A Research Publication on Third-Party Compliance

The Confidence Layer

Compliance teams have more information than ever, yet often less confidence in the decisions they make. This is a body of research into why - and into the architecture that might change it.

The Argument

Three ideas sit at the centre of this research.

Confidence is personal.

Risk may be global - the same supplier, the same findings, visible to everyone. But confidence is personal to the organisation. Two firms can assess the same residual risk and correctly reach opposite decisions, because each applies its own policy, risk appetite, and regulatory exposure. Compliance has spent two decades measuring risk. What organisations actually need is confidence.

The question is not what happened, but what changed.

Compliance decisions are inherently forward-looking. The question is not simply what a third party did in the past, but whether an organisation can have sufficient confidence in how it is likely to behave in the future. Inherent risk can indicate where risk may exist, but confidence to proceed depends on residual risk: what remains after governance, remediation, behaviour, and change over time are considered. Residual risk is not a snapshot, but a temporal narrative - and confidence depends on understanding that narrative.

Compliance still assesses from the outside in.

Third-party due diligence still largely assesses from the outside in. Questionnaires, attestations, and clarification processes allow organisations to engage directly with counterparties, but the information they produce is often fragmented, static, and difficult to evaluate consistently at scale. As a result, outside the highest-risk relationships that receive deeper follow-up, compliance teams still rely heavily on inference when assessing remediation, governance improvements, and changes in behaviour. The problem is not that third parties are never asked for information; it is that their evidence is rarely captured in a structured, testable, and decision-ready form.

The Confidence Layer

The Confidence Layer is an architectural correction: a reasoning layer positioned between automated screening and human assurance. It is built for the Missing Middle, the large population of relationships too numerous for deep investigation yet too important for screening alone, and it is designed not to replace judgement but to structure it. Its function is to transform fragmented, static information into a coherent, time-aware, and defensible understanding of a third party, at population scale. Screening reads the words. The Confidence Layer understands the narrative.

“Confidence is not a feature to be added to existing systems. It is the organising principle of the next one.”

Why this exists

Over the past two years I have spoken with more than thirty-five compliance leaders across Europe and North America. The same themes kept surfacing - in different words, different sectors, different regulatory contexts, but unmistakably the same. This site exists to set those themes down in public, and to keep working through them.

— Hugo Williamson

Continuing the work

New commentary and papers will appear here as the work develops.

The Confidence Layer · theconfidencelayer.com

A research publication on the future architecture of third-party compliance.