
An audit committee reviews a quarterly report on AI governance.

The model risk function has attested that all deployed AI systems are performing within tolerance. The ethics committee has signed off on fairness assessments. The second line of defence has confirmed that the AI risk framework is in place and operating. The audit committee approves the governance report. The minutes record that the committee has assessed the effectiveness of the internal controls and risk management systems governing AI-assisted decisions. The box is ticked.

Three months later, an AI-assisted mortgage approval decision produces an outcome that a customer challenges under the Consumer Duty. The Financial Ombudsman refers the case to the FCA. The FCA opens an investigation. The investigator requests the contemporaneous decision record for the specific mortgage decision that is the subject of the complaint. The bank produces the attestation letters, the model risk function's aggregate performance metrics, and the ethics committee's fairness assessment. The investigator asks for the decision record itself: what information picture the AI system was operating against at the moment that specific decision was made; what human review, if any, was applied to that specific output before it was acted upon; what the system could not see that might have changed the outcome.

The audit committee's quarterly assessment shows that the AI governance framework was in place, was being monitored, and was operating within established parameters. The FCA's investigation requires something different: evidence that the governance framework operated at the decision level, for a specific decision, at the exact moment the decision was made. These are not the same standard. They were not designed to be the same standard. This is the oversight paradox: audit committees are required to assess governance effectiveness, but the governance frameworks they are assessing were not designed to capture the artefacts an audit committee actually needs to certify that assessment.

The Two Standards, and the Gap Between Them

FRC UK Corporate Governance Code Provision 25 requires that audit committees assess and monitor the effectiveness of the company's internal controls and risk management systems. The provision does not distinguish between types of control. An AI-assisted decision in a material transaction is a control. Like any control, its effectiveness must be assessed and its operation monitored.

Current AI governance frameworks assess control effectiveness at the framework level: the governance processes are in place, the model risk function is operating, the oversight procedures exist, the performance thresholds are being met. These are necessary assessments. They are not sufficient to satisfy Provision 25 at the decision level.

Decision-level control assessment would answer a different set of questions: for this specific AI-assisted decision, what was the information picture the system was operating against; what information was it not given that might have changed the outcome; what human review occurred before the output was acted upon; who was that human reviewer and what authority did they exercise; who was the named individual accountable for the decision if it was subsequently found to be wrong. A governance framework that answers these questions at the moment each material AI decision is made is a framework that allows an audit committee to certify, with evidential support, that controls are operating effectively. A framework that answers them only at the quarterly or annual level, by aggregation, does not.

The oversight paradox is this: an audit committee can review all the right attestations, assess all the right governance processes, and still have no contemporaneous evidence that the framework operated at the decision level for any specific decision the committee is responsible for certifying. The framework is there. The monitoring is happening. The evidence that proves control effectiveness, decision-by-decision, at the moment each decision was made, is not.

What Audit Committees Are Currently Monitoring

The standard AI governance review, in a quarterly audit committee update, typically covers five dimensions.

First, the model risk function's attestation that all deployed models are performing within established performance parameters. Second, the ethics function's assessment that fairness metrics across demographic groups are within tolerance. Third, the second line of defence's confirmation that the AI risk framework maps to regulatory requirements and is being implemented. Fourth, any new deployments in the quarter and their associated risk classification. Fifth, any incidents or model performance degradations that have triggered escalation.

None of these dimensions, taken individually or together, answers the oversight question that Provision 25 requires: were the controls that governed this specific material AI decision operating effectively at the decision moment? They answer the question of whether the governance framework is in place and operating. They do not answer whether the governance operation at each decision moment is generating the evidence a regulator would later ask for.

An audit committee reviewing a model risk function's attestation that fairness metrics are acceptable is assessing a control. But it is assessing it at one level of abstraction removed from the decision itself. The committee is asking: does the model risk function believe the fairness metrics are acceptable? The committee is not asking: given the specific applicants rejected by this model, was the information picture the system was operating against captured before the rejection was acted upon, and is that information picture now accessible for examination?

This is the same distinction that separated weeks 2 and 3 of this newsletter. Week 2 asked what the governance framework requires. Week 3 asked what evidence the named Senior Manager must produce to satisfy the reasonable steps defence. This week applies the same distinction to the audit committee's oversight obligations. The framework is one question. The decision-moment evidence is another.

The Regulatory Convergence: Provision 25, SYSC 4.1, and the EU AI Act

Three regulatory instruments converge on the same standard by different routes. Each arrives at the requirement for decision-level governance evidence independently, and the convergence is the signal that the standard is the governing one.

FRC Provision 25 requires audit committees to assess and monitor control effectiveness. For AI-assisted decisions in regulated processes, "effectiveness" means the control operates at the decision moment, not at the framework aggregation level.

FCA Handbook SYSC 4.1 requires firms to ensure that their internal control systems are adequate and that the first and second lines of defence assess the effectiveness of those control systems. Internal audit's assessment of an AI governance framework, without accompanying evidence that the framework operated at the decision level for material decisions, is an assessment of process adequacy, not operational effectiveness.

EU AI Act Article 14 requires that high-risk AI systems are operated under human oversight that enables those responsible to detect and correct failures. That oversight requirement is not satisfied by aggregate performance monitoring. It is satisfied only by a governance architecture that records, contemporaneously with each decision, that human oversight was actually applied at the decision moment, by whom, in what form, and with what authority.

Three instruments. Three routes. One evidential standard: the decision-level governance record.

What Has to Change Before 2 August 2026

The calendar to the EU AI Act compliance deadline is now the same calendar that governs the audit committee's next assessment cycle. An audit committee that conducts its semi-annual AI governance review after 2 August 2026 will be reviewing governance frameworks against a new and binding regulatory standard. The FCA's expectations for AI governance maturity will have shifted in response to enforcement activity in the first days after the deadline. The first regulatory examinations under the EU AI Act will have begun.

The audit committee that waits until August or September to require evidence of decision-level governance oversight will be requiring it after the FCA's enforcement gaze has already arrived. The audit committee that requires it now, in May and June, has the advantage of time to close the gap before regulatory attention arrives.

The steps are specific and sequential.

First: establish what the audit committee is currently being asked to certify. In the next quarterly or semi-annual AI governance report, before the committee approves it, require the second line of defence to specify what evidence supports the claim that AI governance controls are "operating effectively". If the answer is quarterly model risk attestations and annual ethics assessments, the committee now knows the evidence gap.

Second: map the decision-level governance evidence requirement to the specific AI systems in scope. Which AI systems contribute to decisions that fall within the high-risk categories of the EU AI Act or the material transaction definitions of FCA Handbook SYSC? For each system in that scope, what would a decision-level governance record contain, and in what format would it need to be in order for the FCA to examine it in the event of an investigation?

Third: require the demonstration of the architecture. The audit committee does not need to implement decision-level governance records before 2 August. It needs to require that the technology function and the second line of defence produce an architectural specification for how those records would be captured, what data they would contain, and what timeline would be needed to move from the current attestation-based model to a contemporaneous governance model.

Fourth: minute the requirement formally. In the next audit committee meeting at which AI governance is discussed, record that the committee has required the production of a specification for decision-level governance evidence capture, that the committee understands the current governance framework does not produce such evidence, and that the committee is requiring the specification as the basis for assessing feasibility and timing. That minute is not the answer to the audit committee's governance obligation. It is the answer to the question a regulator will ask later: did the audit committee identify the evidence gap, did it require action to close that gap, and is there a contemporaneous record that it did so?

The Governance Record the Audit Committee Is Actually Assessing

The governance architecture that satisfies the audit committee's Provision 25 assessment obligation is the same architecture that satisfies the FCA's reasonable steps requirement and the EU AI Act's effective oversight requirement. It is not a quarterly report. It is not an aggregate performance metric. It is a contemporaneous governance record that captures, at the moment each material AI decision is made, four data structures: the system version in use at that moment; the information picture the system was operating against; the human review applied before the output was acted upon; and the accountability chain that names who accepted responsibility for the decision.
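One way such a contemporaneous record could be captured, as an added illustration rather than Otopoetic's or any firm's actual design: each material decision is written as an append-only, hash-chained entry holding the four data structures named above, refused if any of them is absent before the output is acted upon, retrievable by decision identifier, and checkable later for alteration. Field names, the ledger class and the sample values are assumptions constructed for this example.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

# The four data structures the page lists for a contemporaneous governance record.
REQUIRED = ("system_version", "information_picture", "human_review", "accountability")
GENESIS = "0" * 64

class DecisionLedger:
    """Append-only, hash-chained log: one record per material AI decision."""
    def __init__(self):
        self.records = []
        self._prev = GENESIS
    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    def record(self, decision_id, **fields):
        """Capture the record before the output is acted on; refuse an incomplete one."""
        missing = [k for k in REQUIRED if not fields.get(k)]
        if missing:
            raise ValueError(f"{decision_id}: output must not be acted on, missing {missing}")
        entry = {"decision_id": decision_id,
                 "captured_at": datetime.now(timezone.utc).isoformat(),
                 "prev_hash": self._prev,
                 **{k: copy.deepcopy(fields[k]) for k in REQUIRED}}  # snapshot, not reference
        entry["hash"] = self._digest(entry)
        self.records.append(entry)
        self._prev = entry["hash"]
        return entry
    def lookup(self, decision_id):
        """What an investigator asks for: the record of one specific decision."""
        return next((e for e in self.records if e["decision_id"] == decision_id), None)
    def verify(self):
        """True only if no record has been altered or removed since capture."""
        prev = GENESIS
        for e in self.records:
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

# Constructed sample values (placeholders, not real people or systems).
SAMPLE = dict(
    system_version="credit-model v3.2 (placeholder)",
    information_picture={"inputs": ["income", "credit_file"], "not_available": ["rental_history"]},
    human_review={"reviewer": "J. Smith (placeholder)", "authority": "underwriter", "action": "accepted"},
    accountability={"senior_manager": "SMF-placeholder"},
)
```

A sample drawn for the audit committee's review would then be a set of `lookup` results whose ledger still passes `verify`.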

An audit committee's assessment of governance effectiveness, informed by a review of representative samples of such records across the population of material AI decisions made since the last assessment period, is an assessment that is based in evidence. An audit committee's assessment of governance effectiveness, informed by a model risk function's quarterly attestation that performance metrics are acceptable, is an assessment based in process. The two are not equivalent, and regulators are not treating them as though they are.

The Audit Committee's Question

The question an audit committee must ask before 2 August 2026 is not whether the governance framework is in place. It is whether the governance framework produces, at the moment each material AI decision is made, the evidence that allows the committee to certify that the controls governing those decisions are operating effectively. That is the question Provision 25 requires the committee to answer. That is the question the FCA's regulatory examiners will ask the committee to evidence. That is the question that will be asked again and again as enforcement activity in the post-deadline environment accelerates.

For most audit committees, the honest answer to that question today is: we do not know. The frameworks attest that controls are in place. The governance processes exist. The evidence that proves they operate at the decision level does not yet exist.

The time to require that evidence is now, before the deadline, not after it, when the FCA's first enforcement letters begin to arrive. The audit committee that takes the four steps above before 2 August 2026 has begun the process of closing the oversight paradox. The audit committee that waits will be managing the gap from a position of regulatory vulnerability rather than governance readiness.

The 91 days from today to 2 August are the window in which the audit committee can move from assessing governance in the abstract to assessing governance in evidence. That is the oversight obligation Provision 25 requires.

Dr. Ivan Roche FRSS FRSA MInstP is the Founder and Principal Advisor of Otopoetic Limited, an AI governance advisory practice based in Belfast. Otopoetic works with regulated firms in financial services, insurance, aviation, and healthcare to establish decision-level governance architectures before regulatory examination. The Governance Classification Briefing identifies your current exposure across five accountability dimensions in 45 minutes. Enquiries: otopoetic.com
