Nikhil Rathi and Christine Lagarde just admitted the FCA and ECB cannot keep pace with AI development. They are right. And your firm cannot afford to wait for rules that may never come.

On 3 July, FCA CEO Nikhil Rathi said what many already knew: traditional rulemaking cycles cannot keep pace with AI development. Christine Lagarde added that agentic AI presents an unfunded cybersecurity crisis. For UK legal, insurance, financial services and accountancy firms, this is the admission that the regulatory framework you are being judged against today will be obsolete by the time it is finalised. The FCA Consumer Duty (PS22/9), SRA Code and PRA SS1/23 all assume human oversight and explainability. Agentic AI offers neither. Your regulator knows this. Your regulator also knows it cannot move fast enough to address it. That creates a compliance vacuum, and a vacuum fills quickly with liability.

This is not a new problem masquerading as an urgent one. It is the opposite. We have been watching the same pattern for three years: technology moves in weeks, enforcement moves in years, and firms are told to implement controls that do not yet exist in any usable form. The EU AI Act is the clearest example — a comprehensive ruleset that became law while most vendors were still arguing whether their products qualified as 'high-risk'. Lloyd's Blueprint Two talks about algorithmic governance for insurance. The ICO's UK GDPR guidance on AI still does not address autonomous decision-making at scale. Regulators are not slow because they are incompetent. They are slow because they are trying to write rules for technology that is changing while they write.

Here is Trovix's position: waiting for perfect regulation is a luxury you do not have. Firms using off-the-shelf generative AI tools — ChatGPT, Microsoft Copilot, basic RAG implementations like Harvey or Luminance — are gambling that their regulatory defence will hold up when audited. It will not. Those tools prioritise speed and general capability over auditability, retention control and explainability. They are not built for regulated environments. Firms that implement AI properly now — with documented purpose, controlled data lineage, audit trails and defensible design — will be compliant long before the rules catch up. And they will have learned something the regulators have not yet figured out: you do not need agentic AI to solve most of the problems facing mid-market practices. You need intelligent automation with governance built in from day one. Trovix Sift and Trovix Aria were designed around this principle precisely because we anticipated this gap.

What should you do right now? First, audit how AI is currently being used in your firm — including shadow AI, which is still AI. Second, map that use against FCA Consumer Duty principles, SRA Code of Conduct and ICO UK GDPR requirements. Third, implement governance that will survive regulatory scrutiny regardless of whether a rule exists yet. This means: documented AI decision-making, clear data handling, audit trails that show what the system did and why, and human review points at material steps. Fourth, use Trovix Watch to track the 12 regulatory changes that will affect you in the next 18 months — because they will come fast once they start. Do not wait for your regulator to close the gap. Close it yourself. The firms that do will be the ones that get audited and survive it.

Source: CNBC
