Government is using US and Chinese AI models to write UK law, but regulated firms have no way to audit how or when. That is not innovation — it is compliance risk you cannot ignore.

The New Statesman's April report confirms what insiders already knew: large language models trained on US and Chinese data are now material inputs to UK government decision-making. AI text appears in Acts of Parliament. AI analysis shaped the June 2025 Spending Review. Over £476 million in AI consultancy contracts since 2022 suggests this is not a pilot — it is policy. For mid-market legal, insurance, financial services and accountancy firms, this matters acutely. The regulations you must comply with — whether FCA Consumer Duty PS22/9, SRA Code requirements, PRA SS1/23, or ICO UK GDPR enforcement — are increasingly written by machines trained on corpus data neither the government nor you can fully audit. That is a material gap in your due diligence.

This is not a story about technology being adopted too quickly. It is a story about public institutions adopting private black boxes without the governance infrastructure that ISO 42001 and the EU AI Act now demand for regulated sectors. Government can move faster than the ICO, the FCA or the SRA — and it is doing exactly that. The result: policy is being shaped by systems whose training data, fine-tuning choices and architectural biases are opaque even to the civil servants deploying them. Other sectors spotted this earlier. Legal tech vendors like Harvey and Luminance invested heavily in explainability and provenance tracking because they knew that law firms and in-house teams would demand it. Government, spending billions on offshore consultancy, did not build those guardrails. Now we are all living downstream of that choice.

Trovix's position is simple: if AI is writing the rules, you need to know how those rules were made and you need to monitor when they change. Trovix Watch exists precisely because regulatory interpretation is now fluid — the rules your compliance team read last month may have been drafted, analysed or refined by an LLM yesterday. You cannot trust a static reading of statute. You also cannot rely on vendor assurances from US or Chinese foundation model providers. What you can do is build internal monitoring of regulatory change the way you would monitor credit exposure or cybersecurity incidents — as a live risk, not a periodic audit. That means tooling that watches Parliament, tracks guidance, flags contradictions and surfaces policy drift. It means asking your AI consultants — the ones advising you on Copilot deployment or Harvey implementation — whether they have audited the chain of custody on the regulations you are relying on. Most have not. That is a problem.

Right now, your compliance and risk teams should do three things. First: commission an audit of which recent guidance, regulation or internal policy change may have involved AI analysis upstream. Your regulator (FCA, SRA, PRA, or ICO) will ask this question within 18 months under emerging AI governance frameworks. Do not wait. Second: review your AI vendor contracts — especially those covering governance, explainability and regulatory compliance — to confirm they do not rely on undisclosed government-sourced policy input. Third: resource Trovix Watch or an equivalent capability to monitor regulatory change in real time. The era of annual compliance cycles is over. Your rules are now written continuously, sometimes by code you cannot see.

Source: New Statesman
