Which AI Rules Actually Apply to Your Business?
The UK has no AI-specific statute. AI is regulated through existing law and through your sector regulator, which means your obligations depend on what your AI does, whose data it processes, and where its output is used. These are the rules we assess against.
UK GDPR and the DPA 2018.
If your AI processes personal data, UK GDPR applies to it, which makes it the most universal hook for UK businesses. Processing that is likely to result in a high risk to individuals requires a Data Protection Impact Assessment, and many AI uses of personal data fall into that category. An assessment establishes which systems need a DPIA and whether the ones you already have would stand up to ICO scrutiny.
The reformed Article 22 rules.
The Data (Use and Access) Act 2025 reformed the UK GDPR rules on automated decisions with legal or similarly significant effects on people, and the data-protection provisions commenced on 5 February 2026. These rules are in force now, and they bite on hiring, credit, insurance and pricing. If software decides something about a person in your business, this is the rule to take seriously first. Our Article 22 explainer covers it in depth.
The Equality Act 2010.
Algorithmic bias in recruitment, pricing or service delivery can create discrimination liability under the Equality Act 2010, even where the bias is unintended. A compliance assessment stress-tests the decisions your AI makes against protected characteristics, before a claimant does.
Your sector regulator.
Financial services firms face supervisory expectations of their own: PRA SS1/23 sets model risk management principles for banks, effective since 17 May 2024. In healthcare, AI in medical devices is regulated separately by the MHRA. An assessment establishes what your regulator expects of AI, not just what general law requires.
Where the ICO is heading.
The ICO consulted on draft updated automated decision-making and profiling guidance between 31 March and 29 May 2026, with final guidance expected in Summer 2026. Its recruitment work found employers using automated decision-making without realising it: exactly the kind of exposure an audit surfaces. A statutory code of practice on AI and automated decision-making is also on the horizon. The direction of travel is more explicit expectations, not fewer. We track every date that matters on our live AI regulation tracker.
The EU AI Act, if your AI touches the EU market.
The EU AI Act applies to any organisation whose AI systems are used within the EU, which includes UK businesses serving EU users or exporting into the EU. The high-risk compliance deadline was deferred to 2 December 2027, but the transparency duties still apply from 2 August 2026. Read our EU AI Act overview for the full timeline and obligations, and UK vs EU AI rules for how the two regimes compare. For purely domestic UK firms the Act is a voluntary benchmark, not a duty, and we will tell you so.
Penalty Exposure, Stated Once
We do not lead with fear, so here are the numbers once, factually. EU AI Act penalties reach up to EUR 35 million or 7% of global annual turnover, whichever is higher, for prohibited practices, and up to EUR 15 million or 3%, whichever is higher, for other breaches, including the high-risk obligations. Those figures apply only if the Act binds you in the first place. In the UK, enforcement runs through the existing regulators: the ICO for data protection, and your sector regulator for the rest.
For most businesses the practical risk is not a headline fine. It is being unable to evidence compliance when a regulator, an insurer or an enterprise customer asks. That is the gap an audit closes.
What an AI Compliance Audit Delivers
An audit answers three questions in writing: what AI you are actually running, which obligations attach to each system, and what to fix, in what order. Every service below is fixed-price and time-bound, with a written deliverable you can put in front of a regulator, an insurer, a board or an enterprise procurement team. No open-ended day rates.
AI Governance Health Check
The baseline assessment: a structured maturity review across ten governance dimensions, the right starting point when you need a full picture before committing to a deeper audit. You receive a maturity heatmap, a prioritised action plan with effort estimates, and a board-ready summary.
EU AI Act Rapid Audit
For UK firms whose AI touches the EU market. We inventory your AI systems, classify each one against the Act's risk tiers, gap-test against the high-risk obligations, and deliver a written audit report with prioritised actions mapped to the current enforcement timeline, plus an executive summary suitable for board or legal review.
Automated Decision-Making Audit
A focused audit of every automated decision your AI makes about a person. We map the decision flows, identify where the Article 22 conditions apply, assess your safeguards, and stress-test for bias against the Equality Act's protected characteristics. Deliverables include a DPIA template and ICO-aligned documentation.
AI Controls and Security Assessment
A security and controls assessment of your AI estate, aligned to NCSC AI cyber-security guidance: full estate discovery and mapping, data-handling and privacy risk analysis, a controls gap analysis, and a prioritised remediation roadmap.
See the full description of each service at /services/.
Compliance or Governance: Which Do You Need First?
