From the FCA’s Mills Review to Ofgem’s new AI guidance, UK regulators are converging on one message: if you’re deploying AI, you need to govern it. Here’s what that means for financial services and energy.
The Regulatory Walls Are Closing In
Three out of four UK financial services firms are already using AI. That statistic, from the FCA and Bank of England’s joint survey, should focus minds — because the governance frameworks those firms are operating under are about to be tested like never before.
On 20 January 2026, the House of Commons Treasury Select Committee published a blunt assessment: regulators are not doing enough to manage the risks AI presents. The Committee Chair, Dame Meg Hillier, said publicly that she does not feel confident the UK financial system is prepared for a major AI-related incident.
A week later, on 27 January, the FCA launched the Mills Review — a long-term examination, led by Executive Director Sheldon Mills, of how AI will reshape retail financial services through to 2030, covering everything from agentic AI systems to consumer outcomes and market structure. This isn’t a theoretical exercise. It’s the regulator signalling where enforcement attention is heading.
And this isn’t just a financial services story. In May 2025, Ofgem published its first dedicated AI guidance for the energy sector, and has since launched AI Regulatory Laboratories — collaborative sessions where energy companies can stress-test their AI deployments against the regulatory framework. A proposed AI Technical Sandbox would go further still. The message is consistent: governance isn’t a nice-to-have, it’s a prerequisite.
The FCA has confirmed it will not introduce AI-specific regulations. Instead, it expects firms to demonstrate that existing frameworks — Consumer Duty, SM&CR, SYSC, and operational resilience rules — already cover their AI deployments. The Treasury Committee has recommended that the FCA publish comprehensive, practical guidance on how existing consumer protection rules apply to AI by end of 2026.
For any organisation using AI to process applications, assess eligibility, triage customer enquiries, or make decisions that affect individuals — this expectation has teeth.
Ofgem’s AI guidance builds on the UK government’s five AI principles and applies them directly to the energy sector. It covers governance, risk approach, and competencies for ethical AI use. The regulator is also exploring an AI Technical Sandbox — a controlled digital environment for testing AI tools under regulatory oversight.
For energy companies using AI across predictive maintenance, real-time operational decisions, digital twins, and supply chain optimisation, the expectation is clear: demonstrate that your AI is safe, secure, fair and sustainable.
The EU AI Act: The Deadline Moved — but the Obligation Didn’t
While UK regulators take an outcomes-based approach, the EU has gone prescriptive. The EU AI Act was originally set to enforce its high-risk AI system requirements from 2 August 2026. Then, on 7 May 2026, EU lawmakers reached provisional agreement on the Digital Omnibus — pushing the high-risk compliance deadline to December 2027 for standalone Annex III systems (including those used in financial services, public-sector decision-making, critical infrastructure, and employment) and to August 2028 for AI embedded in regulated products.
Some organisations will read that as a reprieve. The smart ones will read it as a runway.
Here’s what hasn’t changed: the EU AI Act is law. The requirements for high-risk systems — risk management, data governance, transparency, human oversight, accuracy, and cybersecurity — are defined and published. The penalties remain severe: up to €35 million or 7% of global annual turnover. And notably, deployer transparency obligations under Article 50 still apply from 2 August 2026, with provider watermarking requirements now due by December 2026.
Even for UK-headquartered organisations, the EU AI Act matters. If you serve EU customers, process EU citizen data, or deploy AI systems whose outputs are used within the EU, you’re in scope. And in practice, many organisations are finding it easier to build governance frameworks that satisfy both the UK’s outcomes-based expectations and the EU’s prescriptive requirements simultaneously.
The Omnibus delay also reveals something important: even the EU’s own regulators acknowledged that the compliance infrastructure — harmonised standards, classification guidance, technical documentation templates — wasn’t ready. Organisations that use this window to build governance foundations now will be in a far stronger position than those who treat December 2027 as a fresh starting gun.
Key Dates on the Regulatory Horizon
Why This Demands a Platform Approach
Here’s the challenge I see repeatedly in conversations with clients across financial services and energy: governance is treated as an afterthought. AI models get built, deployed, and embedded into business processes — and only then does someone ask, “How do we audit this? Who’s accountable? What happens when it drifts?”
That approach doesn’t survive regulatory contact. What’s needed is end-to-end governance from the start — covering the full lifecycle from data provenance and model development through to deployment monitoring, bias detection, and compliance reporting.
The common threads across both sectors are striking:
Explainability and transparency — whether it’s an AI system triaging student loan applications or optimising production on an offshore platform, regulators want to know how decisions are made, and so do the people affected by them.
Fairness and bias monitoring — the FCA’s Mills Review explicitly highlights proxy discrimination and discriminatory pricing as central threats. In energy, Ofgem’s principles require AI to be used fairly with clear accountability.
Operational resilience — the October 2025 AWS outage that disrupted Lloyds Banking Group, Halifax, and HMRC was directly cited by the Treasury Committee. When cloud-dependent AI systems fail, who picks up the pieces? The Critical Third Parties Regime is coming, and AI/cloud providers will be in scope.
Audit trails and compliance automation — manually documenting AI governance doesn’t scale. As organisations move from a handful of AI use cases to hundreds, you need automated policy enforcement, risk dashboards, and regulatory reporting.
Where IBM watsonx.governance Fits
This is exactly the problem IBM watsonx.governance is designed to solve. It provides a single platform to direct, manage and monitor AI — whether you’re running IBM models, open-source models, or third-party systems from providers like OpenAI or Amazon SageMaker. It works across hybrid cloud and on-premises environments, which matters enormously in regulated industries where data sovereignty is non-negotiable.
|
Lifecycle Governance
Automate end-to-end oversight of models, applications and agents — including the new agentic AI monitoring capabilities. |
Compliance Accelerators
Pre-built coverage for the EU AI Act, ISO 42001, NIST AI RMF, and an expanding portfolio of emerging AI policies. |
|
Risk & Security
Real-time monitoring of risk metrics, security vulnerabilities, bias detection, drift monitoring and explainability. |
Deploy Anywhere
Govern models deployed on any platform — AWS, Azure, on-premises — wherever your AI lives. |
The Bottom Line
The EU’s Omnibus delay has given organisations extra time — but UK regulators aren’t waiting, and neither should you. The FCA expects governance to be in place now, under existing frameworks. Ofgem expects the same. The organisations that use this window to build robust, automated AI governance will move faster, deploy with more confidence, and face fewer regulatory surprises.
The ones that can’t will find themselves explaining to regulators, auditors, and boards why they didn’t see this coming — despite every possible signal.
The regulatory runway is there. Use it to build, not to delay.
Continuing the Conversation
The regulatory direction of travel for AI is becoming clearer, even if the practical implications are not.
If you’re navigating similar questions around AI accountability, governance, or operational readiness, I’m always open to a thoughtful discussion and exchange of perspectives.
Disclaimer: The postings on this site are my own and don’t necessarily represent IBM’s positions, strategies or opinions.
This article is intended for informational purposes only and does not constitute legal, regulatory or compliance advice. While every effort has been made to ensure accuracy at the time of publication, the regulatory landscape is evolving rapidly. Readers should consult qualified legal and compliance professionals for guidance specific to their organisation. References to IBM products and services are for illustrative purposes and do not constitute a contractual commitment. All regulatory citations are based on publicly available sources current as of May 2026.
Views expressed do not reflect the views of any IBM clients or partners.
Leave a Reply