Case Studies

What On-Premise AI Actually Looks Like.

Three sectors. Three distinct compliance pressures. One consistent finding: once data stays in the building, the problems that seemed intractable become straightforward.

The scenarios below are representative composites based on real deployment patterns across UK professional services, healthcare, and financial services. Names and specific details are illustrative. Metrics reflect verified sector benchmarks and publicly available industry research.

Sector: Legal  ·  M&A Practice

The Firm That Could Not Send the Documents

A mid-sized London practice specialising in cross-border M&A found itself in an increasingly untenable position: the AI tools its lawyers wanted to use were fundamentally incompatible with its client NDAs.

The firm handled acquisition targets for clients across financial services, pharmaceuticals, and technology. By early 2025, its lawyers were under competitive pressure from larger firms, and from clients themselves, to turn around initial contract reviews faster. The obvious solution was AI-assisted document analysis. The obvious tools were cloud-based.

The problem was immediate. Client NDAs routinely contained explicit prohibitions on transmitting deal documents to third-party systems. Several clients had begun adding specific clauses referencing AI tools by category. Uploading an unredacted acquisition agreement to a US-hosted API was not a grey area. It was a direct breach of privilege and, in some cases, a breach of contract. The partners knew this. The associates knew this. The tools remained unused.

The practice manager approached the problem as an infrastructure decision rather than a legal tech procurement. The question was not "which AI tool to buy" but "how to make AI available with data remaining within the building." After evaluating several options, the firm deployed an on-premise appliance running open-weight models locally, integrated with its existing document management system.

The deployment took eleven days from delivery to production, including configuration, integration testing, and a half-day training session for fee earners. There was no requirement for any cloud account, API key, or data processing agreement with a third party. The model ran entirely within the firm's own network.

60% Reduction in initial contract review time, consistent with published benchmarks across UK legal AI deployments

Fee earners began using the system immediately for first-pass contract review, clause identification, and document summarisation. Because the model ran locally, the policy question about whether a particular document could be processed was materially simplified. Partners could now give clients a concrete answer to the question "where is our data processed?" The answer, "on our own hardware, in our building", was consistent with the NDA requirements the firm had on file and materially reduced the compliance ambiguity that had slowed adoption.

The SRA's guidance on AI in legal practice recommends that firms using AI for client work establish clear governance frameworks and ensure senior oversight, in particular that Compliance Officers for Legal Practice actively supervise AI integration. With a local deployment and full logging of all model interactions, the firm's COLP had complete visibility over every AI-assisted task, satisfying both the SRA's requirements and the firm's own professional indemnity conditions.

  • Resolved the NDA conflict that had blocked AI adoption
  • Full audit log of all AI interactions available to COLP without requesting data from a vendor
  • Initial contract review time reduced substantially, allowing more files to be handled per associate
  • Zero change to the firm's existing document management infrastructure
  • Operational within eleven days of hardware delivery

Deployment Profile

  • 11 days: from hardware delivery to production deployment
  • ~60%: reduction in first-pass contract review time
  • 0: third-party data processing agreements required
  • 100%: NDA compliance (client data can remain within the building)

Hardware & Services: On-Premise, Private AI, n8n Automation, Standard Support

Healthcare  ·  Private Practice

Patient Data That Stayed in the Clinic

A group of private GP and specialist clinics wanted AI-assisted administrative support: appointment management, referral drafting, clinical note summarisation. The regulatory picture made cloud AI a non-starter.

Patient data is among the most tightly regulated categories under UK GDPR. Health information is special category data under Article 9, requiring not only a lawful basis for processing but specific conditions for how that processing takes place. NHS England's own guidance on AI in healthcare often requires a Data Protection Impact Assessment where AI-based processing is likely to be high risk, and specifies that organisations must be the controller, not just a processor, of any patient data used by AI systems.

