UK AI Regulatory Framework · v2023-03 white paper / 2024-…
UK AI Regulatory Framework — 80% covered.
33 requirements · 22 enforced · 6 designed · 5 advisory · 0 deferred.
Source: DSIT 'A pro-innovation approach to AI regulation' (white paper 2023-03 + response 2024-02) · License: Open Government Licence v3.0
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| Central function & sector regulator engagement | 10 | 3 | 3 | 4 | 0 | 55% |
| P1 Safety, security & robustness | 6 | 6 | 0 | 0 | 0 | 100% |
| P2 Appropriate transparency & explainability | 4 | 3 | 1 | 0 | 0 | 88% |
| P3 Fairness | 4 | 3 | 0 | 1 | 0 | 81% |
| P4 Accountability & governance | 5 | 4 | 1 | 0 | 0 | 90% |
| P5 Contestability & redress | 4 | 3 | 1 | 0 | 0 | 88% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
| uk-ai-framework.central-function | Central function (DSIT-hosted) monitors cross-cutting AI risks and coordinates between sector regulators (ICO, CMA, FCA, MHRA, Ofcom, etc.) | advisory | audit_events: kye.compliance.attestation.v1, kye.federation.cross_org_delegation.v1; engines: internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| uk-ai-framework.P1.safety-by-design | P1 — Safety considerations should be embedded throughout the AI system lifecycle (DSIT response §2.6) | enforced | audit_events: kye.purpose.permission.v1, kye.compliance.attestation.v1; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| uk-ai-framework.P1.testing | P1 — Pre-deployment and continuous testing including red-teaming and adversarial robustness (DSIT response §2.7) | enforced | audit_events: kye.scenario_run.v1, kye.assurance.audit_replay_report.v1; engines: internal, internal; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| uk-ai-framework.P1.incident-response | P1 — Incident response procedures for AI safety events (DSIT response §2.8) | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| uk-ai-framework.P2.intelligibility | P2 — Sufficient information about output rationale to enable affected persons to interpret meaningfully (DSIT response §3.4) | enforced | audit_events: kye.evidence.decision_map.v1; engines: internal; constitution_refs: constitution/36-GOVERNEDUI.md |
| uk-ai-framework.P2.public-disclosure | P2 — Appropriate public disclosure where AI substantially affects rights/interests (DSIT response §3.5) | designed | audit_events: kye.comms.dispatch.v1, kye.compliance.attestation.v1; constitution_refs: constitution/38-COMMS-RAIL.md |
| uk-ai-framework.P3.bias-monitoring | P3 — Continuous monitoring for fairness/bias outcomes (DSIT response §4.5) | enforced | audit_events: kye.scenario_run.v1, kye.signal.drift.detected.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| uk-ai-framework.P3.equality-act | P3 — Compliance with Equality Act 2010 protected characteristics in AI decisions (DSIT response §4.7) | enforced | audit_events: kye.data_use_manifest.v1, kye.purpose.admissibility.v1; engines: internal, internal; constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| uk-ai-framework.P4.lifecycle-accountability | P4 — Lifecycle accountability across providers, deployers, and end users (DSIT response §5.4) | enforced | audit_events: kye.federation.cross_org_delegation.v1, kye.purpose.permission.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| uk-ai-framework.P4.dpia-link | P4 — Linkage with existing UK GDPR DPIA where applicable (DSIT response §5.6) | designed | audit_events: kye.compliance.attestation.v1, kye.evidence.pack.v1; constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| uk-ai-framework.P5.complaint-channel | P5 — Effective complaint and challenge channels for affected persons (DSIT response §6.4) | enforced | audit_events: kye.signal.incident.opened.v1, kye.comms.dispatch.v1; engines: internal; constitution_refs: constitution/38-COMMS-RAIL.md |
| uk-ai-framework.P5.human-review | P5 — Right to human review of significant AI decisions (DSIT response §6.5) | enforced | audit_events: kye.approval_decision.v1, kye.evidence.decision_map.v1; governedui_modules: kye.governedui.module.action_approval.v1; constitution_refs: constitution/36-GOVERNEDUI.md |
| uk-ai-framework.central-function.gap-analysis | Central function — gap analysis between regulator approaches and DSIT framework principles (DSIT response §7.4) | advisory | constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| uk-ai-framework.central-function.cross-cutting-risks | Central function — monitoring cross-cutting / emerging AI risks (DSIT response §7.5) | enforced | audit_events: kye.signal.drift.detected.v1, kye.risk.score.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| uk-ai-framework.central-function.cross-regulator-coordination | Central function — cross-regulator coordination (CMA, ICO, FCA, OFCOM, etc.) (DSIT response §7.6) | advisory | audit_events: kye.comms.dispatch.v1; constitution_refs: constitution/38-COMMS-RAIL.md |
| uk-ai-framework.regulator.ico-guidance | Sector regulator engagement — ICO guidance on AI and data protection | enforced | audit_events: kye.compliance.attestation.v1; constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| uk-ai-framework.regulator.fca-guidance | Sector regulator engagement — FCA AI Discussion Paper / CP outcomes | designed | audit_events: kye.compliance.attestation.v1; constitution_refs: constitution/26-COMMERCIAL.md |
