The Red Hat survey published in April 2026 captures a stark reality for UK regulated firms: agentic AI adoption has outpaced governance by a factor of three. Of 87% of IT decision-makers deploying these systems, only 25% have established strong governance frameworks. Worse, less than half have complete visibility of where their data is stored and processed. For law firms bound by SRA Code obligations, insurance firms under the Lloyd's Blueprint Two, and financial services firms subject to FCA Consumer Duty PS22/9 and PRA SS1/23, this is not a distant problem. It is a live audit and compliance failure. The ICO has already warned on UK GDPR violations from unmonitored AI processing. The EU AI Act will tighten these requirements further. UK regulated firms sitting in this governance gap are exposed.
This is symptomatic of a wider pattern: vendors have successfully sold the outcome (faster work, better decisions) without solving the operational problem (where is my data, who controls the model, what happens when it fails). Generic tools like Microsoft Copilot, while useful for general productivity, offer no visibility into regulated data flows or compliance posture. More specialist vendors — Harvey for legal, Luminance for document review, Legora for contract analysis — solve vertical problems but often sit outside the governance perimeter. The result is shadow AI: systems that work well in isolation but create blind spots for boards and compliance teams. The survey is less of a surprise and more of a confirmation that the industry has treated AI governance as an afterthought rather than a foundational requirement.
Trovix's view is different: governance must be designed into the system from deployment, not bolted on after. This means three things. First, complete visibility of data flow — where data enters the system, how it is processed, where it is stored, and how it is protected. Second, compliance-native design: the system should enforce SRA, FCA, PRA and ICO obligations as part of its operation, not as a separate audit function. Third, explainability: any regulated firm must be able to explain to a regulator exactly what an AI system did and why. Tools like Trovix Audit are designed specifically to close the visibility gap identified in this survey — not by adding reporting layers, but by making governance inherent to the AI infrastructure. The alternative is to accept that your AI systems are ungoverned, unauditable and, ultimately, unlawful.
If you lead IT, compliance or risk at a mid-market law firm, insurer, financial services firm or accountancy practice, the action is immediate. Audit your current AI deployments — including ChatGPT instances, vendor tools, and any agentic systems — and map them against your SRA obligations (if legal), your FCA Consumer Duty obligations (if financial services), or your ISO 42001 commitments. Identify what data each system touches, who controls the model output, and whether you can explain it to a regulator. If the answer to any of these is 'we don't know', that deployment is a risk. Then fix it. Not by ripping out tools, but by implementing a governance layer that gives you the visibility and control that the survey shows three-quarters of the market still lacks. Your board should ask: do we have it? If not, when will we?
Source: Computer Weekly