AI Compliance Consulting for UK Businesses

By Duncan Docherty, Founder, Nimble AI

Every UK business using AI eventually hits the same question: which rules actually apply to us? Not the headlines, not the vendor scare stories: the specific legal obligations that bind your business, this year, given what your AI actually does.

That is the question our AI compliance consulting answers. We map how your business uses AI against the rules that bind it, split what UK law requires from what is voluntary best practice, put both in writing, then help you close the gaps and prove you have closed them.

One distinction up front. Compliance is meeting the specific legal obligations that apply to your business. Governance is how you run AI responsibly day to day: the registers, policies, oversight and board accountability that sit underneath compliance. This page covers the compliance side. If your more pressing problem is that nobody has written down what is allowed and who is accountable, start with our AI governance consultancy page instead. Most businesses end up needing both.

Not sure which rules apply to you?

The free AI Readiness Scorecard takes ten minutes and gives you a RAG-rated score, a plain-English summary of which UK rules and benchmarks are likely to apply to your business, and a recommended next step.

UK regulatory landscape

Which AI Rules Actually Apply to Your Business?

The UK has no AI-specific statute. AI is regulated through existing law and through your sector regulator, which means your obligations depend on what your AI does, whose data it processes, and where its output is used. These are the rules we assess against.

UK GDPR and the DPA 2018.

If your AI processes personal data, UK GDPR applies to it: the most universal hook for UK businesses. Processing that is likely to result in a high risk to individuals requires a Data Protection Impact Assessment, and many AI uses of personal data fall into that category. An assessment establishes which systems need a DPIA and whether the ones you have would stand up to ICO scrutiny.

The reformed Article 22 rules.

The Data (Use and Access) Act 2025 reformed the UK GDPR rules on automated decisions with legal or similarly significant effects on people, and the data-protection provisions commenced on 5 February 2026. These rules are in force now, and they bite on hiring, credit, insurance and pricing. If software decides something about a person in your business, this is the rule to take seriously first. Our Article 22 explainer covers it in depth.

The Equality Act 2010.

Algorithmic bias in recruitment, pricing or service delivery can create discrimination liability under the Equality Act 2010, even where the bias is unintended. A compliance assessment stress-tests the decisions your AI makes against protected characteristics, before a claimant does.

Your sector regulator.

Financial services firms face supervisory expectations of their own: PRA SS1/23 sets model risk management principles for banks, effective since 17 May 2024. In healthcare, AI in medical devices is regulated separately by the MHRA. An assessment establishes what your regulator expects of AI, not just what general law requires.

Where the ICO is heading.

The ICO consulted on draft updated automated decision-making and profiling guidance between 31 March and 29 May 2026, with final guidance expected in Summer 2026. Its recruitment work found employers using automated decision-making without realising it: exactly the kind of exposure an audit surfaces. A statutory code of practice on AI and automated decision-making is also on the horizon. The direction of travel is more explicit expectations, not fewer. We track every date that matters on our live AI regulation tracker.

The EU AI Act, if your AI touches the EU market.

The EU AI Act applies to any organisation whose AI systems are used within the EU, which includes UK businesses serving EU users or exporting into the EU. The high-risk compliance deadline was deferred to 2 December 2027, but the transparency duties still apply from 2 August 2026. Read our EU AI Act overview for the full timeline and obligations, and UK vs EU AI rules for how the two regimes compare. For purely domestic UK firms the Act is a voluntary benchmark, not a duty, and we will tell you so.

Stated once, factually

Penalty Exposure, Stated Once

We do not lead with fear, so here are the numbers once, factually. EU AI Act penalties reach up to EUR 35 million or 7% of global annual turnover for prohibited practices, and up to EUR 15 million or 3% for other breaches, including the high-risk obligations. Those figures apply only if the Act binds you in the first place. In the UK, enforcement runs through the existing regulators: the ICO for data protection, and your sector regulator for the rest.

For most businesses the practical risk is not a headline fine. It is being unable to evidence compliance when a regulator, an insurer or an enterprise customer asks. That is the gap an audit closes.

Services

What an AI Compliance Audit Delivers

An audit answers three questions in writing: what AI you are actually running, which obligations attach to each system, and what to fix, in what order. Every service below is fixed-price and time-bound, with a written deliverable you can put in front of a regulator, an insurer, a board or an enterprise procurement team. No open-ended day rates.

1 to 2 weeks · fixed price

AI Governance Health Check

The baseline assessment: a structured maturity review across ten governance dimensions, the right starting point when you need a full picture before committing to a deeper audit. You receive a maturity heatmap, a prioritised action plan with effort estimates, and a board-ready summary.

2 to 3 weeks · fixed price

EU AI Act Rapid Audit

For UK firms whose AI touches the EU market. We inventory your AI systems, classify each one against the Act's risk tiers, gap-test against the high-risk obligations, and deliver a written audit report with prioritised actions mapped to the current enforcement timeline, plus an executive summary suitable for board or legal review.

2 to 3 weeks · fixed price

Automated Decision-Making Audit

A focused audit of every automated decision your AI makes about a person. We map the decision flows, identify where the Article 22 conditions apply, assess your safeguards, and stress-test for bias against the Equality Act's protected characteristics. Deliverables include a DPIA template and ICO-aligned documentation.

3 to 4 weeks · fixed price

AI Controls and Security Assessment

A security and controls assessment of your AI estate, aligned to NCSC AI cyber-security guidance: full estate discovery and mapping, data-handling and privacy risk analysis, a controls gap analysis, and a prioritised remediation roadmap.

