AI governance is no longer an IT committee agenda item — it is a board-level compliance obligation with real regulatory teeth. The Financial Conduct Authority and the Bank of England issued a joint statement in May 2026 signalling that advanced AI deployment in UK financial services now carries systemic risk implications, while the EU AI Act’s first major enforcement milestone arrives in August 2026. Boards that have deferred this conversation are running out of time.

This briefing sets out what UK senior executives need to understand about the shifting regulatory landscape, where accountability now sits under the Senior Managers and Certification Regime, and the concrete steps boards must take before the summer enforcement window closes.

Why Has AI Governance Become a Compliance Emergency Now?

The pace of regulatory convergence has caught many boards off guard. Three major developments have compressed the timeline for action. First, the FCA launched its long-term Mills Review in January 2026, examining how AI is reshaping retail financial services — a signal that supervisory expectations are hardening even before new rules are written. Second, the Competition and Markets Authority published guidance in March 2026 on agentic AI systems, making clear that autonomous AI decision-making must comply with existing consumer protection law, creating immediate obligations for any firm using AI agents in customer-facing roles. Third, the EU AI Act’s high-risk system requirements reach full enforcement in August 2026, directly affecting UK organisations that operate across European markets or process EU citizen data.

The FCA and PRA have not introduced bespoke AI legislation. Instead, they are mapping existing regulatory frameworks — including the Senior Managers and Certification Regime, UK GDPR, and the FCA’s Consumer Duty — onto AI deployment decisions. This is consequential: it means accountability for AI-related failures can already be traced directly to named senior individuals. The FCA’s May 2026 joint statement on frontier AI and cyber resilience makes this accountability trail explicit for the first time.

Executive Action:

  • Map every AI system in use across your organisation against the FCA’s five core principles: safety, security and robustness; transparency and explainability; fairness; accountability and governance; and contestability and redress.
  • Identify the Senior Manager within scope of SMCR who holds accountability for each material AI deployment — this should be documented before your next board meeting.
  • Brief your board on the EU AI Act August 2026 milestone if your organisation has any cross-border EU exposure.

What Does the Boardroom Actually Know About AI Risk?

The gap between executive ambition and board competence on AI is wide and, according to recent research, surprisingly persistent. Deloitte’s 2026 State of AI in the Enterprise report found that nearly three-quarters of boards are perceived to have only moderate or limited AI expertise. Yet 81% of UK respondents in the same study rated AI strategy as a top or high organisational priority. That mismatch of high ambition and low capability is precisely the environment in which compliance failures occur.

More troubling is the pattern of regulatory paralysis. Research published in May 2026 found that 51% of UK chief executives had delayed AI initiatives specifically because of regulatory uncertainty — a figure that has nearly doubled from 26% the previous year. Hesitation is understandable, but delay is not a governance strategy. Regulators are unlikely to treat inaction as a mitigating factor when they investigate AI-related consumer harm or systemic failures.

KPMG and INSEAD’s joint publication of Global AI Board Governance Principles in April 2026 offers the most practical framework currently available for boards seeking to demonstrate oversight. The principles establish that boards must actively govern AI — not merely receive updates from the CTO — with clear expectations on risk appetite, ethical guardrails, and escalation protocols. INFORMD has been tracking this framework as a reference point for the UK executives it briefs across technology, finance, and governance.

Executive Action:

  • Commission an honest board skills audit focused specifically on AI literacy — not digital awareness in general, but governance-level understanding of model risk, explainability, and algorithmic accountability.
  • Use the KPMG/INSEAD AI Board Governance Principles as a self-assessment benchmark at your next board offsite or strategy day.
  • Establish a standing AI risk agenda item at board level, separate from the technology or digital transformation update.

Where Does Accountability Sit Under SMCR for AI Decisions?

The Senior Managers and Certification Regime is now the primary accountability mechanism through which the FCA and PRA will pursue individuals when AI-related failures occur. The May 2026 joint statement from the FCA and Bank of England explicitly frames frontier AI and cyber resilience as linked systemic risks — and SMCR’s Duty of Responsibility means that if a firm cannot demonstrate reasonable steps were taken to prevent a regulatory breach, the relevant Senior Manager faces personal liability.

This has practical implications that go beyond the CTO or Chief Digital Officer. A CFO overseeing AI-driven credit decisioning, a COO responsible for an AI-powered operational workflow, or a CEO who approved an agentic AI deployment in a customer service function each carry potential accountability exposure. The question is not whether your organisation uses AI — virtually every large UK enterprise does — but whether the governance around that use is robust enough to satisfy a regulator in the event of an audit or incident.

