Artificial intelligence
AI Governance Review
The Financial Conduct Authority’s expectations have been made clear in several FCA publications:
The FCA has no plan for an AI rulebook. Instead, the UK regulator points to existing obligations, including those under SYSC, MAR, SM&CR, the Consumer Duty and operational resilience.
This supervisory approach is not restricted to the UK of course. Across the EU, firms must overlay the AI Act on top of current financial-services and data-protection requirements. In the US, AI is expected to be managed through the same compliance, supervision and disclosure structures that already apply to SEC-registered firms.
AI Governance Review
Independent gap analysis of current AI usage controls. Formal report with prioritised recommendations.
Framework Implementation
Full deployment of policies, risk assessments, use case register, approval workflows, and oversight structures.
Ongoing Oversight Service
Retained support covering the monitoring of regulatory updates, periodic reviews, and management information reporting.
AI Data Governance
Bespoke programme focused on data classification, clean-up, and governance of data used within AI models.
What regulators expect in practice
Is this simply a matter of writing an AI policy? No. Read the FCA’s carefully crafted language: it is much more about good governance.
Regulatory expectations are converging around governance, accountability, and demonstrable control.
Firms are expected to evidence:
- A clear and documented understanding of where AI is being used and by whom
- Defined ownership and accountability under SM&CR
- Appropriate controls and oversight
- Effective management of third-party risk
- Documentation and audit trails that demonstrate governance in practice
- Evidence that controls are operating effectively, supported by monitoring, testing, and management information
The Current AI Governance Challenge
The challenge firms face today is not theoretical. Across the industry, we see two structural gaps:
- The capability gap. Oversight functions often lack the tools and understanding to govern AI effectively.
- The implementation gap. There is no clear, consistent method to translate regulatory expectations into operational AI governance.
The core challenge firms now face in practice is how to implement AI governance consistently through tailored AI policies, acceptable use standards, AI risk assessments and, ultimately, effective oversight frameworks.
Most firms are currently trying to solve this problem on their own because there is no direct rule-making to follow. If these gaps are not addressed, they become regulatory, operational, and reputational risks.
What we’re seeing in practice
Across regulated firms, we consistently see:
- No central AI inventory
- Informal or “shadow” use of tools such as ChatGPT and Copilot
- Limited visibility across AI use at firm level
- Unclear SM&CR accountability
- Third-party AI providers not subject to structured due diligence or oversight
- Governance frameworks that describe principles but do not translate them into operational controls and evidence
- Limited ability to evidence controls to regulators or investors
- Lack of internal audit or independent challenge of the governance programme
The AI Governance Reality
AI is already being used across firms in compliance, operations, and decision-making, often without formal governance or oversight, and most commonly through staff members’ personal accounts rather than firm-approved tools. The risk is that AI governance has not kept pace with development and deployment.
In practice, firms often lack a clear view of:
- which AI tools and models are being used, and by whom
- what they are being used for, and what data is being fed into them
- how they are being controlled, if at all
- who is accountable for oversight
Industry research consistently shows that firms are deploying AI faster than they can govern it. The challenge is no longer whether to use AI, it is whether firms can demonstrate and evidence how its use is being governed. This is where most firms need a structured, proportionate approach to AI governance. Blueprint GRC can help.
Regulators are increasingly clear on this point, as evidenced in the FCA’s periodic “Regulatory Priorities” publications. In the UK, whilst there are no AI-specific rules yet, existing obligations apply in full, including under SYSC, MAR, SM&CR, and the Consumer Duty.
Firms remain fully accountable for outcomes, regardless of whether they are AI-driven.
Blueprint GRC’s Independent AI Governance Review
We offer an inexpensive, impartial review of your AI governance arrangements, comparing your internal controls with those expected by the regulator and those in use at your peers. The output is an actionable report that can be used internally, or used to evidence to stakeholders, including regulators, that your AI governance has been independently assessed and meets good governance objectives.
We review and report on whether AI governance is truly operational, not merely theoretical. We want to see that the capability and implementation gaps have been addressed.
