Product roadmap
What this is. A demand-driven roadmap of the capabilities TrustRelay Atlas is prioritising next. It is derived from the verified competitive landscape (25 incumbents + 32 funded challengers) and a code-level capability audit of Atlas, then scored for build difficulty and phased Now / Next / Later. Where a capability already exists elsewhere in the TrustRelay product group, it is marked integrate rather than build — a deliberate capital-efficiency strategy that turns multi-quarter builds into integrations.
The 20 items below are the highest-demand capabilities adjacent to Atlas's KYB/AML thesis. Difficulty (1–5) is grounded in Atlas's actual architecture, not a guess:
- 1–2 — fits an existing extension point (a data-source plugin, an OSINT module, an ontology entity, a risk matrix, a Studio config surface, or wiring two existing subsystems together).
- 3 — a bounded new service that composes existing seams (the workflow engine, the EventStore, the claims/ownership model, Temporal Schedules).
- 4 — a substantial new surface or subsystem that rides an existing foundation.
- 5 — a new subsystem or data-model paradigm with no Atlas analog (best delivered as a vendor integration where the capability is commoditised).
Integrate vs build: several items already exist as production modules in the broader TrustRelay group's compliance-workflow module and are designed for integration into Atlas — these are marked integrate and carry a much lower effective cost.
The six roadmap themes
Atlas's core today is the resolved, provenance-tracked ownership graph + reproducible risk + durable OSINT investigations. The roadmap wraps that core with the lifecycle (onboarding → monitoring → case management → regulatory output) that turns an investigation engine into an end-to-end compliance product.
Phasing at a glance
Effort vs demand
Numbers in parentheses are the build-difficulty score (1 = fits an extension point … 5 = new subsystem).
| Lower effort (difficulty 1–3) | Higher effort (difficulty 4–5) | |
|---|---|---|
| Higher demand ↑ | 🟢 Quick wins — Event-driven re-scoring (2) · Case management (3) · Maker-checker (3) · Doc-requirement engine (3) · Ownership-change detection (3) · Decision audit trail (3) · PII/GDPR DSR (3) · Journey builder (3) | 🔵 Big bets — Customer portal (4) · pKYC re-screening (4) · AI copilot (4) · goAML STR filing (4) · Watchlist engine (4) |
| Lower demand ↓ | ⚪ Fill-ins — Escalation routing (2) · Periodic review (3) · NL graph query (3) | 🟠 Heavy lifts — Trust Capsule (4) · IDV (5) · Bitemporal graph (5) · Biometrics (5) |
The Quick wins cell (high-demand, low-difficulty) is the credible near-term story: most are extensions of seams Atlas already ships, not greenfield builds.
1 · Close the loop — case management
Atlas already has the spine (a declarative workflow engine with phases/gates, decision options that
require a rationale, a tiered escalation policy with roles + SLAs, and a workflow_tasks inbox). The
gap is a first-class Case object with queues, disposition, and case-action audit.
| Feature | Difficulty | Phase | Priority | Integrate? | Why it's in demand |
|---|---|---|---|---|---|
| Case management — inbox, queues, triage, disposition with audit & FP-suppression | 3 | Now | High | ✅ group | Monitoring without managed cases just creates an unworkable alert backlog; regulated buyers need defensible, auditable disposition (Quantexa auto-closes ~1M FPs, 83% reduction). |
| Maker-checker / four-eyes approval (segregation of duties) | 3 | Now | High | ✅ group | Independent second-line sign-off on CDD/risk decisions is a hard FI requirement supervisors test; without it a platform can't make the approval decision. |
| Escalation routing to EDD / MLRO / second line | 2 | Now | Medium | ✅ group | Guarantees PEP/sanctions/anomalous cases reach the right authority and aren't auto-cleared — the link from monitoring to the STR decision. |
| Immutable, replayable decision audit trail (case-action level) | 3 | Next | High | ✅ group | The most-cited regulated-buyer requirement: time-stamped, role-attributable, replayable evidence of who did what, when, and what they saw. Atlas is strong on data provenance but weaker on case-action audit. |
Offered by: Fenergo (explicit four-eyes), Encompass (keystroke-level lineage), Quantexa, Sumsub. Regulatory: AMLR/AMLD6 record-keeping & accountability; three-lines-of-defence; FATF Rec.20; EU AI Act Art.12 logging.
