AI Governance and Readiness: A Practical Framework for UK Business Leaders
AI governance is the set of policies, accountability structures, and oversight processes that ensure your organisation’s use of artificial intelligence is safe, legal, compliant, and aligned with your values. For most mid-market businesses, the starting point is not grand strategy. It is the employees already using ChatGPT and other AI tools without oversight, the customer data being processed by tools whose privacy policies nobody has read, and the decisions being shaped by AI outputs that nobody is checking. This guide explains the regulatory reality and the practical framework.
Why AI Governance Has Become Urgent for UK Businesses
The urgency has three drivers, operating simultaneously:
1. Shadow AI is already here. IBM research finds that 80% of business leaders cite AI explainability, ethics, bias, and trust as major roadblocks to generative AI adoption. Yet in practice, employees across every function are already using AI tools: writing emails, summarising documents, analysing data, and generating content. The gap between official policy and actual behaviour is where the compliance and reputational risk lives.
2. The EU AI Act is in force. The EU AI Act applies to UK organisations that operate in the EU or whose AI outputs affect EU citizens. Prohibited practices have been banned since February 2025. GPAI (General Purpose AI) model obligations apply from August 2025. High-risk AI compliance obligations cover employment, credit scoring, and recruitment. Fines reach EUR 35m or 7% of global turnover for the most serious violations.
3. UK regulators are acting. The ICO has issued guidance and enforcement actions on AI use. The UK Government’s AI Opportunities Action Plan (January 2025) sets out the direction of UK AI policy. The DSIT AI regulation framework is evolving. Organisations that wait for a final regulatory framework before implementing governance will be late.
The EU AI Act: Risk Tiers and Obligations for UK Organisations
The EU AI Act classifies AI systems by risk level. UK organisations operating in the EU or processing EU citizen data need to understand which tier their AI use cases fall into.
| Risk tier | Definition | Examples | Obligations | Fines for non-compliance |
|---|---|---|---|---|
| Unacceptable risk (Prohibited) | AI systems that pose a clear threat to fundamental rights | Social scoring by public authorities; real-time biometric surveillance in public spaces | Banned since February 2025 | Up to EUR 35m or 7% of global turnover |
| High risk | AI in critical infrastructure or high-impact decisions | AI in recruitment and employment decisions; credit scoring; access to essential services | Conformity assessment, data governance, human oversight, registration in EU database | Up to EUR 15m or 3% of global turnover |
| Limited risk | AI systems with specific transparency obligations | Chatbots, AI-generated content, deepfake detection | Transparency requirements: users must be informed they are interacting with AI | Up to EUR 7.5m or 1.5% of global turnover |
| Minimal risk | All other AI systems | AI-powered spam filters, basic recommendation engines, productivity tools | No mandatory obligations; voluntary codes of conduct encouraged | None specified |
UK Regulatory Context: ICO, DSIT, and the Sectoral Regulators
UK organisations are not directly subject to the EU AI Act unless they operate in the EU. The UK regulatory picture is:
- ICO: The Information Commissioner’s Office has issued guidance on AI and data protection. UK GDPR applies to AI systems that process personal data, which includes most commercial AI use cases. The ICO’s AI and data protection risk toolkit provides a practical framework for compliance.
- DSIT: The Department for Science, Innovation and Technology’s pro-innovation approach to AI regulation relies on existing regulators (FCA, CQC, ICO, Ofcom) applying their existing powers to AI in their sectors, rather than a single AI regulator.
- Sectoral regulators: FCA-regulated firms face specific obligations around AI use in customer-facing decisions. CQC applies similar scrutiny to AI in care settings. Each sector’s regulator is developing its own AI-specific guidance.
Building Your AI Governance Framework: The Five-Component Structure
Starkhorn’s AI governance framework covers five components that give boards and senior leadership the oversight they need without building a bureaucracy that impedes innovation.
| # | Component | What it covers | Output |
|---|---|---|---|
| 1 | AI inventory and use-case register | All AI tools in use across the organisation, including shadow AI; use-case classification against EU AI Act risk tiers | Approved AI register; risk classification matrix |
| 2 | Risk classification | Each AI use case assessed against EU AI Act tiers, ICO guidance, and sector-specific obligations | Risk register with compliance obligations mapped to each use case |
| 3 | Policy suite | Acceptable use policy; AI data processing policy; human oversight requirements; vendor AI assessment process | Board-approved policy suite, proportionate to organisation size |
| 4 | Board reporting pack | Regular board reporting on AI use, risk, and governance; aligned to ICO and DSIT expectations | Quarterly AI governance report template; board briefing |
| 5 | Ongoing monitoring cadence | Process for reviewing new AI tools, updating the register, and responding to regulatory developments | Governance calendar; designated AI governance owner |
The Board Conversation: What Directors Are Being Asked
Boards and audit committees are increasingly facing AI governance questions from investors, regulators, customers, and non-executive directors. The questions they need to be able to answer are:
- Do we have a policy governing how AI is used in this organisation?