Changes to the SMCR regime itself are expected in mid-2026, with the government signalling a more flexible regime run directly by the financial regulators. The direction of travel is toward greater, not lesser, individual accountability for material business decisions — including AI deployment.

Executive Action:

  • Review your Statements of Responsibilities for all Senior Managers to ensure AI governance accountability is explicitly documented where material AI systems are in use.
  • Engage your General Counsel or company secretary to assess whether your current AI governance documentation would satisfy a regulatory inquiry under the Duty of Responsibility.
  • Where agentic AI systems are deployed in customer-facing contexts, conduct a rapid Consumer Duty alignment review with your compliance function.

How Should UK Boards Structure AI Governance for the Year Ahead?

There is no single required structure, but the regulatory expectation is clear: AI governance must be visible, documented, and owned at the top. The most effective frameworks INFORMD has observed among UK mid-to-large organisations share three characteristics. First, they separate AI risk from general technology risk on board agendas — the risk profiles are distinct enough to warrant distinct treatment. Second, they establish cross-functional AI governance committees that include legal, compliance, data, and operational representatives alongside technology leadership. Third, they maintain an AI systems register — a living document that records what is deployed, what decisions it influences, and who is accountable for it.

The multi-jurisdictional pressure is not going away. The convergence of the UK’s sector-based principles framework, the EU AI Act’s risk-tiered enforcement model, and the SEC’s growing focus on AI-related disclosures for US-listed entities creates a compliance environment with no obvious precedent. UK boards with international exposure need a governance posture that is coherent across all three regimes — a challenge that requires legal, strategic, and operational input at the highest level.

Executive Action:

  • Establish or refresh an AI systems register before Q3 2026, covering all material AI deployments and their governance ownership.
  • If your organisation has EU market exposure, conduct a gap analysis against EU AI Act high-risk system requirements ahead of the August 2026 enforcement milestone.
  • Consider external assurance on your AI governance framework — the same rigour applied to financial controls under Provision 29 of the UK Corporate Governance Code should now be applied to AI risk.

INFORMD provides intelligence briefings for senior business leaders across technology, finance, strategy, and compliance. Based in Milton Keynes, UK, we help executives stay informed and act with confidence. Explore our full library of executive briefings or speak to our team.


Frequently Asked Questions

Does UK AI regulation apply to all industries or just financial services?

The UK government has adopted a sector-by-sector approach rather than a single AI Act equivalent. Financial services firms face the most immediate obligations through the FCA, PRA, and the Senior Managers and Certification Regime. However, the ICO enforces UK GDPR obligations on automated decision-making across all sectors, and the CMA’s new guidance on agentic AI applies to any organisation using autonomous AI in consumer-facing contexts. Any UK board using AI in material business decisions faces governance obligations regardless of sector.

What does the EU AI Act mean for UK companies after Brexit?

The EU AI Act applies to any organisation that places AI systems into the EU market or uses AI systems that affect EU citizens — regardless of where the organisation is headquartered. UK businesses with European operations, EU customers, or EU data processing activities need to assess their AI systems against the Act’s risk tiers. High-risk AI systems face the most significant compliance requirements, including conformity assessments, documentation obligations, and human oversight requirements, all of which come into full force from August 2026.

What is the Senior Managers and Certification Regime’s relevance to AI governance?

SMCR creates personal accountability for named Senior Managers when regulatory failures occur within their area of responsibility. Because the FCA and PRA are applying existing regulatory frameworks — including SMCR — to AI deployment decisions, the individual who approved or oversees a material AI system can be held personally accountable if that system causes harm, breaches Consumer Duty, or facilitates a regulatory breach. The FCA’s May 2026 statement on frontier AI makes this accountability trail explicit, reinforcing that AI governance is a personal liability issue for Senior Managers, not just an organisational one.

How quickly do UK boards need to act on AI governance?

The regulatory clock is already running. The FCA’s Mills Review, the CMA’s agentic AI guidance, and the EU AI Act’s August 2026 enforcement milestone all create near-term obligations for UK boards. Additionally, mid-2026 changes to the SMCR framework are expected to increase direct regulator oversight of individual accountability. Boards that do not have documented AI governance frameworks, named accountability owners, and a current AI systems register risk being caught unprepared for an inspection or incident that exposes those gaps. The time to act is before a regulatory event forces the issue.