2 · Open the front door — customer-facing onboarding
Atlas owns the hard internal engine (portal phases, presigned-MinIO upload + SHA-256 confirm, draft conflict detection). The net-new work is the external, account-less surface and risk-adaptive journeys.
| Feature | Difficulty | Phase | Priority | Integrate? | Why it's in demand |
|---|---|---|---|---|---|
| Customer document-upload portal (white-label, token-auth, account-less) | 4 | Now | High | ✅ group | ~89% of applicants abandon over poor onboarding; CSPs/trust offices collect UBO/ID evidence over insecure email today. A branded, auditable channel is both a conversion lever and a CDD necessity. |
| Dynamic document-requirement engine (OSINT-first gap analysis) | 3 | Now | High | ✅ group | Requirements vary by entity/jurisdiction/risk/ownership; the defensible pattern is run OSINT first, then request only what OSINT can't supply (often just director ID). |
| Onboarding journey builder (no-code, risk-adaptive, automation tiers) | 3 | Next | High | ✅ group | The central 2025–26 buyer ask: assemble risk-adaptive flows (IDV, PoA, screening, KYB) without re-engineering — light touch for low-risk, step-up for high. Sumsub is a Gartner MQ Leader on this. |
| Identity verification (IDV) — ID-document capture + authenticity | 5 | Next | Medium | ⛔ vendor | Verifying the natural persons behind the entity is a hard CDD requirement; deepfake fraud roughly tripled in 2025. Best delivered by integrating a licensed IDV vendor, not built in-house. |
| Biometrics / liveness / deepfake detection | 5 | Later | Low | ⛔ vendor | Liveness + 1:1 face match stops synthetic-identity fraud at onboarding; certification-bound (ISO 30107-3). A certified-vendor integration, not an Atlas build. |
Offered by: Sumsub (14,000+ doc types), ComplyCube (ISO 30107-3 PAD L2), Fourthline, Trulioo, Ondato, Encompass (CoorpID outreach + vault). Regulatory: AMLR/AMLD6 CDD + recordkeeping; eIDAS 2 / EUDI Wallet (member-state wallets by Dec 2026); ETSI 119 461 v2 remote-ID; FATF Rec.10/22.
3 · Always-on monitoring — perpetual KYC (pKYC)
Atlas's deterministic, hashed, replayable risk engine is an ideal pKYC substrate; the gap is the standing-monitoring loop around it. AMLR ends the screen-once model.
| Feature | Difficulty | Phase | Priority | Integrate? | Why it's in demand |
|---|---|---|---|---|---|
| Event-driven risk re-scoring on change | 2 | Now | High | ◐ partial | The cheapest high-value win: subscribe the existing EventStore/mutation-queue change events to the existing deterministic risk engine with materiality thresholds. Scrutiny follows real-time risk. |
| Ownership / UBO change detection | 3 | Next | High | ◐ partial | Ownership is the highest-value KYB signal and changes silently; a change of control can introduce a sanctioned owner with no list event at all. Re-review only the ~2–3% of the book that changed. |
| Continuous sanctions/PEP/watchlist re-screening | 4 | Next | High | ◐ partial | Onboarding-only screening leaves customers unchecked against new designations for months. AMLR mandates ongoing risk-based monitoring; record AML fines (>$5B in 2024) make stale screening a board risk. |
| Periodic-review automation (1/3/5-yr refresh with STP) | 3 | Next | Medium | ◐ partial | Full-population refresh is the biggest pKYC cost; straight-through-processing unchanged low-risk cases cuts backlogs. AMLR sets cadence (≥5-yearly all clients, ≥annual high-risk). |
Offered by: ComplyAdvantage, Moody's pKYC, LexisNexis, LSEG World-Check, Napier (pCRA), Quantexa, Hawk. Regulatory: AMLR ongoing-monitoring duty; AMLD6/FATF Rec.10 keep-CDD-current; AMLA harmonised supervision from 2028.
4 · Regulatory output & cryptographic trust
Atlas investigates and scores but has no regulatory output — it cannot yet close the loop to the FIU. This theme adds the defining regulatory deliverable.
| Feature | Difficulty | Phase | Priority | Integrate? | Why it's in demand |
|---|---|---|---|---|---|
| goAML STR/SAR filing (per-FIU XML export) | 4 | Next | High | ✅ group | STR/SAR filing is the obliged entity's core legal duty; without it the platform stops short of the regulatory deliverable. A per-FIU export turns an investigation engine into an end-to-end product. |
| Trust Capsule — tamper-evident sealed evidence (Merkle + PAdES + RFC-3161 timestamp) | 4 | Later | Medium | ✅ group | An independently court/auditor-verifiable evidence package that proves integrity without platform access — converting the AI-governance story into a hard, eIDAS-upgradeable artifact. |
Offered by: Fenergo, Napier and AML suites with reporting modules (STR); the sealed-evidence capsule is largely unique to the TrustRelay group. Regulatory: FATF Rec.20 STR; national FIU goAML schemas; AMLR/AMLD6 reporting; EU AI Act Art.12/13; eIDAS 2 qualified timestamp/signature.
