The moment you let AI send a text message or place a call on your behalf, you have entered one of the most heavily regulated areas of US commerce. The Telephone Consumer Protection Act governs every commercial voice call and text message sent in the United States, and the penalties for getting it wrong are measured per message. When AI is doing the sending — at volume, around the clock — the stakes only rise.
The mistake most organizations make is treating compliance as something to bolt on once the AI works. That gets the order backwards. Compliance is architecture, not a checkbox. By the time a compliant AI communication system ships, the rules are not a feature on top — they are the foundation underneath.
What TCPA Actually Requires
TCPA sets specific requirements for both voice and SMS, and an AI system has to honor all of them automatically — because at AI volume, manual review is not an option.
For voice calls: prior express written consent is required for auto-dialed or pre-recorded calls to mobile phones. The Do-Not-Call Registry must be scrubbed before every outbound batch. Recording requires disclosure to the party before it begins. And opt-outs must be honored immediately.
For SMS messages: prior express written consent is required for marketing SMS. Opt-out keywords — STOP, QUIT, CANCEL, UNSUBSCRIBE — must be honored within the required window. The sender must be identified on every message, and opt-out instructions must appear on the first message and periodically thereafter.
An AI communication system that cannot enforce these rules at the architecture level is not a time-saver. It is a liability generator.
10DLC: The Registration Layer
Beyond TCPA, the wireless carriers impose their own requirement. All Application-to-Person SMS — business SMS sent via software — must be registered through the 10DLC system managed by The Campaign Registry.
This is not optional in any practical sense. Unregistered A2P SMS gets filtered by carriers at increasing rates; unregistered messages have suffered substantial deliverability loss, and ongoing violations can result in number deactivation. In other words, skipping 10DLC doesn't just create legal risk — it quietly destroys the deliverability the whole system depends on.
Handling 10DLC correctly means registering the brand and campaign before the first SMS is sent, declaring the use cases, documenting the message flow, securing carrier approval, and monitoring throughput to stay within registered limits. InWork registers all SMS campaigns before sending the first message.
DNC Scrubbing Before Every Batch
Consent at opt-in is necessary but not sufficient. Phone numbers move onto do-not-call lists over time, and a compliant system has to check before every send, not once at signup.
That means querying the National DNC Registry before every outbound voice and SMS batch, honoring an internal opt-out list maintained per client, identifying wireless numbers so auto-dialed calls never reach cell phones without written consent, and respecting state DNC lists across all 50 states. In an AI system, this scrubbing is a mandatory step in the send pipeline — the batch cannot go out until it passes.
Building Compliance Into the System
The principle that ties this together is that the compliance rules live in the architecture, not in a policy binder. The same governance pattern that protects agentic AI generally applies here: confidence-gated human approval, full audit trails, and hard technical boundaries that a creative prompt cannot bypass.
In a compliant AI communication system, this looks like:
- 10DLC-registered campaigns through The Campaign Registry, configured before any outbound batch runs
- DNC pre-scrub as a non-skippable pipeline step against national, state, and internal opt-out lists
- TCPA disclosure built into the opt-in flow and consent language
- Audit logging of every message, consent record, and opt-out, for regulatory review
This is exactly how InWork's automotive BDC agent operates: it responds to inbound leads in under 60 seconds, but every follow-up sequence it sends is 10DLC registered, DNC-scrubbed, and TCPA-compliant by design. The speed and the compliance are not in tension, because the compliance is part of the architecture that makes the speed safe.
Why This Matters More in the Agentic Era
When a human sends a text, a person is in the loop to catch an obvious mistake. When an autonomous agent sends thousands of messages, there is no human reviewing each one. The governance has to be encoded into the agent's execution — spend guardrails, rate limiting, and compliance checks that the agent cannot route around.
This is why compliance-aware architecture is a precondition for agentic communication, not an enhancement to it. An agent without these controls is fast and dangerous. An agent with them is fast and safe.
The Bottom Line
TCPA, 10DLC, and DNC compliance are not paperwork to be completed after the AI is built. They are design constraints that shape the system from the first line of code. Built in from the start, they cost nothing in speed and eliminate an entire category of legal and deliverability risk. Bolted on at the end, they are a retrofit that never quite fits.
If your AI is going to communicate with customers at scale, the compliance architecture has to come first. Book a call and we will walk through what compliant AI communication looks like for your use case.