---
title: >-
  You can delegate the decision, not the accountability: AI and the SM&CR
  reasonable steps test
description: >-
  Under the Senior Managers and Certification Regime, accountability for what
  happens in a business area is personal and cannot be handed to a model. As AI
  takes on more decisions, the "reasonable steps" defence depends on evidence a
  senior manager can actually produce.
author: murilo
date: '2026-06-20'
tags:
  - smcr
  - fca
  - accountability
  - governance
  - financial-services
categories:
  - ai-governance
---
The Senior Managers and Certification Regime was built on a simple and uncomfortable principle: that someone, by name, is accountable for what happens in each part of a regulated firm. It was the regulator's answer to a decade of enforcement cases in which responsibility evaporated upward and outward until no individual could be held to account for a failure that everyone, collectively, had presided over. The regime fixed responsibility to people. As firms hand more of their decision-making to AI systems, that principle collides with a tempting assumption, that delegating a decision to a model also delegates the responsibility for it. It does not, and the gap between those two things is where senior managers are most exposed.

## What the regime actually requires of an individual

Under the regime, individuals performing Senior Management Functions hold a Statement of Responsibilities that sets out, in plain terms, the areas of the business for which they are accountable. Sitting alongside this is the Duty of Responsibility: where a firm breaches a regulatory requirement, a senior manager responsible for that area can be held personally accountable if they did not take the steps a reasonable person in their position would have taken to prevent the breach.

The pivotal phrase is "reasonable steps". The regime does not make a senior manager a guarantor against every failure. It does not demand that nothing ever goes wrong. It asks a narrower and more answerable question: when something went wrong, did the responsible individual take the steps a reasonable person in their role would have taken to prevent it. A senior manager who can show they understood the risks in their area, put proportionate controls in place, monitored them, and acted on what the monitoring showed has a defence. One who cannot show those things does not.

Below the senior management layer, the Conduct Rules extend a baseline of individual accountability across most of a firm's staff. But it is at the senior level, where responsibility is mapped explicitly and the Duty of Responsibility bites, that the arrival of automated decision-making poses the sharpest question.

## Why automation does not dilute responsibility

When a decision is made by a person, the chain of accountability is intuitive. The person who made it, and the manager responsible for them, can be asked to explain it. When the same decision is made by a model, firms sometimes behave as if the accountability has moved into the system, as if the model itself now owns the outcome. The regime does not recognise this transfer. A model is a tool deployed within a business area, and that area still belongs, on someone's Statement of Responsibilities, to a named individual.

This means the senior manager accountable for a function does not shed responsibility by automating it. If anything, automation expands what reasonable steps must cover. A reasonable person responsible for an area in which AI makes or materially influences decisions would be expected to understand what those systems do, to satisfy themselves that the decisions are sound and fair, to ensure there is oversight proportionate to the risk, and to be able to intervene when something looks wrong. The question a regulator will ask after a failure is not whether the model erred. It is whether the responsible senior manager took reasonable steps given that a model was making the decisions.

## Reasonable steps is an evidential standard

Here is the part that turns a governance principle into a practical infrastructure problem. The reasonable steps defence is not established by assertion. A senior manager cannot simply state, after the fact, that they exercised appropriate oversight. They must be able to show it, and the showing is documentary. The defence is only as strong as the evidence available to support it.

Consider what that evidence has to demonstrate for an area where AI makes decisions. It must show that the senior manager understood the system's role and its limitations. It must show that controls existed and operated, that decisions were monitored, and that exceptions were surfaced and addressed. And when a specific decision is challenged, it must be possible to retrieve that decision and reconstruct how it was made, what it was based on, and what oversight applied to it. Without that, the senior manager is left arguing for the existence of oversight they cannot evidence, which is a weak position to occupy in front of a regulator.

The difficulty is that most firms cannot produce this evidence on demand for automated decisions. Oversight is described in policies and committee minutes that speak in generalities, while the decisions themselves live in systems that were never designed to be examined one case at a time. The policy says decisions are monitored; the systems cannot show that any particular decision was. That gap, between described oversight and demonstrable oversight, is precisely what the reasonable steps test exposes.

## Closing the gap before it is tested

The way to close the gap is to treat the evidence of oversight as something produced automatically as decisions are made, rather than something assembled under pressure after a failure. A senior manager is in a far stronger position if, for any decision in their area, the firm can retrieve a complete and reliable account of how it was reached and what controls applied, than if that account has to be reconstructed from fragments while a regulator waits.

This reframes AI governance from a matter of documentation to a matter of capability. Committees, policies, and risk frameworks remain necessary, but they describe intent. What demonstrates reasonable steps is the ability to show that intent was realised in the decisions themselves. A senior manager who can stand behind every automated decision in their area with a retrievable record has not merely written a good policy. They have the evidence the regime actually asks for.

The regulatory direction reinforces this from several sides at once. The Consumer Duty asks firms to evidence good outcomes for customers. The data protection regime, as it reshapes the rules on automated decisions, requires firms to demonstrate the safeguards around them. And the SM\&CR holds named individuals to account for the areas in which those decisions are made. They are different obligations, but a firm that can produce a reliable record of every AI decision answers the evidential heart of all of them.

## The accountability stays with you

The promise of automation is that it takes work off people's hands. For most of a firm that is exactly what it does. But for the senior manager whose name sits against the function, automation does not take the accountability off their hands. It changes the form of the reasonable steps they must take and, crucially, the evidence they must be able to produce. The decision can be delegated to a model. The responsibility for it cannot. The firms that internalise this early, and build the evidence of oversight into how their AI decisions are made, will be the ones whose senior managers can answer the regulator's question with a record rather than a hope.

### Give your senior managers evidence, not hope.

Request early access to Aegis Trace and our technical documentation.

[Request Access →](/request-access)