The Legitimacy Lifecycle: ‘Know Your World’ Risk for humans, AI/ML, and institutions

From KYC to KYW: Governing humans and algorithms with stage-specific KRIs that operationalize risk

Financial institutions don’t just need to be compliant—they need to be legitimate. In an AI-accelerated operating environment, boards and supervisors expect proof that every action—human or algorithmic—serves a legitimate business purpose. 

For a powerful and practical approach, consider the Legitimacy Lifecycle—a Know Your World framework that measures legitimacy across seven relationship domains and three stages: onboarding, ongoing maintenance, and offboarding. Institutions that operationalize the Legitimacy Lifecycle via Key Risk Indicators (KRIs) turn vigilance into workflows.

Traditional compliance frameworks were built to prevent and detect violations. But in an environment of algorithmic decisioning, third-party dependencies, and AI-enabled automation, those frameworks are no longer enough. What institutions need now is a system for managing legitimacy itself—a way to see and govern the total ecosystem of human and machine actors that drive business outcomes. That is the purpose of the Legitimacy Lifecycle.

From Know Your Customer to Know Your World

The Legitimacy Lifecycle begins with Know Your World (KYW)—an expanded form of due diligence that recognizes seven interrelated domains of enterprise risk:

1. Customers
2. Related parties of customers
3. Vendors
4. Employees
5. Managers
6. AI/ML applications
7. Inter-category relationships—the often-overlooked connections among all the above

Each domain produces events—transactions, data exchanges, authorizations, or behaviors—that can either reinforce or erode legitimacy. Know Your World due diligence requires consistent, risk-based monitoring across all seven domains, because legitimacy risk rarely arises in isolation. A “clean” customer file means little if a vendor’s compromised API exposes customer data, or if an internal AI model begins to drift undetected.

The goal of KYW is straightforward: To confirm that every event within your enterprise occurs for legitimate business purposes—by the right actor, at the right time, in the right way—consistent with internal policy and applicable law.

The three stages of the Legitimacy Lifecycle

Legitimacy, like risk, evolves through a lifecycle. Every relationship—whether human, institutional, or algorithmic—passes through three stages: Onboarding, Ongoing Maintenance, and Offboarding. Each stage carries distinctive risk exposures and therefore requires its own Key Risk Indicators (KRIs).

When configured in a GRC or orchestration platform, these KRIs become automated sentinels. They surface anomalies early, trigger workflow, and keep legitimacy management continuous rather than reactive.

Stage 1: Onboarding — Establishing initial legitimacy

At onboarding, the objective is to verify that the relationship itself is sound and transparent.

Sample KRIs by Know Your World Category:
• Customers: Percentage of new accounts with verified ultimate beneficial ownership; number of onboarding profiles missing geographic-risk scoring.
• Related Parties: Ratio of related entities with opaque ownership structures; number of cross-jurisdiction relationships pending enhanced due diligence.
• Vendors: Percentage of third parties lacking completed background checks or security attestations.
• Employees: Time to completion for pre-hire background checks and conflict-of-interest declarations.
• Managers: Number of new managers onboarded without governance-training completion.
• AI/ML Applications: Count of AI models deployed without pre-approval or ethics review.
• Inter-Category Relationships: Instances of shared identifiers (addresses, accounts) linking customers and vendors prior to onboarding approval.

Early-stage legitimacy risk often hides behind convenience—speeding through verification, skipping vendor vetting, or deploying an untested model. Stage-specific KRIs help ensure that trust is built on evidence, not assumption.

Stage 2: Ongoing maintenance — Monitoring behavioral drift

Once a relationship is active, legitimacy risk shifts from who they are to how they behave. Continuous monitoring proves essential because even legitimate actors can drift into illegitimacy through pressure, opportunity, or algorithmic evolution.

Sample KRIs by Know Your World Category:
• Customers: Percentage of accounts with transaction patterns deviating >20-30% from baseline.
• Related Parties: Frequency of payments to or from unregistered affiliates.
• Vendors: Number of vendors operating under expired certifications or insurance coverage.
• Employees: Count of employees accessing production systems outside authorized hours.
• Managers: Ratio of approvals exceeding delegated-authority thresholds.
• AI/ML Applications: Number of models with unvalidated performance metrics or missing audit logs.
• Inter-Category Relationships: Frequency of data exchanges between unlinked systems or unrelated departments.

These KRIs, when orchestrated properly, transform monitoring into foresight. They allow risk teams to detect behavioral anomalies before they metastasize into compliance breaches or reputational loss.

Stage 3: Offboarding — Closing the loop with integrity

Institutions sometimes neglect offboarding, yet it is the stage where legitimacy either culminates or collapses. Terminated vendors retain credentials; former employees keep VPN tokens; deprecated AI models remain live in shadow environments. Every unresolved closure is a potential legitimacy breach.

Sample KRIs by Know Your World Category:
• Customers: Percentage of closed accounts without final sanctions screening and adverse-media check.
• Related Parties: Number of residual data connections to offboarded entities.
• Vendors: Percentage of contracts closed without confirmation of data destruction.
• Employees: Percentage of separated employees retaining active credentials beyond 24 hours.
• Managers: Number of decommissioned roles without successor assignment or oversight transfer.
• AI/ML Applications: Number of retired models still callable via API.
• Inter-Category Relationships: Instances where closure in one domain fails to propagate across others.

Legitimacy is not complete until every access, dataset, and model tied to the relationship has been properly concluded and recorded. The Legitimacy Lifecycle framework helps ensure termination signals propagate to identity/access management (IAM), data-retention workflows, and model registries, with evidence captured for audit.

The Suppose Zone: Practicing imaginative risk

To build a culture of legitimacy, institutions can cultivate what I call imaginative risk awareness. This is the capacity to ask “What if?” before the crisis occurs.

• Suppose a new vendor’s declared data volume doesn’t align with public-utility consumption data—suggesting the operation may not exist as described. Or a new vendor’s declared operating scale conflicts with other permissible public or third-party signals (e.g., property, business registry, or other market data).
• Suppose an employee who never takes vacation suddenly receives a wage garnishment notice.
• Suppose a small AI application purchased for marketing analytics quietly expands permissions until it can query payment data.

Each of these scenarios is plausible, detectable, and preventable—if your Legitimacy Lifecycle is configured to listen. Imaginative risk isn’t paranoia; it’s disciplined curiosity backed by instrumentation.

Operationalizing legitimacy through orchestration

In practice, the Legitimacy Lifecycle comes alive through orchestrated intelligence on a RegTech platform—it’s the integration of KRIs, data sources, and workflows in a unified environment. A modern RegTech platform should not only store rules but act on them, for example by being able to:
• Automatically detect events across all seven KYW domains
• Trigger workflows when KRIs cross thresholds
• Escalate exceptions to human review with full data lineage
• Learn from prior cases to refine thresholds and models
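As an added example (not code from the article or from any RegTech platform), the Python below computes three of the Stage 3 offboarding KRIs listed earlier from constructed closure records and returns the ones that crossed a threshold, which is the "trigger workflows when KRIs cross thresholds" step above. The record shape, field names, sample data and threshold values are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

@dataclass
class Closure:  # hypothetical record shape; the article defines KRIs, not a schema
    subject_id: str
    domain: str                                   # "employee", "vendor", "ai_model"
    closed_at: datetime                           # when offboarding was initiated
    access_revoked_at: Optional[datetime] = None  # None = credentials/API still live
    linked_ids: Tuple[str, ...] = ()              # subjects in other domains tied to this one

def kri_credentials_retained(closures, now, grace=timedelta(hours=24)):
    # Percentage of separated employees whose access outlived the 24-hour grace period
    emps = [c for c in closures if c.domain == "employee"]
    late = [c for c in emps if (c.access_revoked_at or now) - c.closed_at > grace]
    return 100.0 * len(late) / len(emps) if emps else 0.0

def kri_retired_models_callable(closures):
    # Count of retired AI/ML models whose API endpoint was never switched off
    return sum(1 for c in closures if c.domain == "ai_model" and c.access_revoked_at is None)

def kri_unpropagated_closures(closures):
    # Closures whose linked subjects in other domains never received a closure of their own
    closed = {c.subject_id for c in closures}
    return sum(1 for c in closures for lid in c.linked_ids if lid not in closed)

def evaluate(closures, now, thresholds):
    # Return (kri, value, limit) for every KRI above its threshold, ready for escalation
    values = {
        "employees_retaining_credentials_pct": kri_credentials_retained(closures, now),
        "retired_models_callable": kri_retired_models_callable(closures),
        "unpropagated_closures": kri_unpropagated_closures(closures),
    }
    return [(k, v, thresholds[k]) for k, v in values.items() if v > thresholds[k]]

# Constructed sample offboarding records, evaluated three days after closure
T0 = datetime(2025, 1, 10, 9, 0)
NOW = T0 + timedelta(days=3)
SAMPLE = [
    Closure("emp-1", "employee", T0, T0 + timedelta(hours=2)),        # revoked promptly
    Closure("emp-2", "employee", T0, None),                            # VPN token still live
    Closure("vendor-7", "vendor", T0, T0 + timedelta(hours=1), ("svc-acct-7",)),  # linked account never closed
    Closure("model-3", "ai_model", T0, None),                          # still callable via API
]
THRESHOLDS = {"employees_retaining_credentials_pct": 10.0,
              "retired_models_callable": 0, "unpropagated_closures": 0}

if __name__ == "__main__":
    for kri, value, limit in evaluate(SAMPLE, NOW, THRESHOLDS):
        print(f"ESCALATE {kri}: {value} exceeds {limit}")
```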

The new discipline of Legitimacy Management

The shift from compliance to legitimacy marks a profound evolution in risk thinking. Compliance is reactive: It proves that you followed the rules. Legitimacy is proactive: It proves that your institution acts with integrity, consistency, and purpose.

In the era of interconnected humans and intelligent machines, managing legitimacy is not optional. It is the foundation of trust, the precondition of innovation, and the metric by which regulators and markets alike will judge resilience.

The Legitimacy Lifecycle offers a blueprint for that management—continuous, data-driven, and human-centered. It enables every institution to Know Your World and to ensure, with confidence, that everything happening within it is happening as it should.

Image caption: AML Partners' RegTechONE® platform named to the Chartis RiskTech 100 list for 2025.