AI governance for local authorities

What councils, cabinets and scrutiny chairs should require before AI touches residents' services, procurement or public decisions.

Governance AI · 8 min read · Researched and drafted with AI assistance, reviewed by Karl George MBE

AI governance for local authorities means cabinet can show where AI is used, which residents it affects, who owns each decision, and what evidence proves fairness, data protection, transparency, security and Best Value before a tool goes live.

That is already a live governance question, not a future procurement issue. The Local Government Association's 2025 survey received responses from 33% of English councils, so it is a snapshot rather than a census, but the snapshot is still telling: 95% of respondents were using or exploring AI, 83% were using or exploring generative AI, and 20% were using or exploring predictive AI, including systems that try to predict an outcome for an individual or assign people to a service pathway (LGA state of the sector, June 2025).

Councils are adopting AI where the public will notice it: social care triage, advice and benefits, waste and environmental services, planning support, contact centres, procurement, finance and cyber security. The question for elected members and statutory officers is not whether AI is innovative. It is whether the authority can show its working when a resident, scrutiny chair, auditor, regulator or ombudsman asks why a decision was made.

Key takeaways

  • AI use in councils is already broad: the LGA found 95% of responding councils using or exploring it, with corporate use, adult social care, children's services and advice and benefits among the most common or most promising areas.
  • Local government is not in the current mandatory scope of the Algorithmic Transparency Recording Standard, but GOV.UK recommends ATRS records for local government and even for tools outside strict scope.
  • The most exposed council uses are resident-facing: social care, benefits, homelessness, planning, enforcement and complaints, where personal data, equality impacts and public trust converge.
  • Cabinet approval should require evidence, not assurance by adjective: an AI register, DPIA, equality impact assessment, supplier evidence, security mapping, human decision record and monitoring plan.
  • The Best Value frame matters because AI can affect service delivery, value for money, governance and risk management, all areas councils already have to evidence.

Who this applies to

This playbook is for councils, combined authorities and arm's-length public bodies using AI in public services or internal council operations. It also applies where a supplier uses AI inside a bought system, because the public function remains the authority's function.

Start with the areas where an error touches a person: social care referral routing, benefits eligibility support, homelessness prioritisation, enforcement risk scoring, planning representations, special educational needs casework, complaint triage and resident chatbots. Corporate tools matter too, but a bad meeting summary rarely has the same consequence as a wrongly escalated care case.

The LGA's commissioning guide, co-developed with the ICO, EHRC and London Office of Technology and Innovation, is blunt about scope: it applies to AI-based technologies councils buy for staff to use and technologies contracted out to a private company to use or build on the council's behalf, especially where they can have a significant impact on citizens or influence policies and services (LGA responsible buying guide, April 2025).

AI governance for local authorities: the cabinet decision

Cabinet should not be asked to approve "AI" as a general programme. It should be asked to approve defined uses, with conditions attached. The decision frame is short:

  • Purpose: what resident, service or operational problem is this tool solving, and why is AI needed rather than ordinary workflow or analytics?
  • Affected people: which residents, businesses, staff or service users could be affected, and are any protected groups more likely to be affected?
  • Decision status: is the system advisory, or can its output trigger a decision, escalation, refusal, priority score or intervention?
  • Evidence threshold: what must exist before go-live: DPIA, equality impact assessment, ATRS record, security review, supplier evidence, human review route and monitoring plan?
  • Accountability: which cabinet member, statutory officer and senior responsible owner will answer for outcomes, not just delivery?
  • Exit condition: what evidence would pause, roll back or terminate the tool?

This is the same stance we set out in the wider guide to the UK having no single AI Act. Local authorities are not waiting for one central AI rulebook. They are applying existing public law, data protection, equality, procurement, cyber and governance duties to a new class of systems.

Controls and evidence cabinet should require

The control set below is sized for a council cabinet paper, audit committee pack or scrutiny item. It turns "responsible AI" into evidence that can be read.

| Control | Evidence to table | Owner |
|---|---|---|
| AI register | Current list of AI and algorithmic tools, including supplier-embedded features, use case, service area, decision status and go-live date | Senior responsible owner |
| DPIA and data map | Data Protection Impact Assessment, lawful basis, personal-data flows, retention period and privacy notice wording | Data protection officer |
| Equality assessment | Equality Impact Assessment, protected-characteristic risk review, testing for differential performance and monitoring plan | Equality lead and service director |
| ATRS record | Draft or published transparency record describing what the tool does, why it is used, data used, human role and accountable owner | Digital or transparency lead |
| Supplier assurance | Bidder DPIA or EqIA, training-data description, performance testing, bias testing, model-change notice and audit rights | Commercial lead |
| Human decision route | Named person or role that reviews outputs affecting residents, override route, complaint route and decision log | Service director |
| Security evidence | NCSC cloud-principles mapping, access controls, incident process, data location, resilience and supplier security evidence | SIRO or cyber lead |
| Monitoring and stop rule | Metrics for accuracy, fairness, complaints, overrides, drift and service impact, with thresholds for pause or withdrawal | Audit committee or cabinet portfolio holder |

The bidder evidence is not an optional courtesy. The LGA guide says councils can reasonably ask suppliers for DPIAs, EqIAs and Algorithmic Impact Assessments, and can build those questions into tender and award processes. It also warns that AI technologies can introduce or perpetuate bias through training data, which is exactly why procurement cannot be separated from equality and data protection review. The buying version of this control set is the local-authority AI procurement checklist.

