Company Brochure

AI Governance for Isle of Man Regulated Firms: What the FSA Expects from the Board

An empty boardroom table set for a governance review

Strengthen your compliance strategy

— with confidence. clarity. experts.

Book a
consultation

If your firm is using AI — or quietly testing it — and you are waiting for an Isle of Man AI rulebook to tell you what to do, you will be waiting a while. There isn't one. The Financial Services Authority has not published an AI-specific code, and that is not an oversight: AI is being governed through the obligations you already hold, not a separate regime. The board remains accountable for it. The AML/CFT framework already captures it. Your outsourcing, resilience and data-protection duties already apply to it. The practical question is therefore not "what are the FSA's AI rules?" but "how do we bring AI inside the governance we already run?"

That reframing matters, because most of what is written about AI governance is global, generic, and built around frameworks that have no legal force on the Island. The defensible Isle of Man answer is narrower and more useful: treat AI as technology to be risk-assessed, as a board-accountability matter, and as a third-party exposure — and you are most of the way there.

Does the Isle of Man have AI-specific regulation?

No. There is currently no AI-specific rulebook from the Isle of Man FSA, and you should be cautious of any source that implies otherwise. What the FSA has done is signal clearly where AI sits: inside oversight and change risk.

In its Supervisory Priorities 2025–2027, the Authority frames strong governance and appropriate board and senior-management oversight across a range of risks as critical — naming, as an example, firms facing different challenges "from climate risk or AI". It also indicates that it will continue to engage with firms going through significant change projects, including where that involves the extended use of new AI tools, and that it intends to collect information from firms on their use of AI to inform its own work.

Read plainly, that tells you the FSA's posture: AI is a governance, oversight and change-risk matter to be managed within your existing framework — not a new compliance silo with its own bespoke rules. The expectation falls on how you oversee and control the technology, not on a separate AI code you must implement.

We help Isle of Man firms place AI inside the governance framework the FSA already expects, rather than bolting on a generic policy.

AI is "technology" — so it's in your TRA

The most concrete place AI lands for an AML/CFT-regulated firm is the Technology Risk Assessment. Under the AML/CFT Code, a relevant person must assess the money-laundering and financing-of-terrorism risk posed by any technology used in its business — and the Code is explicit that this includes new and developing technologies. AI is, by any reading, new and developing technology. It is in scope.

That has a direct consequence. If you have adopted an AI-assisted onboarding or screening tool, used a model to triage alerts, or let a general-purpose assistant near client data, the TRA is where you record what the technology is, how it could weaken or strengthen your controls, and what you have done about it. Technology can improve AML/CFT effectiveness — but the same Code guidance warns it can weaken controls if applied badly or without sufficient understanding. An AI tool nobody assessed is precisely that failure mode.

The TRA is also the assessment most firms are missing or conflating with a cyber review, which is why it is worth getting right before AI multiplies the gap. We set out the standalone duty, the timing and what a defensible assessment contains in our guide to the Isle of Man Technology Risk Assessment.

A document review on a desk in muted blue tones

Board oversight: who is accountable for AI?

The board. The Isle of Man Corporate Governance Code places responsibility for risk management and for the firm's systems and controls at board level — and AI does not change where that responsibility sits. A model that makes onboarding decisions, drafts client correspondence or feeds your monitoring is part of your systems and controls, and the board is accountable for it in the same way it is accountable for any other.

In practice that means the board should be able to answer a short, uncomfortable set of questions. What AI is in use across the firm, including tools staff have adopted without a procurement decision? Who owns the risk for each? Where a model influences a regulated outcome — a customer risk rating, an alert disposition — is there meaningful human oversight, or has judgement quietly been delegated to software? These are governance questions, not technical ones, and "the IT team handles it" is not an answer a supervisor will find reassuring.

This is the same governance-first principle that applies across technology risk generally, set out in our piece on strengthening IT governance: oversight is a board responsibility, not a server-room afterthought.

We give boards a clear, defensible view of where AI is in use and who is accountable for it.

AI you didn't buy: third-party and embedded AI

The harder exposure is the AI you never deliberately adopted. Your case-management system adds an AI feature. Your screening provider starts using a model behind the scenes. A member of staff pastes client information into a free online assistant to save ten minutes. None of these arrived through a board decision, yet each is now part of your control environment.

