Nikhil Rathi and Christine Lagarde have just admitted something regulators hate admitting: the rules will always lag the technology. The question is whether your firm will lead, follow, or stumble in the gap between innovation and instruction.
AI Governance  Trovix SiftLegal · Insurance · Financial Services · Accountancy

On 3 July, the FCA CEO and ECB President publicly acknowledged that traditional rulemaking cycles cannot keep pace with AI deployment — particularly agentic AI systems that act independently and at speed. This is not a theoretical concern dressed up for a regulatory panel. This is the honest admission that the supervisory frameworks governing UK legal, insurance, financial services and accountancy firms are already out of phase with what is being built. The Consumer Duty (PS22/9), ICAEW guidelines, SRA guidance on AI tools and PRA SS1/23 all assume a world where humans review AI decisions before they are acted upon. That world is closing. Agentic systems do not wait for human review cycles. If your firm is waiting for the FCA to issue definitive rules on agentic AI before you deploy it, you will be waiting while your competitors move.

This story is the culmination of a pattern that has accelerated over the past 18 months. First came the generic warnings: AI poses risks, be careful. Then came the sector-specific guidance: financial services firms must document their use of generative AI (FCA 2024), lawyers must ensure AI-generated legal research is verified (SRA Code), insurers must manage algorithmic bias in pricing (Lloyd's Blueprint Two). But these frameworks all assume the deployment model of 2024–2025: a human buys a tool (Harvey, Legora, Luminance, Microsoft Copilot) and uses it as an assistant within their existing workflow. They do not account for what is happening now: multi-step AI agents that chain decisions, call APIs, update records and escalate only exceptions. The ECB's warning about 'defense mechanisms yet to be found' is not hyperbole. Regulators do not know how to supervise systems that are partially autonomous.

Here is what Trovix believes: the gap between regulation and deployment is not a temporary misalignment. It is structural. Regulators operate on an 18-24 month cycle from consultation to rule. Agentic AI changes the threat surface every quarter. This means UK firms cannot rely on rules to tell them what is safe. They must embed governance into their systems from the moment they integrate AI, not after the FCA issues guidance. That requires: first, relentless monitoring of what your AI actually does (not what it is supposed to do) — document intelligence, knowledge retrieval and process automation must be transparent and auditable at every step. Second, continuous reassessment of risk, not one-time vendor due diligence. Third, the ability to isolate and roll back AI decisions if they breach your risk appetite, your regulatory obligations or your client duties. Tools like Trovix Watch exist precisely because the regulatory environment is not static — your response cannot be either. Products that promise 'set and forget' governance (and many do) will fail the moment your agentic system encounters a decision it was not trained for. Products that hide their reasoning — that treat AI as a black box that delivers answers — will collapse under the weight of the FCA Consumer Duty requirement to act in customers' best interests, or the ICO's expectation of transparency under UK GDPR Article 13.

If you are a mid-market law firm, insurance broker, financial adviser or accountancy practice, here is what you should do right now. First: audit which of your current AI tools are actually doing what you think they are doing. Have you truly tested whether your document AI can handle your specific clause definitions (not the vendor's test set)? Have you verified that your RAG assistant is retrieving the right precedents, not hallucinating? Second: design a governance layer before you scale. This is not about compliance theatre or a policy document that nobody reads. It is about building into your systems the ability to explain, evidence and reverse AI decisions. Third: stop waiting for the sector rulebook. Implement ISO 42001 now — not because it is mandatory, but because it gives you the framework that regulators will eventually demand. Fourth: partner with providers who can demonstrate transparency — not just in their marketing, but in their audit logs, their training data provenance, and their handling of your data.

Source: CNBC

Related Trovix product:

Trovix Sift →Book a demo →