- Have we identified our high-risk AI use cases and assessed compliance with the EU AI Act?
- What data protection obligations arise from our AI use, and are they being met?
- Who is accountable for AI governance, and to whom do they report?
- Are employees using AI tools that the organisation has not approved or assessed?
- What is our exposure if an AI system produces a discriminatory or harmful output?
Starkhorn designs AI governance frameworks that give boards credible, evidenced answers to all six questions. The framework has been developed through fractional CIO and CISO engagements with UK mid-market and PE-backed businesses, including FCA-regulated organisations, where AI governance intersects with existing financial services obligations, and other regulated sectors, where ICO guidance and sector-specific regulator expectations apply. Engagements are led by Daniel Jacobs, who has 20+ years in technology and security, 15+ of them in leadership roles across PE-backed transactions and major UK organisations.
AI Governance for PE-Backed Businesses
PE investors are increasingly including AI governance as a due diligence item, particularly for portfolio companies where AI is embedded in customer-facing processes, recruitment, or financial decision-making. The questions are similar to the board conversation above, but with additional focus on:
- Whether AI use creates regulatory exposure that affects valuation or deal conditions
- Whether AI governance maturity supports the value creation plan’s AI-enabled efficiency assumptions
- Whether the portfolio company’s AI policies are consistent with the investor’s own ESG and responsible AI commitments
Frequently Asked Questions
Does the EU AI Act apply to UK businesses?
Yes, if the UK organisation deploys AI systems in the EU or its AI outputs affect EU citizens. This applies to most UK businesses with EU customers, EU operations, or EU employee data. Post-Brexit, the UK is not automatically bound by EU regulations, but UK businesses in scope must comply with EU AI Act obligations as a condition of market access.
What is shadow AI and why does it matter for governance?
Shadow AI refers to AI tools being used by employees without organisational approval, oversight, or policy. Employees using ChatGPT to summarise confidential documents, generate client communications, or analyse personal data are creating real compliance and data protection risks without anyone in the organisation knowing. The AI governance framework starts with the AI inventory: finding out what is actually in use before writing policy.
What is the difference between AI governance and AI policy?
An AI policy is a document. AI governance is the system of accountability, oversight, and process that makes the policy real. Most organisations have, or can quickly produce, an AI acceptable use policy. What most lack is the governance infrastructure: the AI inventory, the risk classification, the board reporting cadence, and the designated owner accountable for AI compliance. The policy without the governance is compliance theatre.
How do I identify which EU AI Act risk tier applies to our AI use cases?
Start with the EU AI Act Annex III, which lists the high-risk AI applications explicitly: recruitment, employment, credit scoring, access to essential services, and critical infrastructure. If your AI use case is not in Annex III, assess it against the prohibited practices list and the transparency obligations for limited-risk systems. Most UK mid-market businesses will find their AI use cases fall into the minimal or limited risk tiers, with one or two high-risk use cases requiring more careful management.
What does the ICO expect from organisations using AI?
The ICO expects organisations using AI to process personal data to be able to demonstrate compliance with UK GDPR principles: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and security. The ICO has published specific guidance on AI and data protection, including a risk toolkit. In practice, the ICO expects a documented lawful basis for each AI use case involving personal data, a DPIA for high-risk processing, and transparency to data subjects about AI-assisted decisions.
How long does an AI governance framework take to build?
A proportionate AI governance framework for a 100-to-2,000-employee organisation takes six to twelve weeks: two to three weeks for the AI inventory and risk classification, two to four weeks for the policy suite, and two to four weeks for the board reporting framework and governance owner handover. The timeline extends if high-risk AI use cases requiring conformity assessment are identified. Starkhorn can lead the full framework build as part of a fractional CIO engagement.
Is AI governance the same as AI ethics?
They are related but distinct. AI ethics is the philosophical framework: what principles should govern the design and use of AI (fairness, transparency, accountability, beneficence). AI governance is the practical implementation: the policies, processes, accountability structures, and oversight mechanisms that make those principles real in an organisation. Most UK mid-market businesses do not need a detailed AI ethics framework. They need governance: someone accountable, an inventory, a policy, and a board report.
What is the AI Readiness Check and how does it relate to AI governance?
The Starkhorn AI Readiness Check is a free twelve-minute assessment that scores your organisation’s AI readiness across five dimensions: strategy, data, governance, capabilities, and risk. It tells you whether your current exposure is manageable, significant, or urgent, and where to focus first. Use it before commissioning a full governance framework build to understand where the priorities are.
First step
Is your AI exposure manageable, significant, or urgent?
The AI Readiness Check takes twelve minutes and tells you where your current AI governance gaps sit before you commit to a full framework build.