Your firm uses AI. Can you prove how?

Think of it as the person a regulator would call first — not the person who happens to know most about AI. In FCA-regulated firms this maps to a named Senior Manager under SM&CR. In law firms, the equivalent is the Compliance Officer for Legal Practice (COLP). In accountancy practices, the responsible principal. The role has different names across sectors — the requirement for one named, board-recognised individual does not.

This includes AI features built into software you already use (such as Microsoft 365 Copilot or your case management system), and tools your staff may be using on their own initiative — including browser extensions, ChatGPT, or similar tools installed without firm approval. It also includes your obligations as a deployer of general-purpose AI models such as ChatGPT, Microsoft Copilot, or Claude — which carry specific obligations under Articles 25 and 26 of the EU AI Act.

This includes how AI tools should be prompted, who must review the output at each stage, and whether sign-off is recorded — not just assumed. This assumes the tool has been formally approved by the firm for its users.

If a regulator or client raised a concern today, could this function produce a record of which AI tools were used, by whom, on what tasks, and what human review took place? The ICO's statutory Automated Decision-Making Code (SI 2026/425, in force May 2026) and the Data Use and Access Act 2025 Section 80 require meaningful human oversight of automated decisions affecting individuals — under UK law, now, regardless of EU AI Act timing.

The EU AI Act is already in force. From 2 August 2026, new transparency obligations apply — including informing clients and candidates when AI is used in decisions affecting them. Separately, UK regulators including the ICO, FCA, and SRA already require documented AI governance under existing frameworks. Firms that have not assessed their position are exposed on both fronts regardless of EU AI Act enforcement timing.