The Red Hat survey is damning but not surprising. Eighty-seven per cent of UK IT decision-makers have deployed agentic AI systems—autonomous agents that make decisions, retrieve data, and act without human intervention at every step. Yet only 25% have what researchers call 'strong governance' in place. Fewer than half know where their data actually lives or how it moves through these systems. For regulated firms in legal, insurance, financial services and accountancy, this is not a competitive inconvenience. It is a breach waiting to happen. The FCA Consumer Duty, SRA Code of Conduct for Firms, PRA SS1/23 on outsourcing and governance, and the ICO's UK GDPR guidance all demand that firms maintain effective systems and controls. Data you cannot see, processes you do not understand, and decisions you cannot explain do not meet that standard. Regulators have been explicit: AI systems that operate without governance are treated like any other uncontrolled business process. Enforcement follows.
This survey captures a pattern we see repeatedly across the mid-market: firms have adopted AI tools—often off-the-shelf agentic systems like Microsoft Copilot for enterprise, or specialized legal AI like Harvey or Luminance—without first building the governance scaffolding these tools demand. The tools themselves are powerful. Harvey's reasoning capability in contract review is genuinely useful. Luminance's anomaly detection catches real risks. Copilot integrates smoothly into existing workflows. But none of these products can compensate for absent governance. They cannot tell you what data they saw, why they made a decision, whether they hallucinated, or whether they complied with your data retention policy. Those answers have to come from your firm's architecture, not the tool's marketing. The gap exists because governance is slower, less visible, and less exciting than buying the next AI product. It does not generate quick wins. It generates compliance and trust. And right now, too many firms are betting that the regulators will move slowly. They will not.
Trovix's view is straightforward: agentic AI without real-time visibility and control is malpractice in a regulated firm. It is not enough to audit what your systems did last week. You need to know what they are doing now, what data they are accessing, and whether those decisions meet your control framework. This requires three things working together: first, you need visibility—which means understanding your data estate and where agentic systems are actually operating. Second, you need governance that sits upstream of deployment, not downstream of failure. That means knowing what regulatory obligations apply to each system, what data sensitivity rules are in play, and what human oversight is required. Third, you need continuous monitoring. A one-time governance review is worthless. The EU AI Act, which many UK firms operate under or will soon face through cross-border clients, requires ongoing compliance monitoring. Trovix Watch was built precisely because firms told us that governance frameworks sit in static documents while their AI systems evolve daily. You cannot govern what you cannot see in real time. Products like Harvey and Luminance excel at what they do, but they sit inside your firm's data and process layer. They assume you have already solved the governance layer. Most firms have not.
If you run a mid-market law firm, insurance underwriting unit, financial services compliance team, or accountancy practice, here is what you should do this week: First, take honest stock of where agentic AI is actually running in your firm right now—not where you planned for it to run, but where it is operating. Second, check whether you can actually articulate, in writing, how each system meets your regulatory obligations under the SRA, FCA, PRA, or ICO frameworks. If you cannot write it down clearly, you do not understand your own governance. Third, audit your data visibility. If you cannot answer the question 'What data has this agentic system seen in the last 30 days?' you have a compliance gap. Fourth, bring your IT, compliance, and risk teams into the same conversation. AI governance is not an IT problem alone. It is a business control. Finally, map your governance framework to the specific AI systems you use, not to generic 'AI governance best practice'. A control that makes sense for document automation does not automatically work for autonomous decision-making systems. Build this now, before the regulators force you to rebuild it under investigation.
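The third step above turns on one concrete question: what data has a given agentic system seen in the last 30 days, and is every sensitive source it touched covered by a mapped control? The script below is an added example of how a compliance or IT team could answer that from an agent's tool-call audit log. It is not Trovix Watch, Harvey, Luminance or Copilot code, and everything in it is an assumption: the log fields (`ts`, `agent`, `source`, `classification`, `action`), the agent names, the data-source names, the classification labels and the control map are all constructed for illustration. Any real deployment would substitute the platform's actual audit export and the firm's own control register.

```python
"""Constructed example: answer "what data has this agent seen in the last
30 days?" from a tool-call audit log, and flag sensitive sources that the
agent touched without a mapped control. The log schema, agent names,
source names and control map are assumptions made for this example, not
any vendor's real format."""
from datetime import datetime, timedelta, timezone

# Constructed audit records. A real feed would come from the agent platform's
# tool-call / data-access export; these field names are assumed.
AUDIT_LOG = [
    {"ts": "2025-05-01T09:12:00Z", "agent": "contract-review",
     "source": "dms/client-matters", "classification": "confidential", "action": "read"},
    {"ts": "2025-05-03T14:02:00Z", "agent": "contract-review",
     "source": "hr/payroll", "classification": "personal", "action": "read"},
    {"ts": "2025-05-10T11:40:00Z", "agent": "underwriting-assistant",
     "source": "claims/history", "classification": "personal", "action": "read"},
    {"ts": "2025-03-20T08:00:00Z", "agent": "underwriting-assistant",
     "source": "dms/client-matters", "classification": "confidential", "action": "read"},
    {"ts": "2025-05-11T16:30:00Z", "agent": "contract-review",
     "source": "public/regulatory-guidance", "classification": "public", "action": "read"},
]

# Constructed control register: which agent is approved to touch which source,
# and under which documented control. Anything sensitive outside this map is a gap.
CONTROL_MAP = {
    ("contract-review", "dms/client-matters"): "SRA confidentiality; human review before output",
    ("underwriting-assistant", "claims/history"): "FCA Consumer Duty; DPIA reference (placeholder)",
}

# Fixed "now" so the example is repeatable; a real run would use datetime.now(timezone.utc).
NOW = datetime(2025, 5, 15, tzinfo=timezone.utc)


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def data_seen(log, agent, now=NOW, days=30):
    """Sorted list of distinct data sources the agent accessed within the window."""
    cutoff = now - timedelta(days=days)
    return sorted({r["source"] for r in log
                   if r["agent"] == agent and parse_ts(r["ts"]) >= cutoff})


def unmapped_sensitive_access(log, control_map, now=NOW, days=30):
    """(agent, source) pairs where a non-public source was accessed in the window
    but no control is mapped to that agent/source combination."""
    cutoff = now - timedelta(days=days)
    gaps = set()
    for r in log:
        if r["classification"] == "public" or parse_ts(r["ts"]) < cutoff:
            continue
        key = (r["agent"], r["source"])
        if key not in control_map:
            gaps.add(key)
    return sorted(gaps)


def visibility_report(log, control_map, now=NOW, days=30):
    """Per-agent inventory of sources seen, plus the list of control gaps."""
    agents = sorted({r["agent"] for r in log})
    seen = {a: data_seen(log, a, now, days) for a in agents}
    return seen, unmapped_sensitive_access(log, control_map, now, days)


if __name__ == "__main__":
    seen, gaps = visibility_report(AUDIT_LOG, CONTROL_MAP)
    for agent, sources in seen.items():
        print(f"{agent} saw in last 30 days: {sources}")
    for agent, source in gaps:
        print(f"GAP: {agent} accessed {source} with no mapped control")
```

Run against the constructed log, the report shows that `contract-review` has read payroll data with no control mapped to it, while the underwriting agent's older access to client matters falls outside the 30-day window and only surfaces if the window is widened. That second point is the practical reason the article insists on continuous rather than one-off review: a gap that is invisible at one audit date can be visible at the next.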
Source: Computer Weekly