Most financial services firms know they should be doing something with AI. Fewer than half are doing anything meaningful. That gap isn’t ignorance; it’s a considered response to a set of real concerns that don’t get talked about honestly enough. This article tries to do that.

The hesitation is understandable. But the cost of standing still is rising faster than most firm owners realise.

What’s actually holding firms back from adopting AI?

The honest answer is a cluster of overlapping concerns, none of which are irrational on their own. The problem is that together they’ve created a kind of paralysis, where the risk of acting and the risk of not acting both feel too large to manage.

The main barriers I hear from firm owners are: regulatory uncertainty about what AI use is permitted and expected, cybersecurity liability from deploying systems they don’t fully control, and the internal change required to make AI work at all. Each one is worth taking seriously.

What does the regulatory picture actually require right now?

The regulatory signal has sharpened considerably in the past few months. The FCA and the Bank of England have formally confirmed that frontier AI models now exceed baseline cyber resilience capabilities, treating AI governance as a hard regulatory obligation rather than a matter of internal best practice [1]. That’s a significant shift in tone.

What it means in practice for a small or mid-sized advice firm is that “we haven’t thought about AI yet” is no longer a safe answer. It may not expose you to immediate enforcement action, but it does mean you’re operating without a position on something regulators are actively watching. Firms that can’t explain their AI use (or their deliberate non-use) to a supervisor are in a weaker position than those who can.

EIOPA has separately identified data privacy and security concerns, regulatory compliance including GDPR, and a skills shortage as the most commonly cited barriers to AI adoption among insurance and financial firms across Europe [2]. Those findings map closely to what I see in the UK advice market.

The firms that wait for regulatory certainty before acting will discover that certainty arrived as an obligation, not a permission.

The Consumer Duty and SMCR frameworks already require firms to evidence how they reach decisions affecting clients. If AI is part of that process, it needs to be auditable, with human sign-off at each point where a regulated judgement is made. That isn’t a barrier to AI use; it’s a design constraint. Build to it from the start, and it’s manageable.

Is AI in financial services actually a cybersecurity risk?

Yes, and this one deserves more attention than it gets.

The attack surface has expanded beyond what most firms are prepared for. The risks now include prompt injection (where untrusted text the system reads, such as a client email or an uploaded document, is interpreted by the model as instructions and pushes it outside its intended behaviour), chatbot personality manipulation, and behavioural guardrail exploitation [1]. Any firm running an AI assistant that reads client-supplied content, even a basic one, carries a growing operational risk liability it may not have fully assessed.

There’s also the vendor stability question. A number of application-layer AI tools that firms have built workflows around are under structural pressure as compute costs rise and startups either move upmarket or collapse. A firm that has embedded a third-party AI tool into its suitability review process and finds that tool discontinued or materially changed faces both a business continuity problem and a potential compliance gap. Vendor due diligence is now a compliance question, not just a procurement one.

None of this means don’t use AI. It means use it with governance built in, not bolted on afterwards.

What does the skills and culture gap actually look like?

This is the barrier firms talk about least and experience most.

Gartner identifies security and governance concerns alongside skills gaps as the primary obstacles slowing production adoption of agentic AI [3]. The skills gap isn’t just technical. It’s the gap between what a tool can do and what a team is ready to do with it, including how to check it, when to override it, and who is responsible when it goes wrong.

In financial services that gap is wider than in most sectors, because the regulatory consequences of a bad AI output aren’t abstract. A suitability letter drafted with AI assistance and not reviewed by a qualified adviser before sending isn’t a minor quality issue; it’s a potential compliance failure. The workflow has to reflect that, and building those workflows takes time and clear ownership.

The distinction that matters here is between AI adoption, which means layering new tools onto existing structures, and genuine operational redesign, which means rethinking how work is done in light of what the tools can actually do. Most firms that have had unsatisfying AI experiences have tried the first. The second is harder, but it’s the one that produces durable results.

What does staying on the sidelines actually cost?

The efficiency differential is real and widening. Intelliflo’s 2026 research found that tech-engaged advice firms saw a 97% time saving on specific administrative processes [4]. That figure is vendor-reported and reflects specific use cases rather than a whole-firm average, but the directional point holds: firms that have started integrating AI into operational workflows are freeing up meaningful adviser time. Those that haven’t are carrying that administrative load at full cost.

The EBA’s 2026 report on digital transition in banking noted 2,554 significant incidents recorded in 2024, up from 2,343 in 2023, as firms grappled with growing digital infrastructure complexity [5]. Firms that haven’t yet built AI governance frameworks are adding to that risk profile with each tool they eventually deploy under pressure, rather than by design.

The competitive picture is also shifting faster than the headline numbers suggest. Intelliflo’s data showed the share of “Champion” firms, those actively using technology strategically, rose by roughly a third in the past year, while the cohort of cautious “Explorers” shrank significantly [4]. The middle ground is eroding.

What should a firm actually do if it hasn’t started yet?

This doesn’t need to be a major project. It needs to be deliberate.

First, map what you already have. Most firms using Microsoft 365 or Google Workspace have AI capability they aren’t using. Copilot, Gemini, and built-in automation tools are often already licensed. Start there before evaluating anything new, but check the tenant settings and processor terms before switching anything on: where prompts and documents are processed, whether they are retained, and what the assistant can reach. Tools of this kind generally act with the signed-in user’s permissions, so over-broad file sharing becomes over-broad AI access.

Second, pick one process and design it properly. The firms that get the most value from AI don’t try to automate everything at once. They pick a single, well-defined task, build the human review steps in explicitly, and prove the workflow before expanding it. Meeting notes, first-draft client communications, and research summaries are common starting points because the human review step is obvious and the downside of an error is low.

Third, document your position. Even if you decide AI has no role in your firm right now, write that down and review it annually. Regulators are increasingly interested in how firms are using third-party tools, including AI [1]. A firm that has thought about this and made a considered decision is in a better position than one that simply hasn’t engaged.

Fourth, treat vendor selection as a compliance question. Any AI tool used in a regulated process needs to be evaluated for data handling, auditability, and contractual stability. The IP and data rights disputes emerging from commercial AI agreements are a material risk for firms that signed contracts without legal scrutiny [6].

AI outputs used in any regulated process require human review before they are acted on. That applies to suitability drafts, client communications, and any document that touches an advice or compliance decision. That’s not a caveat; it’s the design principle the workflow needs to be built around.
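One way to build the human-review principle into a workflow rather than leaving it to habit is a sign-off gate with a tamper-evident record. The following is an added example (not the article’s or any vendor’s code) of such a gate for an AI-generated draft: release fails closed unless a qualified adviser has approved the exact text, and an edit after approval forces a re-review. The draft text, roles and identifiers are constructed assumptions.

```python
"""Added example: a minimal human sign-off gate for AI-generated drafts in a
regulated process. Draft text, roles and identifiers are assumptions."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


def _digest(text: str) -> str:
    """SHA-256 of the reviewed text, so later edits are detectable."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class AIDraft:
    draft_id: str
    process: str                     # e.g. "suitability_letter"
    model: str                       # which tool produced it, for vendor traceability
    text: str
    audit_log: List[dict] = field(default_factory=list)
    approved_digest: Optional[str] = None

    def record(self, event: str, **details) -> None:
        """Append-only audit trail a supervisor can be shown."""
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "event": event, **details})

    def approve(self, reviewer: str, is_qualified_adviser: bool) -> None:
        """Only a qualified adviser may sign off; approval binds to the text digest."""
        if not is_qualified_adviser:
            self.record("approval_rejected", reviewer=reviewer, reason="not qualified")
            raise PermissionError("only a qualified adviser may sign off")
        self.approved_digest = _digest(self.text)
        self.record("approved", reviewer=reviewer, digest=self.approved_digest)

    def release(self) -> str:
        """The only path by which text leaves the system. Fails closed if there
        is no approval or the text changed after approval."""
        if self.approved_digest is None:
            self.record("release_blocked", reason="no human approval")
            raise RuntimeError("draft has not been reviewed")
        if _digest(self.text) != self.approved_digest:
            self.record("release_blocked", reason="edited after approval")
            raise RuntimeError("draft changed after sign-off; re-review required")
        self.record("released")
        return self.text


def walkthrough():
    """Constructed scenario: unreviewed release is blocked, a paraplanner cannot
    sign off, an adviser can, and an edit after approval blocks release again.
    Returns (outcome per step, audit events) so the behaviour can be checked."""
    d = AIDraft("D-0001", "suitability_letter", "assumed-model-v1",
                "Dear Mr Smith, following our meeting on 3 March ...")
    outcomes = []
    steps = (
        lambda: d.release(),
        lambda: d.approve("paraplanner", is_qualified_adviser=False),
        lambda: d.approve("adviser", is_qualified_adviser=True),
        lambda: d.release(),
        lambda: setattr(d, "text", d.text + " [edited after sign-off]"),
        lambda: d.release(),
    )
    for step in steps:
        try:
            step()
            outcomes.append("ok")
        except (RuntimeError, PermissionError) as exc:
            outcomes.append(type(exc).__name__)
    return outcomes, [entry["event"] for entry in d.audit_log]


if __name__ == "__main__":
    for line in walkthrough():
        print(line)
```

The digest is what turns a policy ("an adviser reviews it") into a control: the approval is bound to the exact wording the adviser saw, and the audit log records who approved what, when, and from which tool. In a real deployment the log would be written somewhere the drafting system cannot modify.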

The honest position

The firms doing this well aren’t the ones with the biggest technology budgets or the most appetite for risk. They’re the ones that took the question seriously, started small, and built governance in from the beginning.

The regulatory environment is not going to become clearer by waiting. The FCA and Bank of England’s direction of travel is toward firms having a demonstrable position on AI governance, not toward giving cautious firms more time [1]. Acting carefully and deliberately is the right response. Acting late is not.

If this is the situation your firm is in and you’d find it useful to think through what a sensible first step looks like for your specific setup, a discovery call with Cordrey Consulting is a good place to start.


This article is for informational purposes only and does not constitute regulated financial advice or a compliance opinion. Consult a qualified compliance professional for advice specific to your firm.


Sources

  • [1] FCA and Bank of England, joint statement on frontier AI and cyber resilience, 2026. Primary source for the regulatory declaration that frontier AI exceeds baseline cyber resilience capabilities and constitutes a hard governance obligation for UK financial services firms. Available via FCA Publications.
  • [2] EIOPA, report on generative AI adoption barriers in European insurance and financial services, 2026. Source for data privacy, GDPR compliance, and skills shortage as leading reported barriers.
  • [3] Gartner, Hype Cycle for Agentic AI 2026 (2026). Vendor-sourced. Source for security, governance, and skills gaps as primary obstacles to production AI adoption.
  • [4] Intelliflo, Intelliflo Insights research report, 2026. Vendor-sourced. Source for 97% time savings figure on specific administrative processes, and for Champion/Explorer cohort shift data.
  • [5] EBA, report on digital transition in the banking sector, 2026. Source for significant incident counts: 2,554 in 2024 vs 2,343 in 2023.
  • [6] Reported commercial litigation context around AI partnership agreements and IP/data rights disputes, 2026. Source for the claim that AI commercial contracts carry material legal exposure for regulated firms.