Every AI demo in the last year follows the same script. An agent books a restaurant, summarises some emails, maybe fills in a spreadsheet. The audience claps. The presenter says something about “the future of work.” Nobody mentions what happens when the agent gets it wrong.
In those demos, nothing happens. A bad restaurant booking is a mild inconvenience. A badly extracted risk figure on a Lloyd’s submission is a regulatory incident.
Fifteen years of building AI systems for organisations where mistakes have consequences (the Cabinet Office, the Bank of England, NHS trusts, Lloyd’s market participants) makes one thing clear. The distance between demo AI and production AI in these environments is not something you bridge with better prompts.
The compliance problem nobody talks about
Here is a scenario that plays out weekly across the London insurance market. An MGA receives 200 submission documents. Each one arrives in a different format: PDFs, spreadsheets, emails with attachments, scanned broker slips from the 1990s that someone photographed with their phone. An underwriter needs to extract the risk data, assess whether it fits their appetite, and respond within hours.
The obvious AI play is to automate the extraction. Feed the documents in, get structured data out. Every vendor on the planet will tell you they can do this.
What they will not tell you is what happens six months later when the FCA asks to see your decision-making process. Under Consumer Duty, firms must demonstrate that outcomes for customers are fair. If an AI agent triaged a submission and it was declined, the firm needs to explain why. Not “the model said so.” An actual explanation, with an audit trail, showing what data was extracted, what rules were applied, and where a human reviewed the decision.
This is where most AI projects in regulated industries quietly die. The technology works in the lab. It falls apart the moment someone asks “can you prove this to a regulator?”
Data sovereignty is not optional
The second wall is data. Insurance submissions contain personal data, medical records, financial details. Legal documents are covered by professional privilege. Investment research is material non-public information.
Sending this to an API endpoint in Virginia is what happens when firms use most SaaS AI tools. For a marketing team, that is a tolerable risk. For a Lloyd’s managing agent processing claims data that includes medical reports, it is potentially a breach of FCA outsourcing rules. For a law firm feeding client contracts into a US-hosted tool, it is a question the SRA will eventually ask, and “we didn’t think about it” will not be an adequate answer.
The firms getting AI right are the ones deploying on their own infrastructure, in their own geography, with their own encryption keys. Less glamorous than a ChatGPT integration. Also the only approach that survives when someone with regulatory authority asks uncomfortable questions.
The eighteen-month roadmap
There is a pattern that destroys more enterprise AI initiatives than any technical challenge. Call it the Roadmap Death Spiral.
A firm decides to adopt AI. They hire a consultancy. The consultancy produces a 200-page strategy document. Six months pass. A proof of concept is built in a sandbox with synthetic data. Another six months. The POC is declared a success. Then someone discovers that deploying it in production requires solving data governance, infrastructure, security, and integration problems that nobody scoped. The executive sponsor has moved on. The budget is exhausted. The slides get filed.
A FTSE 250 insurer, two years into this path, had a beautiful strategy deck and zero agents in production. This is not unusual.
What actually works is starting small and getting to production fast. Pick one workflow. Build one agent. Deploy it on real infrastructure with real data and real governance controls. See what breaks. Fix it. Build the next one.
Production agents have shipped in six weeks for organisations that had been “exploring AI” since 2024. The difference is not technical sophistication. It is the willingness to start with something useful rather than something all-encompassing.
Watch the Lloyd’s market
The Lloyd’s market is the bellwether for where regulated AI is heading. Blueprint Two is pushing the market toward digital-first operations. The firms running agentic AI are seeing submission processing times drop from days to hours, bordereaux validation that catches errors humans miss, compliance monitoring that runs continuously rather than in quarterly fire drills.
But they are not using off-the-shelf AI products. They are deploying purpose-built agents that understand their specific workflows, connect to their specific systems, and operate within their specific regulatory constraints. A submission triage agent for a Lloyd’s managing agent looks nothing like a document classifier for a retail insurer, even though the underlying models are similar.
This pattern will spread across legal and asset management within two years. Not because the technology is new, but because the deployment model is finally catching up with the regulatory reality.
What “production-ready” actually means
An AI agent that is production-ready for a regulated environment meets a specific bar. Every action the agent takes is logged in an immutable audit trail. There are human-in-the-loop gates before any client-facing output. The deployment runs on infrastructure the firm controls, with encryption keys the firm manages, in a geography the firm specifies.
It also means the agent works. Not in a demo. Not on test data. On the actual documents, in the actual workflows, with the actual edge cases. The submission that arrives as a 47-page PDF with the key figures buried in a table on page 31. The bordereaux with a column that means something different depending on which broker sent it.
The firms that treat governance as an afterthought are the ones that never ship. The firms that build it in from day one are the ones with live agents processing real work, right now, while their competitors are still refining strategy decks.
Nobody at AI conferences wants to talk about this. It is not a model gap. It is a deployment gap. And the organisations that close it first will have a compounding advantage that is very difficult to catch.