Which regulator governs AI in the UK?

No single one. The UK deliberately gave the job to existing regulators, each applying five cross-cutting principles within its remit: the ICO wherever personal data is processed, the FCA and PRA in financial services, the RSH in social housing, the Charity Commission for trustees, the OfS in higher education, and so on.

Do supplier systems count as our AI?

Yes. Accountability stays with the organisation that deploys the system, even where the AI sits inside a vendor product the board cannot independently test. The Regulator of Social Housing holds the board rather than the vendor accountable for outcomes, and the Public Sector Equality Duty cannot be discharged by a supplier.

Where can I see every duty in one place?

The UK AI Regulation Tracker on this site lists the instruments, regulators and duties that bear on AI for each of the six sectors we cover, with what each requires, its status where settled, the date each entry was last reviewed and a link to the official source.

Topic

Sector playbooks

AI governance is not generic. The duties that bind an AI system depend on who deploys it: the same model that is routine in one sector is a regulated decision in another. Each playbook here works through a specific UK sector, grounded in the regulators and rules that actually apply.

Why is AI governance different in each sector?

Because the UK chose regulators over a statute. There is no single AI Act; five cross-cutting principles are applied by each sector's existing regulators within their remits. So what an AI system must evidence depends on whether its deployer answers to the FCA, the Regulator of Social Housing, the Charity Commission or the Office for Students.

The consequences are concrete. An arrears-triage model inside a housing association engages the consumer standards and a regulator that can downgrade a governance grade. The same class of model inside a bank engages Consumer Duty and the Senior Managers and Certification Regime, where a named individual carries the accountability. In a council the identical tool becomes a public act, exposed to judicial review and the equality duty. A generic AI policy cannot anticipate any of this. That is why we write sector playbooks rather than one framework with the sector name changed, and why each one starts from the duties, not the technology.

What do regulated sectors have in common?

Three constants. Accountability stays with the deployer, never the vendor or the model. Wherever personal data is processed, the ICO is lead regulator under UK GDPR. And significant automated decisions now carry rights to notice, human review and contestability under the Data (Use and Access) Act 2025.

Every sector page we publish repeats those three in its own vocabulary, because every sector regulator does. The Regulator of Social Housing holds the board, not the supplier, accountable for AI outcomes. The Public Sector Equality Duty sits with the council as decision-maker and cannot be discharged by a vendor. The SRA confirms solicitors stay personally accountable for AI outputs. The same shape, different rulebooks, and all of them are collected, dated and sourced in the UK AI Regulation Tracker.

Which duties bind AI in your sector?

Each sector has its own stack. In financial services it is Consumer Duty, SM&CR and PRA SS1/23. In the public sector it is the equality duty, the Algorithmic Transparency Recording Standard and the ICO. In the professions it is conduct rules that keep a named professional responsible for the output.

The playbooks below work through each stack in detail:

Financial services: the FCA's outcomes-based Principles, Consumer Duty, SM&CR ownership and SS1/23 model risk expectations, where a named senior manager answers for every AI decision. Our post on how existing FCA and PRA rules already bind AI sets out why no AI rulebook is coming to the rescue.
Local authorities: the Public Sector Equality Duty, ATRS records and DPIAs, because an automated decision about a resident is a public act that must be defensible to a court. We list the five artefacts a combined authority demands before AI goes live.
Professional services: SRA, ICAEW and RICS duties, privilege, confidentiality and disclosure, where the named professional remains personally liable for what the AI drafts. The anatomy of a computed AI disclosure shows what the RICS standard looks like done properly.
Housing associations: the Governance and Financial Viability Standard and the consumer standards, applied to AI in arrears, repairs and allocations decisions tenants cannot opt out of.
Charities: trustee duties under the Charities Act 2011, the Charity Governance Code's recommendation of an AI policy, and the Fundraising Regulator's AI guidance, which reaches third parties fundraising in the charity's name.
Universities and colleges: OfS registration conditions, the UK Quality Code and safeguarding duties, with the governing body owning the credibility of every qualification AI touches.

