AI Governance

Using AI in a regulated business — without losing control

Plenty of firms now ask not "should we use AI?" but "how do we use it without getting into trouble?" In a regulated business that's exactly the right question – because adopting AI isn't really a technology decision, it's a control decision. Can you explain what it did, evidence it, and stand behind it?

AI doesn't remove accountability – it concentrates it

If an AI tool helps decide a customer outcome, the firm still owns that outcome. Under Consumer Duty and similar regimes, "the model did it" is not an answer. So the question for every AI use case is the one I'd ask of any process step: who is accountable, what's the control, and where's the evidence?

Put it inside a mapped process, not beside one

The safest place for AI is inside a process you already understand. When a step is mapped, owned and measured, you can drop AI into it with clear inputs, a defined decision, and a human checkpoint where the stakes warrant one. Bolting AI onto an undefined process just makes a black box harder to audit.

What "governed AI" actually looks like

  • Explainability – you can say, in business terms, why a decision was made.
  • Human-in-the-loop – proportionate to risk: light-touch where stakes are low, a real checkpoint where outcomes matter.
  • An audit trail – inputs, outputs and overrides logged, so you can reconstruct what happened.
  • Boundaries – clear rules on what the AI may and may not do, and what gets escalated.
  • Data discipline – because an AI is only as trustworthy as the data and process feeding it.

The analyst's job

This is squarely business-analysis work, not just a technical task. Someone has to map where AI touches the customer journey, tie each use to an owner and a control, and make the whole thing demonstrable to risk, compliance and audit. That's the difference between AI as a liability and AI as a genuine, defensible capability.

The bottom line

Regulated firms don't need to fear AI – they need to govern it the way they govern everything else: mapped, owned, evidenced and proportionate. Get the process and controls right, and AI becomes something you can put in front of an auditor, not something you hope they don't ask about.
