惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Schneier on Security
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
T
Threat Research - Cisco Blogs
C
Cyber Attacks, Cyber Crime and Cyber Security
C
CXSECURITY Database RSS Feed - CXSecurity.com
A
Arctic Wolf
Security Latest
Security Latest
Simon Willison's Weblog
Simon Willison's Weblog
I
Intezer
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
T
Troy Hunt's Blog
Latest news
Latest news
Help Net Security
Help Net Security
S
Security Affairs
Webroot Blog
Webroot Blog
The Hacker News
The Hacker News
AI
AI
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
T
Tor Project blog
Forbes - Security
Forbes - Security
Google DeepMind News
Google DeepMind News
AWS News Blog
AWS News Blog
Attack and Defense Labs
Attack and Defense Labs
P
Proofpoint News Feed
www.infosecurity-magazine.com
www.infosecurity-magazine.com
H
Help Net Security
L
Lohrmann on Cybersecurity
S
SegmentFault 最新的问题
Google Online Security Blog
Google Online Security Blog
MongoDB | Blog
MongoDB | Blog
Cyberwarzone
Cyberwarzone
The Last Watchdog
The Last Watchdog
S
Securelist
N
News and Events Feed by Topic
S
Secure Thoughts
F
Fortinet All Blogs
博客园_首页
C
Cybersecurity and Infrastructure Security Agency CISA
量子位
M
MIT News - Artificial intelligence
F
Full Disclosure
T
The Blog of Author Tim Ferriss
T
Tailwind CSS Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Microsoft Security Blog
Microsoft Security Blog
I
InfoQ
P
Privacy International News Feed
L
LangChain Blog
Know Your Adversary
Know Your Adversary
C
CERT Recently Published Vulnerability Notes

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Modern KYC: Serverless, AI and Audit Trails in Financial Services
Fernando Azevedo · 2026-06-24 · via DEV Community

For years, KYC was treated as a workflow problem — forms, manual review queues and batch jobs running at 2 a.m. Regulators tolerated day-long latencies because everyone operated at the same pace. That tacit contract is unraveling: open finance, instant payments and regulatory pressure for real-time auditable decisions are forcing an architectural rupture. The signal I analyze here is not about replacing analysts with AI — it is about redesigning the KYC pipeline as a first-class system: event-driven, serverless where it makes sense, with AI as a co-pilot and auditability as a first-class architectural citizen, not a compliance afterthought.

The Cost of Legacy KYC — and What Changes

  • ~$50 — Average cost per manual KYC onboarding in traditional banks. Source: Thomson Reuters 2023 market estimates; includes analysts, rework and tooling
  • <2 min — Target onboarding latency in fintechs with serverless + AI pipelines. Includes document extraction, identity verification and risk scoring — no human intervention for low-risk cases
  • 60-80% — Reduction in cases escalated to manual review with well-calibrated AI triage. Critically depends on training data quality and confidence thresholds configured per product

The Signal: Why Serverless KYC Is Emerging Now

The movement toward serverless KYC pipelines is not a technological novelty — it is a convergence of pressures that have finally made the architecture both viable and necessary at the same time.

First, tooling maturity. AWS Step Functions Express Workflows has reached a point where orchestrating a 15-step pipeline with conditional branching, exponential retries and compensations is operationally sustainable. The 5-minute per-execution limit of Express Workflows is irrelevant for real-time KYC — if your verification flow takes longer than that, the problem is not the orchestrator, it is the design.

Second, Amazon Textract and Bedrock changed the document extraction equation. Previously, you needed a custom ML pipeline to extract data from driver's licenses, passports or income statements with acceptable accuracy. Today, a combination of Textract with AnalyzeDocument (FORMS + QUERIES mode) and a Bedrock model for semantic validation delivers accuracy comparable to a human analyst on clean documents — with 3-8 second latency per document and cost in the order of fractions of a cent per page.

Third, and perhaps most important for regulated financial environments: AWS's shared responsibility model has evolved with sector-specific certifications (PCI DSS Level 1, SOC 2 Type II, ISO 27001, BACEN Resolution 4.893 alignment). This does not eliminate compliance work, but drastically reduces audit scope when you use managed services with documented controls.

