A UK retail bank does not lack an AI policy.
At board level, the CRO can point to frameworks, principles, control structures.
On paper, governance exists.
In practice, decision proof does not.
The illusion
From the outside, the system looks under control.
- Policies define intent.
- Control frameworks define structure.
- Documentation is in place.
- Risk maps are signed off.
- Controls are reviewed quarterly.
Where it breaks
The harder question is not whether governance exists.
The harder question is whether governance can be demonstrated — not in theory, not in aggregate, but at the moment a single decision is questioned.
The shape of the problem
Take an AML monitoring model.
On a Wednesday in November the model flags a £42,000 wire transfer to a small business in Cyprus, a Tier-2 alert is raised, and an analyst clears it within forty minutes after a phone call to the relationship manager.
The system moves on. The decision disappears.
AML alert · Tier-2
£42,000 wire to Cyprus SME
- Flagged at: Wed, Nov · 09:14
- Cleared at: 09:54 (40 min later)
- Analyst: J. Okafor
- Resolution: Cleared after RM call
- Audit trail: Alert ID · timestamp · free-text comment
What remains
Eight months later the FCA's S166 review picks the same payment from a sample of 200, and asks why this transfer was cleared.
A regulator. A customer's solicitor. An internal Tier-3 escalation.
The first-line risk team looks back and finds:
- the alert ID
- the timestamp
- the analyst's name
- a free-text comment
- logs of the model run
- events from the case management system
- traces from the audit log
Fragments of activity.
Reconstruction
From those fragments, an explanation is assembled.
The input can be found. The outcome can be found.
The reasoning is inferred.
The policy still exists in the policy repo, but the version that applied that Wednesday in November has been superseded twice. The model still exists, but it was retrained in February against a different feature set. Thresholds have shifted. Context has changed. The original decision cannot be reconstructed.
The team cannot verify it against policy as it stood at the time of the alert. They cannot determine whether the criteria the analyst applied were the criteria the policy required.
The answer that goes back to the FCA is produced anyway.
Plausible. Defensible. And partly invented.
The time problem
Governance is not static.
Policies evolve. Models are retrained. Thresholds are adjusted. Ownership shifts.
The question that actually gets asked is not "what is the policy now?" It is "what was the policy at the moment this decision was made?" — and more importantly, can that be demonstrated?
The independence problem
Even when evidence exists, it is rarely independent.
The same case management system that recorded the alert produces the explanation. The same model registry that ran the inference reconstructs the reasoning.
This is not proof.
It is a system describing its own behaviour.
Procedural. Not forensic.
Why this matters
Day to day, this goes unnoticed.
Systems operate. Decisions are made. Outcomes are delivered.
Everything appears governed.
Until it isn't.
The moment of scrutiny
Governance is tested at a single point: when someone asks why.
Why this customer was declined. Why a particular transfer was cleared. The reason this particular loan was approved.
Not in aggregate, not in a dashboard, not in a board pack — in one specific case, on one specific Wednesday in November.
The gap
AI governance programs in tier-one banks focus on better policies, more documentation, and stronger framework alignment.
The failure is not in the policy.
It is in the decision.
The shift
Governance lives in decisions, not in policies.
A governed system does not reconstruct decisions later. It captures them at the moment they are made.
Input. Policy. Context. Outcome.
Bound together as a single signed artefact. Complete. Deterministic. Verifiable.
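A minimal sketch of such an artefact, added here as an illustration and not taken from the original page or any bank's system: the decision is serialised deterministically, bound to a hash of the policy text in force at that moment, and sealed. HMAC-SHA256 stands in for the signature so the example needs only the standard library; the key, policy texts, alert ID, model version and threshold are constructed assumptions, and the key is assumed to be held outside the case management system.

```python
import hashlib
import hmac
import json

def canonical(obj):
    """Deterministic bytes: sorted keys, fixed separators, UTF-8."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def seal_decision(key, alert, policy_text, context, outcome):
    """Bind input, policy, context and outcome into one sealed artefact."""
    record = {"input": alert, "policy_sha256": sha256_hex(policy_text),
              "context": context, "outcome": outcome}
    sig = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "sig": sig}

def verify_decision(key, artefact, policy_text):
    """Return a list of problems; an empty list means the artefact verifies."""
    problems = []
    expected = hmac.new(key, canonical(artefact["record"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, artefact["sig"]):
        problems.append("record altered after sealing")
    if sha256_hex(policy_text) != artefact["record"]["policy_sha256"]:
        problems.append("policy text differs from the version bound at decision time")
    return problems

# Constructed sample data (assumptions, not real bank records).
KEY = b"demo-key-held-outside-the-case-system"
POLICY_NOV = "AML-POL (constructed): clear Tier-2 wire alerts only after RM confirmation."
POLICY_NOW = "AML-POL (constructed): Tier-2 wire alerts need RM confirmation and second review."
ALERT = {"alert_id": "ALERT-EXAMPLE-001", "tier": 2, "amount_gbp": 42000,
         "destination": "Cyprus SME", "flagged_at": "09:14"}
CONTEXT = {"model_version": "aml-model-example-1", "threshold": 0.8}
OUTCOME = {"analyst": "J. Okafor", "resolution": "Cleared after RM call",
           "cleared_at": "09:54"}

if __name__ == "__main__":
    sealed = seal_decision(KEY, ALERT, POLICY_NOV, CONTEXT, OUTCOME)
    print(verify_decision(KEY, sealed, POLICY_NOV))  # policy as it stood then
    print(verify_decision(KEY, sealed, POLICY_NOW))  # superseded policy is detected
```

A reviewer who holds the archived policy text and the verification key can check the artefact without asking the originating system to explain itself.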
What changes
When the FCA letter arrives — why did this happen? — there is nothing to rebuild.
No stitching together of logs. No inference. No approximation.
The decision can be read.
Asked
Why was this £42,000 wire cleared on Nov 13?
Closing
Policies create intent.
Frameworks create structure.
But decisions are where governance actually happens.
If those decisions cannot be proven later, governance does not exist.