5 · AI copilot & agentic intelligence
Atlas has the resolved graph, a graph-query API, Cypher generation, MCP tooling and per-tenant model instantiation — a trustworthy data foundation a copilot can sit on.
| Feature | Difficulty | Phase | Priority | Integrate? | Why it's in demand |
|---|---|---|---|---|---|
| Conversational compliance copilot (agentic analyst UI) | 4 | Next | High | ✅ group | >78% of Tier-1 banks reported using AI for a material compliance function in 2025 (up from 44% in 2021); copilots collapse multi-screen investigation into one surface (vendors claim ~84% time reduction). The most demand-aligned 2026 item. |
| Natural-language graph query (text-to-Cypher) | 3 | Next | Medium | ◐ partial | Lets non-technical users interrogate the ownership/network graph in plain language ("every company this UBO controls above 25% across NL and RO") — widening adoption and speeding the EDD AMLR requires. |
Offered by: Quantexa (Q Assist), ComplyAdvantage (Mesh/Cassie), Dun & Bradstreet (via Claude MCP), Norm Ai, Greenlite/Bretton, Parcha. Regulatory: no hard mandate; EU AI Act Art.14 human-oversight framing (where Atlas's replayable, explainable risk substrate is a genuine advantage).
6 · Trust, privacy & temporal depth
| Feature | Difficulty | Phase | Priority | Integrate? | Why it's in demand |
|---|---|---|---|---|---|
| Managed watchlist engine — versioned lists + deterministic match + custom lists + FP-suppression | 4 | Next | High | ◐ partial | Today Atlas screens via OSINT/MCP inside an LLM crew; FI buyers expect a deterministic, versioned, managed list layer (regulatory + commercial + the customer's own internal lists) with provenance and auditable false-positive suppression. |
| Field-level PII encryption + GDPR DSR (access/erasure/rectification + Art.30 record) | 3 | Next | High | ✅ group | KYB/KYC platforms hold dense PII on directors/UBOs; EU FI buyers require field-level encryption, an Art.30 record-of-processing, and operational data-subject-rights endpoints — a procurement blocker today. |
| Native bitemporal graph (valid + system time, point-in-time queries) | 5 | Later | Medium | ✅ group | Answers "who controlled this entity on date X" and "what did we know when" — underpinning defensible historical CDD, change detection, and shell/phoenix-company detection. The deepest-reaching item. |
Offered by: LSEG World-Check, Dow Jones, ComplyAdvantage, Moody's, LexisNexis, Dilisense (lists); Quantexa (point-in-time). Regulatory: AMLR/AMLD6 sanctions-screening & UBO-accuracy; GDPR Art.15/16/17/30; DORA; EU AI Act Art.12.
Capital efficiency — build vs integrate
The roadmap's most investor-relevant property: a large share of the highest-demand items are not greenfield builds. They split three ways:
- Extend an Atlas seam — the workflow engine, EventStore, claims/ownership model and Temporal Schedules already exist; these items are wiring, not new subsystems.
- Integrate from the TrustRelay group — the group's compliance-workflow module already ships, in production, several of the highest-demand capabilities (case management with disposition & false-positive suppression, a token-auth white-label portal, a goAML pipeline whose mapper consumes the same canonical-entity model as Atlas, an AI copilot stack, and a PII package explicitly designed as an Atlas drop-in). For these, the cost is integration, not invention — a material de-risking of the roadmap.
- Vendor integration — IDV, biometrics/liveness and qualified e-signature are commoditised and certification-bound; the right move is a normalised adapter over a licensed vendor (Sumsub / ComplyCube / Trulioo; a QTSP for QES), keeping build budget on the differentiated graph/ownership core.
Deliberately out of scope (for now)
A credible roadmap is as much about focus as ambition:
- Real-time transaction monitoring — genuinely adjacent and off-thesis for Atlas's KYB / ownership core. The defensible wedge is to be the resolved-ownership system of record that feeds a monitoring product (Hawk, Napier, ComplyAdvantage), not to become a transaction-monitoring engine.
- Building IDV / biometrics in-house — commoditised and certification-bound; integrate, don't build.
Derived 2026-06-09 from the verified competitive landscape (25 incumbents + 32 funded challengers), a code-level capability audit of Atlas, and a cross-check against the broader TrustRelay group. Difficulty scores reflect Atlas's actual architecture; "integrate" markings reflect capabilities already in production within the group. Roadmap phasing is indicative and subject to commercial prioritisation.