Most UK regulated firms have deployed agentic AI without knowing where their data goes or who approved it. Governance documents will not fix this—visibility will.
AI Governance · Trovix Audit · Legal · Insurance · Financial Services · Accountancy

The Red Hat survey lands like a warning klaxon that most UK regulated firms should have heard months ago. Eighty-seven per cent of IT leaders are running agentic AI systems—Harvey, Luminance, Microsoft Copilot, custom Claude deployments—but only 25% have what researchers call 'strong governance'. Worse: fewer than half know where their data actually lives or gets processed. For law firms answering to the SRA Code, insurers managing PRA SS1/23 expectations, and financial services firms bound by FCA Consumer Duty PS22/9, this is not a technology problem. It is a compliance crisis. You cannot manage what you cannot see.

What this survey really shows is the gap between deployment speed and governance maturity. The industry spent 2024 and 2025 rushing agentic AI into production—automating due diligence, intake, claims triage—because competitors were doing it. Those firms got results on velocity and cost. But they created a blind spot. Generic governance frameworks borrowed from general IT—policy documents, audit trails, role-based access—do not map to how agentic AI actually works in regulated environments. A Copilot-powered document review system is not the same as a spreadsheet. It does not sit passively. It makes decisions. It touches sensitive data. It generates advice. And if you cannot see which data it touched, when, and why, you have not got governance. You have got hope.

Trovix's position is straightforward: governance without visibility is theatre. You need three things in sequence. First, genuine visibility into where AI systems are deployed, what data they process, and what decisions they make—not quarterly audit reports, but live operational dashboards. This is what Trovix Audit exists to provide: real-time governance mapping that firms can actually navigate. Second, you need to connect that visibility to regulatory obligations—FCA rules, SRA code, PRA expectations, ICO GDPR principles, ISO 42001 frameworks. Generic AI governance does not work. Yours must fit your actual regulatory envelope. Third, you need to monitor what is actually changing in that envelope. Regulators are still writing AI rules. The EU AI Act will bite harder. Trovix Watch flags the changes that matter to your sector before they become penalties. Other vendors sell you governance tools. We sell you the visibility that makes governance real.

For a mid-market law firm, insurer, accountancy practice or financial services operation right now: stop treating AI governance as a compliance checkbox. Start by auditing what AI systems you are actually running: not just the obvious ones, but every GPT integration, every automation, every vendor tool that uses LLMs behind the scenes. Map what data each system touches. Identify gaps in visibility. Then work backwards to governance. If you cannot answer 'who approved this system to run on client data' and 'where is client data stored after processing' with the same confidence you answer insurance claims queries, you have a problem bigger than a policy document will fix. Get visibility first. Governance follows.

Source: Computer Weekly
