Last month's Red Hat survey landed quietly but should have landed loudly. 87% of UK business IT decision-makers use agentic AI systems. Only 25% have strong governance in place. Less than half have visibility of where their data actually lives or how it is processed. For law firms operating under SRA Code obligations, insurance firms bound by FCA Consumer Duty PS22/9, accountancy practices under FRC ISA UK rules, or financial services firms subject to PRA SS1/23, this is not a theoretical risk. This is a live breach vector. Regulators do not care that you deployed an LLM-backed system quickly. They care deeply that you cannot explain what it did, where your client data went, and whether it stayed within your approved security perimeter.
This survey is part of a pattern that has defined 2025 and 2026: the gap between AI adoption pace and governance maturity has not closed—it has widened. Many firms bought Harvey, Legora, Luminance, or Microsoft Copilot assuming these products came with governance built in. Some do. Many do not—or more accurately, they provide governance *for the tool itself* but leave the firm responsible for documenting data flows, maintaining audit trails, and proving compliance to regulators. That responsibility has no owner in three-quarters of UK businesses. The EU AI Act is tightening. The ICO's enforcement on UK GDPR is accelerating. Lloyd's Blueprint Two now mandates AI governance for the insurance market. A governance plan written in PowerPoint and forgotten in a shared drive folder is not a governance plan. It is evidence of negligence.
Trovix's approach to this is built on the premise that governance must be *embedded in process, not bolted on afterwards*. Rather than asking 'What AI should we buy?', regulated firms need to ask 'What data flows through our operation and who is accountable for each one?' Trovix Watch monitors regulatory change in real time so your governance framework updates before the deadline, not after. Trovix Sift gives you complete visibility of what data moves through document workflows and extraction pipelines—no black boxes, no guesswork. Trovix Aria is a RAG knowledge assistant that does not hallucinate client advice back into case files. It answers fee-earner questions against your own vetted knowledge base, with full auditability. These are not replacements for governance policy. They are its skeleton. The firms that will survive regulatory scrutiny in 2027 are not the ones that deployed the most AI. They are the ones that know exactly what their AI is doing and can prove it.
If you are a mid-market law firm, insurance broker, financial services outfit, or accountancy practice and you have deployed agentic AI in the last 18 months, you need to do three things immediately. First: map your current data flows. Where does client data enter your systems? Which processes touch it? Where does it exit? Write this down. Second: audit your existing tools for auditability and data residency. If you cannot answer 'What did this system do to this document?' with a timestamped, logged answer, you have a governance gap. Third: establish single accountability for AI compliance—not a committee, not a working group, one person or one team with budget and authority. Only then add new AI capacity. The firms still operating without this clarity are not ahead of the curve. They are exposed.
Source: Computer Weekly