Three-quarters of UK IT leaders lack AI governance, and most cannot see where their data flows. This is not a leadership problem — it's a control architecture problem, and it's about to collide with regulation.

The Red Hat survey is damning but not surprising: 87% of UK IT leaders have deployed agentic AI systems while only 25% have strong governance in place. Worse, fewer than half know where their data is stored or processed. For mid-market law firms, insurers, financial services companies and accountants, this is not an abstract problem. The FCA's Consumer Duty PS22/9, the SRA's continuing focus on compliance, and the ICO's UK GDPR enforcement all converge on a simple fact: you own the risk of every AI system you use, even if you bought it from a vendor. Regulators don't care that your off-the-shelf tool came with a fancy interface. They care that you can explain, audit, and control what it does with client data.

This gap between deployment speed and governance maturity tells a story about how AI was actually adopted in UK professional services. Firms rushed to deploy Harvey, Luminance, Copilot, and dozens of bespoke solutions because they promised competitive advantage and efficiency gains. Some delivered. But the deployment was driven by business units and individual fee-earners, not by governance committees. The result: islands of AI use with no central visibility. A partner using one vendor's document AI, a team using another's case prediction tool, procurement teams experimenting with generative workflows — all operating without shared understanding of data lineage, output validation, or risk. This is the AI version of shadow IT, and it's endemic in the mid-market.

Our view at Trovix is straightforward: agentic AI systems without governance visibility are ticking compliance bombs, not competitive advantages. The problem is not that agentic AI is dangerous — it isn't, if you know what it's doing. The problem is that most firms don't. Generic compliance dashboards and risk matrices don't help because they were built for static systems. Agentic AI is dynamic. It learns, adapts, and makes decisions in real time. You need continuous visibility into what it's processing, how it's deciding, and where the data goes. Trovix Audit was built specifically to close this gap — not to slow down deployment, but to make control and audit trails real. Without it, you're running blind. Compare this with how other vendors approach the problem: most offer post-deployment monitoring (too late to prevent breaches), contractual indemnities (useless in a breach), or generic explainability dashboards (divorced from actual firm data flows). None of that is governance. Governance is knowing, before the system acts, what it will do and why.

Here is what you need to do now, not in six months. First, map every AI system your firm actually uses — not just the sanctioned ones but the real ones, including free tools and side projects. Second, establish who owns the data going into each system and who is accountable for the outputs. Third, demand from your vendors (or build yourself) a real audit trail: what data went in, what decisions were made, what came out, and whether it was correct. Fourth, connect this audit capability to your existing compliance frameworks — the SRA Code, FRC ISA UK, PRA SS1/23 for insurance, whatever applies. This is not optional, and it is not handwaving. The European Union's AI Act is already in force in EU member states, and the ICO has signalled that UK equivalents are coming. Firms that have governance in place will move through that transition smoothly. Firms that are still scrambling in 2027 will face investigation costs, remediation sprints, and reputational damage that no deployment speed ever justified.

Source: Computer Weekly
