The Red Hat survey published in April 2026 landed a hard fact: fewer than half of UK IT leaders have complete visibility of where their AI data is stored and processed. For mid-market legal, insurance, financial services and accountancy firms, this is not an abstract problem. It is a direct breach risk. The SRA Code of Conduct for Solicitors, the FCA's Consumer Duty (PS22/9), the PRA's SS1/23 on model risk management and the ICO's UK GDPR guidance all require regulated firms to know where client data lives, who processes it, and how that processing is audited. A law firm using Microsoft Copilot or Harvey without knowing whether prompts, uploaded documents and generated outputs are retained on US-hosted infrastructure, or used to train the vendor's models, cannot demonstrate that it has met that duty. An insurance firm deploying Luminance for claims assessment without a documented audit trail of the decisions the system influenced is exposed under the FCA's conduct risk framework. This is not a nice-to-have governance question. It is the difference between operating legally and operating recklessly.
The broader pattern is clear: the industry is deploying AI first and asking permission later. Eighty-nine per cent of UK IT leaders want public policy to enforce open source AI principles, the highest figure in Western Europe, yet 75 per cent lack strong governance plans. This is the voice of a guilty conscience. Firms know they should be more careful. They know the EU AI Act signals where regulation is heading. They know Lloyd's Blueprint Two expects systematic AI risk management. Yet they have not connected the technology they are buying to the governance frameworks they must operate within. The gap between intention and practice is closing only because regulators are closing it for them. The FRC's ISA (UK) auditing standards now explicitly require audit firms to assess the controls over the algorithms and automated tools they rely on. The ICO is publishing AI auditing guidance. Compliance is hardening into obligation.
Here is what Trovix believes: AI governance failure is not a procurement problem. It is an implementation problem. Generic enterprise AI, whether Copilot, Claude or ChatGPT, was not built for regulated firms. It was built for general productivity. When you bolt it onto your operations without a documented knowledge base, without audit trails and without data residency control, you are not using AI responsibly. You are using AI recklessly and hoping no one audits you. The alternative is domain-specific AI architecture. Trovix Aria was built from the ground up for regulated firms: it runs on your own infrastructure, sources answers from your own knowledge base, leaves an immutable audit trail for every answer it gives, and never trains on your data. When a solicitor asks Aria about the SRA's latest guidance, the system logs who asked, what question was asked, what answer was given, and which documents in the knowledge base that answer was drawn from. That is auditable AI. Luminance and Harvey offer similar rigour in their domains, but they are point solutions. Aria works across your whole practice because it plugs into your actual knowledge and your actual workflow. The difference is not theoretical. It is the difference between passing a regulatory audit and explaining why you cannot.
What should a mid-market regulated firm do right now? First: stop assuming your cloud AI vendor's defaults satisfy your compliance obligations. Read the data processing agreement, the retention and training terms and the sub-processor list yourself, because the vendor has not done that work for you. Second: map where your AI systems are running, what data they touch (prompts, uploaded documents, retrieved knowledge, generated outputs and the logs of all of these), which regions that data is stored in, and whether you can prove a complete audit trail from question to answer. If you cannot, you have a problem today, not next year. Third: implement Trovix Watch to track the regulatory changes coming at you: the FCA's AI roadmap, the ICO's upcoming AI auditing standards, the PRA's algorithmic accountability expectations. Regulation is accelerating. Fourth: if you are processing documents or extracting data at scale, insist on tools like Trovix Sift that run locally, leave audit logs, and give you complete visibility of what the system is doing. Finally: begin the conversation now with your regulator about your AI governance framework. Do not wait for a breach investigation or a thematic review to discover you were unprepared. The firms that will survive the next wave of AI regulation are the ones that decided governance was non-negotiable before it became enforcement.
Source: Computer Weekly