Modern KYC Pipeline — Event-Driven Decision Flow

Complete KYC onboarding flow: from customer submission to auditable decision, with AI as co-pilot and immutable trail in S3.

🌐 AWS — Edge & Ingestion

  • API Gateway REST + WAF + mTLS (edge)
  • S3 — Raw Docs SSE-KMS, Object Lock (storage)

⚙️ AWS — Orchestration

  • Step Functions Express Workflow (compute)
  • Lambda — Extract Textract AnalyzeDoc (compute)
  • Lambda — Risk Score Bedrock Claude / Nova (ai)
  • Lambda — Sanctions Ofac + PEP API (compute)

🧠 AWS — AI & Decisão

  • Amazon Bedrock Claude 3 Sonnet / Nova (ai)
  • Lambda — Decision Rules Engine + AI (compute)

🗄️ AWS — State & Audit

  • DynamoDB KYC State Table (data)
  • DynamoDB Streams → Audit Fanout (messaging)
  • S3 — Audit Log Object Lock WORM (storage)
  • CloudWatch SLO Dashboards + Alarms (security)

Flows

  • client -> apigw: POST /kyc multipart
  • apigw -> s3raw: encrypted doc upload
  • apigw -> sfn: start execution
  • sfn -> lambda_extract: Step 1: extraction
  • lambda_extract -> bedrock: semantic validation
  • sfn -> lambda_sanction: Step 2: sanctions
  • sfn -> lambda_risk: Step 3: risk
  • lambda_risk -> bedrock: LLM scoring
  • sfn -> lambda_decision: Step 4: decision
  • lambda_decision -> dynamo: persist KYC state
  • dynamo -> dynamo_streams: change stream
  • dynamo_streams -> s3audit: WORM audit record
  • dynamo_streams -> cloudwatch: SLO metrics

Auditability as Architecture, Not as Logging

The most common mistake I see in KYC architectures — even in experienced teams — is treating the audit trail as a side effect: you save the decision result somewhere and call it an audit log. Regulators like BACEN, CVM and COAF do not accept this. They want to know why the decision was made, what data was available at the time of the decision and who or what executed each step.

The architecture I propose inverts this logic: the audit trail is a first-class output of the pipeline, not an application log. Each Step Functions execution generates a unique execution ARN that serves as the traceability primary key. Each Lambda participating in the flow persists its input, output and metadata (Bedrock model version, Lambda function version, millisecond-precision timestamp) in DynamoDB with a partition key kyc#customerId#executionId. DynamoDB Streams then propagates each mutation to an S3 bucket with Object Lock in COMPLIANCE mode — meaning not even the root account can delete the record before the configured retention period (minimum 5 years for KYC in Brazil).

A critical detail: when you use Bedrock as a decision co-pilot, the prompt sent to the model, the full response and the model used (including version) must be part of the audit record. This is not optional — it is what allows reconstructing the decision months later during a regulatory audit. Use explicit modelId in Bedrock calls (never latest) and persist usage.inputTokens + usage.outputTokens for cost traceability and reproducibility.

What Changes for Architects with Modern KYC

  • Orchestration replaces point-to-point integration: Step Functions Express Workflows with per-state retry configuration (maxAttempts: 3, backoffRate: 2.0, intervalSeconds: 1) eliminates retry logic scattered across multiple services and centralizes failure handling — including compensations (partial state rollback).
  • AI as co-pilot, not arbiter: Bedrock should augment human decision-making in medium-confidence cases, not replace it. Define explicit thresholds: score < 0.3 = auto-approve, 0.3-0.7 = human review queue, > 0.7 = auto-reject. These thresholds are business parameters, not code constants.
  • Idempotency is a requirement, not an optimization: Each Lambda in the pipeline must be idempotent using the Step Functions executionId as the idempotency key. DynamoDB with ConditionExpression: attribute_not_exists(pk) ensures retries do not create duplicate records or trigger repeated sanctions checks.
  • Separation of data and control planes: The control plane (Step Functions, Lambda, Bedrock) and the data plane (DynamoDB, S3) must have separate IAM roles with strict least-privilege. The extraction Lambda role must not have write access to the audit bucket — only the Streams fanout Lambda has that permission.
  • KYC SLOs are business SLOs: Define explicit SLOs: p99 decision latency < 90s for automatic cases, extraction error rate < 0.5%, sanctions false positive rate < 0.1%. These numbers must be in CloudWatch Dashboards with alarms linked to runbooks, not just in architecture presentations.
  • Contextual encryption, not universal: Use KMS with customer-managed keys (CMK) and key policies that restrict usage by aws:PrincipalTag/Environment and aws:RequestedRegion. PII data in DynamoDB should use attribute-level encryption with AWS Encryption SDK — not just table encryption — so a compromised key does not expose the entire table.

