Nikhil Rathi just said the quiet part out loud: traditional compliance cycles don't work for AI. The FCA CEO and Christine Lagarde at the ECB are not calling for better rules—they are admitting that the rulemaking machine itself is broken when it comes to technology moving at AI speed. For UK law firms, insurers, asset managers and accountancy practices, this is both a warning and a release. The warning is that reactive compliance—waiting to see what the FCA Handbook says before moving—will leave you exposed. The release is this: you don't have to wait. Regulators have just acknowledged they can't police your way to safety. You have to build it yourself.
This is the third act of a play that started in 2023. First came the hype cycle, where every vendor promised ChatGPT would replace your paralegals. Then came the reality check: products like Harvey, Luminance and Microsoft Copilot got real work done, but introduced new risks nobody had fully mapped. Now comes the reckoning. The FCA Consumer Duty (PS22/9) requires you to act in clients' interests. The SRA Code demands competence and integrity. The PRA's SS1/23 framework expects boards to govern technology risk. But none of these rules explicitly tell you how to govern agentic AI systems—because they could not have predicted what these systems would do. Regulators are effectively saying: the gap between AI capability and rulebook is now a feature, not a bug. It will always be.
Trovix's view is that mid-market firms treating AI governance as a compliance checkbox will fail twice: once when the technology outpaces their policy, and again when regulators finally do catch up and ask why they were not thinking ahead. The firms that will survive are those building AI governance as a living discipline, not a static policy. This means three things. First, real-time visibility into how AI is actually being used—not just a spreadsheet of approved vendors. Second, capability to test and measure AI outputs against your own standards (client confidentiality, conflict detection, accuracy thresholds) before regulators define them for you. Third, the ability to prove it. This is not something a ChatGPT plugin or a generic compliance tool dashboard gives you. Trovix Audit was built precisely for this: to let you see, measure and govern AI use as it evolves, not as a retrospective audit. Tools like Luminance and Harvey are strong at doing legal work with AI. They are not designed to let you prove governance. That gap matters now.
If you run a mid-market firm, your next action is not to write an AI policy addendum. Your next action is to audit what AI is already in use—in discovery workflows, document review, case strategy, underwriting, tax modelling, audit sampling. You will find more than you thought. Then you need to know: which outputs are being relied on by whom, for what decisions, with what stakes? Which of those meet your firm's tolerance for error or bias? Which would fail client duty tests if they went wrong? Only then do you build governance that matches reality. If you do this before regulators legislate it, you are ahead. If you wait for the FCA to publish an AI governance standard, you will be behind, scrambling, and probably non-compliant with the Consumer Duty and SRA Code in the meantime. Rathi has just given you permission to move faster than the rules. Use it.
Source: CNBC