The Forbes story cuts to the heart of a problem UK regulated firms are pretending doesn't exist yet: every time an employee uses ChatGPT, Claude or Microsoft Copilot on a client matter without logging it, your firm is creating undocumented liability. European regulators have now handed down $7 billion in GDPR fines, with the pace accelerating sharply since 2023. The EU AI Act's compliance deadlines for high-risk systems in financial services have slipped from August 2026 to late 2027—but that delay should not be mistaken for mercy. It means regulators are building enforcement capacity while firms squander the window to govern AI themselves. For UK law firms, insurers, wealth managers and accountancy practices operating under FCA Consumer Duty PS22/9, SRA Code of Conduct for Solicitors, and the PRA's rulebook, this is not a future problem. It is a now problem. Your CFO and compliance officers are already liable for uncontrolled AI use in your organisation. Most have simply not been told.
What this story reveals is a structural failure in how mid-market professional services firms have adopted AI. Most have done it backwards: they bought tools first (often generic large language models with no domain training), then tried to retrofit governance. Harvey, Legora and Luminance have each built governance and audit trails into their platforms from the start, because they understood that high-stakes legal and financial work demands recorded reasoning and accountability. The broader pattern here is that firms treating AI as a software subscription rather than as a material control will face the same reckoning that befell those who ignored data handling in 2018–2022. The ICO UK GDPR enforcement notices are now joined by AI-specific liability vectors: confidentiality breaches via prompt injection, hallucinated legal research, bias from mis-trained models in credit decisions, and unlicensed tax advice generated by fine-tuned models. Regulators are not coming to applaud innovative adoption. They are coming to audit what you have documented and what you cannot explain.
Here is Trovix's honest view: ungoverned AI is a governance failure, not a technology failure. The problem is not that Claude or Copilot are bad products. The problem is that they have no built-in audit trail of what your solicitors, underwriters or financial advisors asked them, what they received, and whether that output went into a client file. Trovix's approach has always been to treat AI governance as a material control—equivalent to case management sign-off or deal approval workflows. Trovix Audit creates a persistent record of AI interactions within your practice management system or deal platform, so that when the FCA or SRA comes asking what happened to a particular client matter, you can show them the reasoning chain, the inputs, the guardrails applied, and the human review step. That is not a nice-to-have. Under ISA UK 260 and PRA SS1/23, that is now a control objective. Most firms still think AI governance is a compliance checklist. It is actually your liability moat.
What should a mid-market law firm, insurance firm, wealth manager or accountancy practice actually do in July 2026? First, appoint a single owner (usually the Chief Financial Officer or General Counsel, not IT) who is accountable for AI governance. Second, audit what AI tools your people are already using—the answer will shock you. Third, establish a simple classification: which matters or client interactions involve high-risk use cases under the EU AI Act? Those require recorded workflows and human approval. Fourth, deploy logging and audit infrastructure now, before a client complaint forces you to admit you do not know what happened. Fifth, schedule a six-month review of your AI governance posture against Trovix Watch regulatory monitoring, because the EU AI Act's final compliance deadlines will land in late 2027 and you will have wasted the 18 months you had to prepare. The firms that treat this as a finance and control problem will be ahead of those still treating it as a technology problem. The regulators are already watching.
Source: Forbes