A director asks the obvious question in the board meeting: "Which AI law are we complying with?" The honest answer is that there isn't one. The UK has no single AI Act, no statute that says what an AI system may or may not do, and no regulator whose sole job is AI. That absence is not an oversight. It is the deliberate design of the UK's approach, and it changes what your board is actually accountable for.
The mistake is to read "no AI law" as "no obligation." The opposite is true. Without a single rulebook to point at, the burden sits with your board to show that your existing duties already cover how you build, use and govern AI. This post sets out what those duties are, who applies them, and why voluntary frameworks have become the practical way to evidence compliance.
Key takeaways
- The UK has no single AI Act; its approach is principles-based and cross-sector, set out in the March 2023 White Paper and confirmed in the government response of 6 February 2024.
- Existing regulators — the ICO, FCA, CMA, Ofcom, MHRA and others — apply five voluntary cross-cutting principles within their remits, rather than a new AI law or AI regulator.
- "No AI law" does not mean "no binding law": UK GDPR and the Data Protection Act 2018 bind you now, and the EU AI Act can catch UK firms extraterritorially through their EU footprint.
- Voluntary frameworks are the practical evidence of compliance — ISO/IEC 42001 for an auditable AIMS, NIST AI RMF's Govern-Map-Measure-Manage for risk structure.
- The board's job is to map each of the five principles to a control it can show and a named person accountable, then keep the AI risk register live, dated and owned.
The UK chose principles over a statute, on purpose
The UK's domestic approach is principles-based, non-statutory and cross-sector. It was set out in the March 2023 White Paper, A pro-innovation approach to AI regulation, and confirmed in the government response of 6 February 2024, led by the Department for Science, Innovation and Technology (DSIT).
Rather than create a new AI regulator or a new AI law, the UK asked the regulators you already answer to — the ICO, the FCA, the CMA, Ofcom, the MHRA and others — to apply five cross-cutting principles within their existing remits. The principles are these:
- Safety, security and robustness
- Appropriate transparency and explainability
- Fairness
- Accountability and governance
- Contestability and redress
Two things about that list matter to a board. First, the principles are voluntary, applied at each regulator's discretion. They are not, in themselves, legally binding. Second, they are deliberately abstract. They tell you the outcomes a regulator will look for, not the controls you must implement to get there. The gap between the principle and the control is exactly the space your board has to fill.
As of May 2026 there is still no comprehensive statutory "UK AI Act". A Private Member's Artificial Intelligence (Regulation) Bill [HL] was reintroduced in the Lords on 4 March 2025 but has no government backing, and any government Bill that does land is expected to be narrow. The AI Safety Institute was renamed the AI Security Institute in February 2025, within DSIT, signalling a focus on national-security and misuse risk rather than a broad licensing regime. The direction of travel is sector reform and regulatory sandboxes, not a single omnibus law.
"No AI law" does not mean "no binding law"
Here is the distinction that boards repeatedly get wrong. The five UK principles are voluntary. The regimes that already apply to your AI are not. Two of them bind you today, whatever the AI-specific picture looks like.
UK data protection law already governs most commercial AI. Wherever your AI processes personal data, the Information Commissioner's Office is your lead regulator, under the UK GDPR and the Data Protection Act 2018. This is binding now. It is also moving: the Data (Use and Access) Act 2025 reshaped the rules on automated decision-making, and its section 80 came into force on 5 February 2026, repealing the old Article 22 and replacing it with new Articles 22A to 22D. The effect is to relax the previous near-prohibition on solely automated decisions where no special-category data is involved, while keeping the right to human review where decisions are significant. The ICO's updated guidance on automated decision-making and profiling is still in draft — its consultation closed on 29 May 2026, with final guidance expected in summer 2026 — so treat that detail as provisional and do not build a control regime around wording that has not been finalised.
The EU AI Act may bind you even though the UK is outside it. The EU AI Act (Regulation (EU) 2024/1689) is binding, risk-based and extraterritorial. It catches UK organisations that place AI systems on the EU market or whose AI output is used in the EU, regardless of where you are established. Post-Brexit the UK is not bound by it, but many UK firms are in scope through their EU footprint. The high-risk application dates were pushed back under the 2026 "Digital Omnibus on AI" to 2 December 2027 for stand-alone high-risk systems and 2 August 2028 for high-risk systems embedded in regulated products — but those amendments were still completing the EU legislative process as of late May 2026, so confirm final adoption before relying on the dates.
So the picture your board actually governs is layered: a voluntary UK principles framework on top, and binding data-protection and (for many) EU obligations underneath. The principles do not replace the binding law. They sit above it as the lens your sector regulator will use.
What this means for your board, in practice
If there is no statute to comply with, what does a board point to when it is asked how it governs AI? You point to your governance process and to a recognised framework that gives that process structure. Voluntary frameworks are not a nice-to-have here. In the absence of a UK statute, they are the most concrete, auditable evidence you can produce.
The two that matter most:
| Framework | Binding? | What it gives your board |
|---|---|---|
| ISO/IEC 42001:2023 | Voluntary, certifiable | An AI management system: policies, roles, risk registers, impact assessments and continual-improvement evidence |
| NIST AI RMF 1.0 | Voluntary, not a law | A risk structure — Govern, Map, Measure, Manage — that maps onto the UK accountability principle |
ISO/IEC 42001 is the first international AI management system standard, published in December 2023. It is built on the same Plan-Do-Check-Act structure as ISO 27001, and it produces exactly the artefacts a regulator, a procurement team or an auditor wants to see. It maps cleanly onto the UK's five principles, which is why it tends to be the operational backbone we recommend a board build its AIMS around. We cover what an AIMS actually requires of a board in a companion post on ISO/IEC 42001. A note on language: only a UKAS-accredited certification body, such as BSI, can certify you to ISO/IEC 42001. A consultancy helps you align to it and prepare for that certification — it cannot issue it.
NIST's AI RMF 1.0, published in January 2023, is voluntary and US in origin, but it has become the common language for AI risk between UK, EU and US teams. Its Govern-Map-Measure-Manage structure sits comfortably inside an ISO 42001 AIMS and gives your board a defensible way to articulate how risk is identified and managed across the AI lifecycle.
Frameworks give you the shape. The evidence has to be live. A board's AI risk register that is updated once a year is not evidence of governance; it is a record that governance once happened. We make the case for treating the register as living evidence rather than a spreadsheet in a separate piece.
Map the principle to a control you can show
The work that closes the gap between an abstract principle and a defensible position is mapping each principle to a control that actually operates. This is where governance stops being a policy document and becomes something a board can answer for. From the systems we have built, a few concrete examples:
- Accountability and governance. A named person decides, and you can prove who decided and when. In a public-sector evidence and reporting workspace we built, the AI is advisory-only by hard constraint in its system prompt — no scoring, no automated decisions — and every output is traceable to the exact source passage through chunk-level citations.
- Transparency and explainability. A claim the model makes should be checkable. In an insolvency intelligence engine, every AI-extracted quote must be a literal substring of the source document, or the extraction fails and is not published.
- Safety, security and robustness. Constrain what the system can do, not just what you ask it to do. In an AI operations system for a property manager, the analytics layer is read-only by construction: the database itself rejects any write the model attempts, so the control does not depend on the model behaving.
- Contestability and redress. A decision a person disagrees with must be reviewable and reversible by a human, which the new Articles 22A to 22D reinforce where decisions are significant.
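As an added example, not code from any of the systems described above, here is the fail-closed check from the transparency bullet in Python: an AI-extracted quote is published only if it is a literal substring of the source document, and each published quote carries a chunk-level citation, so the output never depends on the model being honest. The fixed-size chunking scheme, the field names and the sample notice are constructed assumptions.

```python
# Added example: fail-closed verification of AI-extracted quotes.
# A quote is accepted only if it is a literal substring of the source;
# anything paraphrased, truncated or invented is rejected and not published.
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Citation:
    chunk_id: str   # chunk holding the first character of the quote
    offset: int     # absolute character offset of the quote in the source
    length: int

def chunk_ids(source: str, chunk_size: int) -> List[Tuple[str, int, int]]:
    """Fixed-size chunking with stable ids (a constructed scheme standing in
    for whatever chunker a real pipeline uses). Returns (id, start, end)."""
    return [(f"chunk-{i // chunk_size:04d}", i, min(i + chunk_size, len(source)))
            for i in range(0, len(source), chunk_size)]

def locate(source: str, quote: str, chunk_size: int = 120) -> Optional[Citation]:
    """Cite the first verbatim occurrence of `quote`, or None if it is not literal."""
    if not quote:                      # an empty quote is never evidence
        return None
    pos = source.find(quote)           # exact match only: no whitespace/case folding
    if pos == -1:
        return None
    for cid, start, end in chunk_ids(source, chunk_size):
        if start <= pos < end:
            return Citation(cid, pos, len(quote))
    return None

def verify_extractions(source: str, extractions: List[Dict], chunk_size: int = 120) -> Dict:
    """Split model output into publishable items (with citations) and rejected items.
    `extractions` is the model's list of {"field": ..., "quote": ...}."""
    published, rejected = [], []
    for item in extractions:
        cite = locate(source, item.get("quote", ""), chunk_size)
        if cite is None:               # fail closed: nothing is published for this field
            rejected.append({"field": item.get("field"), "reason": "quote not verbatim in source"})
        else:
            published.append({"field": item["field"], "quote": item["quote"], "citation": asdict(cite)})
    return {"published": published, "rejected": rejected}

# Constructed sample: a short pretend filing notice and three model extractions.
SOURCE = ("Notice of intention to appoint an administrator. The company Example Trading Ltd "
          "filed the notice on 3 March 2026. The proposed administrators are A. Person and B. Person "
          "of Example Insolvency LLP. Creditors have 10 business days to respond.")
EXTRACTIONS = [
    {"field": "filing_date", "quote": "filed the notice on 3 March 2026"},       # verbatim: published
    {"field": "response_window", "quote": "Creditors have ten business days"},  # paraphrased: rejected
    {"field": "firm", "quote": "Example Insolvency LLP"},                         # verbatim: published
]
```

Running `verify_extractions(SOURCE, EXTRACTIONS)` publishes the two verbatim quotes with their chunk ids and offsets and rejects the paraphrased one, which is the behaviour the extraction-fails-and-is-not-published rule requires.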
None of these controls is mandated by a UK AI law, because there isn't one. Each is the practical answer to a principle a regulator will apply. That is the shift a board has to internalise: you are not waiting for a rulebook, you are building the evidence that your existing duties are met.
A short checklist for the next board meeting
- Confirm which binding regimes already apply to your AI: UK GDPR and the ICO in almost all cases; the EU AI Act if you have EU exposure; sector rules (for financial services, Consumer Duty, SM&CR and SS1/23) where relevant.
- Decide which voluntary framework gives your governance structure — ISO/IEC 42001 is the usual answer for an auditable AIMS.
- For each of the five UK principles, name the control that evidences it and the person accountable for it.
- Treat the ICO's automated decision-making guidance as draft until final guidance is published in summer 2026.
- Keep your AI risk register live, dated and owned, not annual.
The UK's decision not to legislate a single AI Act does not lighten the board's load. It moves the load onto you to demonstrate, against principles a regulator will apply and binding law that already exists, that your AI is governed. Voluntary frameworks are how you make that demonstration concrete.
Last reviewed: 29 May 2026.
If your board is working out what it actually governs and what it needs to evidence, that is the conversation we have. See how we approach it, or read the controls we build into our own systems.