And Most People are Covering the Wrong Thing.
Perhaps, like many, you have been reading all about the EU AI Act; maybe you’ve even attended the odd briefing and left more confused than when you started. That’s normal: the entire situation is a minefield, and the EU AI Act isn’t even the one most UK-based businesses should be worried about.
Download the UK AI Governance Framework (PDF)
The legislation and oversight relevant to the UK consists of the following:
- UK GDPR and the Data (Use and Access) Act 2025: the workhorse of UK AI governance. If your AI system touches personal data, this applies. The Data (Use and Access) Act came into force on 5 February 2026 and replaced Article 22, which governed automated decision-making. It shifted the legal question from “do we have a basis to justify AI decisions at all?” to “are our safeguards robust enough?” It also wrote contestability into law: the right of anyone affected by an AI decision to challenge it, seek explanation, and obtain redress. Enforced by the ICO. [1][2]
- The Equality Act 2010: if your AI produces decisions that create disparate impacts on protected characteristics (age, disability, race, sex, religion), you have an equality law problem regardless of whether you intended discrimination. AI does not get an exemption. Enforced by the EHRC. [3]
- The Employment Rights Act 2025: signals growing UK legal expectations around fairness and accountability in AI-assisted workforce decisions. Relevant to recruitment, performance management, and pay. Overlaps with ICO exposure for the same HR functions. [4]
- The Online Safety Act 2023: applies to online services using AI for content moderation, recommender systems, or automated decisions affecting users. Enforced by Ofcom. [5]
- The Digital Markets, Competition and Consumers Act 2024: gives the CMA expanded powers to scrutinise AI-related markets, partnerships, and mergers. If your organisation is deploying AI at scale or entering AI partnerships, this is relevant. Enforced by the CMA. [6]
- The Consumer Duty (FCA, 2023): financial services organisations using AI in customer decisions, credit scoring, or product recommendations must demonstrate good outcomes for customers. The FCA is active on AI explainability and algorithmic oversight. Enforced by the FCA. [7]
- The five cross-sector AI principles (UK AI White Paper, 2023): non-statutory, but applied by every sector regulator within existing enforcement frameworks. Safety, transparency, fairness, accountability, and contestability. They are not soft guidance; they are the lens every regulator uses when it looks at your AI deployment. [8]
That is seven overlapping frameworks, five regulators, and no single document that tells you where they all intersect. The EU AI Act, which most briefings seem to cover, does not govern UK domestic operations in any of the above. It has extraterritorial reach only if you operate in EU markets.
In an enterprise setting, the people responsible for understanding all of this, and for building the human oversight infrastructure each of these frameworks requires, are the AI compliance teams, CHROs, data controllers, and operations directors. Many may instead have been handed a deck about Brussels, which, as noted above, matters if you do business in the EU and handle EU data, but is a different topic entirely.
What’s Happening In The Legal Landscape?
On 22 April 2026, Sir Colin Birss, the Chancellor of the High Court and the UK’s lead judge on AI, gave a formal speech. His position: if your people are using public AI tools with confidential information, your organisation may have already lost legal privilege and not know it. He distinguished explicitly between uncontrolled public AI (unacceptable risk) and properly configured, governed enterprise AI (safe). He was the first UK judge to admit using ChatGPT to write part of a judgment. He knows the territory from inside the machine, not from the outside. [17]
In reality, the ICO has been the most active UK regulator on AI so far. In March 2026 it published its ‘Recruitment Rewired’ report, which examined how over 30 UK employers were using automation in hiring. [9] The findings were blunt: organisations claiming to include meaningful human review in their AI-assisted recruitment processes were doing so in ways that were often inconsistent, superficial, or unevenly applied. Automated decisions were being made without applicants knowing it.
The ICO’s own guidance on automated decision-making is specific about what genuine human oversight means: involvement must do three things:
- Come after the automated output
- Relate to the actual outcome, and
- Carry real authority to change it.
A decision does not fall outside the scope of UK GDPR just because a human has rubber-stamped it. [1] If monitoring shows reviewers are routinely agreeing with AI outputs without demonstrating genuine assessment, the ICO will treat those decisions as solely automated.
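The three ICO criteria above, and the warning that routine agreement without genuine assessment will be treated as solely automated decision-making, can be turned into a monitoring check over an organisation's own decision log. The following is an added example written for this article; it is not ICO guidance and not code from the contAIn™ framework. The record fields, the thresholds (at least five reviews, 95% agreement, a one-minute median review time) and the sample log entries are all constructed assumptions, to be tuned to the real process.

```python
"""Audit a log of AI-assisted decisions for signs that human review is not genuine.

Added example (not ICO or contAIn code). Checks each record against the three ICO
criteria quoted in the article (review comes after the output, relates to the actual
outcome, and the reviewer holds authority to change it), then looks across reviewers
for the rubber-stamping pattern: near-total agreement logged implausibly fast.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class DecisionRecord:
    decision_id: str
    ai_output_at: datetime       # when the automated output was produced
    ai_recommendation: str       # e.g. "reject" / "shortlist"
    reviewer: str                # named human who reviewed the output
    reviewer_can_override: bool  # does this person hold authority to change the outcome?
    reviewed_at: datetime        # when the human review was recorded
    final_outcome: str           # outcome after human review
    rationale: str               # reviewer's recorded reasoning ("" if none was captured)


def check_record(rec: DecisionRecord) -> list[str]:
    """Per-record issues; an empty list means the record passes the structural checks."""
    issues = []
    if rec.reviewed_at < rec.ai_output_at:
        issues.append("review_before_ai_output")          # review did not come after the output
    if not rec.reviewer_can_override:
        issues.append("reviewer_lacks_override_authority")  # no real authority to change it
    if not rec.rationale.strip():
        issues.append("no_recorded_rationale")             # nothing shows assessment of the outcome
    return issues


def reviewer_stats(records: list[DecisionRecord]) -> dict[str, dict]:
    """Agreement rate and median time-to-review per named reviewer."""
    grouped: dict[str, list[DecisionRecord]] = defaultdict(list)
    for rec in records:
        grouped[rec.reviewer].append(rec)
    stats = {}
    for reviewer, recs in grouped.items():
        agreements = sum(r.final_outcome == r.ai_recommendation for r in recs)
        durations = [(r.reviewed_at - r.ai_output_at).total_seconds() for r in recs]
        stats[reviewer] = {
            "reviews": len(recs),
            "agreement_rate": agreements / len(recs),
            "override_count": len(recs) - agreements,
            "median_review_seconds": median(durations),
        }
    return stats


def flag_rubber_stamping(records, min_reviews=5, agreement_threshold=0.95,
                         min_median_seconds=60.0) -> dict[str, list[str]]:
    """Reviewers whose pattern suggests they are agreeing without assessing (assumed thresholds)."""
    flags = {}
    for reviewer, s in reviewer_stats(records).items():
        if s["reviews"] < min_reviews:        # too few reviews to judge a pattern
            continue
        reasons = []
        if s["agreement_rate"] >= agreement_threshold:
            reasons.append("near_total_agreement")
        if s["median_review_seconds"] < min_median_seconds:
            reasons.append("implausibly_fast_review")
        if reasons:
            flags[reviewer] = reasons
    return flags


def audit(records: list[DecisionRecord]) -> dict:
    """Full audit output: per-record issues plus per-reviewer rubber-stamping flags."""
    record_issues = {}
    for rec in records:
        issues = check_record(rec)
        if issues:
            record_issues[rec.decision_id] = issues
    return {"record_issues": record_issues, "reviewer_flags": flag_rubber_stamping(records)}


# Constructed sample log (hypothetical recruitment screening decisions).
T0 = datetime(2026, 3, 2, 9, 0, 0)


def _rec(i, reviewer, can_override, ai_rec, outcome, delay_s, rationale):
    out_at = T0 + timedelta(minutes=i)
    return DecisionRecord(f"D{i:03d}", out_at, ai_rec, reviewer, can_override,
                          out_at + timedelta(seconds=delay_s), outcome, rationale)


SAMPLE_RECORDS = [
    # "alice": six reviews, all agree with the AI, each logged within seconds, no rationale
    *[_rec(i, "alice", True, "reject", "reject", 5, "") for i in range(1, 7)],
    # "bob": five reviews, one reasoned override, several minutes spent on each
    _rec(7, "bob", True, "reject", "reject", 420, "Agree: below minimum qualification"),
    _rec(8, "bob", True, "reject", "shortlist", 610, "Overridden: relevant experience not parsed"),
    _rec(9, "bob", True, "shortlist", "shortlist", 300, "Agree"),
    _rec(10, "bob", True, "reject", "reject", 240, "Agree: role requires certification"),
    _rec(11, "bob", True, "shortlist", "shortlist", 380, "Agree"),
    # "carol": review timestamp precedes the AI output, and she cannot override
    DecisionRecord("D012", T0 + timedelta(minutes=12), "reject", "carol", False,
                   T0 + timedelta(minutes=11), "reject", "Looks fine"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_RECORDS))
```

Run on a real export, the per-record issues are the easy part; the per-reviewer view is what answers the ICO's actual question, because a reviewer who agrees 100% of the time in five seconds has not demonstrated assessment no matter how many sign-offs are on file.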
In October 2025, the ICO fined Capita £14 million for data protection failures following a cybersecurity breach. [10] The principle it applied, that no organisation is too big to ignore its responsibilities to the personal data entrusted to it, is the same principle now running across AI governance. The fine was not for an AI decision, but the principle transfers directly.
On 29 May 2026, the ICO published its 2026/27 priorities: an AI code of practice, dedicated guidance on agentic AI, and greater regulatory certainty on how data protection law applies to AI deployment. [11] That code of practice does not yet exist, but the enforcement powers that will give it teeth already do.
On 3 June 2026, the Digital Regulation Cooperation Forum (the joint body of the ICO, FCA, CMA, and Ofcom) opened a call for input on consumer interest and AI. The deadline is 3 July 2026. [12] The framework is still being actively shaped. The organisations waiting for clarity before they act are waiting for something that is not coming, at least, not before enforcement does.
The Numbers and Industry Take
A survey of 507 senior UK IT decision-makers, published by Trustmarque in July 2025, found that 93% of UK organisations are running AI and only 7% have the governance frameworks to support it. [13]
PwC’s 2026 AI Performance Study surveyed 1,217 senior executives across 25 sectors. [14] 74% of AI’s economic value is captured by just 20% of organisations. The leaders were 2.8 times more likely to have redesigned workflows around AI and built governance foundations. Employees in those organisations were twice as likely to trust AI outputs. The differentiator was not budget or model access. It was the methodology layer underneath the tools.
In September 2025 the Project Management Institute published what it describes as the world’s first ANSI-approved AI standard for project professionals: 275 pages governing the delivery of AI systems from business understanding to operationalisation. [15] It governs the project, but stops at deployment. The question of what the humans directing the deployed system do next is left entirely open. The ICO’s contestability requirements start exactly where that standard ends.
On top of all that, only 5% of companies report meaningful productivity gains. [16] The tools have outstripped the humans running them.
What does adequate human oversight actually look like in practice? It requires:
- A named human with the authority to override AI outputs.
- Documented constraints on what AI is permitted to produce.
- Defined outcomes the AI is working toward, set before it starts, against which every output can be assessed.
- A record of the logic applied.
- The capacity to contest any decision it produces.
The contAIn™ framework, the strategic methodology layer that directs AI and puts humans above the AI loop, maps precisely to what the ICO, the Data (Use and Access) Act 2025, and the five UK AI principles collectively require. Seven principles with seven answers to the questions the regulators are already asking.
| Principle | What it means | UK requirement it answers |
|---|---|---|
| C. Constraint | What AI is permitted to produce, within defined limits set before it starts. | Safety / Accountability |
| O. Oversight | The active human function of reviewing, directing and remaining above what AI produces. | Accountability / Contestability |
| N. Necessity | The decision, before any AI is deployed, about what it should be used for and whether it should be used at all. | Safety / Fairness |
| T. Transparency | A documented record of what logic was applied, by whom, toward what end. | Transparency / Contestability |
| A. Authority | The named human on whose instruction AI operates and whose accountability is on the line. | Accountability |
| I. Intent | The defined outcome the AI is working toward, set by the human before the work begins. | Accountability / Fairness |
| N. Not Negotiable | The floor below which no AI output can go, regardless of what the machine produces. The records needed to show compliance. | Contestability / Safety |
This is not a compliance checklist. It is a human operating system: the methodology infrastructure that makes genuine human oversight real, makes AI contestability meaningful, and makes accountability something more than a name on an org chart.
The answer to a moving regulatory target is not to wait for it to stop moving. It is to build the thing that works regardless of where it lands.
If your organisation has a named data controller, does that person have the authority, the information, and the capacity to override what your AI produces today?
For more information on how contAIn™ can be applied in your organisation contact [email protected]
A note on scope. The seven principles set out in this article represent the elements of the contAIn™ framework that map directly to current UK AI governance requirements. The full contAIn™ methodology is broader than what UK regulation currently requires. As the UK regulatory landscape evolves, and it will, this mapping will be updated accordingly. The methodology exists because the problem of directing AI is larger than compliance. Compliance is the floor, not the ceiling. More at contain.digital.
configure YOUR system. contAIn™ the chaos. control YOUR outcome.
References
[1] ICO, ‘How do we ensure individual rights in our AI systems?’, Guidance on AI and data protection. ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/how-do-we-ensure-individual-rights-in-our-ai-systems/
[2] Data (Use and Access) Act 2025. Royal Assent 19 June 2025, in force 5 February 2026. legislation.gov.uk/ukpga/2025/18/introduction/data.htm
[3] Equality Act 2010. legislation.gov.uk/ukpga/2010/15/contents
[4] Employment Rights Act 2025. legislation.gov.uk/ukpga/2025/36/enacted
[5] Online Safety Act 2023. legislation.gov.uk/ukpga/2023/50/contents
[6] Digital Markets, Competition and Consumers Act 2024. legislation.gov.uk/ukpga/2024/13/contents
[7] FCA, Consumer Duty, 2023. fca.org.uk/firms/consumer-duty
[8] UK Government, ‘A pro-innovation approach to AI regulation’, March 2023. gov.uk/government/publications/ai-regulation-a-pro-innovation-approach
[9] ICO, ‘Recruitment rewired: an update on the ICO’s work on the fair and responsible use of automation in recruitment’, March 2026. ico.org.uk/about-the-ico/what-we-do/recruitment-rewired/
[10] ICO, ‘Capita fined £14m for data breach affecting over 6m people’, 15 October 2025. ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/10/capita-fined-14m-for-data-breach-affecting-over-6m-people/
[11] ICO, ‘ICO response to government on safe AI-powered innovation’, 29 May 2026. ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/05/ico-response-to-government-on-safe-ai-powered-innovation/
[12] Digital Regulation Cooperation Forum, call for input on consumer interest and AI, 3 June 2026. drcf.org.uk/news-and-events/news/call-for-input-consumer-interest-and-ai
[13] Trustmarque, ‘AI Governance Index 2025’, July 2025. trustmarque.com/resources/press-release-ai-governance-report
[14] PwC, ‘2026 AI Performance Study’, 13 April 2026. pwc.com/gx/en/news-room/press-releases/2026/pwc-2026-ai-performance-study.html
[15] Project Management Institute, CPMAI Exam Content Outline, September 2025. pmi.org/certifications/ai-project-management-cpmai
[16] Asana, ‘Asana Unveils Operating System for Human-Agent Teams’, BusinessWire, 4 June 2026. businesswire.com/news/home/20260604472500/en/Asana-Unveils-Operating-System-for-Human-Agent-Teams
[17] Sir Colin Birss, Chancellor of the High Court, ‘Legal professional privilege in the Age of AI’, speech to the City of London Law Society, 22 April 2026. judiciary.uk/speech-by-the-chancellor-of-the-high-court-legal-professional-privilege-in-the-age-of-ai/
Samantha Maeer | Founder and Creator, contAIn™ | 30 years operating at the sharp end of tech and project management across the UK, Southeast Asia and the Middle East. Creator of the strategic methodology layer that directs AI and puts humans above the AI loop. | contain.digital ORCID: https://orcid.org/0009-0000-5439-3645
This article was originally published on Substack.