Nikhil Rathi's admission this week that the FCA cannot keep pace with AI development is not a policy statement. It is a confession that the entire regulatory system built on 18-month rulemaking cycles and annual handbook updates cannot function in a world where agentic AI systems evolve in weeks. Christine Lagarde made the same point about systemic risk: defenses are lagging. For UK regulated firms — law practices under SRA Code obligations, insurers managing Lloyd's Blueprint Two requirements, financial advisers bound by FCA Consumer Duty PS22/9 — this creates a moment of dangerous clarity. You cannot wait for formal rules to arrive. They will not arrive in time to protect you.
This is the pattern repeating across every regulated sector. Harvey and other legal-focused AI vendors marketed themselves as compliance-ready because they could cite early FCA engagement. Luminance and similar document AI tools promised to stay ahead of regulatory change through continuous model updates. Yet the real problem is not those products — it is that the regulatory operating system itself has become the bottleneck. The EU AI Act exists but is not yet in force. The ICO's AI governance guidance sits alongside residual GDPR rules that do not contemplate truly autonomous systems. The FRC's ISA UK audit standards pre-date the scale of AI assurance work now required. Every major regulator is now scrambling to shift from prescription to principle-based frameworks, but the shift will take years while agentic AI ships in months.
Trovix's view: firms that wait for regulators to solve this problem first will lose. The answer is not to deploy less AI or to demand 'responsible' general-purpose models — Microsoft Copilot and similar tools deployed without sector-specific governance will only amplify your risk. The answer is to implement AI with visible, auditable, governance-first architecture from day one. That means real-time monitoring of what your AI systems are doing (Trovix Watch exists precisely because regulators now expect this), documented decision rationales that survive FCA interrogation, and tested rollback procedures. It means treating AI implementation as a compliance event, not a technology event. The firms that will survive the regulatory reset are not those with the most sophisticated AI. They are those with the most transparent AI.
What should a mid-market firm do now? First: stop treating AI governance as a future problem. Your SRA compliance team, your PRA SS1/23 file, your ICO Data Protection Impact Assessment — all of these need amendment to account for AI systems already in production. Second: audit what AI you actually have. Many firms have shadow AI — Microsoft Copilot running on document review, ChatGPT processing client data — that sits outside any governance framework. Third: if you are building new AI workflows, require documented audit trails and human-in-the-loop decision points for regulated outputs. Trovix Audit was built because firms were asking: how do we prove to a regulator that we have control? The answer is: keep evidence. Keep it detailed. Make it searchable. The regulatory reset is coming. The firms that have already done the governance work will have answers. The firms still moving fast and breaking things will be broken by regulators.
Source: CNBC