Hael
FRAMEWORK

UK AI principles, evidenced through the regulators that bind you.

The UK has not enacted a horizontal AI Act. It has a principles-based, sector-regulator-led approach: five cross-sectoral principles, each enforced through the existing powers of the regulator that already governs your sector — the ICO, FCA, PRA, MHRA, CMA, Ofcom and others.

THE OBLIGATION

There is no UK AI statute imposing one set of obligations. The duties bite through the regulators that already govern your sector — and they have all issued AI-specific guidance you must hold evidence against.

The March 2023 White Paper, A pro-innovation approach to AI regulation, set five cross-sectoral principles — Safety, security and robustness; Appropriate transparency and explainability; Fairness; Accountability and governance; Contestability and redress — and tasked existing regulators with applying them within their statutory remit. The 2024 Government response confirmed the approach and committed to non-statutory regulator coordination plus future targeted legislation for the most powerful general-purpose models.

The ICO's AI and data protection guidance — and ICO/Alan Turing Institute Explaining decisions made with AI — operationalise UK GDPR and the Data Protection Act 2018 for AI. AI processing personal data must satisfy the GDPR principles, complete a DPIA where high-risk, and respect Article 22 rights on solely automated decisions with legal or similar significant effect. ICO fines reach £17.5m or 4% of global turnover.

Sectoral regulators have moved in step. The FCA and PRA published their joint feedback statement on AI in financial services (FS2/24) and apply the Senior Managers and Certification Regime, Consumer Duty, operational-resilience and outsourcing rules to AI use; the MHRA regulates Software as a Medical Device and AI-as-a-Medical-Device; the CMA's AI Foundation Models update applies competition powers; Ofcom enforces the Online Safety Act on AI-generated content and risk assessments.

The UK AI Safety Institute (AISI) leads frontier-model safety testing under voluntary commitments from the major model providers, and the Government's AI Opportunities Action Plan (January 2025) sets the broader policy direction. An AI (Regulation) Bill has been re-introduced and continues through Parliament; the principles regime remains the operative framework in the meantime.

At a glance
Applies to: Any organisation developing or deploying AI in the UK — sector and use-case drives which regulator(s) apply
Your likely role: Controller / authorised person / responsible party under the sector regulator(s) that govern your activity — multiple regulators frequently apply at once
Key deadline: Principles regime operative. ICO AI guidance current. FCA / PRA FS2/24 published. Online Safety Act in force. AI (Regulation) Bill not yet enacted.
Penalty exposure: No horizontal statutory cap. Sector caps apply: ICO up to £17.5m or 4%; FCA unlimited fines for serious misconduct; Ofcom up to £18m or 10% under the Online Safety Act; MHRA enforcement powers under the Medical Devices Regulations.
ARTEFACTS

The files this framework actually requires.

A UK AI compliance pack is the evidence that each principle is operating in your specific regulatory environment. Hael generates the artefacts each UK regulator opens.

Files · Evidence pack
PDF · UK Principles Mapping (5-Principle Trace per System) · v2 · updated 2 min ago · Approved
PDF · ICO AI DPIA & Art. 22 Logic Note · v3 · updated 14 May · Approved
PDF · FCA Senior Manager Accountability Record (AI) · v2 · updated 11 May · Approved
PDF · Operational Resilience & Third-Party AI Register · v1 · updated 04 May · Draft
PDF · Online Safety Act AI-Content Risk Assessment · v1 · updated 02 May · Draft

GRC tools tell you these are missing. Hael generates them — from each system's real configuration.

THE DIFFERENCE

A checklist tells you what's missing. Hael puts it on record.

The UK does not ask for a single document. It asks each regulator's question in its own language. Hael generates the answer in each.

Typical GRC tool
UK Principles Mapping (5-Principle Trace per System) · upload required
ICO AI DPIA & Art. 22 Logic Note · upload required
FCA Senior Manager Accountability Record (AI) · upload required
Operational Resilience & Third-Party AI Register · upload required
Online Safety Act AI-Content Risk Assessment · upload required

Tracks the gap. You still author every document.

Hael
UK Principles Mapping (5-Principle Trace per System) · v2 · Generated 2 min ago
ICO AI DPIA & Art. 22 Logic Note · v3 · Generated · Approved
FCA Senior Manager Accountability Record (AI) · v2 · Generated · Approved
Operational Resilience & Third-Party AI Register · v1 · Generated · Draft
Online Safety Act AI-Content Risk Assessment · v1 · Generated · Draft

Generated from each system's real configuration, versioned, and kept current as it changes.

HOW HAEL WORKS

Discover, classify, produce — for UK AI principles.

01 DISCOVER

Find the systems in UK AI principles scope, including embedded third-party AI.

Inventory · 14 systems
Credit scoring engine · high
HR screening bot · high
Salesforce Einstein · limited

02 CLASSIFY

Assess each against the UK AI principles' risk tiers and obligations.

Risk tier: Prohib. · High · Limited · Min.
Role: Provider · Art. 9 · 11 · 14

03 PRODUCE

Generate the UK AI principles records, versioned and current.

Generated files
Annex IV v4 · Approved
FRIA v2 · Approved
Monitoring v1 · Draft

COVERAGE

Every obligation, mapped to the control that satisfies it.

Rows are the framework's clauses.

Columns are the controls and files that satisfy them.

Cells update as the underlying configuration changes.

Coverage Map · Obligation → Control · 6 obligations · 5 controls · 89% covered
Columns (controls): Mapping · DPIA · SM Record · Op. Res. · OSA Asst.
Rows (obligations): Safety, security & robustness · Transparency & explainability · Fairness · Accountability & governance · Contestability & redress · Sector regulator overlay
Safety, security & robustness · Mapping · v3 · sealed

MAPPING

Clause by clause.

| Obligation | What it requires | Hael control / file | Status |
| --- | --- | --- | --- |
| Principle 1 | Safety, security and robustness across the lifecycle | Principles Mapping + TEVV | Approved |
| Principle 2 | Appropriate transparency and explainability | ICO Explanation Pack | Approved |
| Principle 3 | Fairness — bias testing and equality-law compliance | Disparate-Impact Testing | Approved |
| Principle 4 | Accountability and governance — named accountable individuals | SMCR Accountability Record | Approved |
| Principle 5 | Contestability and redress for affected persons | Art. 22 / Redress Procedure | Approved |
| Sector overlay | ICO / FCA / MHRA / CMA / Ofcom sectoral compliance for the specific use | Sector Compliance Pack | In progress |

REUSE

Author once. Satisfy many.

The UK principles trace is built on the same operational evidence as the EU AI Act Article 9 risk file, a NIST AI RMF Profile and the GDPR DPIA — re-rendered against five principles instead of an article tree. The ICO's Article 22 logic note is the same artefact GDPR demands. One set of facts, five UK regulators served.

→ shared evidence: GDPR · EU AI Act · NIST AI RMF · ISO/IEC 42001

Trust & Security
SOC 2 Type II · ISO/IEC 27001 · EU & US data residency · SSO / SCIM · Encryption in transit & at rest · Audit logging

Hold the evidence each UK regulator opens.

Bring an AI system operating in the UK. We'll register it on the call, map it against the five cross-sectoral principles, identify the sector regulators that apply, and show the artefacts Hael would generate for each.