Does my UK business legally need an AI policy?

There is currently no UK law that mandates a specific AI policy for most businesses. However, existing legal obligations — under UK GDPR, data protection law, and sector-specific regulations — create practical requirements that an AI policy helps satisfy. For regulated businesses (law, finance, healthcare), the lack of a documented AI governance framework creates regulatory exposure. For all businesses, an AI policy reduces the risk of misuse, data incidents, and compliance failures.

What should an AI policy include?

At minimum: a list of approved and prohibited AI tools, clear rules on what data can be processed by AI, the requirement for human review of AI outputs, how AI use is documented, the supervision and sign-off process, what to do when something goes wrong, and how the policy is updated. For regulated businesses, add: client consent requirements, sector-specific compliance considerations, and how the policy interacts with existing data governance frameworks.

How often should an AI policy be updated?

At minimum annually, and whenever there is a significant change in: the AI tools your organisation uses, the regulatory environment (new guidance from the ICO, FCA, SRA, or CQC), the nature of data being processed by AI, or following any AI-related incident or near-miss. The AI landscape is moving quickly enough that a policy written in 2024 may already be materially out of date.

Does an AI policy need sign-off from a lawyer?

For most businesses, an AI policy is an internal governance document rather than a legal instrument. It does not need to be drafted or approved by a lawyer, though legal input is advisable for regulated businesses or where the policy interacts with contractual obligations to clients. More important than legal sign-off is practical sign-off: the policy should be reviewed by compliance, IT, and senior leadership, and communicated to everyone it affects.

AI Policy Template for UK Businesses

Most UK businesses now have staff using AI tools — often tools that leadership has not formally approved, assessed for data risks, or included in any governance framework. An AI policy closes that gap. This article explains what an effective AI policy needs to cover, what the most common mistakes are, and provides a framework you can adapt for your organisation.

An AI policy is not a legal document. It is a governance tool — a clear statement of how your organisation uses AI, what is and is not permitted, and who is responsible for what. Its value is practical: it creates consistent behaviour, reduces data incidents, and gives you something to point to when a regulator or client asks how you manage AI use.

Why You Need One Now

In 2022, most organisations could afford to be vague about AI use because AI was not yet a day-to-day tool. In 2026, staff in most professional services firms are using AI tools for drafting, research, analysis, and communication as a matter of routine. The policy question is not whether to address AI — it is whether you address it deliberately or inherit the consequences of not having done so.

The consequences of no policy include: staff using unapproved tools that create data governance exposure; different teams taking completely different approaches to the same AI risks; no documented evidence of AI governance if a regulator asks; and no clear process when something goes wrong.

For regulated businesses — law firms, FCA-regulated financial services, NHS contractors, healthcare providers — the stakes are higher. The SRA, FCA, and ICO all expect regulated businesses to be able to demonstrate how they manage AI-related risks. "We don't have a policy" is not an acceptable answer to that question.

The Eight Essential Sections

An effective AI policy covers eight areas. The following provides the content framework for each.

Section 1

Purpose and Scope

What this policy covers, who it applies to (all staff, contractors, third parties accessing your systems), and what it is intended to achieve. Keep this short and direct. The purpose is to enable responsible AI use, not to prohibit it.

Include a definition of "AI tools" that is practical for your context — typically: any software that uses machine learning or large language models to generate, analyse, summarise, or process content, including but not limited to [list your main tools].

Section 2

Approved and Prohibited Tools

A maintained list of approved AI tools with their approved use cases. For each tool, specify: what it may be used for, what data may be processed using it, and whether client/patient/regulated data is permitted.

A list of explicitly prohibited tools or tool categories. Common prohibitions: consumer-tier AI tools for client data processing, AI tools without UK GDPR-compliant data processing agreements, and AI tools where the vendor uses inputs for model training without opt-out.

A process for requesting approval of a new tool — preventing shadow AI adoption while enabling legitimate evaluation.

Section 3

Data Classification and AI Use

Map your data classification levels to what AI processing is permitted. For example: public data — any approved tool; internal data — approved tools with appropriate DPAs; client/confidential data — on-premises tools only, or approved cloud tools with explicit client consent; restricted/sensitive data — no AI processing without specific approval.

For regulated businesses: add sector-specific data categories (privileged legal material, patient data, FCA-regulated client data) with explicit rules for each.

Section 4

Human Oversight and Review

AI outputs must be reviewed by a competent human before being relied upon, submitted to a client, or used in a decision. This is not optional. Specify: who reviews AI outputs in different contexts, what "review" means in practice (not just skimming), and how AI contributions are documented.

For regulated businesses: specify the supervision chain for AI-assisted work product. Who has authority to approve AI-generated advice, analysis, or documents?

Section 5

Client and Third-Party Disclosure

Whether and how you disclose AI use to clients. For professional services businesses, this section should address: what information clients are given about AI use in their matters, how consent is obtained where required, and how client preferences not to use AI are recorded and honoured.

The minimum position: clients should know AI is used in your business. For regulated businesses: consider whether explicit consent is required for specific uses.

Section 6

Accuracy, Bias, and Quality

Staff must understand that AI outputs are not inherently accurate and may contain errors, outdated information, or biased content. The policy should specify: the obligation to verify AI outputs against primary sources where accuracy matters; prohibited uses of AI where accuracy is critical and verification is not feasible; and the process for raising concerns about AI accuracy or bias.

Section 7

Incident Reporting

What to do when something goes wrong. Specify: what constitutes an AI-related incident (data submitted to an unapproved tool; AI output relied upon without review that caused an error; suspected data breach via AI channel), how to report it, and the response process. Align with your existing data breach and incident response procedures.

Section 8

Review and Updates

When the policy is reviewed (at minimum annually), who owns it, and what triggers an out-of-cycle review (new tools adopted, regulatory guidance published, incident occurred). Assign ownership clearly — typically to whoever owns data governance and risk in your organisation.

The Three Most Common Mistakes

Mistake 1: Writing a policy that prohibits everything

Blanket AI bans are not enforceable and not desirable. They drive AI use underground — to personal devices and personal accounts outside any oversight whatsoever — rather than eliminating it. An effective policy enables responsible use and manages the risks, not prevents all use.

Mistake 2: Writing a policy nobody reads

A policy filed in a SharePoint folder is not a governance control. An AI policy needs to be: communicated to all staff it applies to, included in induction for new joiners, referenced in relevant training, and available where people make AI decisions (not just HR documentation repositories).

Mistake 3: Not updating it

An AI policy written in 2024 approved a specific list of tools and addressed specific risks. The tools have changed, the regulatory guidance has developed, and the risks have evolved. A policy that does not keep pace with the environment it governs becomes a liability rather than a protection.

Quick Self-Assessment Checklist

If you already have an AI policy, use the following to identify gaps:

Do we have a list of approved AI tools with clear use parameters?
Do we have a list of prohibited tools or tool categories?
Do we specify which data types can be processed by which tools?
Do we require human review of all AI outputs before reliance?
Do we address client/third-party disclosure of AI use?
Do we specify a supervision chain for AI-assisted work?
Do we have an AI-related incident reporting process?
Do we have a defined review schedule for the policy?
Has the policy been communicated to all staff it covers?
Has the policy been reviewed in the last 12 months?

AI Policy Template for UK Businesses: What to Include and Why