The Red Hat survey hits harder than most governance reports because it names the exact contradiction UK regulated firms are living with: 87% have deployed agentic AI systems, yet only 25% have strong governance in place. More damning still: fewer than half know where their data actually lives once an AI agent touches it. For law firms, insurers, financial advisers and accountancy practices, this is not an efficiency problem. It is a regulatory exposure. The SRA Code, FCA Consumer Duty PS22/9, PRA SS1/23, and the incoming EU AI Act all demand firms know what their systems are doing, why they are doing it, and who is accountable when they get it wrong. An AI agent that can draft contracts, assess claims or extract financial data without governance is not a productivity tool. It is a compliance violation waiting to be discovered.
This story reveals a pattern that has become impossible to ignore: UK professional services firms bought the AI agent narrative without buying the governance infrastructure to support it. Products like Harvey, Luminance and Legora made agentic AI sound inevitable and safe. Many firms deployed them on the assumption that the vendor had 'solved' governance. They have not. Neither Harvey nor Luminance nor any commercial AI product can solve governance for your firm—they can only make governance harder by distributing decision-making across systems you do not fully control. The gap between deployment and governance is not closing. It is widening. And the firms closing it fastest are not using off-the-shelf agents. They are building controlled environments where AI augments human judgment rather than replacing it.
Trovix's approach to this problem is deliberately different from the agentic model. Rather than deploying AI agents that make independent decisions and then trying to retrofit governance around them, we build governance into the moment of implementation. Trovix Sift gives you complete visibility into what data an AI system has seen and extracted. Trovix Aria is a knowledge assistant that augments your fee-earners' judgment—it surfaces information, it does not make decisions on their behalf. Trovix Watch monitors regulatory change so you know when your governance model needs to adapt. This is not about moving slower. It is about moving with accountability. It means your partners can explain, audit and defend every decision an AI system was involved in. That is the governance model that passes FRC ISA UK, Lloyd's Blueprint Two and ICO UK GDPR scrutiny. It is also the model that survives enforcement.
If you are a mid-market firm that has already deployed agentic AI without strong governance, your first move is not to rip it out. It is to audit it. Know what decisions it has made. Know where your data went. Know what your audit trail actually says. Then, for new use cases, separate the layers: use AI to surface candidates and patterns, but keep humans in the decision loop. Build governance from day one, not after deployment. If you are still in the planning phase, do not assume any vendor has solved governance for you. They have not. Ask for an audit trail. Ask for data residency guarantees. Ask for explainability. If they cannot answer those questions, they are not ready for your firm. The 25% of UK IT leaders with strong governance did not get there by trusting vendors. They got there by treating AI governance as infrastructure, not as an afterthought.
Source: Computer Weekly