This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.
In short: The UK's AI governance model is explicitly pro-innovation and non-legislative at its centre. There is no UK AI Act. Existing regulators, including the ICO (data protection), CMA (competition), FCA (financial services), and Ofcom (media and communications), apply their existing powers to AI systems operating in their sectors. The government sets overarching AI principles and coordinates through DSIT. This creates a distributed model where compliance obligations depend on your sector and how AI is being used.
This article describes UK AI governance as at June 2026. UK policy has evolved through several government publications and agency guidance documents since 2023. Readers should verify current government and regulator positions directly with primary sources. This article does not provide legal advice. The ICO, DSIT, and other UK regulators are the authoritative sources for obligations in their respective domains.
The UK's Approach: Principles Over Legislation
The UK government's stated position, articulated through its 2023 AI White Paper and subsequent policy documents, is that existing laws and regulators should address AI risks within their domains, supported by government-set principles, without new horizontal AI legislation. This contrasts with the European Union's approach of creating binding, horizontal legislation (the EU AI Act) that applies across all sectors.
The five cross-cutting principles the UK government has asked regulators to apply to AI are:
- Safety, security, and robustness
- Appropriate transparency and explainability
- Fairness
- Accountability and governance
- Contestability and redress
These principles are not legally binding on their own. Individual regulators determine how to implement them within their sector remit. The practical effect is that AI compliance obligations in the UK are sector-specific and depend on which regulatory frameworks apply to your business activities.
Key UK Bodies: What They Oversee
ICO (Information Commissioner's Office): The ICO regulates data protection under UK GDPR and the Data Protection Act 2018. UK GDPR is the post-Brexit equivalent of EU GDPR, now maintained separately. For AI, the ICO's primary concern is how AI systems process personal data. The ICO has published extensive AI and data protection guidance covering: lawful basis for AI processing, automated decision-making and profiling rights under UK GDPR Article 22, AI fairness and data minimisation, and privacy-by-design in AI development. ICO guidance on AI and data protection: ico.org.uk.
DSIT (Department for Science, Innovation and Technology): DSIT leads UK government AI policy, including the AI White Paper, the AI Safety Institute (which conducts safety evaluations of advanced AI models), and the National AI Strategy. DSIT coordinates the multi-regulator AI governance model and sets the policy framework within which sector regulators operate. DSIT: gov.uk/DSIT.
CMA (Competition and Markets Authority): The CMA has conducted market studies into AI foundation models and AI in digital markets. Its AI interest centres on competition concerns: AI market concentration, barriers to entry for smaller players, and whether AI foundation model providers hold positions that could harm competition. The CMA has international coordination arrangements with equivalent bodies in the EU and US. CMA AI updates: gov.uk.
FCA (Financial Conduct Authority): The FCA applies its existing regulatory framework to AI use in financial services. Areas of focus include AI use in credit decisions, robo-advice, algorithmic trading, financial crime detection, and customer-facing chatbots. The FCA has published a discussion paper on AI and has integrated AI considerations into its existing Consumer Duty framework.
Ofcom: Ofcom regulates AI and algorithms in the context of online safety and broadcasting. The Online Safety Act 2023 imposes obligations on online platforms that include AI-driven content recommendation systems.
UK GDPR and AI: The Data Protection Layer
For most businesses using AI tools in the UK, the most immediately applicable regulatory framework is UK GDPR, not AI-specific legislation. Key UK GDPR provisions that apply to AI:
- Article 22 (automated decision-making): Individuals have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects on them. This applies to AI systems used in credit scoring, recruitment filtering, insurance pricing, and similar contexts. Where Article 22 applies, businesses must provide a lawful basis for automated processing and ensure individuals can request human review.
- Fairness and transparency: AI systems that process personal data must operate transparently. Privacy notices should describe AI processing. Individuals should be able to understand, in plain terms, that AI is being used and for what purpose.
- Data minimisation: AI systems should not collect more personal data than necessary for their stated purpose. This is a common point of friction in AI deployments that use large volumes of training data.
- International transfers: Transferring personal data from the UK to AI systems hosted in third countries requires an appropriate transfer mechanism. The UK has its own adequacy assessment process, separate from the EU's.
The ICO's guidance on AI and UK GDPR is the authoritative reference for data protection obligations: ico.org.uk.
The AI Safety Institute
The UK AI Safety Institute (AISI), established in 2023 and operating within DSIT, conducts safety evaluations of advanced AI models, particularly frontier large language models. Its work focuses on systemic AI safety risks rather than day-to-day business AI use. AISI works with AI developers to evaluate model capabilities and safety characteristics before and after deployment.
AISI is not a compliance or enforcement body for typical business AI use. Its primary relevance is to AI developers and deployers of advanced AI systems at scale. AISI publications and safety evaluations are publicly available at: gov.uk.
