Most AI consultants are technologists. They have never sat across a table from a regulator. Most compliance and risk veterans haven't gone deep enough on AI to know what it can and can't do, where the real exposures are, or how to evidence a process that includes a model in the loop.
The gap between the two is where mid-market regulated businesses get hurt. I spent years inside one of those businesses, in financial-services claims, and I can tell you exactly where the bill lands.
Three places the gap shows up
Data handling. UK GDPR requires a lawful basis for every processing of personal data, and the accountability principle requires you to be able to demonstrate it. Most off-the-shelf AI tools don't surface what they're doing with your data: what's logged, whether your prompts and documents are used for training, where it's stored, who can access it. If you can't answer those questions, you can't evidence a lawful basis, and you have a problem waiting for a complaint.
Automated decision-making. Article 22 restricts solely automated decisions that have legal or similarly significant effects on the individual. "The AI scored this and we didn't review it" is exactly the kind of phrase that makes a regulator's pen come out: what keeps a decision outside that restriction is meaningful human review, not a rubber stamp after the fact. Most "AI workflows" don't think about this until the first complaint lands.
Audit trail. SRA, FCA, and the ICO all expect you to evidence your processes. "The model decided" is not an evidence trail. The bar isn't "did you do the right thing?" — it's "can you prove how, when, and why, in a form a regulator will accept?"
What I learned at Get Claims Advice
Compliance isn't the policy on the wall. It's the day-to-day decisions, the audit trail, the data-handling reality. Get either wrong and the audit eats you — not because anyone was malicious, but because the evidence wasn't there when it needed to be.
That principle applies directly to AI adoption. The question isn't "can the AI do this?" The question is "if a regulator asked us to walk them through this decision in twelve months, could we?" If the answer is no, you're not done.
How 8i builds compliance in
Every audit we run includes a compliance read: what data the proposed AI changes would touch, which regulatory regimes apply, and what evidence the operation will need to retain.
Every roadmap we deliver flags the regulatory implications alongside the commercial ones. Not as an afterthought. As a peer concern.
Every retainer client gets a quarterly compliance review. Not because it's glamorous. Because compliance debt compounds in exactly the same way technical debt does, and the bill comes due at the worst possible moment.
If you're in financial services, legal, healthcare, or any regulated sector, and the phrase "we've been experimenting with AI" applies to your operation, we should talk before the bill arrives. Book an audit.