Real Trade-offs: Serverless KYC Is Not a Silver Bullet

Before recommending this architecture to any client, I need to be honest about where it fails or requires extra care.

Cold starts in critical flows: Lambda with Java or .NET runtime can have cold starts of 800ms-2s. For real-time KYC, this is unacceptable if it occurs in the critical path. The solution is not to blindly migrate to Go or Python — it is to use Provisioned Concurrency for functions in the critical path (extraction and decision), with Application Auto Scaling configured to scale based on ProvisionedConcurrencyUtilization. The additional cost is real (~$0.015/GB-hour for provisioned concurrency vs $0.0000166667/GB-second for on-demand) — you need to model the load profile before deciding.

Textract limitations on low-quality documents: Textract AnalyzeDocument has degraded accuracy on scanned documents with resolution < 150 DPI, uneven lighting (document photo taken with a phone in a dark environment) or laminated documents with glare. In production, you need image pre-processing (Lambda with OpenCV or Amazon Rekognition DetectText as fallback) and a minimum confidence threshold per extracted field — if Confidence < 85 on required fields like name or tax ID, the document must be rejected for resubmission, not processed with uncertain data.

Bedrock cost at scale: A Claude 3 Sonnet call for risk scoring with 2000-token context costs approximately $0.003-0.006 per call. At 100,000 onboardings/month, that is $300-600/month in inference alone — manageable. But if you use Bedrock for every validation step without criteria, cost scales quickly. The rule I apply: Bedrock enters only when deterministic rules cannot resolve — not as the first processing line.

Throttling of external sanctions APIs: OFAC, PEP and CSNU lists are queried via third-party APIs with aggressive rate limits (typically 10-50 req/s per account). During onboarding spikes, this creates a bottleneck. The solution is a 24h TTL cache in ElastiCache Redis for already-verified entities, with forced invalidation when lists are updated — reduces external calls by 70-80% in flows with periodic re-verification.

Architectural Positioning: How to Prepare Your Organization

The most critical gap I observe is not technological — it is organizational. Teams operating legacy KYC have compliance analysts who understand the rules but not the technical pipeline, and engineers who understand the pipeline but not the regulatory implications of each design decision. Serverless + AI architecture amplifies this gap if not managed.

The first change I recommend is creating a KYC Design Authority — a small group (3-5 people) with representation from engineering, compliance and product that reviews and approves changes to the decision pipeline. This is not bureaucracy: it is the mechanism that ensures a change in the Bedrock prompt does not inadvertently violate a credit policy or create unintentional discriminatory bias.

Second, invest in decision observability, not just infrastructure observability. CloudWatch Metrics for Lambda latency is necessary but insufficient. You need business metrics: approval rate by customer segment, risk score distribution over time, disagreement rate between AI and human analyst in review cases. These metrics are the signal that the model is drifting or that business rules changed without pipeline updates.

Third, treat Bedrock prompts as infrastructure code: versioned in Git, reviewed via PR, tested with a curated set of test cases (including regulatory edge cases) before any deployment. A prompt that changes credit approval criteria without going through compliance review is equivalent to a code deploy that changes pricing logic without approval — unacceptable in a regulated financial environment.

Finally, plan for multi-region from the start if you operate in markets with data residency requirements. In Brazil, KYC data with PII must reside in sa-east-1 (São Paulo). If you need active-active DR, DynamoDB Global Tables replication works, but you need KMS key policies that restrict decryption to the primary region — the replica can store but must not decrypt without explicit approval.