How should a board use a sector playbook?

As a working brief, not background reading. Take your sector's playbook into the next board meeting, ask the questions it sets out, and test which of the duties your organisation could evidence today. The gap between "we have a policy" and "we could show an inspector" is where the work is.

Each sector page carries the six questions we would put to that board: where AI already operates, what crosses the automated decision-making threshold, how bias has been tested, whether a decision can be explained to the person it affected, and who owns the answer at board level. A print-ready board pack version exists for every sector for exactly that meeting, one page, no sign-up. If you want a structured read of where you stand first, the Board AI Scorecard takes about two minutes and maps your answers to the five areas every regulator's expectations fall into. The articles below go deeper, sector by sector.

Articles in this topic.

Slender violet arcs forming a sheltering ring around a small circle on a near-white field, suggesting a board holding a line around beneficiaries

Sector playbooks

AI governance for charity trustees: what changed

The 2025 Charity Governance Code now names a technology and AI policy as evidence of good governance. What trustees must do, sized for small charities.

ArticleDr Karl George MBE12 June 20268 min read

Repeating violet rooflines across a near-white field with one home outlined in deeper violet, suggesting oversight that reaches every tenancy

Sector playbooks

AI governance for housing association boards

Repairs triage, arrears scoring and complaint handling are going algorithmic. What housing association boards must evidence — and to whom.

ArticleDr Karl George MBE12 June 20268 min read

Abstract violet lattice of fine grid lines on a near-white field, with one cell ringed in deeper violet, suggesting board oversight of classroom AI

Sector playbooks

AI governance for school governors and MAT boards

What school governors and MAT trustees actually oversee on AI: DfE expectations, safeguarding, assessment integrity and the questions to ask.

ArticleDr Karl George MBE12 June 20268 min read

A navy grid of framed openings with one filled in violet, representing a published algorithmic transparency record

Sector playbooks

What a combined authority asks for before AI goes live

The pre-go-live checklist a UK combined authority demands of an AI tool: ATRS record, DPIA and Article 30, NCSC's 14 principles, advisory-only design and chunk-level citations.

ArticleGovernance AI7 May 20268 min read

A violet signature underline beneath a blank framed area, representing a named professional taking responsibility for AI-assisted output

Sector playbooks

What a RICS AI disclosure teaches every regulated profession

A surveying build generated its AI disclosure from real decision records. Here is how to turn that into a disclosure template for any regulated profession.

ArticleGovernance AI16 April 20267 min read

Interlocking navy ring segments enclosing a centre with one violet segment, showing existing rules already binding AI

Sector playbooks

No AI rulebook, but your AI is already bound

There is no FCA AI rulebook. Consumer Duty, SM&CR, SS1/23 and UK GDPR's new Articles 22A-22D already govern AI in financial services today.

ArticleGovernance AI26 March 20268 min read

Questions directors ask.

Which regulator governs AI in the UK?: No single one. The UK deliberately gave the job to existing regulators, each applying five cross-cutting principles within its remit: the ICO wherever personal data is processed, the FCA and PRA in financial services, the RSH in social housing, the Charity Commission for trustees, the OfS in higher education, and so on.
Do supplier systems count as our AI?: Yes. Accountability stays with the organisation that deploys the system, even where the AI sits inside a vendor product the board cannot independently test. The Regulator of Social Housing holds the board rather than the vendor accountable for outcomes, and the Public Sector Equality Duty cannot be discharged by a supplier.
Where can I see every duty in one place?: The UK AI Regulation Tracker on this site lists the instruments, regulators and duties that bear on AI for each of the six sectors we cover, with what each requires, its status where settled, the date each entry was last reviewed and a link to the official source.

Find out where your AI exposure sits.

We'll tell you plainly what's worth doing, what isn't, and what a board or regulator will expect to see. No pitch deck.

Book a 15-minute call See what we've built

No obligation · no pitch.