AI Governance & Risk Management
AI Governance and Risk Management for UK Organisations
AI Governance UK: What Every Board Needs in Place Right Now
Most UK organisations using AI have at least one governance gap they're not aware of — an undocumented Article 22 obligation, a vendor contract that lets the provider train on your data, or a staff workflow that's drifted beyond what the board approved. I've found all three in engagements where the client believed they were compliant. Birmingham-based. UK-wide.
Why it matters now
Why Governance Comes First
There's a sequence I've seen often enough to recognise it before the second meeting. The tool goes live. A few days later someone discovers a prompt that produces output nobody planned for. IT finds out about the deployment because a support ticket comes in — not from the project lead, because nobody told IT the tool was processing customer data. Legal pulls the vendor contract at that point and finds the data can be used to retrain the model. The tool is switched off. What that costs is the licence, the integration time, and the board's willingness to approve the next AI proposal — which is the part that takes longest to rebuild.
What I find in the first week of every engagement is a version of the same thing: a vendor contract nobody read to page 14, where the data-training opt-out is buried. Or a DPIA that was started but never completed because the tool got deployed before legal finished reviewing it. Neither one is a crisis on its own, but you want to find them in week one rather than week six — before the system is live and the board has already counted on the results. Finding them through an incident is a different conversation entirely.
ICO enforcement action
The ICO published its AI enforcement guidance and the position it takes is unambiguous. Undocumented automated decision-making is a compliance gap — not a grey area, not something they're still working out how to approach. Fines for GDPR breaches involving AI have gone past £20M. The question for your organisation isn't whether this applies to you. It's whether your lawful bases and DPIAs are documented somewhere an investigator can actually find them.
EU AI Act fines
The EU AI Act was a surprise for a lot of UK organisations. Simon has sat in board meetings where nobody in the room could say with confidence whether they were in scope. UK incorporation doesn't settle it — if your services reach EU residents through any route, you're subject to the regulation regardless. The enforcement window opened in August 2025, and Article 99 puts the ceiling for high-risk violations at 7% of global annual turnover.
Sunk costs from failed pilots
When an AI pilot fails, the conversation opens with the technology. I've sat in those debriefs. The technology was usually fine. The pilot was approved on a vendor demo, deployed before the DPIA was completed, and nobody had documented what the response procedure was if the system produced the wrong output. The licence fee is the recoverable part. The board's appetite for the next proposal is harder to get back.
Bias and reputational exposure
An employment tribunal case built on six months of unaudited AI-assisted candidate filtering is not a hypothetical — it's a case type I've seen. The Equality Act 2010 and the Public Sector Equality Duty apply to AI-influenced decisions the same way they apply to human ones. The difference is that AI failures tend to happen at scale, quietly, before anyone notices the pattern.
AI-generated content liability
A legal brief citing invented case law, a financial report with hallucinated figures, a regulatory submission with an error nobody caught — all of these have happened, in the UK, in regulated firms. The liability is real. An acceptable-use policy and a mandatory human-review step stop AI errors becoming client errors.
The framework
What a Governance Framework Covers
Ten controls, each tied to a specific legal obligation, audit requirement, or operational risk. When a regulator or insurer asks three questions — What AI are you using? Who approved it? Where's the evidence? — you want documented answers, not a scramble. That's what this framework produces.
AI Register
When an ICO investigator arrives, the first thing they ask for is a list of your AI systems. The AI Register is that list — every tool in use across the organisation, the data it touches, who owns it, and what decisions it influences. Most organisations don't have one until they need it.
ISO 42001 Alignment
ISO/IEC 42001 is the international management-system standard for AI — the AI equivalent of ISO 27001 for information security. Implementation covers scope, policy, risk register, and operational controls. If you later decide to pursue formal certification, you are not starting from scratch.
UK GDPR for Automated Processing
Article 22 applies when AI substantially influences a decision about an individual. Most UK organisations haven't documented which of their tools cross that line. Simon runs the check for every use case in scope. Where Article 22 applies, the lawful basis gets recorded and a human-review path gets installed.
Algorithmic Bias Auditing
An HR tool that filtered candidates based on inferred characteristics for six months without anyone noticing is not a hypothetical — it's a case type that reaches employment tribunal. Bias auditing tests AI systems used in consequential decisions against protected characteristics before that kind of failure can take root.
Prompt Injection Prevention
Any AI system that accepts user input — a chatbot, a document processor, a web form — can be manipulated through crafted prompts. Simon tests for injection vulnerabilities before any externally accessible system goes live. Most client teams haven't encountered this risk before their first engagement.
Vendor Contract Review
AI vendor contracts are drafted by the vendor's legal team to serve the vendor's interests. Data-training opt-outs buried on page 14, uncapped annual price increases, IP clauses that assign outputs to the vendor — these appear in standard terms. Simon goes through the contract before you sign.
Board Reporting
A quarterly report covering what AI systems are running, how they perform against the original business case, what incidents occurred, and how the regulatory picture has shifted. The goal is a board that can answer the auditor's questions without an outside consultant in the room.