See the full description of each service at /services/.

Which do you need first?

Compliance or Governance: Which Do You Need First?

If you have a known obligation or a hard deadline, start with an audit from this page: it tells you exactly where you stand against the rules that bind you. If your problem is the operating model (the registers, policies, human oversight and board reporting that keep you compliant as your AI use grows), start with our AI governance consultancy service. For most businesses the honest answer is an audit first, then the governance framework to act on what it finds.

Audiences

Who This Is For

Compliance help is most urgent where AI makes or shapes decisions about people, or where your AI touches the EU market:

Financial services.

Lenders, insurers and credit teams sit squarely in scope of the reformed Article 22 rules, with SS1/23 model risk expectations on top for banks.

Healthcare.

Firms whose AI sits near patient data face UK GDPR and DPIA duties; AI in medical devices brings the MHRA into the picture.

Manufacturing.

Exporters whose products or AI systems reach the EU market need to know their EU AI Act position, not guess it.

Logistics.

Operators using AI for scheduling, routing and workforce decisions are making automated decisions about people more often than they realise.

Legal services.

Firms adopting AI on confidential client matters, where data protection duties leave little room for error.

HR and recruitment, in any sector.

Teams using CV screening or candidate ranking: exactly what the reformed Article 22 rules were written for.

See how we work across industries at /sectors/.

About us

Why Nimble AI

Nimble AI is a specialist AI governance and compliance consultancy for UK businesses. We are not generalist IT consultants with a compliance side-line: AI governance and compliance is the focus of our practice, and we are fluent in the whole UK stack, from UK GDPR and the DUAA 2025 to sector regulators and ICO guidance.

Behind the firm is more than 30 years in enterprise technology, service management and transformation, including building and leading award-winning teams and businesses. We've delivered ServiceNow, enterprise service management and large-scale process change in the real world: we have run the operations we now help you govern. That is why our audits produce action plans your team can actually execute, not shelfware.

And we tell you honestly what compliance requires and what it does not: if a rule does not apply to you, we say so, in writing. Learn more about our approach at /about/.

Specialist, not generalist

AI governance and compliance is not a side-line for us. It is the whole practice.

Practical depth

We have run the operations we now help you govern. Our audits produce action plans your team can actually execute, not shelfware.

Enablement, not fear

If a rule does not apply to you, we say so, in writing.

Fixed price. No surprises.

Every paid service is fixed-price and time-bound. No open-ended day rates.

Process

How an Engagement Runs

01

We scope before we sell.

A short conversation to establish which rules plausibly apply to you. If the honest answer is "fewer than you feared", you will hear that.

02

We audit against the rules that bind you.

Not a generic checklist: a gap assessment against the specific obligations your AI use triggers, with evidence gathered as we go.

03

We deliver an evidence pack, not a lecture.

Systems inventory, risk classification, gap analysis, prioritised action plan, executive summary: written deliverables you can show a regulator or customer.

04

We help you remediate at your pace.

Some clients have a hard deadline; others close gaps steadily over a quarter. We design the remediation plan around your timeline and resources.

Questions

Frequently Asked Questions

Is AI compliance a legal requirement in the UK?

The UK has no AI-specific act: AI is regulated through existing law and sector regulators. But the obligations that already apply are real and in force. UK GDPR requires a DPIA for high-risk AI processing of personal data. The reformed Article 22 rules under the Data (Use and Access) Act 2025 govern automated decisions about people. The Equality Act 2010 creates liability for biased outcomes. Which of these binds you depends on what your AI does: that is what a compliance assessment establishes.

Does the EU AI Act apply to UK companies?

Only if your AI touches the EU market. The Act applies to any organisation whose AI systems are used within the EU, so UK firms serving EU users or exporting into the EU are in scope regardless of where they are based. The high-risk deadline was deferred to 2 December 2027; transparency duties still apply from 2 August 2026. For purely domestic UK firms it is a voluntary benchmark, not a duty. Our EU AI Act overview has the full timeline.

What is an AI compliance audit?

A fixed-scope assessment that establishes which AI systems you are running, which legal obligations attach to each one, where you fall short, and what to fix first. The written deliverables typically include an AI systems inventory, a risk classification for each system, a gap analysis, a prioritised action plan and an executive summary: an evidence pack you can show a regulator, insurer or enterprise customer. Ours are fixed-price and run over 1 to 4 weeks depending on scope.

What is the difference between AI compliance and AI governance?

Compliance is meeting the specific legal obligations that bind your business: knowing which rules apply, closing the gaps, and being able to evidence it. Governance is the operating model you run AI within: registers, policies, human oversight and board accountability. Compliance tells you what you must meet; governance is how you keep meeting it as your AI use grows. This page covers compliance; our AI governance consultancy page covers the governance side. Most businesses need both eventually.

How long does an AI compliance audit take?

The AI Governance Health Check runs over 1 to 2 weeks. The EU AI Act Rapid Audit and the Automated Decision-Making Audit each run over 2 to 3 weeks from engagement. The AI Controls and Security Assessment takes 3 to 4 weeks. All are fixed-price with written deliverables. If you are not yet sure which one you need, the free 10-minute AI Readiness Scorecard will tell you which rules are likely to apply to you and the right next step.

Find out exactly where you stand

Take the Free Scorecard

Take the free 10-minute AI Readiness Scorecard. You will come away with a RAG-rated score, a plain-English summary of which UK rules and benchmarks actually apply to you, and a recommended next step. No salesperson. No follow-up unless you ask.

If you already have a deadline or a known obligation, book a free consultation and we will scope the right audit.