The public-transparency artefact is equally practical. The Algorithmic Transparency Recording Standard enables public-sector organisations to publish information about the algorithmic tools they use and why. GOV.UK says ATRS can drive public understanding, enable senior responsible owners to take accountability and clarify supplier transparency requirements (ATRS guidance for public-sector bodies). The updated Data and AI Ethics Framework goes further: central government departments and relevant arm's-length bodies must use ATRS, and the framework recommends it for local government even where not mandated (Data and AI Ethics Framework).

Framework mapping

Councils do not need to invent a local AI standard from scratch. They need a map that connects each live use to frameworks already recognised by officers, auditors and regulators.

| Framework | What it asks in practice | Council evidence |
|---|---|---|
| Best Value Duty | Are arrangements securing continuous improvement with economy, efficiency and effectiveness, with good governance and risk management? | Cabinet paper, business case, risk register, monitoring metrics and audit committee review |
| UK GDPR and ICO AI guidance | Is the processing lawful, fair, transparent, accurate and accountable, with DPIA and individual rights addressed? | DPIA, privacy notice, Article 30 record, human review and complaint route |
| Public Sector Equality Duty | Have equality impacts been assessed before and during use, not after harm appears? | EqIA, representative testing, bias review and outcome monitoring |
| ATRS | Can the public understand what the tool does, why it is used, what data it uses and who is accountable? | Draft or published ATRS record |
| NCSC cloud security principles | Is cloud-hosted AI protected for data in transit, asset protection, separation, governance and operational security? | Security review, supplier evidence, incident response and service resilience plan |
| ISO 42001 and NIST AI RMF | Is there a repeatable management system for policies, risk, impact assessment, monitoring and change control? | AI policy, tool register, risk assessment, owners, lifecycle controls and review cadence |

The Best Value link is not decorative. The statutory guide for best value authorities says local authorities must make arrangements to secure continuous improvement with regard to economy, efficiency and effectiveness, and must demonstrate good governance and effective risk management across all functions (Best Value statutory guide). If an AI tool changes how adult social care referrals, benefits advice or enforcement priorities operate, it sits inside that governance and risk evidence.

For the wider comparison of ISO 42001, NIST AI RMF and UK governance expectations, use our UK AI governance framework guide. For public-sector go-live artefacts, the closest companion piece is the checklist on ATRS, DPIA and NCSC evidence before AI goes live.

Common failure modes

The first failure is treating a supplier feature as if it is not the council's AI. The resident does not care whether the recommendation came from an in-house model, a module inside a case-management platform or a third-party chatbot. If it affects a public function, the council needs the register entry, the risk assessment and the authority to challenge the supplier.

The second is confusing human presence with human judgement. The Government's AI Playbook says services using AI that affect legal status or rights must use AI only to support decisions made by a human decision-maker, and that human input must be meaningful (AI Playbook for the UK Government). A button marked "approve" is not meaningful review if the officer lacks reasons, time, authority or an override route.

The third is starting with the model, then trying to write the DPIA afterwards. The ICO's AI and data protection guidance covers accountability, transparency, accuracy, fairness and automated decision-making safeguards, and the Data and AI Ethics Framework says high-impact contexts such as social care may need a higher level of explainability before technical choices are made (ICO guidance on AI and data protection). The order matters: decide the explainability and rights requirements first, then choose a system capable of meeting them.

The fourth is underplaying cyber and resilience. The NCSC cloud security principles start with data in transit protection, asset protection, separation between customers and governance framework, and ask buyers to consider what evidence gives enough confidence in a provider's claims (NCSC cloud security principles). For a council, that is not a technical appendix. It is part of the go-live decision.

Next step

Ask for three documents before the next cabinet or audit committee discussion: the AI register, one worked DPIA or EqIA for the highest-risk use, and the draft ATRS record for any resident-facing tool. If those documents do not exist, the authority is still discovering its exposure.

The free Board AI Scorecard gives cabinets, audit committees and senior officers a quick baseline across oversight, data, accountability and evidence. For a fuller outside review, our AI governance diagnostic maps live AI use against public-sector duties, procurement evidence, ATRS readiness and the controls above.

Last reviewed: 18 June 2026.

Sources: LGA state of the sector: Artificial intelligence, 2025 update · LGA responsible buying AI guide · GOV.UK ATRS guidance for public-sector bodies · GOV.UK Data and AI Ethics Framework · GOV.UK AI Playbook · ICO guidance on AI and data protection · GOV.UK Best Value statutory guide · NCSC cloud security principles
