The managing director of a 60-person managed services provider has last year’s £120,000 external advisory invoice on her desk. The FCA’s recent examination flagged inconsistent documentation across her seven core policies. The finance director handles vendor contracts, the operations head handles health and safety, and the head of customer success drafts the privacy notices that nobody updates. She has read about Vanta, Spellbook and Harvey, and she knows the FCA’s AI Live Supervised Testing framework commenced in January 2025.
Her question is the right one. Not whether AI belongs in compliance, but which two of the six deployable jobs to compress first, who the qualified individual will be, and what the FCA will want to see next. Compliance is the function where regulators are now openly inviting AI rather than tolerating it, provided the audit trail and the qualified individual are in place. Six jobs to deploy, four to leave with a qualified human, and one cautionary case (Mata v Avianca) that explains why the boundary holds.
What jobs does AI do well in compliance and risk today?
Six jobs have hit the maturity threshold for a £1m to £10m UK regulated SME in 2026. Contract review and term extraction runs at 94 percent accuracy on standard-form agreements and 85 to 90 percent on heavily customised ones. Policy drafting captures 75 to 85 percent of substantive content. Regulatory horizon scanning, vendor due diligence, DPIA preparation and AI register discovery round out the set.
The numbers are concrete. Slaughter and May’s 2025 pilot across 50 UK SME clients documented a 52 percent average time reduction on contract review (35 percent on customised, 75 percent on standard-form). An Ironclad case processed 80 vendor contracts in 8 hours against 40 to 60 hours of junior legal time, with 23 non-standard provisions flagged for human review. A 25-person London fintech generated drafts of seven core policies (AML, KYC, Conflicts, Market Abuse, Third-Party Risk, Operational Resilience, Records) and the FCA gave positive feedback. A Manchester insurance broker on Vanta identified 47 regulatory developments in six months, 14 of which triggered policy updates and 8 of which would have been missed manually. A 35-person Cambridge healthtech firm completed three DPIAs in 24 to 32 hours of internal time against £24,000 to £36,000 of external fees. The ICO’s 2025 guidance explicitly endorses AI-assisted DPIAs, which takes that job from tolerated to encouraged.
Where are UK SMEs actually using these tools?
The platform stack for compliance has settled into three layers. Contract and legal carries Spellbook (£150 to £400 per user per month, Word plugin), Harvey (£300 to £800 per month), Ironclad (£250 to £600 per month, lifecycle and obligation calendar), LinkSquares, ContractPodAi and Robin AI. 360 Business Law’s AiLa is accessible to solo and small firms at £100 to £300 per month.
Compliance automation and audit-readiness carries Vanta (£800 to £3,500 per month for SOC 2, ISO 27001 and FCA-aligned frameworks), Drata (£600 to £2,500), Hyperproof and OneTrust (£1,500 to £5,000 for multi-policy and privacy). The privacy and vendor-risk specialists are Ethyca (£1,000 to £4,000 for consent management and DPIAs), TrustCloud (£400 to £1,500 for third-party questionnaires), Riskimmune for risk register, and Diligent (£1,200 to £4,000) for board risk dashboards. Regulatory horizon scanning runs on FinregE and Zango AI. A typical UK SME runs two to three of these for £800 to £3,000 per month total, with payback driven by elimination of 200 to 400 hours of annual compliance work. The earlier piece on vendor due diligence questions for any AI tool goes deeper on procurement scoring.
Where does AI still fall short in compliance and risk?
Four jobs remain human work, and the boundary is sharp. High-stakes legal advice and novel risk interpretation sit with a qualified solicitor. A 2025 UK technology firm relied on AI analysis that a cloud-services liability cap was reasonable under English contract law, then learned the cap was likely unenforceable under the Unfair Contract Terms Act 1977. The FCA followed up.
The 2025 FCA guidance is explicit on this point. AI systems should not be the sole basis for determining regulatory obligations in novel situations or for providing legal advice on regulatory interpretation. Novel regulatory frameworks sit outside the AI’s training data by definition. When the FCA issued ESG investing guidance, firms using AI found that systems trained on historical data did not reflect the new requirements; human advisors had to correct the output, eroding the efficiency gain. Court submissions and formal regulator interactions are the third boundary, and the cautionary case is Mata v Avianca, where AI-generated arguments included fabricated citations that appeared authoritative but did not exist. A 2025 UK Commercial Court matter echoed the pattern with plausible citations to non-existent cases. The fourth boundary is hallucinations in technical citation work. One firm using AI to generate its AI register found that 15 percent of its NIST and ISO references were inaccurate. Independent verification by a qualified compliance professional before any regulatory submission is non-negotiable, and pairs naturally with the governance gap audit that should precede any rollout.
What does a 90-day starter rollout look like?
Three phases for a 60-person UK regulated SME. Days 1 to 30 are assessment and governance, 30 to 50 staff hours, no major tool spend. The work is a time-allocation audit, a regulatory mapping that surfaces four to eight priority areas, and a governance framework naming the qualified individual, human-review requirements, audit-trail standards and escalation procedures. Vendor evaluation runs in parallel.
Days 31 to 60 are the controlled pilot, roughly 60 to 100 hours. Scope it narrowly, for example “review all vendor IT support contracts to extract key service levels and termination rights”, with 20 to 40 hours of data preparation, 15 to 20 of workflow design, and 4 to 6 hours per user of training. Success metrics are 40 to 60 percent time reduction and 90 percent-plus AI-versus-human-review agreement on routine matters. Days 61 to 90 are production rollout, expanding from the pilot category to broader scope, monthly performance reporting and 10 to 15 hours per month of ongoing monitoring. Total first-year cost typically lands at £11,000 to £29,000 (software £4,000 to £15,000, implementation £3,000 to £8,000, training £2,000 to £3,000, governance £2,000 to £3,000). Year-1 efficiency gain runs £15,000 to £45,000, with payback in 6 to 12 months. The two-page AI policy template is the right starting document for the policy-drafting beat in Phase 1.
What should you ask a compliance AI vendor before signing?
Five procurement questions separate platforms that pass an FCA examination from those that fail. First, FCA AI Live Supervised Testing alignment: does the vendor support the governance, audit trail and human-accountability mechanisms the framework requires? Get it in writing. Second, the named qualified individual: who takes personal professional responsibility for governance and use of the AI system? The FCA expects the role named explicitly in 2026.
Third, ICO and Data Use and Access Act 2025 compliance. Where is the data processed, what is the lawful basis, and does the platform support DPIA workflows, deletion requests and data portability under the Act in force February 2026? Fourth, citation verification: ask the vendor to expose its accuracy testing and require a documented workflow for human verification of every regulatory or standards reference before submission. Assume a 15 percent error rate on technical citations until proven otherwise. Fifth, ISO/IEC 42001 and EU AI Act readiness. Is the vendor building toward ISO/IEC 42001 certification and EU AI Act high-risk obligations from 2 August 2026? UK-only SMEs benefit too, because regulators are aligning expectations and customers in regulated sectors are starting to ask. AI in compliance amplifies whatever governance discipline already exists; if that discipline is thin, the rollout will surface it before the FCA does.
If you would like a second pair of eyes on which two compliance bottlenecks to compress first, and on whether the audit trail holds up against the next FCA examination, book a conversation.