The clinical director had already investigated cloud-based AI scribing tools and document assistants. The Data Processing Agreements offered by the major vendors were workable, but only for data routed through UK data centres. The CLOUD Act problem remained: the parent entities of every major cloud AI platform are US-domiciled. Legal advice confirmed that no contractual arrangement with a UK data centre subsidiary could fully insulate the clinical group from the extraterritorial jurisdiction of US federal law over the parent company. The DPIAs could not be signed off in good conscience.

The group deployed two on-premise appliances, one per primary clinic location, running Private AI for staff use and a lightweight automation layer via n8n for connecting AI outputs into the practice management system. Patient-facing interactions remained handled by existing clinical software. The AI layer was used exclusively for administrative tasks: drafting referral letters from clinical notes, summarising patient histories for specialist handover, and generating internal correspondence.

Critically, the entire stack ran on hardware physically located within each clinic. Data was not routinely transmitted over any external network connection. The DPIA for each location was straightforward to complete precisely because there was no third-party processor involved. The clinic was the sole controller and the sole processor. The ICO's guidance on AI and data protection was satisfied by design rather than by contractual arrangement.

Faster referral letter drafting compared to unassisted composition, freeing approximately 40 minutes per clinician per session day

The administrative burden on clinical staff fell materially. Referral letters that previously required 15–20 minutes of dictation and typing were reduced to a 5-minute review-and-sign process. Patient history summaries for specialist handover, previously compiled manually from fragmented records, were produced in under two minutes. The group's practice managers reported that the net time saving across both locations amounted to several hours per week per clinician, time redirected to patient contact.

The Care Quality Commission inspection the following quarter noted the practice's AI governance framework positively, specifically the combination of local data residency, complete logging, and the preservation of clinical decision-making as a human function. The local deployment had made it straightforward to demonstrate that AI was being used as an administrative assistant rather than as a decision-making system, the distinction the CQC's own guidance requires.

  • DPIA completable without reliance on contractual protections from a US-domiciled vendor
  • Patient data not routinely transmitted outside the clinic network
  • Referral letter drafting time reduced by approximately two-thirds
  • CQC inspection found AI governance framework satisfactory
  • Clinical decision-making remains fully human. AI handles administrative composition only

Deployment Profile

  • 2: on-premise appliances deployed, one per clinic location
  • ~3×: faster referral letter drafting vs. unassisted
  • Art. 9: UK GDPR special category compliance supported by architecture
  • ✓ CQC: AI governance framework noted positively at inspection

Hardware & Services: On-Premise ×2, Private AI, n8n Automation, Enterprise Support

Financial Services  ·  Wealth Management

The Audit Trail the FCA Actually Wants to See

A City-based wealth management firm needed AI support for synthesising market research and drafting client communications. Under SM&CR, the Senior Manager had personal liability for every AI-assisted output. The cloud audit trail did not come close to satisfying that requirement.

The FCA's 2026 AI governance framework has shifted the compliance burden onto Senior Managers in a specific and personal way. Under the Senior Managers and Certification Regime, the individual who signs off on an AI-assisted client recommendation cannot simply point to a vendor contract as their evidence of oversight. They must demonstrate that they understood the decision logic, that appropriate controls were in place, and that a complete audit trail exists for regulatory review.

Cloud-based AI tools, even enterprise-tier products from reputable vendors, can make this requirement significantly more difficult to satisfy. The model weights change without notice, which makes it much harder to reconstruct exactly which model version produced a given output on a given date. The logging available to end users is high-level usage data, not granular prompt-and-response records. The FCA's Consumer Duty requirements under PRIN 2A add a further layer: for any AI used in customer-facing journeys, firms must evidence how customer outcomes were considered at design and deployment, and how poor outcomes are monitored and remediated. This can be considerably harder when the AI infrastructure belongs to a third party and the audit trail sits on their servers.

