The Red Hat survey landed like a grenade in April and nobody seemed to notice. 87% of UK IT leaders have deployed agentic AI systems into production. Only 25% have strong governance in place. For regulated firms (law practices, insurers, asset managers, accountancies) this is not a trend to monitor. It is a compliance cliff. The FCA Consumer Duty PS22/9 requires you to understand the tools you use. The SRA Code demands you protect client data. The PRA's SS1/23 model risk management principles and its operational resilience rules ask where your AI vendor really lives and who is accountable for the model. If you cannot answer these questions about the agentic AI you deployed six months ago, you have a problem that will not stay theoretical for long.
This story reveals something deeper than poor planning. It shows the industry has chosen speed over structure. Generic LLM products from Microsoft, OpenAI, and Anthropic got bolted onto law firm workflows, insurance claims processes, and audit trails without anyone asking who owned the model, where the data went, or what happened when the vendor changed their terms. Some firms bought Harvey or Luminance because those products came with their own governance story. Most did not. Most copied what the tech team suggested or what came bundled with Microsoft 365. Now regulators are moving from permissive to prescriptive. The EU AI Act is live. The ICO's AI auditing guidelines are published. The Lloyd's Market Association Blueprint Two explicitly covers generative AI. The window for 'we did not know' is closing.
Here is what this gap actually means: most UK regulated firms have given control of critical data to vendors whose terms of service they have never read, using models they cannot inspect, with no way to explain their decisions to clients or regulators if something breaks. Trovix's approach is different because it starts with ownership and transparency, not convenience. Trovix Audit was built to answer the questions regulators will ask: what is your AI actually doing, where is your data, who can access it, and can you turn it off in 48 hours? That is not paranoia. That is PRA SS1/23 and FRC ISA UK. Trovix Sift runs on your infrastructure or ours under contract you control. Trovix Aria uses your own knowledge base, not a black-box model trained on your competitors' documents. This is not faster than Copilot. It is auditable. It is yours.
What should a mid-market law firm, insurance broker, or accountancy practice do right now? First, audit what you deployed. Where is the data? Who has access? Second, do not upgrade or expand any agentic AI until you can answer: what is the vendor's liability if this breaks? What happens to my data if they go down? Third, start building governance infrastructure around the AI you already have. You cannot rip it all out in 90 days, but you can add visibility and control. Trovix Audit does this. Fourth, for new AI work (knowledge assistants, document review, client-facing automation) pick tools that keep your data in your hands and your logic auditable. Open source principles, which 89% of UK respondents say they want, are a good signal: if you cannot see it, you do not own it. Fifth, budget for governance as a line item. It is not a penalty. It is the price of being a regulated firm in 2026.
Source: Computer Weekly