For decades, sanctions compliance was largely a paperwork problem: screen names against lists, flag anomalies, file reports. The arrival of generative AI has turned that model inside out. Rogue states and their proxies are now deploying artificial intelligence not just to evade individual checks, but to industrialize evasion at scale, manufacturing legitimacy across entire chains of enterprise workflows. The compliance stack built for yesterday's threat is running out of time.
The Algorithmic Arms Race
A landmark report from the Royal United Services Institute (RUSI), titled Algorithms of Evasion: The Rise of AI-Enabled Proliferation Financing, has given the problem a name and a body count. North Korea and Iran, the report finds, are actively developing and deploying AI models purpose-built for circumventing international sanctions regimes. The tools they are using are not exotic: they are the same generative AI systems available to any enterprise developer.
What makes this alarming is the scale of automation now possible. AI can mass-produce fraudulent documents -- fake passports, vessel registrations, invoices, corporate filings, bank statements -- with enough contextual accuracy to defeat compliance checks that still depend on manual review. Autonomous AI agents can manage shell company networks, move cryptocurrency through mixers, and generate deepfake personas without constant human direction. AI can also analyze customs codes, tariff schedules, and regulatory frameworks across multiple jurisdictions to identify the most effective paths for misclassifying sanctioned or dual-use goods.
"What prompted the paper was an uptick over the last year in North Korea's use of AI to facilitate cyber operations and phishing schemes," said Aaron Arnold, senior associate fellow with the Centre for Finance and Security at RUSI and the report's author. The concern is no longer hypothetical: RUSI describes a newer class of threat involving autonomous agents capable of handling discrete parts of a sanctions-evasion operation -- from entity creation to payment routing -- without a human in the loop.
North Korea's IT Worker Playbook
Nowhere is the collision of AI and sanctions evasion more documented than in North Korea's IT worker schemes. According to a March 2026 OFAC designation action, operatives posing as remote developers infiltrated more than 300 U.S. companies, using stolen or fabricated identities, shell entities, and laptop farms to obtain employment and channel at least $6.8 million back to Pyongyang. Two U.S. nationals were subsequently sentenced for facilitating a scheme that used the stolen identities of at least 80 U.S. persons across more than 100 companies and generated over $5 million in illicit revenue for the DPRK government.
OFAC designated six individuals and two entities on March 12, 2026, targeting a multinational network of facilitators operating across North Korea, Vietnam, Laos, and Spain. European firms have also been targeted: research from the Bloomsbury Intelligence and Security Institute found that North Korean threat actors are using AI-generated worker profiles to infiltrate companies on the continent, creating synthetic identities with sufficient depth to survive recruiter scrutiny and pass video interview screening.
The AI dimension is not incidental. North Korean threat groups are using AI tools to create fake identities, alter documents, and disguise voices -- enabling operatives to clear video interviews, pass background checks, and maintain cover for months or years. What was once a labour-intensive intelligence operation is now a scalable, repeatable product.
What Holland & Knight Is Telling Clients
Law firm Holland & Knight warned in an April 2026 client advisory that the convergence of AI and cyber-enabled tools is fundamentally reshaping sanctions compliance risk -- and that enterprises may be the last to know. The advisory highlights two distinct threat vectors: AI used against companies, as rogue actors infiltrate vendor and hiring pipelines, and AI used by companies without adequate governance, through automated workflows that inadvertently process sanctioned parties or jurisdictions.
The firm urges organizations to treat AI-generated onboarding documents with elevated suspicion, noting that offensive AI learns broadly while defensive AI often learns from fragments. Compliance teams, the advisory argues, are operating with structural disadvantages: bad actors can scrape public information, study enforcement patterns, probe onboarding forms, and refine their behavior against known thresholds. Defenders are responding to the last attack; attackers are preparing for the next one.
The CIO's New Problem
For technology executives, the RUSI report and the Holland & Knight advisory converge on an uncomfortable conclusion: sanctions evasion is now partly an IT governance problem. CIOs, CISOs, compliance officers, and boards need a working governance model that includes privacy-preserving analytics, controlled data environments, comprehensive audit trails, legal safeguards, and clear model-risk accountability.
The Register reported in May 2026 on RUSI's call for three structural reforms: clearer rules allowing banks to deploy AI-powered counter-proliferation tools, updated know-your-customer (KYC) systems capable of detecting deepfakes and synthetic identities, and new "compute-KYC" obligations that would force cloud providers to scrutinize who is renting computing resources and for what purpose.
The compute-KYC proposal is particularly significant for enterprise IT. If regulators move in this direction, cloud procurement and vendor management functions will carry new compliance obligations they were not designed to handle. Shadow AI deployments -- models spun up outside formal procurement channels -- become an additional exposure surface that most organizations have not mapped.
Industry analysts at Governance Intelligence note that by 2026, regulators are expected to demand not just the use of advanced analytics in sanctions programs, but demonstrated transparency, explainability, and governance around those systems. Documentation and audit trails are no longer optional: they are central to demonstrating compliance in the event of an enforcement inquiry. Immutable records showing which AI model flagged what, who reviewed the output, and what action was taken will become baseline expectations.
The Asymmetry Problem
The deepest challenge is structural. Sanctions compliance tools are typically trained on known evasion patterns -- historical data, past enforcement cases, flagged entities. AI-enabled adversaries, by contrast, can optimize continuously against public information: court filings, regulatory guidance, enforcement announcements, and even the structure of compliance screening systems themselves.
This creates an asymmetry that traditional governance frameworks were not built to address. An AI agent running a shell company network does not get tired, does not make the same slip twice, and can iterate its behavior faster than a compliance team can update its controls. The defenders are always, by definition, playing catch-up.
The RUSI report is explicit that the window for building adequate defenses is narrowing. Autonomous AI agents capable of end-to-end sanctions evasion -- from entity creation to transaction execution -- are not a future risk. They are a present one. Enterprises that treat this as a problem for regulators to solve first will find themselves on the wrong side of enforcement actions that hold the unwitting just as accountable as the knowing.
For CIOs and compliance teams, the message is unambiguous: the governance model must catch up to the threat model, and it must do so now.
"What prompted the paper was an uptick over the last year in North Korea use of AI to facilitate cyber operations and phishing schemes."— Aaron Arnold, Senior Associate Fellow, RUSI