When the FCA CEO says rulemaking cycles are broken, he is not being pessimistic—he is describing what many mid-market firms are already experiencing. The question now is whether you are managing that gap or ignoring it.
AI Governance  Trovix WatchLegal · Insurance · Financial Services · Accountancy

Nikhil Rathi and Christine Lagarde have just said out loud what compliance teams have been whispering for eighteen months: AI technology moves in weeks, regulation moves in years, and nobody has yet built a credible defence mechanism. The FCA chief is right. Current rulemaking cycles—designed for regulated products that take five years to develop and deploy—cannot keep pace with agentic AI systems that are materially different every quarter. This matters acutely to mid-market law firms, insurers, financial services firms and accountancy practices because you are the ones being asked by partners and senior management to deploy AI productivity tools right now, and you have no clear regulatory playbook. The Consumer Duty (PS22/9) assumes you know what your AI does. Most firms deploying Harvey, Legora or Luminance for document review or legal research do not yet have a defensible answer to that question, let alone a compliance audit trail.

What this story reveals is that regulation is moving from pre-approval to real-time supervision. The old model—get product approved, deploy at scale, audit annually—is already dead for AI. The EU AI Act and the ICO's practical guidance on UK GDPR make clear that firms must now manage risk continuously, not just at go-live. The PRA's approach to AI governance (SS1/23) and the SRA's ethical guidance on technology are both pointing toward the same fact: regulators cannot prevent bad AI before it enters practice. They will catch it during practice. That means your firm's first line of defence is not waiting for perfect rules. It is building internal governance that assumes imperfect technology and documents why you deployed it anyway.

Trovix's view is direct: most firms are betting on the wrong part of AI. They are buying chat interfaces and hoping for compliance. That is backwards. The real risk sits in three places: (1) knowing what your AI is actually doing on each matter or claim, (2) proving to a regulator that you understood the risk and managed it, and (3) updating your risk assessment when the AI changes. This is where many single-vendor solutions—including otherwise capable products from Microsoft Copilot, Harvey or Luminance—leave firms exposed. They solve the productivity problem brilliantly. They do not solve the governance problem. You need both. Trovix Watch exists precisely because watching what rules change is only half the job. Watching what your deployed AI is actually doing in real matters is the half that regulators will ask about when (not if) they examine you. Trovix Audit is built to answer that question before they ask it.

Do this now. First: audit what AI you are already running, who approved it, and whether you can explain the risk in writing to the FCA, PRA, FRC, ICO or SRA depending on your sector. Do not skip this because the tool was free or because 'everyone else' is using it. Second: demand that any new AI tool—whether it is document review, client intake or matter management—comes with a risk assessment you understand, not one the vendor wrote. Third: build a quarterly review cycle for any AI in active use. Rathi is telling you that annual compliance is dead. If you wait until next year's audit, you will be three or four generations of AI behind. A mid-market firm that does this will find that deploying AI becomes faster and more confident, not slower. A firm that ignores it will find that a regulatory examination becomes very uncomfortable very fast.

Source: CNBC

Related Trovix product:

Trovix Watch →Book a demo →