| uk-ai-framework.regulator.mhra-guidance | Sector regulator engagement — MHRA SaMD + AI Airlock program | enforced | audit_events: kye.compliance.attestation.v1; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| uk-ai-framework.regulator.cma-ai-foundation-models | Sector regulator engagement — CMA review of AI foundation models | advisory | audit_events: kye.model.capability_profile.v1, kye.model.influence_envelope.v1; constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
| uk-ai-framework.atrs.1 | Algorithmic Transparency Recording Standard (ATRS) — Tier 1: high-level information about algorithmic tool | designed | audit_events: kye.entity.model.v1, kye.model.capability_profile.v1; constitution_refs: constitution/43-MACHINE-READABLE-BY-DEFAULT.md |
| uk-ai-framework.atrs.2 | ATRS — Tier 2: detailed information about algorithmic tool decision-making | designed | audit_events: kye.evidence.decision_map.v1, kye.model.influence_envelope.v1; constitution_refs: constitution/43-MACHINE-READABLE-BY-DEFAULT.md |
| uk-ai-framework.P1.safety | AI systems should function in a robust, secure and safe way throughout the AI lifecycle | enforced | audit_events: kye.purpose.admissibility.v1, kye.resilience.drift_event.v1, kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| uk-ai-framework.P1.security | Risks to the security of AI systems should be continually identified, assessed and managed | enforced | audit_events: kye.evidence.tool_call_pin.v1, kye.agent.mcp_allow_list.v1, kye.agent.refusal.v1; engines: internal; constitution_refs: constitution/52-DELEGATED-AGENT-BINDING.md |
| uk-ai-framework.P1.robustness | AI systems should perform reliably under expected and unexpected conditions including adversarial inputs | enforced | audit_events: kye.evidence.trace_replay_spec.v1, kye.signal.stress_test.high_risk_detected.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| uk-ai-framework.P2.transparency | AI systems should be appropriately transparent — information about purpose, training data, function communicated | enforced | audit_events: kye.model.capability_profile.v1, kye.model.influence_envelope.v1; engines: internal; governedui_modules: kye.governedui.module.entity_passport.v1; constitution_refs: constitution/14-AGENTS-AND-ENGINES.md, constitution/36-GOVERNEDUI.md |
| uk-ai-framework.P2.explainability | AI systems should be appropriately explainable — decisions can be explained to affected parties | enforced | audit_events: kye.evidence.decision_map.v1, kye.evidence.trace_replay_spec.v1, kye.governedui.evidence_timeline.v1; engines: internal, internal; governedui_modules: kye.governedui.module.evidence_timeline.v1; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| uk-ai-framework.P3.fairness-policy | AI systems should not undermine legal rights, discriminate unfairly, create unfair commercial outcomes, or breach UK statutory equality duties | enforced | audit_events: kye.purpose.permission.v1, kye.purpose.admissibility.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| uk-ai-framework.P3.fairness-measurement | Fairness outcomes should be measurable and substantively tested across protected characteristics | advisory | audit_events: kye.evidence.trace_replay_spec.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| uk-ai-framework.P4.governance-measures | Effective oversight of the supply and use of AI systems with clear lines of accountability | enforced | audit_events: kye.purpose.grant.v1, kye.federation.cross_org_delegation.v1, kye.risk.authority_register.v1; engines: internal; governedui_modules: kye.governedui.module.authority_scope.v1, kye.governedui.module.authority_drift.v1; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/21-DELEGATED-AUDITABILITY.md; rule_packs: kye:rule-pack:public-sector-governance |
| uk-ai-framework.P4.accountability | Clear allocation of responsibility for the use, performance, and outcomes of an AI system | enforced | audit_events: kye.purpose.grant.v1, kye.evidence.decision_map.v1, kye.agent.governance.v1; engines: internal, internal; constitution_refs: constitution/52-DELEGATED-AGENT-BINDING.md |
| uk-ai-framework.P4.risk-management | Appropriate risk management practices throughout the AI lifecycle | enforced | audit_events: kye.risk.score.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| uk-ai-framework.P5.contestability | Affected third parties should be able to contest harmful outcomes or decisions | enforced | audit_events: kye.evidence.decision_map.v1, kye.evidence.trace_replay_spec.v1, kye.governedui.evidence_timeline.v1; engines: internal; governedui_modules: kye.governedui.module.evidence_timeline.v1, kye.governedui.module.critical_point_review.v1; constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md, constitution/36-GOVERNEDUI.md |
| uk-ai-framework.P5.redress | Mechanisms for redress should be available, identifiable and accessible to affected parties | designed | audit_events: kye.evidence.pack.v1, kye.signal.approval_evidence_pack.generated.v1; constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md, constitution/38-COMMS-RAIL.md |