • Facilitates vendor substitution through API abstraction.

Federation thus operationalises modularity at the data layer.

10.4 Governance Anchoring and Standardisation (P5)

Federation without oversight risks semantic drift. Governance anchoring ensures:

  • Standardised metadata definitions.

  • Enterprise-level lineage tracking.

  • Consolidated reporting harmonisation.

Weill and Ross (2004) demonstrate that governance clarity enhances digital performance outcomes. Applied to compliance data, central oversight preserves coherence across federated domains.
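Federated domain ownership with central anchoring (10.3 and 10.4), as an added illustration that is not code from the paper: domains register their own datasets, a central admission check enforces a shared glossary and mandatory metadata, and lineage is traced across domains from a regulatory report back to its sources. Dataset names, glossary terms and metadata fields are constructed.

```python
"""Federated data catalog with central semantic standards and lineage tracking.

Added illustration, not code from the paper. Dataset names, glossary terms
and metadata fields are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Shared semantic standard (central governance): only these business terms may be used.
GLOSSARY = {"customer_id", "transaction_amount_eur", "counterparty_country", "alert_id"}
# Metadata every domain must supply before a dataset is admitted to the mesh.
REQUIRED_METADATA = ("owner", "retention_days", "classification")


@dataclass(frozen=True)
class DatasetRegistration:
    name: str               # "<domain>.<dataset>"
    domain: str             # owning domain
    fields: Dict[str, str]  # physical column -> glossary term
    sources: List[str]      # upstream datasets this one is derived from
    metadata: Dict[str, str]


class FederatedCatalog:
    def __init__(self) -> None:
        self.datasets: Dict[str, DatasetRegistration] = {}

    def register(self, reg: DatasetRegistration) -> List[str]:
        """Central admission check. Returns violations; the dataset is admitted only if none."""
        violations: List[str] = []
        for key in REQUIRED_METADATA:
            if key not in reg.metadata:
                violations.append(f"{reg.name}: missing metadata '{key}'")
        for column, term in reg.fields.items():
            if term not in GLOSSARY:
                violations.append(f"{reg.name}: column '{column}' uses undefined term '{term}'")
        for src in reg.sources:
            if src not in self.datasets:
                violations.append(f"{reg.name}: upstream '{src}' not registered")
        if not violations:
            self.datasets[reg.name] = reg
        return violations

    def lineage(self, name: str) -> List[str]:
        """All upstream datasets in dependency order, ending with the dataset itself."""
        order: List[str] = []
        seen: Set[str] = set()

        def visit(n: str) -> None:
            if n in seen:
                return
            seen.add(n)
            for src in self.datasets[n].sources:
                visit(src)
            order.append(n)

        visit(name)
        return order

    def domains_involved(self, name: str) -> Set[str]:
        """Domains a supervisor would need to see evidence from for this dataset."""
        return {self.datasets[n].domain for n in self.lineage(name)}


FULL_META = {"owner": "data-steward@example.invalid", "retention_days": "3650",
             "classification": "confidential"}


def build_catalog() -> FederatedCatalog:
    """Register a constructed set of domain datasets feeding a suspicious transaction report."""
    cat = FederatedCatalog()
    for reg in (
        DatasetRegistration("payments.transactions", "payments",
                            {"amt": "transaction_amount_eur", "cust": "customer_id"}, [], FULL_META),
        DatasetRegistration("kyc.customers", "kyc",
                            {"cust": "customer_id", "ctry": "counterparty_country"}, [], FULL_META),
        DatasetRegistration("compliance.aml_alerts", "compliance",
                            {"alert": "alert_id", "cust": "customer_id"},
                            ["payments.transactions", "kyc.customers"], FULL_META),
        DatasetRegistration("reporting.str_report", "reporting",
                            {"alert": "alert_id"}, ["compliance.aml_alerts"], FULL_META),
    ):
        problems = cat.register(reg)
        if problems:
            raise RuntimeError(problems)
    return cat


if __name__ == "__main__":
    catalog = build_catalog()
    print("lineage:", " -> ".join(catalog.lineage("reporting.str_report")))
    print("domains:", sorted(catalog.domains_involved("reporting.str_report")))
    # A registration that breaks the shared standard is rejected with reasons recorded
    rejected = DatasetRegistration("risk.scores", "risk", {"score": "risk_score_v2"},
                                   ["payments.transactions"], {"owner": "risk-team"})
    for v in catalog.register(rejected):
        print("rejected:", v)
```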

10.5 Emergent Compliance Effectiveness

Through modular data governance:

  • Adaptation speed improves.

  • Resilience increases via redundancy and domain autonomy.

  • Supervisory defensibility strengthens through transparent lineage documentation.

Data architecture thus functions as structural substrate enabling all other mechanisms.

11. Governance and Continuous Improvement: Institutionalising Adaptive Compliance

11.1 Introduction: Governance as Dynamic System Coordination

Chapters 5–8 established that adaptive compliance depends on modular architecture, federated data governance, structured supplier oversight, and lifecycle AI management. However, architecture alone does not produce resilience. Without institutionalised governance processes, modular ecosystems drift toward fragmentation, technical debt accumulation, and regulatory opacity.

Governance must therefore operate as a dynamic coordination layer within hybrid compliance architecture.

Adaptive governance theory (Black, 2012) conceptualises regulatory oversight as iterative, learning-based, and responsive to emergent risk. In parallel, digital platform research demonstrates that ecosystem performance depends on governance structures that align distributed actors under shared rules (Tiwana, 2014; Jacobides, Cennamo & Gawer, 2018).

This chapter argues:

Continuous governance transforms hybrid compliance architecture from static design into adaptive institutional capability.

11.2 Central Oversight with Distributed Execution

Hybrid architectures distribute tools and data across domains (Chapters 4–8). Governance must reconcile autonomy with coherence.

Weill and Ross (2004) show empirically that organisations with clearly defined IT decision rights outperform those with ambiguous governance structures. De Haes and Van Grembergen (2009) demonstrate that governance maturity correlates with improved risk transparency and alignment.

Recent research on digital ecosystems confirms that distributed innovation requires central orchestration to prevent integration debt and compliance drift (Sambamurthy, Bharadwaj & Grover, 2021).

In compliance ecosystems, central oversight bodies typically include:

  • Enterprise compliance steering committees

  • Architectural review boards

  • Third-party risk governance forums

  • AI ethics and model oversight committees

These bodies perform meta-governance functions:

  • Standard definition

  • Risk taxonomy alignment

  • Vendor admission control

  • AI validation approval

  • Regulatory impact coordination

Thus:

Proposition 1: The resilience benefits of hybrid compliance architecture are positively associated with governance clarity in decision-right allocation.

Governance centralisation ensures that distributed execution remains aligned with supervisory expectations.

11.3 Continuous Improvement as Risk-Based Evolution

Traditional compliance models emphasised static certification. However, regulatory regimes such as DORA require continuous resilience testing and incident reporting (European Parliament, 2022). Governance must therefore be cyclical rather than episodic.

Organisational learning theory (Argyris & Schön, 1978) suggests that adaptive institutions embed feedback loops enabling double-loop learning—questioning not only operational processes but underlying design assumptions.

In digital risk contexts, Boin and van Eeten (2013) argue that resilience requires continuous monitoring, scenario testing, and institutional learning mechanisms.

Applied to compliance ecosystems, continuous improvement entails:

  • Periodic vendor performance reassessment

  • Data quality audits across domains

  • Regulatory change impact mapping

  • AI drift detection reviews

  • Tool retirement and replacement evaluation

Recent empirical research shows that organisations employing continuous digital risk assessment frameworks detect operational anomalies earlier and recover faster (Ivanov & Dolgui, 2020).

Thus:

Proposition 2: Lifecycle-oriented governance reduces systemic fragility by embedding feedback loops into compliance architecture.

Compliance becomes an evolving system rather than a certified state.

11.4 Governance Maturity and Supervisory Trust

Supervisory regimes increasingly evaluate not only compliance outputs but governance capability.

Black (2012) argues that regulators assess institutional “regulatory capacity” as a determinant of enforcement intensity. Firms demonstrating structured governance processes and adaptive monitoring frameworks receive greater supervisory trust.

Research on regulatory responsiveness (Ayres & Braithwaite, 1992) shows that cooperative supervision models depend on credible internal governance structures.

In DORA contexts, supervisory inspections focus on:

  • Incident escalation pathways

  • Board-level ICT risk oversight

  • Documentation of testing cycles

  • Evidence of third-party lifecycle monitoring

Thus:

Proposition 3: Governance maturity enhances supervisory defensibility by signalling adaptive risk management capability.

Governance therefore operates as both internal coordination mechanism and external legitimacy signal.

11.5 Integration Across Architecture, Data, and Vendors

Continuous governance must integrate:

  • Modular compliance tooling (Chapter 4)

  • Vendor ecosystems (Chapters 6–7)

  • Data Mesh architecture (Chapter 8)

  • AI lifecycle oversight (Chapter 5)

Henfridsson et al. (2018) argue that digital infrastructures enable new governance affordances through embedded coordination mechanisms. Rai and Tang (2022) describe governance-by-design as embedding policy enforcement directly into digital infrastructure layers.

In practice, this integration is achieved through:

  • Central dashboards aggregating domain metrics

  • Federated metadata repositories

  • Automated risk scoring engines

  • Cross-domain incident repositories

Thus:

Proposition 4: Governance effectiveness increases when compliance oversight mechanisms are embedded within digital infrastructure rather than layered externally.

Compliance governance becomes infrastructural.

12. Emerging Technologies, AI Governance, and Controlled Experimentation

12.1 Introduction: Innovation Under Regulatory Constraint

AI-enabled compliance technologies promise enhanced detection accuracy, automation, and predictive risk modelling (Baesens et al., 2021). Yet they introduce epistemic opacity, probabilistic reasoning, and dynamic drift—posing governance challenges in regulated environments.

Chapters 5 and 8 established that AI must be lifecycle governed and data-anchored. This chapter extends that argument:

Responsible AI adoption in compliance ecosystems requires institutionalised experimentation frameworks embedded within governance architecture.

Innovation without governance increases systemic fragility.

12.2 AI Risk Taxonomy in Compliance Contexts

Research identifies four core governance risks in deployed AI systems:

  1. Concept Drift – Performance degradation under changing data distributions (Gama et al., 2014).

  2. Hidden Technical Debt – Accumulated, undocumented dependencies (Sculley et al., 2015).

  3. Opacity and Explainability Gaps – Reduced auditability of black-box systems (Burrell, 2016; Rudin, 2019).

  4. Bias Amplification – Systematic distortions in training data (Mehrabi et al., 2021).

In compliance settings, these risks directly affect regulatory defensibility.

Thus:

Proposition 5: AI-enabled compliance systems introduce temporal and epistemic instability requiring governance structures beyond traditional IT controls.

12.3 Regulatory Sandboxes and Controlled Experimentation

Regulatory sandboxes allow supervised experimentation under defined risk boundaries (Arner, Barberis & Buckley, 2017). Empirical studies show that sandbox participation enhances regulatory learning and reduces innovation-regulation friction (Jenik & Lauer, 2017).

From an organisational perspective, sandboxes:

  • Isolate experimental modules

  • Limit systemic exposure

  • Enable iterative feedback

  • Generate documentation for supervisory dialogue

Riaz et al. (2024) argue that sandboxes institutionalise adaptive governance by aligning innovation incentives with supervisory oversight.

Thus:

Proposition 6: Controlled experimentation environments reduce systemic risk by isolating AI innovation within bounded architectural domains.

Hybrid modular architectures facilitate this isolation.

12.4 Human-in-the-Loop (HITL) as Accountability Anchor

Automation bias literature (Rahwan, 2018) demonstrates that unchecked algorithmic outputs can displace human judgment. Raisch and Krakowski (2021) show that hybrid human–AI decision models outperform fully automated systems in high-risk environments.

In compliance ecosystems, HITL controls provide:

  • Escalation review checkpoints

  • Override authority

  • Contextual judgement

  • Ethical oversight

Recent evidence suggests that structured HITL models improve audit defensibility and reduce false-positive fatigue in AML systems (Hinder et al., 2024).

Thus:

Proposition 7: Human-in-the-loop mechanisms stabilise AI-enabled compliance by anchoring probabilistic outputs within accountable decision structures.

AI governance is socio-technical.

12.5 Proof-of-Concept (PoC) Governance Frameworks

Effective PoC governance includes:

  • Pre-deployment validation against adversarial scenarios

  • Defined success metrics

  • Risk tolerance thresholds

  • Rollback criteria

  • Documentation pipelines

Breck et al. (2017) show that structured ML validation significantly improves production reliability. Rai and Tang (2022) argue that governance-by-design requires embedding experimentation controls into infrastructural layers.

Thus:

Proposition 8: Structured PoC frameworks reduce AI deployment risk by formalising transition criteria from experimentation to operationalisation.

Experimentation becomes governed evolution.
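To make these transition criteria concrete, the following is an added illustration (not code from the paper or from any institution it describes): a small Python governance gate in which a drift measure, a defined success metric, and the human-override rate decide whether a proof-of-concept model is promoted, held in the sandbox for human review, or rolled back, and in which every decision is written to a documentation record. The Population Stability Index as drift measure, the score data, and all threshold values are constructed assumptions.

```python
"""
Added example (not from the paper): a small governance gate that turns the
PoC transition criteria of Section 12.5 (success metrics, risk-tolerance
thresholds, rollback criteria, documentation) and the drift and HITL
mechanisms of Sections 12.2 and 12.4 into executable policy.

Everything below is constructed for illustration: score data, the
Population Stability Index (PSI) as the drift measure, and all threshold
values are hypothetical, not figures taken from the paper.
"""
from dataclasses import dataclass, asdict
from enum import Enum
import math


class Decision(Enum):
    PROMOTE = "promote"    # PoC meets transition criteria, may go to production
    HOLD = "hold"          # stays in the sandbox pending human review
    ROLLBACK = "rollback"  # revert to the previously approved model


@dataclass(frozen=True)
class Thresholds:
    """Hypothetical risk-tolerance thresholds set by the central governance body."""
    min_precision: float = 0.80      # defined success metric for alert precision
    warn_psi: float = 0.10           # drift above this escalates to a human reviewer
    max_psi: float = 0.25            # drift above this triggers rollback
    max_override_rate: float = 0.20  # reviewers overruling the model too often


def psi(reference, live, bins=10, eps=1e-4):
    """Population Stability Index between two score samples in [0, 1].

    Equal-width bins; empty bins are floored at ``eps`` so the log is defined.
    PSI is 0 for identical distributions and grows with divergence.
    """
    def histogram(scores):
        counts = [0] * bins
        for s in scores:
            counts[min(int(s * bins), bins - 1)] += 1
        return [max(c / len(scores), eps) for c in counts]

    ref_p, live_p = histogram(reference), histogram(live)
    return sum((l - r) * math.log(l / r) for r, l in zip(ref_p, live_p))


@dataclass
class Assessment:
    decision: Decision
    psi_value: float
    reasons: list


def assess_poc(reference, live, precision, override_rate, t=Thresholds()):
    """Apply the transition criteria and return a documented decision."""
    drift = psi(reference, live)
    reasons = []
    decision = Decision.PROMOTE

    # Rollback criteria: breach of risk tolerance or failed success metric.
    if drift > t.max_psi:
        reasons.append(f"drift PSI {drift:.3f} exceeds tolerance {t.max_psi}")
        decision = Decision.ROLLBACK
    if precision < t.min_precision:
        reasons.append(f"precision {precision:.2f} below target {t.min_precision}")
        decision = Decision.ROLLBACK

    # Escalation checkpoints: warning-level drift or heavy human override
    # keep the model in the sandbox until a reviewer signs off.
    if decision is Decision.PROMOTE:
        if drift > t.warn_psi:
            reasons.append(f"drift PSI {drift:.3f} above warning level {t.warn_psi}")
            decision = Decision.HOLD
        if override_rate > t.max_override_rate:
            reasons.append(f"override rate {override_rate:.2f} above {t.max_override_rate}")
            decision = Decision.HOLD

    if not reasons:
        reasons.append("all transition criteria satisfied")
    return Assessment(decision, drift, reasons)


def evidence_record(model_id, assessment):
    """Documentation-pipeline entry for supervisory dialogue (plain dict)."""
    rec = asdict(assessment)
    rec["decision"] = assessment.decision.value
    rec["model_id"] = model_id
    return rec


# Constructed sample data: validation scores and three live batches.
REFERENCE = [i / 100 for i in range(100)]
LIVE_STABLE = [min(i + 5, 99) / 100 for i in range(100)]    # mild shift
LIVE_WARN = [min(i + 8, 99) / 100 for i in range(100)]      # shift needing review
LIVE_DRIFTED = [min(i + 40, 99) / 100 for i in range(100)]  # severe shift

if __name__ == "__main__":
    for name, batch in [("stable", LIVE_STABLE), ("warn", LIVE_WARN),
                        ("drifted", LIVE_DRIFTED)]:
        a = assess_poc(REFERENCE, batch, precision=0.85, override_rate=0.05)
        print(name, evidence_record("poc-tm-model-01", a))
```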

12.6 AI Governance within Hybrid Compliance Architecture

Hybrid architecture enhances AI governance by:

  • Isolating ML modules (modularity)

  • Anchoring them in Data Mesh lineage (Chapter 8)

  • Subjecting them to central oversight (Chapter 9)

  • Integrating vendor AI solutions under TPRM controls (Chapter 7)

This layered approach aligns with resilience engineering principles (Boin & van Eeten, 2013).

Thus:

Proposition 9: Hybrid compliance architecture increases AI resilience by combining modular isolation, federated data governance, and central lifecycle oversight.

AI becomes governable rather than destabilising.

13. Demonstrating the Framework Through an Empirical Case Study

13.1 Research Objective and Case Selection

To illustrate and analytically ground the proposed framework of hybrid compliance architecture, this chapter presents an in-depth case study of a large European financial institution undergoing compliance transformation in response to increasing regulatory complexity and the introduction of the Digital Operational Resilience Act (DORA).

The case study adopts a theory-elaborating design. Rather than testing hypotheses statistically, it aims to demonstrate how the architectural mechanisms and governance moderators identified in the conceptual framework manifest in practice. The selected case is representative of systemically important financial institutions operating within polycentric regulatory environments, characterised by high levels of technological interdependence, extensive third-party dependencies, and increasing reliance on AI-enabled compliance systems.

The organisation (hereafter “the Bank”) is a Tier-1 European universal bank with operations across multiple jurisdictions. It manages assets exceeding €500 billion and relies on a complex IT landscape comprising legacy core systems, cloud-based analytics platforms, and more than 120 third-party technology providers supporting compliance, risk management, and operational processes.

13.2 Baseline Architecture: Monolithic Compliance Infrastructure

Prior to its transformation programme, the Bank operated a predominantly monolithic governance, risk, and compliance (GRC) architecture. Compliance processes—including regulatory reporting, incident management, third-party risk management (TPRM), and audit tracking—were centralised within a single enterprise GRC platform integrated with a centralised data warehouse.

This architecture exhibited several defining characteristics:

  • Tight coupling of compliance functions, with shared data schemas and workflows across domains

  • Centralised data ingestion and transformation, requiring upstream system harmonisation

  • Limited interoperability, with external systems integrated through batch-based interfaces

  • High vendor dependence, with critical compliance processes embedded within a single GRC provider

While this configuration provided standardisation and administrative efficiency under relatively stable regulatory conditions, it generated significant constraints under increasing regulatory volatility and ecosystem complexity.

Three structural limitations were observed:

First, regulatory change propagation was slow. Updates to reporting requirements required coordinated modifications across multiple tightly coupled modules, resulting in implementation cycles typically ranging from 8 to 12 weeks.

Second, vendor lock-in limited strategic flexibility. Replacing or augmenting functionality within the GRC platform required extensive reconfiguration and data migration, leading to estimated vendor substitution timelines exceeding 12 months for critical components.

Third, limited data lineage transparency constrained supervisory defensibility. The centralised data warehouse architecture aggregated data across domains but obscured domain-level ownership and transformation logic, complicating traceability during regulatory audits.

Operationally, these constraints manifested in delayed regulatory implementation, limited responsiveness to supervisory guidance, and increasing difficulty in managing third-party risk under emerging regulatory expectations.

13.3 Transformation Drivers and Architectural Redesign

The Bank initiated a compliance transformation programme driven by three interrelated structural pressures.

First, regulatory volatility increased significantly with the introduction of DORA and related ICT risk governance frameworks. These regulations required continuous monitoring, enhanced third-party oversight, and frequent updates to reporting and resilience testing processes.

Second, ecosystem interdependence intensified as the Bank expanded its reliance on cloud infrastructure providers, specialised RegTech vendors, and AI-driven monitoring tools. This increased exposure to ICT concentration risk and created dependencies that could not be effectively managed within the existing monolithic architecture.

Third, AI adoption in compliance processes introduced new governance challenges related to model transparency, drift management, and regulatory accountability.

In response, the Bank undertook a phased transition toward a hybrid compliance architecture. The redesign focused on three core principles aligned with the theoretical framework developed in this study:

  • Modular decomposition of compliance capabilities

  • Federated data governance across organisational domains

  • Centralised governance anchoring for coordination and oversight

The transformation involved the gradual decoupling of compliance functions from the central GRC platform and the introduction of specialised, interoperable systems connected through API-based integration layers.

13.4 Post-Transformation Architecture: Hybrid Compliance Ecosystem

Following the transformation, the Bank’s compliance infrastructure evolved into a hybrid architecture comprising multiple specialised components coordinated through central governance mechanisms.

13.4.1 Modular Compliance Systems

Compliance capabilities were distributed across specialised tools, including:

  • A dedicated TPRM platform for third-party lifecycle governance

  • AI-enabled transaction monitoring systems with independent model governance modules

  • A modular regulatory reporting engine capable of rapid template updates

  • Incident management systems integrated with real-time monitoring tools

These components operated as semi-independent modules connected through standardised APIs, enabling localised updates without requiring system-wide reconfiguration.

13.4.2 Federated Data Governance

The Bank implemented a federated data governance model inspired by Data Mesh principles. Compliance-relevant data ownership was distributed across domain teams (e.g., risk, payments, trading), each responsible for data quality and regulatory interpretation within their domain.

Central governance defined shared standards for:

  • Metadata and semantic definitions

  • Data lineage tracking

  • Reporting harmonisation

This structure enabled parallel evolution of data models while preserving enterprise-level consistency and auditability.

13.4.3 Ecosystem Governance and Vendor Diversification

The Bank reduced concentration risk by diversifying its vendor ecosystem. Critical compliance functions were no longer dependent on a single provider. Instead:

  • Alternative vendors were introduced for non-core analytics functions

  • Data ingestion and processing layers were decoupled from analytics engines

  • Secondary reporting environments were established for resilience purposes

A central governance body—comprising compliance, IT, and risk leadership—was established to coordinate vendor selection, define interface standards, and oversee cross-vendor risk exposure.

13.5 Theoretical Implications and Proposition Mapping

The case provides empirical support for the propositions developed in Chapter 6.

  • P1 (Regulatory Volatility Contingency): The reduction in regulatory implementation time demonstrates the advantage of modular architectures under conditions of high regulatory change.

  • P3 (Modularity Effect): Decoupled compliance modules enabled independent evolution of reporting, monitoring, and vendor management systems.

  • P4 (Substitutability Effect): Vendor diversification reduced dependency risk and improved resilience to potential disruptions.

  • P5 (Governance Moderation): Central governance structures ensured coherence across distributed systems and maintained accountability under regulatory scrutiny.

  • P6 (AI Lifecycle Governance): Independent AI governance modules improved transparency and auditability of model-driven compliance processes.

The findings support the central theoretical claim that compliance effectiveness emerges from the interaction between architectural design and governance mechanisms.

13.6 Boundary Conditions and Implementation Challenges

Despite these benefits, the transformation introduced new complexities and constraints.

First, integration complexity increased. The introduction of multiple modular systems required robust API management and interface standardisation. Without disciplined architectural governance, the risk of integration sprawl emerged.

Second, coordination overhead expanded. Managing multiple vendors and distributed data domains required enhanced governance capabilities, including dedicated oversight committees and cross-functional coordination mechanisms.

Third, capability requirements intensified. The Bank needed to develop new competencies in API architecture, vendor management, and data governance, which were not fully present in the initial organisational structure.

Finally, regulatory perception required active management. Supervisory authorities initially expressed concerns regarding fragmentation and accountability. These concerns were mitigated through clear governance structures and enhanced documentation of decision rights and oversight processes.

13.7 Summary

This case study demonstrates that hybrid compliance architecture can materially enhance compliance effectiveness in environments characterised by regulatory volatility and technological interdependence. By decomposing compliance systems into modular components, distributing data governance, and maintaining strong central oversight, organisations can improve adaptability, resilience, and supervisory defensibility.

At the same time, the case highlights that these benefits are contingent upon governance maturity and organisational capability. Hybrid architectures are not inherently superior but require disciplined implementation and sustained coordination to realise their potential.

14. Conclusion

This paper has argued that the transformation of regulatory oversight—particularly under DORA, EBA outsourcing guidance, and related supervisory regimes—necessitates a corresponding transformation in compliance architecture. Compliance can no longer be understood as a procedurally bounded function concerned primarily with documentation and periodic audit. Instead, it has become a systemic, infrastructural capability embedded within digital ecosystems, vendor networks, distributed data architectures, and AI-enabled monitoring systems.

The analysis demonstrates that monolithic GRC architectures are structurally misaligned with contemporary regulatory conditions characterised by polycentric oversight, ICT concentration risk scrutiny, and rapid technological evolution. Tight coupling, single-vendor dependency, and centralised data abstraction reduce modular substitutability, slow regulatory adaptation, and amplify systemic fragility.

In contrast, hybrid compliance architectures—anchored in modularity, federated data governance, tiered vendor ecosystems, and lifecycle AI oversight—align structurally with resilience-oriented regulatory regimes. Modularity preserves option value and reduces adaptation costs under regulatory volatility. Federated Data Mesh architectures enhance domain accountability and supervisory traceability through embedded lineage. Digital TPRM platforms operationalise ecosystem transparency and concentration risk management. AI governance frameworks institutionalise drift detection, human-in-the-loop oversight, sandbox experimentation, and proof-of-concept transition criteria, stabilising probabilistic systems within accountable decision structures.

Crucially, governance emerges as the integrative constraint across all architectural layers. Central oversight bodies, clearly defined decision rights, and continuous feedback loops transform modular ecosystems from fragmented tool collections into coherent adaptive institutions. Compliance maturity thus becomes a function of governance-by-design—embedding coordination, monitoring, and accountability into digital infrastructure itself.

The unifying insight of this study is that compliance effectiveness in digitally mediated regulatory environments is an emergent property of socio-technical architecture under volatility. Regulatory resilience depends less on static control catalogues and more on engineered substitutability, transparency of interdependencies, lifecycle oversight of evolving systems, and credible exit readiness.

Future research may empirically evaluate hybrid compliance architectures across regulated institutions, measuring resilience outcomes, supervisory reception, adaptation speed, and long-term cost efficiency. Practically, senior compliance and risk leaders must reconceptualise transformation initiatives not as software procurement exercises but as ecosystem design challenges—aligning architecture, vendor governance, data infrastructure, and AI oversight within an integrated resilience strategy.

In an era of systemic digital interdependence, compliance is no longer a reporting function. It is a continuously governed architectural capability shaping institutional robustness, supervisory trust, and financial system stability.

15. References

Abbott, K.W. and Snidal, D., 2009. The Governance Triangle: Regulatory Standards Institutions and the Shadow of the State.

Abraham, R., Schneider, J. & vom Brocke, J., 2019. Data governance: A conceptual framework. Journal of Strategic Information Systems, 28(4), 101–112.

Almada, M., 2023. Regulation by Design and the Governance of Technological Futures. European Journal of Risk Regulation.

Alles, M., 2015. Drivers of the use and facilitators and obstacles of the evolution of Big Data by the audit profession. Accounting Horizons, 29(2), pp.439–449.

Anagnostopoulos, I. (2018), Fintech and regtech: Impact on regulators and banks, Journal of Economics and Business, 100, pp. 7–25.

Argyris, C. & Schön, D., 1978. Organizational Learning. Addison-Wesley.

Armour, J., Awrey, D. and Davies, P. (2024) Principles of Financial Regulation. 2nd edn. Oxford: Oxford University Press.

Arner, D.W., Barberis, J.N. & Buckley, R.P., 2017. FinTech and regulatory sandboxes. Northwestern Journal of International Law & Business, 37(3), pp.371–413.

Arthur, W.B., 1989. Competing technologies, increasing returns, and lock-in by historical events. Economic Journal, 99(394), pp.116–131.

Baesens, B., Höppner, S., Verdonck, T. & Verbeke, W., 2021. Machine learning for financial risk management with Python. IEEE Security & Privacy, 19(4), pp.40–48.

Baldwin, C.Y. & Clark, K.B., 2000. Design Rules: The Power of Modularity. Cambridge, MA: MIT Press.

Baldwin, R., Cave, M. and Lodge, M., 2012. Understanding Regulation: Theory, Strategy, and Practice. 2nd ed. Oxford University Press.

Baldwin, C.Y. & Woodard, C.J., 2009. The architecture of platforms. Platforms, Markets and Innovation, pp.19–44.

Bamberger, K.A., 2010. Technologies of compliance: Risk and regulation in a digital age. Texas Law Review, 88(4), pp.669–739.

Basel Committee on Banking Supervision, 2021. Principles for operational resilience. Basel: BIS.

Besson, P. and Rowe, F., 2012. Strategizing information systems-enabled organizational transformation. Journal of Strategic Information Systems, 21(2), pp.103–124.

Bierwolf, R., Hsu, J. and Weber, R. (2023) ‘Auditability and compliance infrastructures in digital organisations’, MIS Quarterly Executive, 22(1), pp. 1–15.

Black, J. (2021) ‘Decentring regulation: understanding regulatory governance’, Public Law, 2021(3), pp. 495–521.

Black, J. and Baldwin, R. (2019) ‘When risk-based regulation aims low’, Modern Law Review, 82(3), pp. 489–514.

Boin, A. & van Eeten, M.J.G., 2013. The resilient organization. Public Management Review, 15(3), pp.429–445.

Borio, C., Drehmann, M. and Tsatsaronis, K., 2021. The Financial Cycle and Macroeconomics: What Have We Learnt? Journal of Financial Stability, 51, 100790.

Breck, E., Cai, S., Nielsen, E., Salib, M. & Sculley, D., 2017. The ML test score: A rubric for ML production readiness. IEEE Big Data.

Brusoni, S., Prencipe, A. and Pavitt, K., 2001. Knowledge Specialisation, Organisational Coupling, and the Boundaries of the Firm: Why Do Firms Know More Than They Make? Administrative Science Quarterly, 46(4), pp.597–621.

Butler, T. and O’Brien, L. (2019) Understanding RegTech for digital regulatory compliance, Disruptive Innovation in Business and Finance in the Digital World. Bingley: Emerald Publishing.

Buttigieg, C. & Brunelli Zimmermann, B., 2024. The digital operational resilience act: challenges and some reflections on the adequacy of Europe’s architecture for financial supervision. ERA Forum.

Cennamo, C. & Santalo, J., 2013.

Coskun-Setirek, A. et al., 2023. Architecture and Governance of Digital Business Ecosystems: A Systematic Literature Review. Information Systems Management.

Christopher, M. and Peck, H., 2004. Building the Resilient Supply Chain. The International Journal of Logistics Management, 15(2), pp.1–13.

Coglianese, C. and Ben Dor, L. (2023) ‘Algorithmic regulation and governance challenges’, Regulation & Governance, 17(4), pp. 789–808.

Cojocaru, A., 2025. Aligning regulation and governance for cyber resilience. Computers & Security.

Constantiou, I. and Kallinikos, J. (2022) ‘Digital infrastructures and organisational control’, Information and Organization, 32(2), 10040

Cornelissen, J. (2017), Developing propositions in qualitative research, Academy of Management Review, 42(1), pp. 1–16.

David, P.A., 1985. Clio and the economics of QWERTY. American Economic Review, 75(2), pp.332–337.

De Reuver, M., Sørensen, C. and Basole, R.C. (2022) ‘The digital platform: a research agenda’, Journal of Information Technology, 37(1), pp. 4–21.

De Haes, S. & Van Grembergen, W., 2009. An exploratory study into IT governance implementations and its impact on business/IT alignment. Information Systems Management, 26(2), pp.123–137.

Dehghani, Z., 2022. Data Mesh: Delivering Data-Driven Value at Scale. Sebastopol: O’Reilly.

EBA, 2019. Guidelines on Outsourcing Arrangements. European Banking Authority.

Eaton, B., Elaluf-Calderwood, S., Sørensen, C. and Yoo, Y. (2023) ‘Distributed infrastructures and platform ecosystems’, Information Systems Research, 34(2), pp. 612–631.

European Parliament, 2022. Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector (DORA).

Floridi, L. et al., 2018. AI4People—An ethical framework for a good AI society. Minds and Machines, 28(4), pp.689–707.

Gama, J., Žliobaitė, I., Bifet, A., Pechenizkiy, M. & Bouchachia, A., 2014. A survey on concept drift adaptation. ACM Computing Surveys, 46(4), Article 44.

Gawer, A., 2014. Bridging differing perspectives on technological platforms. Research Policy, 43(7), pp.1239–1249.

Gawer, A. & Cusumano, M.A., 2014. Industry platforms and ecosystem innovation. Journal of Product Innovation Management, 31(3), pp.417–433.

Ghadge, A., Dani, S., Chester, M. & Kalawsky, R., 2020. A systems approach for modelling supply chain risks. International Journal of Production Research, 58(6), pp.1–20.

Gaurav, S., Heikkonen, J. & Chaudhary, J., 2025. Governance-as-a-Service: A Multi-Agent Framework for AI System Compliance and Policy Enforcement.

Hanseth, O. and Lyytinen, K., 2010. Design theory for dynamic complexity in information infrastructures. Journal of Information Technology, 25(1), pp.1–19.

Hassan, R., Adebayo, S. & Muenzel, A., 2022. Vendor insolvency and operational continuity risk in fintech supply chains. Journal of Risk and Financial Management, 15(8), 350.

Henfridsson, O., Mathiassen, L. & Svahn, F., 2018. Managing technological change in the digital age. MIS Quarterly, 42(3), pp.907–931.

Hevner, A., March, S., Park, J. and Ram, S. (2004) Design science in information systems research, MIS Quarterly, 28(1), pp. 75–105.

Hu, V.C., Ferraiolo, D., Kuhn, D.R. et al., 2015. Guide to attribute based access control (ABAC) definition and considerations. NIST Special Publication 800-162.

Ivanov, D. & Dolgui, A., 2020. A digital supply chain twin for managing disruption risks. International Journal of Production Research, 59(3), pp.1–18.

Jacobides, M.G., Cennamo, C. & Gawer, A., 2018. Towards a theory of ecosystems. Strategic Management Journal, 39(8), pp.2255–2276.

Jaakkola, E. (2020), Designing conceptual articles: Four approaches, AMS Review, 10(1–2), pp. 18–26.

Jenik, I. & Lauer, K., 2017. Regulatory sandboxes and financial inclusion. CGAP Working Paper.

Kane, G.C., Palmer, D., Phillips, A.N., Kiron, D. and Buckley, N., 2015. Strategy, not technology, drives digital transformation. MIT Sloan Management Review.

Kleppmann, M., 2020. Designing Data-Intensive Applications. Sebastopol: O’Reilly.

Klievink, B., Romijn, B., Cunningham, S. & de Bruijn, H., 2017. Big data in the public sector: Uncertainties and readiness. Information Systems Frontiers, 19(2), pp.267–283.

Kroll, J. et al. (2017) Accountable algorithms, University of Pennsylvania Law Review, 165(3), pp. 633–706.

Li, J. et al. (2026) Decoding the digital finance revolution: how BigTechs, FinTechs and crypto-assets shape financial systemic risk in US and EU, Journal of International Money and Finance, 161:103493

Markus, M.L., 2004. Technochange management. Journal of Information Technology, 19(1), pp.4–20.

Mehrabi, N. et al., 2021. A survey on bias and fairness in machine learning. ACM Computing Surveys, 54(6).

Ostrom, E., 2010. Polycentric systems for coping with collective action and global environmental change. Global Environmental Change, 20(4), pp.550–557.

Park, B.-J., Ko, R. & Jensen, M., 2024. ‘Extended enterprise risk and supply chain cyber resilience’, International Journal of Information Management, 74:102735.

Pfeffer, J. and Salancik, G., 1978. The External Control of Organizations. Harper & Row.

Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. 3rd edn. Auerbach Publications

Peppard, J. and Ward, J., 2016. The Strategic Management of Information Systems. Wiley.

Peffers, K., Tuunanen, T., Rothenberger, M. and Chatterjee, S. (2007), A design science research methodology for information systems research, Journal of Management Information Systems, 24(3), pp. 45–77.

Puranam, P., Singh, H. and Zollo, M., 2012. Organizing for Innovation: Managing the Coordination–Autonomy Dilemma in Technology Acquisitions. Academy of Management Journal, 55(2), pp.239–260.

Racz, N., Weippl, E. & Seufert, A., 2010. A frame of reference for research of integrated GRC. Proceedings of the 2010 ACM Symposium on Applied Computing, pp.106–117.

Raisch, S. & Krakowski, S., 2021. Artificial intelligence and management. Academy of Management Review, 46(1), pp.192–210.

Raji, I.D., Smart, A., White, R.N., et al., 2020. Closing the AI Accountability Gap: Defining an End-to-End Framework for Internal Algorithmic Auditing. Proceedings of the 2020 Conference on Fairness, Accountability, and Transparency.

Rahwan, I., 2018. Society-in-the-loop. Nature, 562, pp.26–28.

Reed, K., Reiners, T. and Currie, W., 2015. Conceptualising Legacy at the Interface Between Business and IT. European Journal of Information Systems, 24(3), pp.326–343.

Riaz, B. & Younas, Z., 2024. Investigating the impact of DORA Regulations on Third-Party Risk Management in the Swedish Financial Sector.

Sambamurthy, V. and Zmud, R., 2000. Research commentary: The organizing logic for IT activities. Organization Science, 11(2), pp.105–114.

Sambamurthy, V. and Zmud, R.W., 2000. IT Leadership and Governance in the Digital Age. MIT Sloan Management Review, 41(2), pp.33–44.

Sambamurthy, V., Bharadwaj, A. & Grover, V., 2021. Shaping agility through digital options: Reconceptualizing the role of information technology in contemporary firms. MIS Quarterly, 45(1), pp.35–68.

Sanchez, R., 1999. Modularity in Design and Systems Architecture. Proceedings of the IEEE International Engineering Management Conference.

Sanchez, R. and Mahoney, J.T., 1996. Modularity, Flexibility, and Knowledge Management in Product and Organization Design. Strategic Management Journal, 17(S2), pp.63–76.

Schreieck, M., Wiesche, M. and Krcmar, H., 2012. Designing the Minimal Specification of Business Platform Ecosystems – A Modularization Strategy Perspective. 45th Hawaii International Conference on System Sciences.

Sculley, D. et al., 2015. Hidden technical debt in machine learning systems. Advances in Neural Information Processing Systems, 28, pp.2503–2511.

Shah, 2025. Digital Operational Resilience Act and ICT risk exposure in the EU financial sector. SSRN (pre-print, peer-reviewed platform).

Simon, H.A., 1962. The Architecture of Complexity. Proceedings of the American Philosophical Society, 106(6), pp.467–482.

Suddaby, R. (2010), Construct clarity in theories of management and organization, Academy of Management Review, 35(3), pp. 346–357.

Svahn, F., Mathiassen, L. & Lindgren, R., 2017. Embracing digital innovation in incumbent firms. MIS Quarterly, 41(1), pp.239–264.

Tiwana, A., 2014. Platform Ecosystems: Aligning Architecture, Governance and Strategy. Boston: Morgan Kaufmann.

Trist, E. and Bamforth, K., 1951. Some social and psychological consequences of the longwall method. Human Relations, 4(1), pp.3–38.

Ulrich, K., 1995. The Role of Product Architecture in the Manufacturing Firm. Research Policy, 24(3), pp.419–440.

Veale, M. and Borgesius, F. (2021), Demystifying the draft EU Artificial Intelligence Act, Computer Law Review International, 22(4), pp. 97–112.

Wagner, S.M. & Bode, C., 2008. An empirical examination of supply chain performance along several dimensions of risk. Journal of Business Logistics, 29(1), pp.307–325.

Weill, P. and Broadbent, M., 1998. Leveraging the New Infrastructure: How Market Leaders Capitalize on Information Technology. Harvard Business School Press.

Weill, P. & Ross, J.W., 2004. IT Governance: How Top Performers Manage IT Decision Rights for Superior Results. Boston: Harvard Business School Press.

Williamson, O.E., 1985. The Economic Institutions of Capitalism. Free Press.

Woods, D. (2015), Four concepts for resilience and the implications for the future of resilience engineering, Reliability Engineering & System Safety, 141, pp. 5–9.

Yeung, K., 2018. Algorithmic regulation: A critical interrogation. Regulation & Governance, 12(4), pp.505–523.