Nikhil Rathi and Christine Lagarde have said something UK regulated firms need to hear: the traditional regulatory cycle is broken. When agentic AI systems evolve in weeks or months and rulemaking takes years, waiting for rules becomes a liability strategy, not a risk mitigation one. This isn't a prediction. It's happening now. For a mid-market law firm, insurer, financial services outfit or accountancy practice still treating AI as an optional feature, this is the moment your regulator just admitted the safety net has holes. The FCA, PRA, SRA and ICO are all scrambling. That scramble means one thing: you cannot outsource AI governance to waiting for guidance.
This story is part of a pattern we've been watching for eighteen months. First came the EU AI Act — technically binding law that nobody quite knows how to implement. Then came the wave of 'responsible AI' frameworks from vendors like Microsoft and OpenAI, each one promising compliance-by-design. Then came the real deployments: firms buying Harvey for legal work, Luminance for due diligence, Legora for case law, and generic Copilot for everything else. Each solved immediate problems. None solved the fundamental one: how do you know if the AI you're using is safe, auditable and regulatorily defensible when your regulator doesn't know either? The admission from Europe's top bankers is a statement of fact masquerading as a warning. The rulemaking gap is structural. It won't close.
Here's Trovix's direct take: the answer is not better rules faster. It's disciplined, documented, domain-specific AI that operates inside your control. That's radically different from the off-the-shelf AI products most firms are installing. Harvey is a general-purpose legal assistant built on large language models trained on broad corpora. It's powerful, but you inherit its training gaps and its black-box decisions. Luminance does pattern-matching at scale, which is brilliant for what it does, but it doesn't plug into your existing data workflows. Generic Copilot is free and feels smart until it generates a regulatory error and you have to explain it to the FCA. Instead, think of AI as a data and document problem first, and an intelligence problem second. Trovix Sift builds extraction logic you can audit and explain. Trovix Aria feeds only your firm's own knowledge, not the open internet. Trovix Watch tracks actual regulatory change in real time, not vendor roadmaps. These are not faster horses. They're built for the regulatory world as it actually is: uncertain, moving, and requiring proof.
What should you do Monday morning? First: stop treating AI as a cost centre to be optimized. Start treating it as a regulatory control to be documented. Second: audit what AI you're already using — not just the branded products, but Copilot, ChatGPT, Claude in your team's workflows. You almost certainly have blind spots. Third: if you're considering new AI, ask your vendor one hard question: can you audit and explain every decision your system makes? If the answer is 'it's a language model, so not exactly,' walk away. Fourth: build a small, scoped pilot with vendors who understand regulated firms. Trovix Brief handles intake automation with traceable logic. You can explain it to your regulator. Fifth: document everything. When the FCA finally releases its AI guidance — and it will — you'll need evidence that you were thoughtful before the guidance arrived, not reactive after. Rathi's admission that regulators can't keep pace is not permission to move faster. It's permission to be smarter about how you move.
Source: CNBC