OpenAI's new Codex plugins for finance and legal work sound impressive until you ask the question that actually matters: who is liable when an AI agent makes a decision in a regulated firm? The answer is never the AI vendor. Yet most firms still buy AI tools as though it is.
Industry View · Trovix Brief · Legal · Financial Services · Insurance · Accountancy

OpenAI announced Codex agent plugins for equity investment, banking and sales workflows this week, with plans to extend into legal and corporate finance. This is being framed as a race with Anthropic, and it is — but not the race that matters for mid-market UK firms. What matters is not whether ChatGPT or Claude can draft a better contract or run a compliance scan. What matters is whether your firm can explain to the FCA, the SRA, or the ICO why you deployed an AI system at all, who validated it, what went wrong when it inevitably did, and how you've logged the decision to use it. OpenAI's plugins solve none of this.

We are watching a familiar pattern repeat. Major AI vendors build general-purpose capabilities, bolt on industry labels ("legal mode", "finance mode"), and declare victory while regulated firms scramble to retrofit governance around them. It happened with GPT-4 and ChatGPT in 2023. It happened again when Harvey and Luminance launched with similar claims. Some of these tools are technically solid. But technical capability and regulated deployment are not the same thing. The EU AI Act (in force, with its obligations phasing in through 2026, and reaching UK firms whose AI systems are placed on the EU market or whose outputs are used in the EU) and the FCA Consumer Duty (PS22/9) now treat AI governance as non-optional. The SRA Code and the PRA's SS1/23 model risk management principles are tightening. Yet vendors keep selling capability instead of governance.

Trovix's view is simple: if your AI solution doesn't come with mandatory audit trails, role-based approval workflows, and a compliance dashboard built in from the start, it is not a solution for a regulated firm. It is a compliance problem wearing a tool's clothing. Compare this to how the better insurance and legal-focused vendors now operate. Luminance has pushed harder on explainability. Legora has embedded SRA compliance checks. But even these lag behind where they should be: built-in governance as the core feature, not an afterthought. Trovix Audit exists because we saw firms buying AI tools, deploying them, and discovering only after a regulatory request that they had no way to prove they had validated the model, monitored for bias, or tracked which decisions an AI actually made. OpenAI's Codex plugins will not change this. They will amplify it.

Here is what a mid-market firm should do right now. First: do not assume that because a vendor is famous and well-funded, it has solved the governance problem. It hasn't. Second: audit your current AI deployments against the PRA's SS1/23 model risk management principles and the FRC's ISAs (UK) as your baseline. Third: before deploying any new AI system, whether Codex, Claude, or anything else, confirm that it can log every decision it makes, flag when a decision should escalate to a human reviewer, and produce a defensible audit trail within 48 hours of a request. If a vendor cannot commit to this in writing, the tool is not ready. Fourth: use Trovix Watch or equivalent regulatory monitoring to track how the FCA, SRA, and ICO are actually defining AI compliance, not how vendors are marketing it. The race OpenAI thinks it is running will be won by compliance, not capability. The vendors who understand this will win the market. The ones building plugins will discover too late that regulated firms never wanted faster AI. They wanted defensible AI.

Source: Bloomberg News