Barney Goodman

4 Jun 2026

2 notes

TLDR Tech

AI Agents Need Permissions Infrastructure, Not Just Policies

The EU AI Act deadline is concentrating minds on compliance documentation, but the harder problem is the one most teams haven't started: how do you actually enforce what an AI agent is allowed to do at runtime?

A policy document saying your agent operates under least-privilege principles is not the same as technically enforcing it. In consumer credit, where an agent might be querying affordability data, triggering bureau calls, or updating application states, the gap between written policy and actual system behaviour is where your regulatory exposure lives.

The pattern that matters here is treating AI agents like external service accounts, not internal trusted processes. That means:

  • Identity at the agent level, not just the user or session level
  • Scoped permissions that are checked on every call, not assumed at startup
  • An audit trail that captures what the agent was authorised to do, what it attempted, and what was denied
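The three points above can be sketched as a single enforcement gate that sits between the agent and the systems it calls. This is an added example, not code from the original note; `AgentGate`, the scope strings, the agent id and the two downstream functions are hypothetical names constructed for illustration.

```python
import time
from dataclasses import dataclass, field

class Denied(PermissionError):
    """Raised when an agent attempts an action outside its granted scopes."""

@dataclass
class AgentGate:
    grants: dict                                  # agent_id -> set of scope strings
    audit: list = field(default_factory=list)

    def call(self, agent_id, scope, action, *args):
        # Grants are looked up on every call, so a revocation applies at once.
        authorised = set(self.grants.get(agent_id, ()))   # unknown agent gets nothing
        allowed = scope in authorised
        # Record what was authorised, what was attempted, and the decision,
        # before the action runs.
        self.audit.append({
            "ts": time.time(),
            "agent": agent_id,
            "authorised": sorted(authorised),
            "attempted": scope,
            "decision": "allow" if allowed else "deny",
        })
        if not allowed:
            raise Denied(f"{agent_id} is not granted {scope}")
        return action(*args)

# Constructed stand-ins for the real downstream systems.
def read_affordability(app_id):
    return {"application": app_id, "disposable_income": 412}

def trigger_bureau_call(app_id):
    return {"application": app_id, "bureau": "requested"}

def demo():
    agent = "agent:affordability"                 # identity at the agent level
    gate = AgentGate({agent: {"affordability:read"}})
    attempts = [("affordability:read", read_affordability),
                ("bureau:call", trigger_bureau_call),
                ("affordability:read", read_affordability)]
    for i, (scope, action) in enumerate(attempts):
        if i == 2:
            gate.grants[agent].discard("affordability:read")  # revoked mid-session
        try:
            gate.call(agent, scope, action, "APP-1")
        except Denied:
            pass                                  # the denial is already audited
    return [(e["attempted"], e["decision"]) for e in gate.audit]
```

The third attempt is denied even though the same call succeeded earlier, which is the difference between checking on every call and assuming permissions at startup.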

UK firms often think the EU AI Act is someone else's problem. It is not. The FCA's own thinking on AI governance is moving in exactly the same direction, and the Consumer Duty obligation to demonstrate good outcomes requires you to explain what your automated systems actually did and why. You cannot do that without the infrastructure described above.

The investment case for this work is also stronger than it looks. Building proper authorisation and audit patterns for AI agents is not compliance overhead. It is the foundation for safely expanding what those agents can do. Right now most teams are artificially constraining agent scope because they have no confidence in what the system will actually attempt. Fix the permissions model and you fix that constraint.

The question worth sitting with is whether your current AI governance programme is producing artefacts that describe intended behaviour, or controls that enforce it.

  • →Lays out identity, policy, and audit patterns teams need to externally enforce least-privilege agent calls under upcomin
  • AI agents
  • regulation
  • AI

TLDR Tech

AI-First UX Will Break Our Loan Journeys

The framing around AI-first UX tends to focus on enterprise productivity tools and knowledge workers. That's the wrong place to look if you're building consumer credit products in the UK.

The more interesting question is what happens to a regulated loan application journey when the interface stops being a form and starts being a conversation. Right now, our origination flows are essentially digitised paper. A sequence of fields, disclosures, affordability questions, consent checkboxes. Compliance teams have spent years getting comfortable with exactly what the customer sees and when they see it.

Agentic UX breaks that contract. If an AI can carry context across a workflow, answer questions mid-journey, and adapt what it surfaces based on the conversation, then the "journey" as a fixed, auditable sequence starts to dissolve. That's not a UX problem. That's a Consumer Duty problem.

The FCA's focus on good outcomes and fair treatment assumes you can point to the experience a customer had. You can screenshot a form. Auditing a conversational agent that behaved differently for different customers because it was personalising in real time is a genuinely harder compliance challenge.

  • The obligation to present information clearly doesn't disappear because the interface is conversational
  • Pre-contractual disclosure requirements don't care whether the customer is reading a screen or talking to an agent
  • Vulnerable customer identification becomes more complex when there's no standardised journey to assess against

None of this means AI-first UX is the wrong direction for consumer credit. A well-designed conversational experience could do a much better job of explaining loan terms than a wall of text most customers scroll past. The potential for genuinely improved comprehension is real.

But the teams building these journeys need compliance and technology working together from the start, not compliance reviewing a finished prototype. The question worth sitting with is whether your organisation is structured to do that, or whether you're still treating UX as something that gets signed off at the end.

  • →AI-first UX will evolve from basic chatbots and text prompts to integrated experiences that blend conversational interfa
  • agentic
  • AI agents
  • AI