When the FCA and ECB admit the rulemaking cycle is broken, mid-market firms face a choice: wait for regulators to catch up, or build governance that works today. Trovix believes the firms that act now will own the advantage.
AI Governance  Trovix ReachLegal · Financial Services · Insurance · Accountancy

Last Friday, Nikhil Rathi and Christine Lagarde said what many have thought for months: traditional regulation cannot keep pace with AI, especially agentic systems. The FCA CEO was direct—the old cycle of rulemaking 'doesn't work' in fast-moving tech. This isn't academic. For UK legal, insurance, financial services and accountancy firms, it means the regulatory frameworks you're waiting for may not arrive in time to guide your current AI decisions. You're already deploying generative AI. The rules for how you should be doing that are still being drafted. That gap is not a loophole—it's a liability.

This story reveals a deeper truth about how AI adoption has actually unfolded. Most UK regulated firms have treated AI as a tooling problem—buy Harvey, Luminance, Microsoft Copilot, implement it, and compliance will catch up. But compliance hasn't caught up, and it won't, because AI development cycles and regulatory cycles are now fundamentally mismatched. The SRA, ICO, PRA, and FRC are all writing principles-based guidance (ISA UK, GDPR frameworks, SS1/23), but they're all aiming at a moving target. Firms that gambled on waiting for prescriptive rules have now lost two years of competitive advantage—and two years of governance debt.

Here's what we believe should happen instead. Mid-market firms need to move from 'compliant AI' thinking to 'governed AI' thinking. That means building internal AI governance frameworks now, not waiting for regulation to force you. Tools like Luminance and Harvey are good at what they do—extract value from documents, draft faster, reduce manual work—but they're not governance solutions. They're tactical. What's missing is the systematic audit trail, risk mapping, and decision-framework that show regulators you built AI defensively. That's why we built Trovix Audit—not to tick a compliance box, but to create a real-time record of how your firm is using AI, what it's deciding, and why. You need to know what your AI is doing before an FCA examination asks you.

Right now, identify three things: First, what AI systems are actually running in your firm today (not pilot projects—live systems touching client work or decisions)? Second, who owns the governance of each one—is it IT, fee management, risk, or no one? Third, do you have documented evidence that someone reviewed the output of that system before it reached a client or decision-maker? If you can't answer these clearly, your firm is exposed. Start with your highest-risk use cases—AI drafting in legal, underwriting in insurance, tax compliance in accountancy. Build a simple audit layer. Involve your compliance, risk, and fee-earning teams in one room. Make it clear that AI adoption is locked to governance maturity, not just capability. The firms that do this in the next 90 days will have a defence when regulators come asking questions. The ones that don't will be scrambling to retrofit governance onto systems that are already live.

Source: CNBC

Related Trovix product:

Trovix Reach →Book a demo →