Building AI governance without a regulatory rulebook

Sixty percent of organisations across Asset, Auto and Equipment Finance already have a formal AI policy or governance board in place. Only 5.5% believe current UK regulation on AI is clear and supportive.

That gap is among the more striking findings in the AI Adoption, Workforce Redesign and Operational Readiness report from Resilient Management Solutions and Finance Connect. Internal governance is not waiting for regulatory clarity. In many cases, it is running well ahead of it.

Understanding what that means in practice, and what it should look like for regulated lenders, is increasingly urgent work.

The regulatory picture as it stands

The report finds that 36% of respondents consider UK regulation partially clear, with gaps remaining. A further 33% describe it as confusing or undeveloped. 

The scepticism is understandable. The UK has deliberately avoided legislating a bespoke AI framework, opting instead for a principles-based approach where existing regulators apply their rules to AI-enabled activities. For Asset Finance lenders, that means Consumer Duty, UK GDPR and FCA expectations are the operative framework today, not a dedicated AI statute.

The problem is that principles-based regulation requires interpretation, and interpretation in a fast-moving technology environment creates uncertainty. Firms are making significant AI investment decisions without clear guidance on where the boundaries sit.

What firms are doing instead

Rather than waiting for that clarity to arrive, many organisations are building internal governance structures to manage the risk they can see. Formal AI policies, governance boards, model oversight processes and risk frameworks are all emerging from what the report describes as a market that is prioritising risk rather than dismissing it.

That is a materially different posture from early technology adoption cycles, where governance often arrived after deployment rather than alongside it. The sensitivity of AI in lending decisions, combined with existing regulatory obligations, appears to be driving a more disciplined approach.

Guillaume Moulinet, EaaS Platform Director and Digital Product Manager at Volvo Financial Services, reflects this in his commentary on the report: “Transitioning from experiment to scale will demand robust governance and rigorous business oversight.”

What good governance actually requires

The report draws an important distinction. Having a formal AI policy or governance board is not the same as having governance that would satisfy a regulatory review. For regulated lenders, the threshold is considerably higher.

Meaningful AI governance in a lending context implies clear accountability for model decisions, explainability of outcomes, ongoing monitoring for drift and bias, auditability of the decision trail, and visible mechanisms for human oversight and escalation. Under Consumer Duty, it also requires evidence that AI-touched journeys produce fair outcomes for customers, not just operationally efficient ones.

Data protection sits at the top of the risk register. 38% of respondents identify GDPR as their greatest concern in AI adoption, ahead of bias and discrimination at 22% and regulatory compliance at 16%. That ordering suggests firms are thinking carefully about the data that underpins their AI programmes, not just the models themselves.

Confidence is conditional, not absent

The report also finds that around 60% of respondents are either somewhat or very confident in AI-supported credit or funding decisions, provided suitable controls exist. That conditional confidence is significant. The market is not signalling resistance to AI in consequential decisions. It is signalling that it wants governed, human-supervised deployment rather than autonomous decisioning without oversight.

That is a reasonable position, and one that aligns with where the regulatory direction of travel appears to be heading. The FCA has indicated that it intends to enable responsible AI adoption under existing rules, and is itself using AI to sharpen its own supervisory activity. Firms that have built documented, auditable governance frameworks are better placed when that scrutiny intensifies.

The practical implication

The gap between internal governance and regulatory clarity is not a reason for inaction. It is an argument for building governance that is robust enough to withstand the scrutiny that will eventually arrive, rather than the minimum required by rules that do not yet exist.

Consumer Duty, UK GDPR and model explainability requirements already provide a substantive framework. Firms that treat those obligations as the floor rather than the ceiling, and that document their governance decisions with the same rigour they would apply to any other regulated process, are already doing the work that matters.

The rulebook may still be incomplete. The governance cannot afford to wait for it.

Download the AI Adoption, Workforce Redesign and Operational Readiness report from Resilient Management Solutions and Finance Connect here.