The rules that already bind your AI
No UK regulator is waiting for an AI Act before holding you to account. The UK's approach is deliberately principles-based: five cross-cutting principles, applied by each sector's existing regulators within their existing remits. The practical effect is that the rules binding your AI are the rules you already answer to, applied to a technology they never mention by name. This guide works through what that means in three regulated settings.
Financial services: outcomes, named owners and model risk
The FCA and PRA have deliberately declined to write AI-specific rules. Their stance is technology-neutral and outcomes-focused, reaffirmed in April 2026, which means the existing rulebook reaches the AI in full.
Consumer Duty does not care how an unfair outcome was produced. If a pricing or eligibility model produces a worse outcome for a vulnerable customer, the Duty is engaged whether the model is a logistic regression or a large language model, and "the model did it" is an admission that you cannot evidence the outcome. The Senior Managers and Certification Regime attaches a named senior manager to AI risk through their Statement of Responsibilities: when AI takes over a function a person used to perform, the accountability does not evaporate into the model. And PRA SS1/23 brings AI and machine-learning models inside formal model risk management: inventory, independent validation, monitoring and governed change.
The board test in this sector is reconstruction. For any AI-influenced decision, can you show its inputs, the model's output, and the human who signed it off, after the fact and under challenge?
The public sector: a decision about a resident is a public act
A council or combined authority exercising statutory power answers to a different stack. The Public Sector Equality Duty, under section 149 of the Equality Act 2010, requires documented due regard to eliminating discrimination before an AI tool touches casework or eligibility, and the duty cannot be discharged by a supplier. The Algorithmic Transparency Recording Standard expects public bodies to publish what each algorithmic tool does, the data it uses and who is accountable; it has been mandatory for central government since 2024 and is the de facto expectation everywhere else. A Data Protection Impact Assessment and an Article 30 record are separate artefacts, and a data protection officer will ask for both. Security review runs through the NCSC's 14 Cloud Security Principles, the vocabulary a Senior Information Risk Owner recognises.
The cleanest design answer we have found for this stack is advisory-only AI: the system assists, a named officer decides, and the constraint is enforced in the system itself. A tool that genuinely cannot make a decision about a person is a tool whose transparency record can be written honestly.
The professions: the named human stays responsible
For solicitors, accountants and surveyors, AI lands on conduct rules that bind individuals, not just firms. The SRA's Codes of Conduct impose competence, confidentiality and supervision duties on AI-assisted legal work, and its Risk Outlook confirms the solicitor stays personally accountable for AI outputs. The ICAEW Code of Ethics requires a member to judge whether an AI tool and its data are sufficient before relying on the output. RICS, in its responsible AI standard published in September 2025, requires human oversight, professional scepticism and written disclosure of AI use to clients.
Disclosure is where most firms get this wrong. A sentence at the foot of a report saying it was "produced with the assistance of AI tools" cannot answer which parts, which model and who checked them. A disclosure is only as good as the record behind it: the firms doing this properly generate the disclosure from an actual ledger of what the named professional accepted, modified or rejected.
Automated decisions under UK GDPR: Articles 22A to 22D
One change cuts across all three settings. The Data (Use and Access) Act 2025 repealed the old Article 22 of UK GDPR and replaced it with Articles 22A to 22D, in force since 5 February 2026. The reform relaxes the previous near-prohibition on solely automated decisions where no special category data is involved, while preserving the rights that matter where a decision is significant: the person must be told, can make representations, can obtain human intervention and can contest the outcome. Eligibility, pricing, benefits and fraud decisions are exactly the territory this is written for. Note that the ICO's detailed guidance on automated decision-making remained in draft as of mid-2026, so treat the fine detail as provisional and date the assumptions in your impact assessments.
Across every sector the question underneath is the same one: who is accountable for what the AI did? If your organisation can answer with a name, a record and a control that operates, you are governing. If it cannot, the gap exists now, not when an AI Act arrives.