Somewhere in your firm today, an AI system drafted a paragraph, summarised a document, or flagged a transaction, and no one signed off on whether the output was correct. That is not a prediction about where things are heading. It is a description of where most advice firms already are.
The question is no longer whether AI is in your firm. It is whether you are using it deliberately, with appropriate oversight, or whether it is accumulating quietly in tools and workflows while the liability question goes unanswered.
This article sets out what AI actually does in a financial advice context, what the regulatory direction of travel looks like, and where to start if you want to get ahead of the governance gap rather than behind it.
What AI is actually doing inside advice firms today
Most of the AI your firm encounters is not a chatbot on a screen. It is embedded in the platforms you already pay for: your back-office system, your CRM, your document management tools.
The applications that are already operating in firms like yours fall into a few clear categories:
- Drafting and summarisation. AI tools are being used to draft suitability letters, meeting notes, and client-facing reports. Intelliflo has reported a 97% time saving on certain document drafting tasks for firms using its integrated workflow tools[1].
- Client onboarding and KYC. Digital onboarding tools using AI-assisted document verification have been shown to reduce KYC processing time by around 34% in regulated financial services[2].
- Compliance monitoring. Pattern-matching on client communications and transaction data to flag potential issues before they reach a human reviewer.
- Research and analysis. Summarising fund factsheets, distilling lengthy regulatory documents, or pulling comparable data across a portfolio.
None of these are science fiction. They are available today, often within tools you already license.
The governance gap that most firms have not closed
The fact that these tools are available does not mean they are being used safely. The gap between “we have an AI feature switched on” and “we have a governance framework that covers AI outputs” is wide, and the window for closing it is narrowing faster than most firms realise.
AI hallucination, where a model generates a confident-sounding but factually wrong output, is no longer just a quality concern. It is becoming a liability question. In a regulated context, an AI-drafted suitability letter that contains an incorrect figure or a mischaracterised product feature is not a technology failure. It is a professional failure, and the accountability sits with the firm[3].
The FCA has confirmed it will apply existing regulatory frameworks to AI rather than drafting new specific AI legislation[4]. That means your existing obligations under the Consumer Duty, SMCR, and the rules governing suitability all apply to AI-assisted outputs. “The system produced it” is not a defence.
The accountability for an AI-assisted output sits with the firm that used it, not the vendor that built it.
The FCA and Bank of England have also signalled, in a joint statement with HM Treasury, that AI governance for UK-regulated firms is moving from voluntary best practice toward a clearer regulatory expectation[5]. Firms that treat governance as something to revisit later are building that debt up now.
What the regulatory expectation actually looks like
The FCA’s position is worth understanding precisely, because it is different from what some vendors imply.
The FCA is not telling firms not to use AI. It is telling firms that when they use AI, the usual rules apply. That has a few practical implications:
Human sign-off is not optional on regulated outputs. Any AI-generated content that feeds into a client recommendation, a suitability assessment, or a regulated communication needs a human to review and take responsibility for it before it reaches the client. An AI system can draft; a qualified person must approve.
You need to know what AI you are using. “We use our back-office system” is not a sufficient answer if your back-office system has embedded AI features. You need to know which features are active, what data they process, and what oversight is in place.
Vendor contracts now carry real weight. DORA, the EU’s Digital Operational Resilience Act, requires financial entities to include clear and complete descriptions of all functions and ICT services in third-party provider contracts[6]. If your AI tools are embedded in your tech stack, the contractual relationship with that vendor is a risk management document, not just a billing arrangement.
Three levels of AI use, and where most firms actually sit
It helps to think about AI adoption in your firm across three levels, because the right response depends on which level you are at.
Level 1 (education). You are using AI features that are already inside your existing tools, or you are starting to explore what is available. The fix here is mostly awareness and basic governance: knowing what is switched on, establishing a simple review practice for AI outputs, and making sure your team understands the rules. This costs almost nothing and is available immediately.
Level 2 (integration). You want two or more tools to share data or trigger actions automatically: your CRM passing information to your back-office system, or a document review workflow that flags items for a paraplanner rather than making a human chase them. This involves configuration work across platforms like n8n, Make, or Power Automate. Typically a few days to a few weeks, and a few hundred to a few thousand pounds.