What This Means for Businesses Using AI Tools in the UK
For businesses operating in the UK or processing data about UK individuals, the practical AI governance questions are:
- Does your AI system process personal data? If yes, UK GDPR applies. The ICO's AI guidance covers the specific obligations. This applies to nearly all business AI uses involving customer or employee data.
- Does your AI system make automated decisions with significant effects? Article 22 UK GDPR restrictions and rights apply. Review your AI-assisted decision processes to identify where this triggers.
- What sector are you in? Financial services, healthcare, education, and other regulated sectors have ICO obligations plus sector-specific regulator expectations. The FCA, MHRA (medical devices), and Ofqual (education) each have AI-relevant guidance within their domains.
- Are you a platform with AI-driven content? The Online Safety Act 2023 creates obligations for online platforms that extend to algorithm-driven recommendation systems.
UK vs EU: Different Models, Different Obligations
Since Brexit, UK and EU AI governance have diverged. The EU AI Act creates binding horizontal requirements that apply to AI systems placed on the EU market, regardless of where they are developed. The UK has no equivalent legislation and has explicitly chosen not to pursue one at this stage.
For businesses operating in both the UK and EU, this means separate frameworks apply. A high-risk AI system under the EU AI Act may require conformity assessments, a CE marking equivalent, and registration in the EU AI database, obligations that have no direct UK equivalent. UK GDPR and EU GDPR obligations also differ in certain respects, including transfer mechanisms and enforcement jurisdiction.
Our regional hub covers how these frameworks compare across major jurisdictions: AI Governance by Region.
Australian Businesses and the UK Framework
Australian businesses that process personal data about UK individuals are subject to UK GDPR obligations, including data transfer requirements when that data is processed outside the UK. Separately, Australian businesses using UK-based or US-based AI tools face Privacy Act APP 8 obligations under Australian law when personal information about Australians is involved. For Australian businesses, the domestic starting point is: AI and the Privacy Act in Australia. Understanding how data flows into AI tools is the practical first step: What Happens to Your Customer Data in ChatGPT.
Methodology (Real-World, Verified)
We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified in AUD at the vendor's published rates or converted at current exchange rates. Compliance notes reference the legislation and regulatory guidance relevant to each article's scope. Tools are assessed for suitability by a business with no dedicated IT department.
Is there a UK AI Act?
As at June 2026, the United Kingdom has not enacted a standalone AI Act. The UK government's stated approach is to use existing laws and empower existing regulators to address AI risks within their domains, rather than passing new horizontal AI legislation. This is a deliberate policy choice designed to maintain regulatory flexibility and support AI innovation. The government has indicated it will monitor whether this approach remains adequate as AI capabilities develop. Verify current government policy at gov.uk.
Does UK GDPR apply to AI systems?
Yes. UK GDPR applies to any processing of personal data, including processing by AI systems. Key provisions that apply to AI include: Article 22 rights related to automated decision-making, transparency and fairness obligations for AI that processes personal data, data minimisation requirements, and lawful basis requirements for AI training on personal data. The ICO has published detailed AI and data protection guidance covering all these areas: ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/.
What is the ICO's role in AI regulation in the UK?
The ICO (Information Commissioner's Office) is the UK's data protection regulator. For AI, it applies UK GDPR and the Data Protection Act 2018 to AI systems that process personal data. This is currently the primary binding regulatory framework for most business AI use in the UK. The ICO has published extensive AI-specific guidance, conducts AI audits, and has enforcement powers including fines for serious breaches of UK GDPR. The ICO does not approve AI systems before use, but it can investigate and take action after the fact.
How does UK AI governance differ from EU AI governance?
The EU AI Act is binding horizontal legislation that categorises AI systems by risk level and imposes specific obligations on high-risk AI systems placed on the EU market. The UK has no equivalent legislation; it uses a principles-based, sector-led model where existing regulators apply existing powers to AI. For businesses operating in both markets, EU AI Act compliance obligations are additional to UK GDPR and sector-specific UK requirements. The EU's extraterritorial reach means businesses that develop or deploy AI systems used in the EU face EU AI Act obligations regardless of where they are based.
What is the UK AI Safety Institute?
The UK AI Safety Institute (AISI) is a government body within DSIT that conducts safety evaluations of advanced AI models. It works with AI developers to assess frontier model capabilities and safety characteristics. AISI is not a compliance or enforcement body for typical business AI use and does not regulate day-to-day AI tool deployment. Its work is primarily relevant to developers of advanced AI systems. AISI publications are available at gov.uk/government/organisations/ai-safety-institute.
The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.
See how UK AI governance compares to the EU, US, Canada, and Australia in our regional governance hub. One page, all five major frameworks.