Sunday, November 23, 2025

Leverage AI in risk assessment for Sapin II teams

Juliette, the sole compliance officer of a 1 200-employee industrial company near Lyon, had ten weeks to refresh the Sapin II corruption risk map before an unannounced visit from the French Anti-Corruption Agency (AFA). Her spreadsheet already contained 5 000 lines of vendors, 48 countries of operation, and hundreds of controls. Every additional data request from finance or procurement cost her a day. Two nights before the internal deadline, her laptop froze under the weight of pivot tables. Juliette is not alone. Mid-market teams often face Sapin II obligations with limited resources and mountains of fragmented data.

What Sapin II expects from risk assessment

Article 17 of the Sapin II law requires French companies with more than 500 employees and €100 million in consolidated revenue to maintain a corruption prevention program that includes:

  • A code of conduct that defines and illustrates prohibited behaviour that may amount to corruption or influence peddling, integrated into the company’s internal regulations and adopted after consultation with employee representatives.
  • An internal whistleblowing system that allows employees to report conduct or situations that breach the company’s code of conduct.
  • A regularly updated risk map identifying, analysing and ranking the company’s exposure to corruption risks, taking into account its activities and geographic areas.
  • Risk-based assessment procedures for customers, first-tier suppliers and intermediaries, aligned with the risk map.
  • Internal or external accounting controls to ensure that books, records and accounts are not used to conceal corruption or influence peddling, including through statutory audits where applicable.
  • A training programme for managers and staff most exposed to corruption and influence-peddling risks.
  • A disciplinary regime allowing sanctions against employees who violate the company’s code of conduct.
  • Internal systems to monitor and evaluate the effectiveness of these measures.

The AFA guidelines (2021) stress that risk mapping must be documented, evidence-based, and revisited annually. For many organisations, the bottleneck is not methodology, it is data collection and continuous monitoring.

Why manual approaches no longer scale

  1. High data volume: Even a medium-sized enterprise handles many different activities, operates in several countries and contexts, and applies a large number of controls.
  2. Static snapshots: Traditional risk maps capture a single point in time, while bribery scenarios evolve with market entries, M&A or staffing changes, and residual risks evolve depending on whether mitigation actions and controls are effectively implemented over time.
  3. Subjective scoring: Some companies rely on intuition to score risks. This introduces bias and inconsistency across business units.
  4. Limited bandwidth: Compliance professionals spend most of their time gathering data rather than analysing it.

How AI augments Sapin II risk assessment

Artificial intelligence is not here to replace professional judgment. It frees capacity so experts like Juliette can focus on edge cases that truly need human discernment. Below are the main levers.

1 Automated analysis of data

Natural language processing (NLP) engines read unstructured data and identify the presence of variables such as the sector in which the company is active, the countries where it operates, or the weight of public contracts relative to annual revenue.

Result: teams start the project with a near-complete dataset and insights instead of chasing spreadsheets throughout the company.

2 AI-driven inherent risk scoring

AI agents can analyse these insights from the data against variables relevant to corruption: high-risk jurisdictions, unusual commission structures, politically exposed persons, cash intensity, and rapid revenue growth. Scores are recalibrated continuously as new data flows in.

This preliminary quantification surfaces hotspots (e.g., “agents in West Africa with success fees above seven percent of contract value”) so the compliance team can allocate resources where likelihood and impact are highest.

3 Assessing control effectiveness at scale

Large language models (LLMs) can read policies, internal audit reports, and training logs, classifying each control against ISO 37001 maturity levels. Weak spots—missing approval workflows or outdated training content—appear on a dashboard within hours instead of weeks of manual review.

Figure: A compliance officer looks at a dark-theme dashboard where an AI highlights suppliers and regions in red, amber, and green risk categories for corruption under Sapin II. The screen shows metrics such as inherent risk score, control maturity, and remediation status.

4 Continuous monitoring and red-flag alerts

Rather than waiting a year for the next mapping exercise, an AI engine can run daily or weekly checks, sending alerts when it detects new activities or missing evidence regarding accounting controls.

These signals feed a living risk map, a key expectation of the AFA.
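The inherent risk scoring described in section 2 and the missing-evidence alerts of section 4 can be sketched as a transparent, rule-based model, which is also the kind of documented methodology the AFA expects a compliance officer to be able to explain. The Python below is an added example written for this article; it is not Naltilia's code, and the red-flag weights, thresholds, high-risk country list, control names and sample third parties are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumptions for this example only: the country list, the 7 % success-fee
# threshold (taken from the hotspot example in the article), the required
# controls and the weights are illustrative, not an AFA-prescribed model.
HIGH_RISK_COUNTRIES = {"NG", "GN", "CM"}
COMMISSION_THRESHOLD = 0.07
REQUIRED_CONTROLS = ("due_diligence", "contract_approval", "payment_review")
WEIGHTS = {
    "high_risk_jurisdiction": 3,
    "unusual_commission": 3,
    "pep_exposure": 2,
    "cash_intensive": 1,
    "rapid_growth": 1,
}
CONTROL_REDUCTION = 0.6  # assumption: fully evidenced controls cut inherent risk by 60 %


@dataclass(frozen=True)
class ThirdParty:
    name: str
    country: str            # ISO 3166-1 alpha-2
    commission_rate: float  # success fee as a share of contract value
    pep_link: bool          # politically exposed person connected to the party
    cash_intensity: float   # share of payments settled in cash, 0..1
    revenue_growth: float   # year-on-year growth of business with this party
    evidence: dict          # control name -> True if evidence is on file


def red_flags(tp: ThirdParty) -> list[str]:
    """Return the corruption red flags raised by one third party, in a fixed order."""
    flags = []
    if tp.country in HIGH_RISK_COUNTRIES:
        flags.append("high_risk_jurisdiction")
    if tp.commission_rate > COMMISSION_THRESHOLD:
        flags.append("unusual_commission")
    if tp.pep_link:
        flags.append("pep_exposure")
    if tp.cash_intensity > 0.25:
        flags.append("cash_intensive")
    if tp.revenue_growth > 0.5:
        flags.append("rapid_growth")
    return flags


def inherent_score(tp: ThirdParty) -> int:
    """Weighted sum of red flags, before any control is taken into account (0..10)."""
    return sum(WEIGHTS[f] for f in red_flags(tp))


def control_coverage(tp: ThirdParty) -> float:
    """Share of required controls for which evidence is actually on file."""
    present = sum(1 for c in REQUIRED_CONTROLS if tp.evidence.get(c))
    return present / len(REQUIRED_CONTROLS)


def residual_score(tp: ThirdParty) -> float:
    """Inherent risk reduced in proportion to evidenced control coverage."""
    return round(inherent_score(tp) * (1 - CONTROL_REDUCTION * control_coverage(tp)), 1)


def rating(score: float) -> str:
    """Map a score to the red/amber/green bands used on the dashboard."""
    if score >= 6:
        return "red"
    if score >= 3:
        return "amber"
    return "green"


def triage(parties: list[ThirdParty]) -> dict:
    """Per-party summary: flags, inherent and residual scores, and RAG rating."""
    return {
        tp.name: {
            "flags": red_flags(tp),
            "inherent": inherent_score(tp),
            "residual": residual_score(tp),
            "rating": rating(residual_score(tp)),
        }
        for tp in parties
    }


def missing_evidence_alerts(parties: list[ThirdParty]) -> list[tuple[str, str]]:
    """Continuous-monitoring style alerts: required controls with no evidence on
    parties whose inherent risk is at least amber. Low-risk parties are not alerted."""
    return [
        (tp.name, c)
        for tp in parties
        for c in REQUIRED_CONTROLS
        if inherent_score(tp) >= 3 and not tp.evidence.get(c)
    ]


# Constructed sample third parties (hypothetical names and figures).
SAMPLE = [
    ThirdParty("Agent A", "NG", 0.09, False, 0.10, 0.20, {}),
    ThirdParty("Distributor B", "DE", 0.03, True, 0.30, 0.10,
               {"due_diligence": True, "contract_approval": True, "payment_review": True}),
    ThirdParty("Supplier C", "FR", 0.00, False, 0.00, 0.10, {}),
    ThirdParty("Agent D", "GN", 0.05, False, 0.00, 0.60, {"due_diligence": True}),
]

if __name__ == "__main__":
    for name, row in triage(SAMPLE).items():
        print(f"{name:14} {row['rating']:6} inherent={row['inherent']} residual={row['residual']} flags={row['flags']}")
    for name, control in missing_evidence_alerts(SAMPLE):
        print(f"ALERT {name}: no evidence on file for {control}")
```

Every score is traceable to named flags and weights, so the validation layer the FAQ mentions (a compliance officer approving the final classification) has something concrete to review, and a change in a threshold or weight is a documented methodology change rather than an opaque model update.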

5 Directing human expertise to edge cases

AI triages routine low-risk items, allowing experts to concentrate on:

  • high-risk negotiations that need in-person due diligence,
  • interviews with senior management in newly acquired subsidiaries,
  • qualitative cultural assessments that no algorithm can replace.

Manual versus AI-augmented assessment: a quick comparison

Dimension               Traditional approach                     AI-augmented with Naltilia
----------------------  ---------------------------------------  ---------------------------------
Data collection         Emailing templates, Excel consolidation  API connectors, NLP extraction
Time to first risk map  6-12 weeks                               3-5 days
Update frequency        Annual                                   Continuous
Coverage                Sample-based                             100 percent of transactions
Human focus             Data wrangling                           Judgment on red flags, interviews

Frequently asked questions

Is AI-generated scoring acceptable to the AFA? The agency requires documented methodology and human oversight. AI tools like Naltilia provide both: transparent algorithms and a validation layer where compliance officers approve the final risk classification.

Do we need data science skills to deploy Naltilia? No. Naltilia offers pre-trained models for corruption scenarios and a low-code interface. Most clients rely on standard connectors and compliance-driven configuration, not custom coding.

How often should we refresh the AI model? Models retrain automatically when new enforcement data or internal transactions reach a defined volume. You can also trigger retraining manually after major organisational changes.

Can the same framework cover AML or antitrust risks? Yes, the underlying platform supports multi-risk taxonomies, including antitrust UNE 19603, Spanish UNE 19601 on criminal liability for legal entities and others to be deployed soon, allowing an integrated risk map.

Focus your expertise where it matters

Manual spreadsheets cannot keep pace with today’s corruption risks. Naltilia’s AI in risk and compliance platform automates the heavy lifting, giving compliance officers time to exercise the judgment only humans possess.

Ready to see how living risk maps can transform your Sapin II program? Book a 30-minute demo and discover how Naltilia accelerates compliance while keeping you fully in control.