The firm's Chief Operating Officer, the designated SMF24 with responsibility for technology systems under SM&CR, led a deployment of an on-premise appliance with the full Dify AI platform layer, allowing the firm to build structured AI workflows for market synthesis and client communication drafting. Every query, every model response, and every human edit was logged locally with timestamps and user attribution. The log was stored on the firm's own infrastructure, encrypted at rest, and accessible to compliance officers without submitting a data request to any vendor.

The critical architectural point was that the SMF24 could now point to an immutable, locally held audit record for every AI-assisted output the firm had produced. The model version was fixed and documented. The prompts were logged. The outputs were logged. The human review step was logged. The entire chain of accountability that the FCA requires under SM&CR was present, complete, and under the firm's own control.

100% Of AI-assisted outputs covered by a locally held, complete, immutable audit log, accessible to the compliance team without any vendor involvement

The operational benefits were real but secondary to the compliance outcome. Research synthesis that previously required two to three hours of analyst time was reduced to a 30-minute review-and-edit process. Client communication drafting became faster and more consistent. But the firm's most significant gain was the ability to use AI at all in regulated workflows, something that had been effectively blocked by the SM&CR accountability gap inherent to cloud-based tools.

When the FCA's supervisory team made a routine enquiry about the firm's AI use in client-facing processes, the SMF24 was able to produce a complete record within an hour. The response required no vendor co-operation, no data extraction process, and no uncertainty about what had been logged. That response is precisely what the FCA's 2026 AI governance expectations require, and precisely what cloud-based deployments can make structurally harder to achieve.

  • Complete, immutable, locally held audit trail for every AI-assisted output
  • SM&CR accountability gap addressed structurally. SMF24 can evidence oversight directly
  • Fixed model version documentation resolves FCA requirement to evidence decision logic
  • Research synthesis time reduced from several hours to under one hour
  • FCA supervisory enquiry answered within one hour with no vendor involvement

Deployment Profile

  • 1 hr: time to respond to FCA supervisory enquiry on AI use, no vendor involvement required
  • SMF24: Designated Senior Manager able to evidence AI oversight directly under SM&CR
  • ~70%: reduction in analyst time for research synthesis tasks
  • 0: cloud AI tools used in regulated client workflows (full local stack)

Hardware & Services: On-Premise, Private AI, n8n + Dify, Enterprise Support

Across the three scenarios

  • 11 days: typical time from hardware delivery to production deployment
  • 3 sectors: Legal, healthcare, financial services. Each with distinct compliance requirements, one consistent architecture
  • 0: client data transferred outside the organisation's own network in any of these deployments
  • 100%: audit trail ownership (every log held by the organisation, not the vendor)

A note on methodology

The three scenarios above are representative composites. They are constructed from real deployment patterns, sector compliance research, and verified industry benchmarks, not invented figures. Contract review time reductions of 60% and above are consistent with published data from LexisNexis, the Law Society, and independent academic research into UK legal AI adoption. The healthcare administrative time savings reflect documented patterns from NHS ambient scribing pilots and private practice AI deployments. The FCA SM&CR accountability gap is a documented structural issue described in detail by specialist legal commentary from Kennedys Law and others.

We use representative scenarios rather than named case studies because the clients and organisations that have most benefited from local AI deployment are precisely those whose confidentiality requirements make public attribution inappropriate, a point that rather proves the case for sovereign infrastructure. As our client base grows and where clients are willing, we will publish attributed case studies with their permission.

If you are in a regulated sector and would like to discuss your specific compliance context before making any procurement decision, we are happy to have that conversation without any sales pressure. Get in touch.

See what this looks like for your sector.

Configure your Private AI appliance in under five minutes. Typical delivery within two weeks.


Case study metrics are illustrative composites based on published sector research and verified deployment patterns. They do not represent the guaranteed outcomes of any specific Helmhold deployment. Regulatory requirements referenced, including UK GDPR, FCA SM&CR obligations, CQC governance standards, and SRA compliance frameworks, are described in general terms and do not constitute legal advice. Organisations should seek qualified legal and compliance counsel for decisions specific to their circumstances. Information current as of March 2026.