Three-quarters of UK IT leaders claim to have AI governance when they actually have hope. That gap between deployment and oversight is not a management problem—it is a regulatory risk that will catch firms unprepared.

The Computer Weekly finding cuts to the heart of a dangerous pretence. Eighty-seven per cent of UK business IT decision-makers have deployed agentic AI systems—tools that act autonomously on behalf of the firm—yet only 25 per cent have governance frameworks in place to oversee them. Worse still, fewer than half know where their data actually lives or how it is processed. For firms regulated under the FCA Consumer Duty, PRA operational resilience rules, SRA Code Part C, or ICO UK GDPR, this is not just poor practice. It is a compliance breach waiting to happen. When the FCA examines third-party AI risk or the SRA investigates client data handling, a spreadsheet governance plan will not satisfy the inquiry. The regulator will ask: where did that data go? Who had access? How was the model trained? If your answer is 'we are not sure', you have already failed.

This is the inevitable result of how AI has been sold to mid-market firms over the past eighteen months. Enterprise software vendors—Microsoft with Copilot Pro, firms like Harvey marketing their legal models, even the agentic platforms now bundled into major cloud suites—have moved fast and with confidence. The message has been simple: deploy AI, measure productivity gains, expand adoption. Governance, audit trails, model explainability and data provenance have been treated as Phase Two concerns. But Phase Two is happening now. Firms are discovering that they cannot audit what they cannot see, cannot control what they cannot track, and cannot explain decisions made by systems they do not fully understand. The 89 per cent calling for public policy to enforce open-source AI principles is a symptom of this panic. They want external structure because internal discipline has collapsed.

This is where the approach taken by most conventional AI products falls short. Tools like Luminance or Legora offer smart document analysis and contract review, but they operate within a framework of 'deploy and trust'. The vendor certifies the model. The firm implements it. When something goes wrong—a hallucination in a contract clause, a data breach, an unexplained decision—accountability becomes diffuse. Trovix takes a different view. Trovix Audit is built around the principle that governance must be visible and verifiable from day one, not bolted on later. Every agentic action is logged. Every data movement is tracked. Every decision is explainable. This is not just compliance theatre. It is the difference between a firm that can answer a regulator's questions and a firm that cannot. Trovix Sift applies the same discipline to data extraction and document intelligence—you see exactly what the model has learned, where it is pulling information from, and what confidence level it assigns to each decision. That visibility is not optional for regulated businesses. It is foundational.

If you are a mid-market law firm, insurer, financial services company or accountancy practice and you have deployed agentic AI in the last twelve months without establishing complete visibility of data flows and model decisions, act now. Audit your current deployments. Map where data is stored, who can access it, what models are processing it, and how decisions are logged. Do not wait for a regulatory visit to discover gaps. The firms that will thrive through the next phase of AI adoption are those that can demonstrate governance, not those that hope no one asks difficult questions. If your current AI vendor cannot show you an audit trail, cannot explain model behaviour, or cannot map your data, they have sold you risk, not capability.

Source: Computer Weekly
