From Principles to Enforcement: Where UK AI Regulators Stand in Mid-2026

The UK chose a principles-based, sector-led path to AI regulation. Eighteen months in, the picture is no longer principles — it is enforcement signals from ICO, FCA, PRA, MHRA and SRA. Here is what each regulator actually expects today.

In February 2024, the government’s response to the Pro-Innovation Approach to AI Regulation white paper set out the UK’s direction: no horizontal AI law, five cross-cutting principles, delegation to existing regulators. Through 2024 and 2025, that gave boards a comfortable answer — regulators were “still developing their approaches”, and the path was to wait.

That answer has run out. The May 2026 King’s Speech confirmed Labour’s intent to legislate for frontier-model providers, but no AI Bill has been introduced. In the meantime, every regulator that matters to a UK mid-market firm — ICO, FCA, PRA, MHRA and SRA — has moved from principles to specific, supervisable expectations. The compliance map is real. It runs regulator-by-regulator, and most firms have not yet drawn it.

ICO — statutory ADM code under DUAA s.80

The ICO holds the broadest reach, because UK GDPR applies wherever personal data is processed. Under section 80 of the Data (Use and Access) Act 2025, the ICO must prepare a binding statutory Code on automated decision-making. Once in force, that Code will be enforceable, not guidance.

On 31 March 2026 the ICO published draft updated guidance on automated decision-making and profiling, alongside a Recruitment Report drawn from more than thirty employers. The consultation closes on 29 May 2026 — the practical deadline for boards to understand what the supervisor is locking in.

The expectations consolidating across ICO materials are consistent: transparency on solely-automated decisions; meaningful human review for decisions with legal or similarly significant effects; and active bias monitoring with documented models. UK GDPR enforcement actions have already cited inadequate controls around AI processing as breaches of Article 5(1)(f). A firm running AI on personal data without a DPIA, a lawful basis for training, and Article 22A safeguards is exposed today, not in some future regime.

FCA — Mills Review and supervisory dialogue

The FCA remains technology-neutral, working through Consumer Duty, the Senior Managers and Certification Regime, and operational resilience rules. There is no AI rulebook. What has changed is supervisory intensity.

On 27 January 2026 the FCA launched the Mills Review of AI in retail financial services, with recommendations due to the Board in summer 2026. The Treasury Select Committee has asked the FCA to publish comprehensive AI guidance — covering consumer protection and Senior Manager accountability — by the end of 2026.

Supervisory letters now ask firms to evidence three themes: how AI is used in customer-facing decisions and how outcomes are monitored under Consumer Duty; how model risk is governed, including vendor models; and how operational resilience applies to AI in critical business services. Senior Managers should expect to be asked, by name, who is accountable for AI deployment.

PRA — supervisory priorities for AI in prudentially-regulated firms

The PRA has placed AI within its 2026 supervisory priorities. The November 2025 Model Risk Management roundtable and the February 2026 AI roundtable summary published by the Bank of England signal the same direction: no AI-specific rules near-term, but firm expectations under existing frameworks — principally SS1/23 Model Risk Management — that AI models are treated, governed and validated as models.

Two themes deserve board attention. First, integration of AI use cases — including third-party large language models — into the firm’s model inventory with proportionate validation and tiering. Second, concentration risk: how exposed firms are to a small number of third-party AI and cloud providers, and whether operational resilience implications have been tested.

MHRA — AI-as-Medical-Device framework due 2026

For health-facing AI, the architecture is multi-handed: MHRA for medical devices, NHS England and the HRA for service deployment, CQC for provider regulation, ICO for personal data. The HRA-led “one-stop-shop” has consolidated the navigation, but the underlying obligations remain.

MHRA’s call-for-evidence closed on 2 February 2026, and the National Commission into the Regulation of AI in Healthcare reports in summer 2026. The new AI-as-Medical-Device framework, due in 2026 under the Life Sciences Sector Plan, is expected to place cybersecurity at the centre of conformity, with the International Reliance Framework targeted for autumn 2026.

For any NHS-facing or clinician-facing AI deployment today: classify the product against the Software-as-a-Medical-Device definition; ensure DCB0129 conformance from the supplier and DCB0160 hazard logs from the trust; appoint a Clinical Safety Officer; and demonstrate post-market surveillance. UK GDPR special-category-data protections sit on top.

SRA — AI policy direction for law firms

The SRA has been explicit: it regulates firms’ use of AI, through the existing Code of Conduct for Firms. The 4 February 2026 SRA webinar reinforced the four pillars — governance, controls, competence, recordkeeping — and SRA-commissioned research in April 2026 found roughly a third of the public have already used generative AI to identify legal issues.

For a UK law firm, the expectations are concrete. Client confidentiality and privilege must be preserved when AI tools touch matter content. Professional negligence exposure attaches to AI-assisted work product just as it does to human work product. Recent court rulings on attorney use of generative AI — and the disciplinary consequences of fabricated citations — sit in the backdrop the SRA now references. Supervision must cover AI-assisted output; partners cannot delegate accountability to a tool.

What this means for a regulated UK firm in 2026

There is no single statute to point at, and that is the difficulty. A financial-services firm using AI in onboarding faces overlapping FCA, PRA and ICO expectations. A law firm using AI in document review faces SRA and ICO obligations. A healthcare provider faces five regulators reading off different scripts.

The practical answer is not to wait for a horizontal Act that may not arrive. Build three things now: a defensible AI inventory; a sector-specific overlay mapping each use case to the relevant regulators; and documentation framed in each regulator’s own language — DPIAs and Article 22A for the ICO, Consumer Duty and SM&CR for the FCA, SS1/23 for the PRA, DCB0129/DCB0160 for healthcare, the Code of Conduct for the SRA.

How Rhentech helps

Our senior-led AI governance engagements begin with an AI Usage Audit — a structured discovery of where AI is in use, who owns each deployment, and what data flows through it. We then map that inventory against the regulators that apply to you, and produce a single, defensible posture: one document that answers the ICO, FCA and sector-specific questions in their own language.

If your firm is regulated by any of the bodies above and you do not yet have a current AI inventory and a regulator-by-regulator mapping, the supervisory clock is running. Book a free initial consultation and we will walk through where you are exposed.