If you have a known obligation or a hard deadline, start with an audit from this page: it tells you exactly where you stand against the rules that bind you. If your problem is the operating model, the registers, policies, human oversight and board reporting that keep you compliant as your AI use grows, start with our AI governance consultancy service. For most businesses the honest answer is an audit first, then the governance framework to act on what it finds.
Who This Is For
Compliance help is most urgent where AI makes or shapes decisions about people, or where your AI touches the EU market:
Financial services.
Lenders, insurers and credit teams sit squarely in scope of the reformed Article 22 rules, with SS1/23 model risk expectations on top for banks.
Healthcare.
Firms whose AI sits near patient data face UK GDPR and DPIA duties; AI in medical devices brings the MHRA into the picture.
Manufacturing.
Exporters whose products or AI systems reach the EU market need to know their EU AI Act position, not guess it.
Logistics.
Operators using AI for scheduling, routing and workforce decisions are making automated decisions about people more often than they realise.
Legal services.
Firms adopting AI on confidential client matters, where data protection duties leave little room for error.
HR and recruitment, in any sector.
Teams using CV screening or candidate ranking: squarely within what the reformed Article 22 rules cover.
See how we work across industries at /sectors/.
Why Nimble AI
Nimble AI is a specialist AI governance and compliance consultancy for UK businesses. We are not generalist IT consultants with a compliance side-line: AI governance and compliance is the focus of our practice, and we are fluent in the whole UK stack, from UK GDPR and the DUAA 2025 to sector regulators and ICO guidance.
Behind the firm is more than 30 years in enterprise technology, service management and transformation, including building and leading award-winning teams and businesses. We've delivered ServiceNow, enterprise service management and large-scale process change in the real world: we have run the operations we now help you govern. That is why our audits produce action plans your team can actually execute, not shelfware.
And we tell you honestly what compliance requires and what it does not: if a rule does not apply to you, we say so, in writing. Learn more about our approach at /about/.
How an Engagement Runs
We scope before we sell.
A short conversation to establish which rules plausibly apply to you. If the honest answer is "fewer than you feared", you will hear that.
We audit against the rules that bind you.
Not a generic checklist: a gap assessment against the specific obligations your AI use triggers, with evidence gathered as we go.
We deliver an evidence pack, not a lecture.
Systems inventory, risk classification, gap analysis, prioritised action plan, executive summary: written deliverables you can show a regulator or customer.
We help you remediate at your pace.
Some clients have a hard deadline; others close gaps steadily over a quarter. We design the remediation plan around your timeline and resources.
Frequently Asked Questions
Is AI compliance a legal requirement in the UK?
The UK has no AI-specific act: AI is regulated through existing law and sector regulators. But the obligations that already apply are real and in force. UK GDPR requires a DPIA for high-risk AI processing of personal data. The reformed Article 22 rules under the Data (Use and Access) Act 2025 govern automated decisions about people. The Equality Act 2010 creates liability for biased outcomes. Which of these binds you depends on what your AI does: that is what a compliance assessment establishes.
Does the EU AI Act apply to UK companies?
Only if your AI touches the EU market. The Act applies to any organisation whose AI systems are used within the EU, so UK firms serving EU users or exporting into the EU are in scope regardless of where they are based. The high-risk deadline was deferred to 2 December 2027; transparency duties still apply from 2 August 2026. For purely domestic UK firms it is a voluntary benchmark, not a duty. Our EU AI Act overview has the full timeline.
What is an AI compliance audit?
A fixed-scope assessment that establishes which AI systems you are running, which legal obligations attach to each one, where you fall short, and what to fix first. The written deliverables typically include an AI systems inventory, a risk classification for each system, a gap analysis, a prioritised action plan and an executive summary: an evidence pack you can show a regulator, insurer or enterprise customer. Ours are fixed-price and run over 1 to 4 weeks depending on scope.
What is the difference between AI compliance and AI governance?
Compliance is meeting the specific legal obligations that bind your business: knowing which rules apply, closing the gaps, and being able to evidence it. Governance is the operating model you run AI within: registers, policies, human oversight and board accountability. Compliance tells you what you must meet; governance is how you keep meeting it as your AI use grows. This page covers compliance; our AI governance consultancy page covers the governance side. Most businesses need both eventually.
How long does an AI compliance audit take?
The AI Governance Health Check runs over 1 to 2 weeks. The EU AI Act Rapid Audit and the Automated Decision-Making Audit each run over 2 to 3 weeks from engagement. The AI Controls and Security Assessment takes 3 to 4 weeks. All are fixed-price with written deliverables. If you are not yet sure which one you need, the free 10-minute AI Readiness Scorecard will tell you which rules are likely to apply to you and the right next step.