Incident Response
When an AI system fails in a way that affects individuals or triggers a regulatory notification, the response plan should already exist. Who gets notified, what evidence is preserved, when the ICO call goes in — these decisions are harder to make well under pressure than they are to document in advance.
FOI Defensibility
Councils and public-sector bodies face a specific challenge: AI decisions must be explainable under Freedom of Information and Subject Access Requests. Simon structures the decision audit trail so any AI-influenced outcome can be reconstructed — without exposing individuals in the process.
Staff Acceptable Use Policy
Staff are already using AI whether a policy exists or not. The question is whether they're doing it in ways the organisation can defend. A signed, role-specific policy sets the boundary: what tools, what data, what review is required. Most of the governance risk in a typical organisation sits in the gap this closes.
Real consequences
What Happens Without Governance
These are composite examples drawn from published enforcement actions, tribunal decisions and sector-body guidance. They reflect the types of incident that occur when AI is deployed without the controls described above.
Organisation type: UK Metropolitan Council
What went wrong: The council's benefits-assessment team began using a third-party AI tool to triage housing benefit claims, reducing average processing time by 40%. No DPIA was completed, no Article 22 check was done, and staff were not told the tool influenced decisions. A resident's solicitor requested the decision-making record through a UK GDPR Subject Access Request.
Financial / legal consequence: The council could not produce evidence of meaningful human review. The ICO opened an investigation. The tool was suspended, 14 months of decisions were audited manually, and external legal costs exceeded £85,000. The council also faced a judicial review application from the affected resident.
What governance would have prevented: A governance framework would have caught the Article 22 obligation at the tool-approval stage. The DPIA, the human-review protocol, and the transparency notice would have been installed before deployment, eliminating the legal exposure entirely.

Organisation type: Regional Professional Services Firm
What went wrong: A 180-person firm adopted a generative AI assistant for client-facing document drafting. Staff were not trained on hallucination risk or confidentiality. A junior associate submitted an AI-generated legal brief citing three non-existent case precedents. The brief was sent to opposing counsel before a partner review caught the error.
Financial / legal consequence: The firm's professional indemnity insurer was notified. The regulator was notified. The client terminated the engagement and demanded a fee refund of £47,000. The episode featured in a legal trade publication, referenced without attribution but recognised internally.
What governance would have prevented: An acceptable-use policy, a human-review step, and output-verification training would have prevented the brief reaching the client. A governance framework does not stop AI being used. It stops AI failures reaching the outside world.

Organisation type: Manufacturing SME
What went wrong: A 90-person manufacturer adopted three separate AI tools across operations, procurement, and HR, each purchased by a different department on a different contract, with no central oversight. When an HR tool began filtering CVs based on inferred characteristics, no one noticed for six months.
Financial / legal consequence: When the issue was identified during a routine IT audit, the firm's legal team concluded that up to 340 job applications may have been affected. Remediation, including re-running shortlisting, legal advice, and staff training, cost £38,000. Two senior candidates filed employment tribunal pre-claim letters.
What governance would have prevented: An AI register and a use-case approval workflow would have flagged the HR tool before deployment. The bias audit would have identified the filtering pattern in week two rather than month six.
What you receive
What You Get from AI-Si.com
Five named deliverables. Each is a working document your board, your auditor, and your insurer can actually use. Not a template, not a slide deck. Built to your organisation, built to last.
AI Register
A structured inventory of every AI tool in use — who owns it, what data it processes, what decisions it influences, and when it was last reviewed. Updated quarterly. Auditors, insurers, and ICO investigators all ask for this in the first conversation. Most organisations can't produce one.
Governance Policy Suite
Four documents: the board-level AI policy, the staff acceptable-use policy, the vendor evaluation criteria, and the prompt standards. Written to your organisation's voice and signed off by leadership — not lifted from a template and filed. Each one is reviewed annually rather than forgotten.
ISO 42001 Alignment
Every required element of ISO/IEC 42001 implemented: scope statement, leadership commitment, risk assessment, operational controls, performance measurement, and continual improvement cycle. If you later pursue formal certification, the substantive work is already done.
Board Reporting Dashboard
A quarterly pack covering AI system status, risk indicators, spend against value, incidents logged, and the regulatory changes that happened in the period. The first cycle comes pre-populated. Every subsequent quarter your team fills in the template — Simon is not needed each time.
Incident Response Framework
A step-by-step response plan for AI failures — covering who gets called, what gets preserved, when the ICO notification goes in, and how the post-incident review feeds back into controls. Tested against your actual use cases, not a generic document that looks good in a folder and fails under pressure.
Common questions
AI Governance Questions Answered
Straightforward answers to the questions UK board members and council directors ask most often about AI governance, regulation and implementation.
Most Organisations Have Governance Gaps They Are Not Aware Of
A 30-minute governance review identifies the specific risks your organisation is carrying: ICO exposure, EU AI Act applicability, Article 22 obligations, and gaps in your current controls. Book a free governance consultation with Simon.
