The UK's deliberate regulatory choice
When the EU was developing the AI Act, the UK government was making an explicit choice to go in a different direction. The 2023 AI White Paper articulated a "pro-innovation" approach: rather than enacting prescriptive horizontal AI legislation, the UK would rely on existing sector regulators to apply their domain expertise and existing powers to AI, guided by five cross-sector principles — safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; and contestability and redress.
This approach reflects a genuine philosophical difference from the EU's risk-based classification framework. The UK's position is that sector regulators are better placed to assess AI risks in their domains than a central legislative framework. Whether this proves correct depends significantly on how effectively sector regulators adapt their frameworks to AI's distinctive characteristics.
ICO: UK GDPR and AI
The Information Commissioner's Office is the most active UK regulator in AI governance, both because UK GDPR applies broadly to AI systems processing personal data and because the ICO has invested significantly in developing AI-specific guidance. The ICO's Explaining Decisions Made with AI guidance — developed in partnership with the Alan Turing Institute — addresses the UK GDPR's Article 22 requirements for automated decision-making, providing practical guidance on what meaningful explanation looks like in AI contexts.
UK GDPR's Article 22 (retained from EU GDPR) gives individuals the right not to be subject to solely automated decisions that produce legal or similarly significant effects. The ICO has been active in enforcing data protection requirements in AI contexts and has brought enforcement action against several organisations for algorithmic practices that breached UK GDPR. For any organisation using AI in significant decisions affecting UK individuals — credit, insurance, employment, healthcare — ICO's AI guidance should be treated as the baseline compliance expectation.
FCA: AI in financial services
The Financial Conduct Authority has engaged extensively with AI governance in financial services. The FCA's 2022 joint discussion paper with the Bank of England, Prudential Regulation Authority, and Payment Systems Regulator on AI and machine learning identified the key governance challenges and signalled regulatory expectations. The FCA's Consumer Duty (effective 2023) creates obligations for good consumer outcomes that interact directly with AI governance — AI-driven systems that lead to poor consumer outcomes, through design or error, are a Consumer Duty concern regardless of whether they were AI-driven.
The FCA has been pragmatic about AI adoption in financial services, recognising its potential for beneficial outcomes alongside governance risks. Its approach has been to engage with industry on AI governance through initiatives like the Digital Sandbox and regulatory sandbox, while making clear that existing regulatory obligations apply to AI as to other means of delivering financial services.
The EU AI Act problem for UK organisations
One consequence of Brexit that UK organisations sometimes underestimate is the EU AI Act's extraterritorial reach. The Act applies to providers who place AI systems on the EU market or put them into service in the EU, operators who use AI systems in the EU, providers and operators outside the EU where the output of their AI system is used in the EU. UK organisations with EU customers are within scope of the EU AI Act regardless of the UK's own regulatory approach. This means that while UK-based organisations are not subject to UK AI legislation, they may simultaneously be subject to EU AI Act obligations for their EU-facing activities. Managing this dual environment — UK GDPR and ICO for domestic activities, EU AI Act for EU-facing activities — is the practical governance challenge for many UK organisations.