Our approach is simple:
- Clarity over complexity
- Implementation over theory
- Evidence over policy
- Monitoring over assumption
We help firms establish control over AI usage, apply risk-based governance and oversight, and evidence their processes in a way that is proportionate to how the technology is being used.
The result is governance that is proportionate, practical, and defensible.
The objective is not to create a theoretical AI policy. It is to help firms translate high-level obligations into day-to-day operational governance that works across the Three Lines of Defence.
Blueprint GRC offers a structured, practical approach to governing AI in real-world environments. Our AI Governance Review creates a framework for good governance and is structured around four core components:
AI Control Framework
- AI Policy
- Acceptable Use Standard
AI Use Case Lifecycle
- Governance process and approval model
AI Assessment & Risk Framework
- Know Your Needs assessment
- Model / architecture assessment
- AI risk assessment
AI Oversight & Monitoring
- Vendor due diligence
- AI use case register
- AI monitoring framework
- Governance reporting
What good looks like
A well-governed approach to AI includes:
- Clear restrictions on AI use, including controls over data input and approved tools
- A complete inventory of AI use across the firm – at firm and employee level
- Defined ownership and SM&CR accountability
- A risk-tiered approach to assessing AI use
- Structured oversight of third-party tools
- Ongoing monitoring and oversight, including use case-level control validation, periodic review, and clear management information
- Documentation, reporting, and management information that can be relied upon in practice and that evidence how AI governance operates, supporting regulatory and investor scrutiny
- An independent assurance model that is proportionate to the firm, whether through in-house internal audit or a properly structured outsourced arrangement
AI Governance – Self Test
Ask yourself…
- Do we have a complete inventory of AI use across the firm (and our employees)?
- Could we clearly explain how AI outputs are governed?
- Is accountability for AI use defined across senior management and control functions?
- Do first-line teams know what they can and cannot do with AI in practice?
- Do second-line teams have enough visibility and technical understanding to challenge AI use effectively?
- Can third-line audit, whether internal or outsourced, rely on evidence for independent assurance?
- Would we be comfortable evidencing this to the FCA, SEC, ESMA, a relevant EEA National Competent Authority, or to investors?
- Could we evidence this clearly if challenged tomorrow?
AI Governance Framework
A practical, proportionate framework for implementing AI governance
Overview
AI is already being used across firms, often without clear oversight, ownership, or documentation. While adoption has accelerated, governance has not kept pace.
Across the industry, firms are facing two structural challenges:
- A capability gap – oversight functions lack the tools and understanding to govern AI effectively
- An implementation gap – there is no clear, consistent way to translate regulatory expectations into operational AI governance
This creates a disconnect between how AI is being used and how it is governed.
The Financial Conduct Authority’s position is clear and reflects a broader global direction: existing obligations, including those under the Principles for Businesses, SYSC, SM&CR, and the Consumer Duty, apply in full to AI.
Firms are not being asked whether they use AI. They are being asked to demonstrate how it is governed.
What the framework is designed to do
Our Framework helps firms:
- Identify and document how AI is being used across the business
- Establish clear ownership and accountability
- Assess and manage risks associated with AI use
- Align AI use with existing regulatory obligations (including SYSC, MAR, SM&CR, and the Consumer Duty in the UK)
- Implement appropriate controls and oversight
- Establish clear controls and standards governing how AI can and cannot be used
- Monitor AI use and outputs over time
- Produce evidence that can be relied upon by regulators and investors
AI Governance – Core components of the framework approach
AI Use Case Register
A central inventory capturing where and how AI is used across the firm, including ownership, purpose, and data inputs.
Risk Assessment Framework
A proportionate, risk-tiered approach to assessing AI use cases, allowing firms to focus effort where it matters most.
AI Policy & Acceptable Use
A clear, practical policy framework aligned to how AI is actually being used within the firm. This sets out how AI can and cannot be used, including expectations around data handling, acceptable use, and oversight.
Vendor Due Diligence
Structured assessment of third-party AI providers, including data handling, security, model governance, change management, and jurisdictional considerations.