This is third-party and outsourcing risk, and it is already governed. Where a function or technology you rely on is provided by another party, the obligation to understand, assess and oversee that arrangement is yours — you cannot outsource the accountability. Embedded AI inside a vendor product sits squarely within that duty, which is why vendor due diligence and contractual clarity about what a supplier's model does with your data belong in your assessment. Our guidance on outsourcing and third-party risk sets out that responsibility in full.

There is also a group dimension. Where AI tools or systems are introduced across a group, the Code expects a relevant person to satisfy itself that the group's risk assessment of that technology is specific enough for its own business — and to assess it independently where it is not. Inheriting a head-office AI tool is not the same as having assessed it.

Server racks and network equipment lit in cool blue

A proportionate AI governance baseline

You do not need an enterprise AI programme to be defensible — you need to bring AI inside the governance you already run, proportionate to how much you actually rely on it. A workable Isle of Man baseline has a few connected parts.

Start with an inventory: a current record of where AI is used across the firm, including embedded and free-tool use. Risk-assess each material use through the Technology Risk Assessment, capturing the effect on your AML/CFT controls. Keep meaningful human oversight wherever a model touches a regulated decision, so accountability stays with a person. Address data protection — if an AI tool processes personal data, your data-protection obligations and, for higher-risk processing, a data-protection impact assessment still apply. Apply vendor due diligence to embedded and supplied AI. And give the board periodic, plain-language assurance that the above is happening.

Recognised external frameworks can help you structure that work — the NIST AI Risk Management Framework, the NCSC's guidance on using and securing AI, and ISO/IEC 42001, the standard for an AI management system, are all sensible reference points. Treat them as useful scaffolding, not as the source of your obligations: on the Isle of Man, those come from the FSA's expectations, the AML/CFT Code and the Corporate Governance Code. The frameworks help you meet the duty; they do not define it.

A single figure seen from behind at a glass office wall overlooking a muted blue cityscape at dusk

Common mistakes we see

The first is waiting for a rulebook that is not coming, and treating the absence of an AI-specific code as permission to do nothing. The FSA's expectation is already live; it just lives inside your existing obligations. The second is the shadow tool — staff using AI assistants with client data, entirely outside any assessment, because nobody asked. The third is conflating an AI policy with AI governance: a one-page policy on the intranet is not the same as an inventory, a risk assessment and board oversight that someone actually maintains. The fourth is importing a global "AI governance framework" wholesale and assuming it satisfies Manx requirements — it may help, but it is not the obligation. And the last is treating AI as purely an IT matter, when the accountability the FSA is signalling sits with the board.

We help Isle of Man regulated firms govern AI proportionately — from an honest inventory and a defensible Technology Risk Assessment to board-level assurance — grounded in the FSA's expectations rather than generic global advice.

Frequently asked questions

Does the Isle of Man FSA have specific AI regulations?

No. There is no AI-specific FSA rulebook. The Authority's Supervisory Priorities 2025–2027 treat AI as a matter of board and senior-management oversight and change risk, to be managed within a firm's existing governance, risk and compliance framework — not as a separate regime with its own bespoke rules.

Is AI covered by the AML/CFT Technology Risk Assessment?

Yes. The AML/CFT Code requires a relevant person to assess the risk posed by any technology it uses, and expressly includes new and developing technologies. AI falls within that, so a material AI tool that touches your AML/CFT controls should be captured and risk-assessed in your Technology Risk Assessment.

Who is accountable for AI in a regulated firm?

The board. Under the Isle of Man Corporate Governance Code, responsibility for risk management and for the firm's systems and controls sits at board level, and AI is part of those systems and controls. Day-to-day work can be delegated, but accountability for oversight cannot.

Do we need an AI policy?

A policy can help, but it is not the obligation and not enough on its own. What matters is governance you actually run: an inventory of where AI is used, a risk assessment of each material use, meaningful human oversight of regulated decisions, attention to data protection, and board oversight. A policy with none of that behind it is a document, not control.

Knight Consultancy Limited
(Company No: 136669C)
Design House, Hills Meadow, Douglas,
Isle of Man ,IM1 5EB

© Knight Consultancy Limited {{Y}}. All Rights Reserved. Privacy Policy

Website and marketing partner: Yellowstone Accounts

Knight