Three-quarters of UK IT leaders have no strong AI governance in place—but 87% are already running agentic AI systems. For regulated firms, this gap isn't a problem to solve eventually. It's a compliance failure happening right now.
AI Governance  Trovix SiftLegal · Insurance · Financial Services · Accountancy

The Red Hat survey hitting Computer Weekly this week isn't a shock—it's a confirmation. 87% of UK business IT decision-makers have deployed agentic AI systems, yet only a quarter have strong governance controls. For regulated firms in law, insurance, financial services and accountancy, this isn't a nice-to-have gap. It's a compliance breach waiting to happen. The FCA's Consumer Duty PS22/9, the SRA Code, the PRA's SS1/23 prudential guidance, and ICO's UK GDPR enforcement all require demonstrable control over data, third-party relationships and AI decision-making. If you cannot show auditable control over what your agentic AI is doing with client data, you're exposed.

What's really happening is the industry deployed first and thought second. Generic large language models like Microsoft Copilot, GPT-4 and Claude arrived with frictionless integration. Firms bolted them into workflows before anyone asked: where does the data go? Who owns the model? What happens if it hallucinates a legal opinion or misses a material insurance fact? The result is a generation of IT leaders who have bought speed but surrendered governance. The EU AI Act, now in enforcement phase, will make this worse for cross-border UK firms. And the ICO is already signalling stricter stance on AI-driven processing of personal data. The regulatory ratchet is tightening, but most firms are still pretending it isn't.

Here's Trovix's honest take: agentic AI in regulated professional services cannot be generic. A general-purpose chatbot answering email or summarising documents is one thing. An agentic system making decisions about legal discovery, insurance liability assessment, financial advice or audit scope is something else entirely. Tools like Harvey and Luminance got legal traction because they were purpose-built for that sector. They came with audit trails and client confidentiality baked in. But even those tools sit inside a governance void for many firms—used as islands without central oversight. What's missing across the board is a control layer: visibility into what AI systems are doing, with whom, to what data, and why. That's why Trovix Audit exists—not to replace governance, but to make it real and auditable. If you cannot see what your agentic AI is doing, you cannot govern it. You're just hoping.

If you're a mid-market law firm, insurer, financial services business or accountancy practice, the conversation with your IT and compliance leadership should start here: audit your agentic AI estate right now. Make a list. Where is it running? What data is it touching? Who are the third-party vendors? What contractual controls do you have over data residency, model retraining and output liability? Then—and only then—decide whether to expand or lock it down. Some agentic use cases are legitimate within your risk appetite. Others are not. The worst path is the one most firms are on: use first, ask permission never. The FRC's ISA UK audit framework is also moving toward AI-aware audit procedures, which means your external auditors will start asking these questions in 2027. Better to have answers before they do.

Source: Computer Weekly

Related Trovix product:

Trovix Sift →Book a demo →