
Existing Spend → AI Price Collapse: compliance evidence packs

Compliance-heavy SMEs do not pay to be compliant once; they pay to re-prove it over and over. AI is collapsing the price of the proof, not the price of the responsibility.

17 June 2026

The Proof Tax: across repeated requests (audit, questionnaire, insurer, regulator) a flat dotted BASE line — the controls you own and the responsible person who reviews and owns the answer, the accountability the ICO and FCA expect — stays level, while a steep cyan RATE line — find, summarise, re-submit — falls toward the axis as AI is applied. The shaded gap between them is what AI buys down; the base line is what it cannot.
// By the numbers
£36bn
estimated annual compliance burden on UK smaller firms (379m hours) [1]
80%
of a security questionnaire Vanta drafts automatically for review [4]
54%
of UK firms actively using AI in 2026, 9 in 10 with no headcount change [8]
// The signal

The Proof Tax is the recurring cost of re-evidencing controls you already hold. The FSB's "Playing by the Rules" report sizes the wider regulatory compliance burden on smaller firms at roughly £36 billion and 379 million hours a year [1]. That is the repeated cost in a compliance-heavy SME: not getting compliant once, but re-proving the same controls every time an auditor, regulator or customer asks. AI is collapsing the rate of that tax by automating evidence retrieval and questionnaire reuse, and Vanta drafts up to 80% of a security questionnaire automatically [4]. What it cannot collapse is the obligation underneath: as a matter of good governance, a responsible, competent person should still review and own the control and the answer, and the ICO and FCA expect outcomes to be evidenced [2][3].

// Existing spend affected

Finding, summarising and re-submitting the same control evidence for every audit, customer questionnaire and supplier request. The FSB's "Playing by the Rules" report sizes the regulatory compliance burden on smaller firms at roughly £36 billion and 379 million hours a year.

// Analysis

You don't pay to be compliant. You pay to keep proving it.

A 40-person fintech in Leeds passes a SOC 2 audit in March. In April a prospect's procurement team sends a 220-question security questionnaire. In May the ICO's accountability expectations come up in a board pack. In June a banking partner asks for the same incident-response evidence the auditor saw twelve weeks earlier. Four requests, one underlying truth about the business, and the team rebuilds the answer four times from the same scattered folders. Nobody became more compliant in those four months. They just kept paying to demonstrate a thing that was already true.

Here is the bet this briefing will lose on if it is wrong. Most compliance-AI pitches sell you a drafter, a model that writes your policies and frameworks. We think the first durable payback is the opposite end of the workflow: the dull, repeated act of re-evidencing controls you already have. If the market reprices policy-writing faster than it reprices evidence-retrieval, we are wrong. Watch where Vanta, Drata and Conveyor actually point their automation and you'll see the answer. They lead with evidence collection and questionnaire reuse, not prose [4][6][7].


What this means: The recurring cost is re-proving controls you already hold — that is the line AI can buy down.

What is the Proof Tax, and why does it bite?

Give the cost a name and it stops being background noise. The Proof Tax is the recurring price of re-evidencing controls you have already implemented. Like any tax it has two parts: a base (the controls you must hold) and a rate (how often, and how laboriously, you re-prove them). The base is fixed by your sector and your size. The rate is set by how many auditors, regulators, insurers and customers ask, and by how badly your evidence is filed when they do. The rate is the part that bites, and manual finding, summarising and re-submitting of evidence is what drives it up.

UK smaller firms spend an estimated £36 billion and 379 million hours a year on compliance [1][10]. That is the FSB's "Playing by the Rules" measure of the burden as a whole. But the tax that bites a compliance-heavy SME is the rate: the same SOC 2 control evidenced for the audit, then again for three customer questionnaires, then again for an insurer. Current cyber-security supplier due diligence makes this concrete. Due-diligence packs routinely demand evidence of MFA, patching, incident-response plans and certificates, the same controls re-evidenced for every buyer who asks. Same controls. Wildly different rate.

Why is the proof rate collapsing now?

The thing AI is genuinely good at is the thing the Proof Tax is made of: retrieval, summarisation and reuse across a messy pile of documents. That is why the GRC platforms have converged on it. Vanta says its agentic workflow drafts roughly 80% of a security questionnaire automatically from your existing knowledge base of past answers and evidence [4]. Conveyor automates customer security reviews and serves answers through a self-service Trust Centre, so the buyer retrieves proof without a human re-typing it [7]. Drata's pitch is to collect evidence automatically, monitor controls continuously and stay audit-ready, the rate driven toward zero by never letting the evidence go stale [6]. And it shows up in a real UK SME. CrowdComms, a Dorset event-technology firm, reused the evidence base it had built for ISO 27001 to clear SOC 2 through Vanta and get through inbound supplier questionnaires faster. As its information security manager Donna Fielding put it: "I wasn't having to duplicate work" [9].

Read the demand signal underneath the tooling. UK SMEs' AI adoption more than doubled in three years and landed on tasks, not headcount. The British Chambers of Commerce put active use at 54% of firms in 2026, with more than nine in ten reporting no change in workforce size [8]. Firms are buying AI to clear repeated low-value work, and few jobs are more repeated or lower-judgement than answering question 147 of a questionnaire you've answered four times before. The rate is collapsing because the tooling finally fits the shape of the drag, and the market has quietly agreed to point it there first.


What this means: Evidence retrieval and reuse is exactly the work AI is good at — and where the GRC tools already point.

Where does AI stop saving you money?

Here is the line the cheerful demos skip. AI collapses the rate of the Proof Tax; it cannot touch the base. And the base is not the evidence, it is the accountability. The ICO's accountability principle is blunt: you must be able to demonstrate your compliance [2]. A faster way to retrieve that record does not make it less yours. Get the scope right, too. The ICO's stricter bar on human involvement applies specifically to decisions that are solely automated and carry a legal or similarly significant effect: a narrow gate, not a blanket ban on automation [5].

Financial services draws the same line by a different route. Under the FCA's Consumer Duty in PRIN 2A, firms must monitor and regularly review the outcomes their customers actually experience and evidence that they are delivering good outcomes [3]. This is about proving fair outcomes, not a universal rule that a human must sign every decision. The honest reading across both regulators: AI can fetch, summarise and pre-fill the proof, but as a matter of good governance a responsible, competent person should still review and own the control and the answer. The machine drafts question 147; a human who understands it presses send.

What happens when a faster wrong answer scales?

The danger in collapsing the rate is that you also collapse the friction that used to catch errors. When a human re-typed an answer for the fourth time, the boredom occasionally caught a control that had quietly lapsed. Auto-fill removes that accidental check. An AI that confidently retrieves last year's penetration-test result for this year's questionnaire has not saved you time. It has helped you misrepresent your security posture to a customer at machine speed, across every questionnaire at once. Vanta is explicit that its drafts are reviewed and approved before submission, and that design choice is the whole point [4].

So the rule that protects you is the same rule the regulators already wrote. Keep a competent human accountable for the answer, keep the evidence trail auditable, and treat AI as the thing that assembles the pack — never the thing that signs it. A compliance owner who lets the model retrieve and draft, then reviews and owns the sign-off, gets the rate collapse without the liability. A compliance owner who lets it auto-submit has simply bought a faster way to be confidently, repeatedly wrong.
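That rule can be made mechanical, and it helps to see it as code. The following is an added illustration written for this briefing, not code from the page or from Vanta, Drata or Conveyor: a small Python model of an evidence store in which every artefact carries a validity window, retrieval always picks the newest artefact per control, drafting refuses to pre-fill from stale evidence (last year's penetration test is blocked, not reused), and submission is impossible without a named human approver and a clean audit trail. Control names, validity windows, file names, dates and the approver are constructed assumptions for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed validity windows: how long an artefact may stand as proof of a control
# before it must be re-collected. These are illustrative, not any framework's rule;
# set them per control from your own audit, insurer and customer requirements.
VALIDITY = {
    "pen-test": timedelta(days=365),
    "mfa-enforcement": timedelta(days=90),
    "ir-plan-review": timedelta(days=365),
}


@dataclass(frozen=True)
class Evidence:
    control: str
    collected: date
    artefact: str  # pointer into the single owned evidence store

    def is_current(self, today: date) -> bool:
        return today <= self.collected + VALIDITY[self.control]


@dataclass
class Draft:
    question: str
    control: str
    evidence: Optional[Evidence]
    stale: bool
    answer: str


def latest_evidence(store: list[Evidence], control: str) -> Optional[Evidence]:
    """Retrieval step: the newest artefact for a control, or None if nothing is filed."""
    matches = [e for e in store if e.control == control]
    return max(matches, key=lambda e: e.collected) if matches else None


def draft_answers(store: list[Evidence], questions: list[tuple[str, str]], today: date) -> list[Draft]:
    """Pre-fill each question from current evidence; block rather than reuse stale proof."""
    drafts = []
    for question, control in questions:
        ev = latest_evidence(store, control)
        if ev is None or not ev.is_current(today):
            drafts.append(Draft(question, control, ev, True,
                                "BLOCKED: no current evidence for this control; re-evidence before answering"))
        else:
            drafts.append(Draft(question, control, ev, False,
                                f"Evidenced by {ev.artefact} (collected {ev.collected.isoformat()})"))
    return drafts


def approve_and_submit(drafts: list[Draft], approver: str, today: date) -> list[dict]:
    """Sign-off gate: a named human, no stale answers, and an audit record per answer."""
    if not approver:
        raise ValueError("submission requires a named human approver")
    stale = [d.question for d in drafts if d.stale]
    if stale:
        raise ValueError(f"refusing to submit; stale or missing evidence for: {stale}")
    return [
        {"question": d.question, "control": d.control, "artefact": d.evidence.artefact,
         "collected": d.evidence.collected.isoformat(),
         "approved_by": approver, "approved_on": today.isoformat()}
        for d in drafts
    ]


# Constructed sample store and questionnaire (not real artefacts or customer questions).
TODAY = date(2026, 6, 17)
EVIDENCE_STORE = [
    Evidence("pen-test", date(2024, 2, 1), "pentest-2024-report.pdf"),
    Evidence("pen-test", date(2025, 3, 10), "pentest-2025-report.pdf"),
    Evidence("mfa-enforcement", date(2026, 5, 20), "idp-mfa-policy-export.json"),
    Evidence("ir-plan-review", date(2026, 1, 15), "ir-plan-v4-signed.pdf"),
]
QUESTIONS = [
    ("Q147 When was your last external penetration test?", "pen-test"),
    ("Q12 Is MFA enforced for all staff accounts?", "mfa-enforcement"),
    ("Q88 When was the incident-response plan last reviewed?", "ir-plan-review"),
]

if __name__ == "__main__":
    drafts = draft_answers(EVIDENCE_STORE, QUESTIONS, TODAY)
    for d in drafts:
        print(d.question, "->", d.answer)
    try:
        approve_and_submit(drafts, "compliance.owner", TODAY)
    except ValueError as exc:
        print("gate held:", exc)
    refreshed = EVIDENCE_STORE + [Evidence("pen-test", date(2026, 6, 2), "pentest-2026-report.pdf")]
    for row in approve_and_submit(draft_answers(refreshed, QUESTIONS, TODAY), "compliance.owner", TODAY):
        print(row)
```

The design choice is the one the text argues for: the model is allowed to retrieve and draft, but a lapsed control produces a visible block rather than a plausible answer, and nothing leaves the system without a named person attached to every line of the audit trail.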


What this means: Auto-fill removes the boredom that used to catch lapsed controls — so the human sign-off has to put it back.

MikaHari's view: buy down the rate, never the responsibility

So here is the verdict, plainly. Do not buy AI to be your compliance officer; buy it to stop your compliance officer re-proving the same controls fifty times a year. The base of the Proof Tax (the controls you hold, the records you own, and a responsible person who reviews and owns the answer) is not for sale — it is the accountability the ICO and the FCA expect you to keep, not automate away [2][3]. The rate, the repeated act of re-evidencing, is collapsing fast, and the GRC tools are already pointed straight at it [4][6][7]. Start there: a single owned evidence store, AI to retrieve and pre-fill, a competent human on every sign-off. Let the machine sign instead and you ship a confidently wrong answer at scale, then discover the base was never yours to automate away — a customer and a regulator lost in the same quarter. Get it right and the win compounds quietly: the same evidence, found once and reused everywhere, with a human owning the call and an audit trail you can hand to anyone who asks. You were never paying to be compliant. You were paying the rate, and the rate is finally going down.

// FAQ

What is the Proof Tax in compliance?

It is the recurring cost of re-proving controls you have already implemented: re-evidencing the same controls each time an auditor, regulator, insurer or customer asks. It has a base (the controls and records you must hold) and a rate (how often and how laboriously you re-prove them). AI is collapsing the rate, not the base.

Can AI legally complete compliance evidence and security questionnaires?

Yes, as a drafting and retrieval aid with a human in the loop. Tools like Vanta draft around 80% of a questionnaire for human review before submission. Under the ICO accountability principle and the FCA Consumer Duty, firms must be able to demonstrate compliance and evidence good outcomes, so as a matter of good governance a responsible, competent person should review and own the control and the answer — AI assembles the pack but a human still signs it.

Does the ICO require a human to make every automated decision?

No. The ICO's stricter human-involvement bar applies specifically to decisions that are solely automated and carry a legal or similarly significant effect — a narrow category. Most evidence retrieval and questionnaire drafting falls well outside it, provided a competent human reviews and owns the output and the audit trail.

Where should a compliance-heavy SME start with AI?

Start by collapsing the rate: build one owned evidence store, use AI to retrieve and pre-fill recurring questionnaires and audit requests from it, and keep a competent human accountable for every sign-off. This buys back the repeated hours without surrendering the responsibility the ICO and FCA still place on a person.

// How this was made

This briefing was researched and drafted by AI agents, then independently fact-checked before publishing. We show the workings so you can judge the quality yourself — not take our word for it.

Soul 9/10 · GEO 9/10 · Sources 10 · Independently fact-checked
  1. Researched + drafted · mikahari-briefing skill
  2. Humanised + GEO pass · editing agent
  3. Scored on soul + rigour · briefing-quality-scorer skill (independent)
  4. Fact-checked against sources · Codex, web-enabled (independent)
  5. Corrections applied · editing agent

Independently fact-checked: A web-enabled agent audited every cited statistic, named case and regulator claim against its source; flagged items were corrected before publishing. Codex (independent), 18 June 2026.

// What to do next

Take this further.

If this workflow pattern fits your business, run a free Business Friction Scan to see where the drag is in your own operation — or book a call to discuss a small pilot.