Level 3 (custom build). You have a specific, complex problem that no off-the-shelf tool addresses, and the business case justifies real engineering: a bespoke AI agent that operates across multiple systems, remembers context between sessions, and executes multi-step tasks autonomously. This is real development work, four to twelve weeks properly scoped, and it should only be pursued when Levels 1 and 2 have been genuinely exhausted.
Most firms that think they need Level 3 actually need Level 1. The discipline is in being honest about that.
What to do now
If you want to close the governance gap rather than let it widen, the starting point is practical.
First, map what AI you already use. This does not need to be a formal project. Go through your active tools and subscriptions and identify which have AI features enabled. Your back-office system, your CRM, your communication tools, your document management platform. List them. Note which features are active and which are not.
Second, establish a review practice for AI outputs. Before any AI-generated content reaches a client, a qualified person checks it. This does not need to be a lengthy process. It needs to be consistent and documented. If a suitability letter was drafted by an AI tool and a paraplanner reviewed it, that review needs to be on the record.
Third, check your vendor contracts. Do your agreements with AI-enabled vendors specify what data is processed, how it is stored, and what happens if the service is disrupted or the vendor changes its terms? Vendor instability is a real risk: margin compression in the AI application layer means some of the tools firms have built workflows around may pivot, raise prices, or fail within the next twelve to eighteen months[7].
Fourth, assign responsibility. Someone in your firm needs to own AI governance. Not as a full-time role, but as a named accountability. Under SMCR, accountability for operational risk, including technology risk, has to sit with an identified individual.
The honest position on AI in advice
AI will not replace a good financial adviser. The work that matters most in this profession, the judgement, the relationship, the ability to hold a client steady when markets move, is not something a model can replicate.
What AI can do is reduce the time your team spends on the tasks that surround that work: drafting, summarising, cross-referencing, flagging. Done well, with proper oversight, that frees up capacity for the work that only humans can do.
The firms that will find AI genuinely useful are not the ones that move fastest. They are the ones that move deliberately, knowing what they are using, why they are using it, and who is responsible for the outputs.
If you want to think through what deliberate AI adoption looks like specifically for your firm, a discovery call with Cordrey Consulting is a good place to start.
This article is for informational purposes only and does not constitute regulated financial advice or a compliance opinion. Consult a qualified compliance professional for advice specific to your firm.
This article does not constitute legal advice. Data protection obligations vary by circumstance and jurisdiction. Consult a qualified solicitor or data protection adviser for advice specific to your firm.
This article does not constitute legal or regulatory advice. DORA obligations apply to regulated financial entities and their ICT third-party providers. Consult a qualified adviser for your firm’s specific requirements.
Sources
[1] Intelliflo, ‘Success stories’, Intelliflo Insights, 2026. Available at: https://www.intelliflo.com/insights/success-stories
[2] University of Edinburgh (2023) ‘Digital onboarding and KYC processing time in regulated financial services’, unpublished RCT. [Finding: 34% reduction in KYC processing time with digital onboarding in regulated financial services.]
[3] FCA, ‘AI in financial services, our approach’, Financial Conduct Authority, 9 June 2026. Available at: https://www.fca.org.uk/news/blogs/ai-financial-services-approach
[4] FCA, ‘AI in financial services, our approach’, Financial Conduct Authority, 9 June 2026. Available at: https://www.fca.org.uk/news/blogs/ai-financial-services-approach
[5] FCA, Bank of England and HM Treasury, ‘FCA, PRA and Bank of England joint statement on frontier AI and cyber resilience’, Financial Conduct Authority, 22 May 2026. Available at: https://www.fca.org.uk/news/statements/fca-boe-treasury-joint-statement-frontier-AI-models-cyber-resilience
[6] EIOPA, ‘Joint final report on draft RTS on subcontracting of ICT services supporting critical or important functions’, European Insurance and Occupational Pensions Authority, 26 May 2026. Available at: https://www.eiopa.europa.eu/publications/joint-final-report-draft-rts-subcontracting-ict-services-supporting-critical-or-important-functions_en
[7] Van Riel, Z. (2026) ‘AI agent scaling gap: pilot to production’, AI Engineer Blog. Available at: https://zenvanriel.com/ai-engineer-blog/ai-agent-scaling-gap-pilot-production-2026