The FCA has admitted regulators cannot keep pace with AI development. UK firms that wait for rules before moving on AI governance are already behind. The answer is not waiting—it is building compliance into how you deploy AI, not after.
AI Governance  Trovix AriaLegal · Financial Services · Insurance · Accountancy

On 3 July, Nikhil Rathi, CEO of the FCA, admitted what many in regulated firms already know: the traditional rulemaking cycle is broken for AI. Regulators work in years; agentic AI evolves in weeks. This is not a future problem—it is happening now. For mid-market law firms, insurers, financial services businesses and accountancy practices, this statement is both clarifying and uncomfortable. It means the FCA Consumer Duty (PS22/9), PRA SS1/23, and other existing frameworks were never designed for the speed at which AI actually moves. You cannot wait for the next piece of regulation to tell you whether your AI implementation is compliant. By the time it arrives, your AI will have evolved beyond it.

This story is the public articulation of a regulatory failure that has been building since generative AI entered the workplace in 2022. Firms adopted Harvey, Legora, Luminance, and Microsoft Copilot without clear compliance signals. Some implementations succeeded; many created blind spots. The EU AI Act came too late and already feels inadequate. ISO 42001 and the ICO's GDPR guidance filled some gaps but not all. What regulators are now saying—albeit quietly—is that governance must become a firm problem, not a regulatory problem. The firms that wait for the FCA to issue detailed AI rules will find themselves in the worst position: neither compliant with current frameworks nor ahead of emerging ones.

Here is Trovix's direct assessment: the answer is not better AI products. It is governance infrastructure that can evolve faster than your AI does. Tools like Luminance and Harvey are excellent for their specific use cases—document review, legal research, claim triage. But they do not solve the governance problem. A firm using Harvey without proper data lineage, audit trails, and human oversight is exposed. We see this in practice constantly. The firms that are genuinely de-risking their AI use are the ones building three things: (1) a live compliance dashboard that tracks which models are in use, what they are being asked to do, and who is responsible; (2) clear decision frameworks for when AI assists and when humans must decide; (3) continuous documentation of why specific AI choices were made, not just that they were made. Trovix Audit exists precisely because mid-market firms cannot afford to treat governance as a separate compliance project—it has to be embedded in how AI is actually used, updated in real time, and auditable to regulators.

What should your firm do right now? First, stop waiting for the FCA to issue comprehensive AI rules. They have just told you, publicly, that they cannot. Second, audit what AI is currently in use across your firm—including shadow AI implementations that no one has formally approved. This is not theoretical; the SRA, FCA, and ICO are increasingly asking firms to produce this inventory. Third, establish a governance board with clear ownership of AI decisions, not a committee that meets quarterly. Fourth, implement systems that create an audit trail. If you cannot explain to a regulator why you chose a specific model, why you trained it on certain data, and what human oversight is in place, you are not compliant—regardless of what the rule book says. Trovix Reach and Trovix Aria are tools for deployment; Trovix Sift handles the data layer. But none of them matter if you do not have governance that moves at the speed of your AI.

Source: CNBC

Related Trovix product:

Trovix Aria →Book a demo →