When Nikhil Rathi tells CNBC that 'traditional rulemaking cycles don't work' with AI, particularly agentic AI, he is admitting that the FCA's rulebook—including the Consumer Duty (PS22/9), existing section 55D expectations, and the PRA's SS1/23 principles for operational resilience—was written for a different technology era. Christine Lagarde's statement that 'means of defence have yet to be found' is starker: Europe's top regulators are saying they do not yet have the supervision tools to understand the risks posed by fast-moving AI systems. For UK regulated firms in law, insurance, financial services and accountancy, this creates a specific problem: you are being asked to comply with frameworks that are incomplete, while your competitors may be deploying AI systems with speed and minimal governance. The FCA will ultimately enforce against firms, not the toolmakers. You are the supervised entity with the liability.
This story is part of a larger pattern. Regulators have spent 2024–2026 playing catch-up: the EU AI Act was finalised with broad definitions and risk tiers that struggle to accommodate real-world AI workflows; the FRC and ICO have issued guidance on AI and governance that is necessarily principles-based because the technology moves faster than rules can; the Lloyd's of London Blueprint Two and PRA supervisory expectations have all shifted toward 'demonstrate you know what your AI does' rather than 'follow this specific process'. What this reveals is that compliance teams can no longer rely on a single standard or rulebook. Instead, firms must build internal capability to assess, monitor and evidence the behaviour of their AI systems continuously—because the rules will catch up later, and when they do, regulators will ask for that evidence.
Trovix's perspective: firms deploying off-the-shelf AI tools like Harvey, Legora, Luminance, or Microsoft Copilot without a governance layer are taking unnecessary risk. These products are powerful, but they are tools, not compliance frameworks. A law firm using Harvey for contract review without documented understanding of its output quality, bias, and error rates will struggle to evidence compliance with the SRA Code of Conduct when supervisory focus tightens. An insurer deploying agentic AI for claims processing without real-time visibility into decision logic faces acute PRA operational resilience risk. The solution is not to avoid these tools—they have genuine value—but to implement them alongside governance infrastructure that provides continuous visibility and auditability. This is where purpose-built governance platforms become essential. Trovix Watch solves part of the problem by monitoring regulatory change in real time, so compliance teams can anticipate and adapt. Trovix Audit goes further: it provides the dashboard and evidence trail that regulators will eventually demand, allowing you to show exactly how your AI systems are performing, where risks exist, and how you are managing them. Neither tool makes AI compliance easy—nothing can, not yet—but both acknowledge Rathi's point: rules move slowly, and you need infrastructure to survive the gap.
What your firm should do starting today: first, map every AI system currently deployed or planned (including off-the-shelf products and internal builds). Second, assign ownership: who is responsible for understanding what this system does and documenting its limitations? Third, implement a monitoring regime that captures output quality, error patterns and any drift in performance. Fourth, create a simple register of decisions: when did you deploy it, what problem does it solve, what controls are in place, and what would supervisors need to see to be satisfied you are managing the risk? This is not a compliance box to tick. It is the evidence that the FCA and PRA will ask for when they come asking about AI. Firms that wait for the rulebook to be finished will still be building this infrastructure in 2027, under audit, under pressure, and possibly under enforcement. Firms that build it now will be ready.
Source: CNBC