AI governance for UK organisations: what the EU AI Act means for you
Brexit did not insulate UK businesses from the EU AI Act. Here is what you need to know in 2026.
Updated quarterly as UK law changes · Written by Simon Steggles, AI Director Ltd · Reviewed by Rachel Holbrook, Technology Law Solicitor
Many UK organisations assume that the EU AI Act does not apply to them. They are wrong. If your organisation sells products or services into the EU, uses AI tools provided by EU-regulated vendors, or operates any subsidiary that has an EU presence, the Act's obligations are already live and escalating. And even for purely domestic UK operations, the regulatory direction of travel is clear — the UK AI Bill is expected to follow the EU framework closely for most high-risk applications.
What the EU AI Act requires — and who it affects
The EU AI Act came into force in stages. By February 2026, the General-Purpose AI (GPAI) model obligations were fully live. This affects UK organisations in two ways:
As deployers. If your organisation uses foundation models (ChatGPT, Claude, Gemini, Copilot, or similar) in any business process, you are a "deployer" under the Act. Deployers of high-risk AI systems have documentation, transparency and human oversight obligations. Using AI to screen CVs, assess loan applications, make promotion decisions or monitor employee performance is in each case a high-risk use.
As providers. If your organisation has built or customised an AI system that is placed on the EU market — even if you are a UK company — the full provider obligations apply, including conformity assessment and registration.
The UK position in 2026
The UK AI Bill completed committee stage in Parliament in March 2026. The version reported back retains a risk classification system closely aligned with the EU's high-risk list, but relaxes the conformity-assessment timetable for SMEs (turnover under £25m) by 12 months. The direction is clear: a UK framework largely mirroring the EU's is coming, and organisations that have built internal governance structures ahead of it will have a significant head start.
The ICO has been more immediately active. Its enforcement action against TalentReach Ltd — a £950,000 fine for AI CV screening that systematically disadvantaged applications from women's colleges — is now the UK benchmark case for automated decision-making liability under UK GDPR Article 22.
Which AI governance policies does your organisation need?
For any UK organisation that uses or deploys AI tools, the minimum policy framework should include:
AI Governance Framework — the overarching policy setting out your organisation's approach to AI risk, accountability, and oversight.
AI Acceptable Use Policy — what AI tools employees may and may not use, and how they must be used (particularly for customer-facing or decision-making applications).
AI Risk Management Policy — how you identify, assess and mitigate risks from AI tools before deployment.
AI Bias and Fairness Policy — how you test for and mitigate discriminatory outcomes from AI-assisted decisions, particularly in HR and customer-facing contexts.
AI Transparency and Explainability Policy — how you document AI decisions and ensure affected individuals can understand and challenge them (Article 22 compliance).
AI Vendor Register — a documented list of AI tools your organisation uses, their providers, and the data they process, updated at least annually.
Our Full Suite Standard and Government tiers include all 17 AI governance policies listed above, personalised to your organisation's specific AI tool usage as answered in the questionnaire.
Practical steps for 2026
If your organisation has not yet started an AI governance programme, the most practical immediate steps are:
Conduct an AI tool audit — list every AI tool currently in use across the organisation, including tools used by individual employees without central IT approval.
Classify your AI uses by risk — identify any uses that fall into the EU AI Act's high-risk categories.
Get your policy framework in place — start with the Acceptable Use Policy and the Governance Framework, then add the risk and transparency policies as your programme matures.
Designate an AI governance lead — someone accountable for maintaining the register, monitoring regulatory developments, and reviewing AI tools before deployment.
Simon Steggles is the founder of AI Director Ltd and the product lead behind CompanyPolicies.co.uk. He has spent over a decade helping UK businesses navigate employment law, data protection, and governance requirements. His work focuses on making compliance practical and accessible for organisations of every size.
Rachel Holbrook is a Technology Law Solicitor (England & Wales) specialising in AI regulation and data governance. She advises UK organisations on compliance with the EU AI Act, UK GDPR, and ICO guidance.