The Red Hat survey published in April 2026 should have triggered emergency board meetings across every mid-market law firm, insurer, accountancy practice and financial services outfit in the UK. Eighty-seven per cent of UK IT decision-makers are actively using agentic AI systems. Only 25 per cent have strong governance in place. That is not a gap—that is regulatory negligence. For firms operating under SRA Code, FCA Consumer Duty PS22/9, PRA SS1/23 or ICO UK GDPR, this creates direct exposure. You cannot claim compliance with principles-based regulation when you have no visibility into what your AI systems are doing, no audit trail of decisions made, and no documented accountability for outcomes. The firms telling themselves they'll "sort governance later" are already breaching their regulatory obligations.
This story is part of a much larger pattern: the technology industry has sprinted ahead of governance, and regulated sectors are caught in between. The AI vendor ecosystem—from Microsoft Copilot to Harvey to Luminance—has optimised for speed and capability, not auditability and control. Open-source AI tooling has democratised deployment, which is genuinely good for innovation, but the 89 per cent of UK respondents calling for public policy to enforce open source principles reveals the real anxiety: nobody knows who is responsible when something goes wrong. The FCA, SRA, ICO and FRC are all circling the issue. The EU AI Act has already landed. The Blueprint Two consultation from Lloyd's is pushing insurers toward documented AI risk management. Yet a three-quarters majority of UK IT leaders still lack a coherent governance framework. This is the gap where regulatory enforcement action will land hardest.
Trovix's view is straightforward: governance without visibility is theatre. You cannot govern what you cannot see. Most firms deploying agentic AI today lack three critical things: a real-time inventory of which AI systems are in use, an audit trail of the decisions those systems make, and documented sign-off on who is accountable for them. Tools like Harvey and Luminance are excellent at what they do—document review, pattern recognition—but they do not solve the governance problem. They solve the capability problem. Firms then try to bolt governance on after deployment, which is where most fail. The smarter approach is to build governance into deployment from day one: understand what systems you are running, log what they decide, and maintain an auditable record of who authorised which decision for which client matter or insurance claim. This is not theoretical. It is what the FCA expects under Consumer Duty PS22/9. It is what the SRA expects under its existing principles. Trovix Audit exists because every regulated firm we speak to has discovered they cannot answer basic questions about their AI systems without it.
If you are running a legal, insurance, financial services or accountancy practice right now, your immediate action is not to halt AI deployment—that ship has sailed and the market reward for AI productivity is too high. Your action is to conduct an honest inventory: what agentic AI systems are your teams actually using? Are they vendor products, customised integrations, or in-house builds? Who authorised them? What decisions are they making? Do you have an audit log? Can you show a regulator a complete record of a decision made by AI over the past six months? If the answer to any of these is 'we're not sure', you are exposed. The firms that move fastest on governance in the next six months—not the firms that move fastest on capability—will avoid the enforcement actions that are already being prepared across the FCA, SRA and ICO.
Source: Computer Weekly