The Auditability Paradox with Generative AI: LLMs are inherently non-deterministic: the same prompt with temperature > 0 can produce different responses. This creates a regulatory paradox — how do you audit a decision that may not be reproducible? The architectural answer is: you do not audit reproducibility, you audit traceability. Persist the exact prompt, exact response, exact modelId and timestamp. If a regulator questions the decision, you show the reasoning that existed at that moment — not that the system would make the same decision today. For high-consequence cases (credit rejection, fraud suspicion), use temperature: 0 and top_p: 1 to maximize determinism, and document this as an AI governance policy.

Critical Anti-Patterns in Serverless KYC

  • Monolithic KYC Lambda: A single Lambda function that does extraction, sanctions check, risk scoring and persists the result. Impossible to unit test, impossible to retry granularly, impossible to audit which step failed.
  • Using latest as Bedrock model version: Guarantees a model update changes production decision behavior without any review. Always pin to a specific version: anthropic.claude-3-sonnet-20240229-v1:0.
  • Audit log in CloudWatch Logs as primary source: CloudWatch Logs has configurable retention but lacks immutability guarantees equivalent to S3 Object Lock. For regulatory purposes, CloudWatch is operational observability — S3 with Object Lock COMPLIANCE is the official record.
  • Sharing KMS key across environments: Using the same CMK for dev, staging and production means a developer with dev access can potentially decrypt production data. Separate keys per environment with SCPs that block cross-account usage are mandatory.
  • Step Functions Standard Workflow for real-time KYC: Standard Workflows have ~1s state transition latency and cost per state transition ($0.025/1000 transitions). For a 15-state pipeline with 100k executions/day, cost is ~$37/day in transitions alone. Express Workflows are appropriate for KYC: execution < 5 min, duration-based cost, and support up to 100,000 executions/second.

Modern KYC Through the AWS Well-Architected Lens

  • security: Zero Trust in the pipeline: each Lambda assumes a role with least-privilege, no shared role across functions. KMS CMK with key policy restricted by aws:PrincipalTag. PII encrypted at attribute level in DynamoDB with AWS Encryption SDK. WAF with AWS managed rules + custom rules for rate limiting by tax ID at API Gateway.
  • reliability: Step Functions Express with per-state retry and catch to Dead Letter Queue (SQS FIFO with deduplication). DynamoDB with on-demand capacity to absorb onboarding spikes without throttling. S3 Object Lock for audit durability. Circuit breaker for external sanctions APIs via Lambda with Redis cache.
  • performance: Provisioned Concurrency for Lambdas in the critical path. Asynchronous Textract with SNS notification for documents > 1 page. Bedrock with streaming response for progressive user feedback. DynamoDB with partition key kyc#customerId + sort key timestamp#executionId for efficient per-customer queries.
  • cost: Express Workflows vs Standard: 60-80% savings in orchestration cost for short-duration pipelines. Bedrock only for medium-confidence cases (deterministic rules first). ElastiCache Redis for sanctions cache reduces external API cost by 70%. S3 Intelligent-Tiering for audit logs with decreasing access over time.

Curator's Note: What I Would Do Differently the First Time: In KYC projects I have been involved with, the most consistent regret is not having defined AI confidence thresholds as business parameters in Systems Manager Parameter Store from the start — they end up hardcoded in Lambda code and changing a threshold becomes a full CI/CD pipeline deploy, when it should be a compliance-approved configuration change in minutes. The second regret is not including the internal audit team in the design review before the first production deploy — they identify traceability requirements that engineers do not anticipate, such as the need to record which version of the OFAC list was in effect at the time of verification. I learned that in regulated financial environments, the audit architecture must be designed with auditors, not for auditors.

Verdict: Adopt, but with Explicit AI Governance

The serverless KYC architecture with AI assistance is mature enough for production in regulated financial environments — the pieces are available, the use cases are documented and the costs are justifiable. The risk is not in the technology; it is in governance. Teams that adopt Bedrock for KYC decisions without an explicit AI governance framework — documented thresholds, versioned prompts, drift metrics, mandatory human review for high-consequence cases — are creating regulatory liability that will surface in the next audit. My recommendation: start with a pilot in a low-risk product segment, measure the disagreement rate between AI and human analyst for 90 days, calibrate thresholds with real data and only then expand. The rush to automate KYC is understandable — the cost of getting it wrong in a regulated environment is far greater than the cost of doing it slowly and correctly.

References and Further Reading


Originally published at fernando.moretes.com. By Fernando F. Azevedo — Senior Solutions Architect.