A new Smarsh survey exposes a critical compliance gap in UK financial services: 61% of staff deploy generative AI daily for client-facing work, yet only 32% trust their firms' surveillance systems to detect AI-generated content risks. The finding signals potential exposure under COBS, ICOBS and SM&C

The Smarsh survey of 2,000 UK financial services professionals reveals a governance crisis hiding in plain sight. Generative AI is embedded in daily workflows across reporting, call notes, client communications and compliance documentation—yet most firms have not upgraded their communication surveillance infrastructure to detect, flag or audit AI-generated content. This is not a hypothetical risk. Under COBS 2.1R and ICOBS 2R, firms must ensure that communications with clients are fair and not misleading. When 61% of staff are using AI systems—ChatGPT, Copilot, Claude—to draft or refine those communications, the audit trail becomes opaque and the compliance check becomes ineffective. A call note annotated by AI, a client email drafted with assistance, a compliance report that blends human and machine authorship: none of these generate the kind of provenance record that JMLSG guidance or FCA supervisory expectations now demand.

The fact that only 32% of respondents believe their firm's surveillance systems can detect AI-content risks is the critical data point. It reveals a confidence gap that translates directly to regulatory risk. Firms relying on keyword filtering, speech-to-text transcription and rule-based content analysis are blind to AI-generated content because those tools were designed for human-authored content. They cannot detect hallucinations, prompt injection, or context collapse—the ways AI-generated content fails. Firms deploying Trovix Watch to track regulatory change are rightly focused on emerging FCA and PRA guidance, but they must simultaneously upgrade their internal surveillance to match the speed of AI adoption. The gap between AI usage (61%) and detection capability (32% confidence) is a ticking regulatory liability.

The compliance implications extend across multiple frameworks. Under SM&CR, senior managers are individually accountable for the adequacy of systems and controls—including surveillance infrastructure. Firms cannot discharge that obligation while 61% of staff deploy AI daily and most surveillance systems remain AI-blind. The FCA's Consumer Duty (PS22/9) requires firms to act in customers' best interests; using unauditable AI in client communications undermines that commitment and creates actionable FCA findings. ICOBS firms face similar pressures; the ICO and FCA have begun coordinating on data protection implications of AI use in financial services. Beyond regulatory risk, there is operational risk: if staff are using external AI services to draft communications, firms may lack ownership of the data, audit trails and decision provenance that auditors and legal teams need. Trovix Sift can extract and classify content from communications to identify where AI may have been used, but the underlying gap remains: firms must invest in detection infrastructure immediately.

The survey was conducted across 2,000 respondents, lending it statistical weight. The findings will not surprise regulators; the FCA has already signalled in multiple speeches that AI governance—including communication surveillance—is a priority for 2026 and 2027 supervision. What the survey provides is quantified evidence of the governance lag: 61% adoption, 32% detection confidence. That ratio will trigger supervisory questions. Firms in the FCA perimeter need to move now. Conduct risk, audit trail opacity, SM&CR accountability, Consumer Duty compliance—all converge on a single requirement: you cannot deploy AI in client-facing functions without simultaneously upgrading your surveillance, logging and audit infrastructure. The Smarsh data suggests the market has not yet made that connection. Boards and audit committees should treat this survey as a governance wake-up call. The regulatory response to the findings will likely arrive in the FCA's next supervision cycle.

Source: ResultSense