Governance & Approval Process
Defined ownership, accountability, and approval workflows to ensure appropriate oversight of AI use.
Monitoring & Oversight Framework
Structured monitoring of AI use at the use case level, including control validation, Use Case Owner attestations, compliance sampling, and management information reporting.
Governance & Evidence Pack
Documentation, reporting, and management information designed to evidence how AI governance operates in practice, supporting regulatory and investor scrutiny.
Our framework is:
- Proportionate – scaled to the size and risk profile of the firm
- Practical – designed for lean compliance and operational teams
- Regulator-aligned – grounded in FCA expectations and consistent with global direction
- Evidence-driven – built to stand up to regulatory and investor scrutiny
The result is a framework that can be implemented, operated, verified, and evidenced, rather than a disparate set of policies that would not withstand FCA scrutiny.
Ongoing Oversight Service
Regulatory expectations rarely fit a ‘one and done’ approach, and the underlying factors never stand still. AI governance is no exception, so we offer ongoing support.
Retained solution
Continued access to subject-matter experts.
Market and regulatory updates
Proactive briefings on relevant external developments.
Periodic reviews
Revisiting your AI Governance framework to consider internal changes and external influences.
Management information reporting
Periodic reporting that evidences management engagement.
AI Data Governance
Fragmented data equals friction
Disparate or inconsistent data can result in:
- Excessive reconciliation cycles
- Delayed or inaccurate reporting
- Slower decisions
- Missed opportunities
When data is fragmented, decisions are slow and may be poor. Hours spent on scrubbing and reconciliation could be used more efficiently. The foundation matters – get the data right first.
Deploying AI?
Start with an authoritative source
Strong AI begins with stronger data foundations.
Divergent data puts the integrity and success of any AI implementation at risk; establishing the master source, a single version of the truth, is vital.
The hidden cost of data chaos
Data errors remain one of the top challenges for investment managers:
- Teams waste significant time on data reconciliation
- Most firms lack centralized data discovery
- Decisions made on stale data in real-time markets
- Different teams working from different versions of truth
- Critical reports delayed because data “doesn’t match”
- Hours wasted on firefighting, not alpha generation
- Manual processes that don’t scale with AUM growth
- AI and internal systems producing inconsistent outputs
Confidence in your numbers is non-negotiable.
Analytics · Alpha · AI, all powered by trusted data
What We Deliver
Precision-engineered data foundations that transform chaos into confidence
- Eliminate reconciliation bottlenecks
- Accelerate reporting from days to hours
- Strengthen trust in NAV and risk analytics
How We Transform Your Data
Seamless Integration: Unify all data sources into one analytics layer
Advanced Aggregation: Synthesize across funds without losing granularity
Actionable Analytics: Data structured for investment decisions
Built for Confidence and Scale
Quality Controls: Catch errors at source, not month-end
Future-Proof Models: Flexible data models that evolve with your business without costly system overhauls
End-to-End Governance: GDPR-compliant with full audit trails
The Blueprint GRC Advantage
While competitors wrestle with Excel chaos, you could be making decisions on real-time trusted data. Turn data into your competitive advantage.
Domain Expertise: We speak NAV, attribution, compliance – not just tech
Cost-Optimized: Enterprise capabilities without enterprise overhead
Proven: From boutique managers to global platforms
Ready to Build Trust in Your Data?
- Deliver fast, accurate data for investment decisions
- Consolidate disparate data for regulatory reporting
- Reduce, or remove entirely, complex and time-consuming reconciliations
- Clean data before use, reduce false positives and improve data governance
- Gain confidence in the accuracy of AI outputs
If data is unified, performance accelerates. Let’s transform your data infrastructure into a decision engine.
Who this is for
- FCA-regulated firms, both buy-side and sell-side
- Firms with EU and US regulatory nexus that need a consistent AI governance model across jurisdictions
- Other regulated firms using AI within their operations
- Businesses seeking to formalise or strengthen existing AI governance
Get in touch
If you would like independent support to help ensure your AI Governance stands up to scrutiny, we would be happy to walk you through our approach.