United Kingdom

Runtime authority for sovereign UK AI.

When a UK regulator, a clinical-AI panel, or a financial-services audit asks who or what acted, on whose behalf, under what authority, inside what scope, in what state, with what decision and evidence — KYE Protocol answers from a record that existed at the moment of action. Not reconstructed after the audit, not assembled by counsel, not stored in a vendor's logs. Sealed at decision time. Verifiable from the customer's own JWKS.

UK AI Opportunities Action Plan · AISI · DSIT

The UK is moving from principles to runtime accountability.

The UK's pro-innovation AI framework (DSIT 2023 White Paper), the AI Opportunities Action Plan, the AI Safety Institute, FCA + PRA model-risk discipline, MHRA's SaMD & AI Change Program, NHS DSPT and the Cabinet Office Algorithmic Transparency Recording Standard are converging on the same expectation: AI systems must prove their authority at runtime, not declare it in a policy document.

KYE Protocol is the runtime authority and evidence layer that lets a UK organisation answer the regulator's first question — who or what acted — with a signed, replayable, machine-verifiable record. No vendor lock-in on the evidence. The verifier is open; the customer holds the keys.

UK frameworks mapped to KYE

Per-requirement bijection — not a checklist on a slide.

For each UK framework below, every substantive requirement is bijection-mapped to the actual KYE artefact that enforces it (schema, engine, agent, worker, PDP, evidence pack, audit event). Click a card to open the per-requirement map. The bijection gate fails the build if a citation drifts.

HAARF v1.0

Healthcare AI Agents Regulatory Framework

Comprehensive security and governance standard for autonomous AI agents in clinical environments. 279 requirements across 8 categories.

88% weighted coverage · 213 enforced, 64 designed

Per-requirement map (279 reqs) →

MHRA MDR 2002

UK Medical Devices Regulations 2002

UK Statutory Instrument 2002/618 as amended. Risk classes (I / IIa / IIb / III + software class) and conformity assessment.

91% coverage · 19 enforced, 4 designed

Per-requirement map (23 reqs) →

MHRA PMS 2025

UK Post-Market Surveillance Regulations 2025

SI 2024/1368, effective June 2025. PMS plan, periodic safety update, trend reporting, incident reporting, FSCA notification.

83% coverage · 6 enforced, 3 designed

Per-requirement map (9 reqs) →

MHRA SaMD & AI

Software and AI as a Medical Device Change Program

MHRA Change Program (2023). 15 work-packages: qualification, classification, PCCP, clinical evidence, AI Airlock, adaptive control, failure-mode analysis.

93% coverage · 13 enforced, 2 designed

Per-requirement map (15 reqs) →

DSIT 2023

UK AI Regulatory Framework

The UK's pro-innovation AI principles — safety, transparency, fairness, accountability, contestability — with DSIT, FCA, MHRA, CMA and Ofcom as cross-sectoral regulators.

Five-principle alignment · Authority Gate + Decision Map bindings

Coverage detail →

UK AI Assurance

DSIT AI Assurance Toolkit

DSIT's AI assurance ecosystem — assurance techniques, third-party evaluation, AI Standards Hub, AISI evaluations.

Replay Proof + signed Evidence Pack as third-party-verifiable assurance artefacts

Coverage detail →

All UK framework cards above link to per-requirement bijection maps generated from the canonical coverage registry. The framework-coverage-bijection gate fails any merge where a citation drifts — the maps cannot lie about which KYE artefact enforces which requirement.

UK regulated sectors

Where UK AI runtime authority matters first.

UK financial services

FCA Consumer Duty + PRA model-risk discipline + FCA AI Live Testing. Every AI-assisted decision that touches a customer outcome needs a defensible authority chain. KYE provides the runtime evidence the FCA expects under SYSC and the PRA expects under SS1/23.

NHS & clinical AI

NHS Data Security and Protection Toolkit + MHRA SaMD + DCB 0129 / 0160 clinical-safety-case discipline + HAARF clinical agent oversight. KYE binds the authority chain at recommendation time so the clinical-safety case is contemporaneous, not reconstructed.

Public sector

Cabinet Office Algorithmic Transparency Recording Standard (ATRS) + Data (Use and Access) Act 2025 + GDS service-standard accountability. KYE produces the ATRS-aligned signed records straight from the runtime decision — not from a quarterly catalogue refresh.

Critical national infrastructure

NIS Regulations 2018 (post-Brexit) + NCSC CAF + critical-supplier obligations. KYE gives operators authority-attenuation, signed revocation and offline-verifiable evidence packs that survive a third-party-supplier audit.

UK-sovereign deployment

UK data, UK keys, UK control.

KYE Protocol deploys to the customer's own Cloudflare account with UK-aligned data-locality (D1 + R2 + KV pinned to the customer's region), customer-held signing keys (BYOK / customer KMS), and an offline-verifiable evidence chain that doesn't depend on a vendor server staying up.

  • Data residency — deploy to UK-region Cloudflare resources; configurable per-tenant.
  • Customer KMS — signing keys live in the customer's HSM / KMS; KYE never has access to the private key material.
  • Open verifier — any third party (auditor, regulator, dispute panel) can replay an Evidence Pack using only the published JWKS. No vendor dependency in the audit path.
  • UK GDPR alignment — PII is referenced by URN, not embedded; UK records can stay UK; right-to-erasure is a first-class lifecycle state.
  • Apache 2.0 schemas + vocabulary — the contracts the customer relies on are open. The patent-track runtime mechanism is paid; the proof formats are not.

UK pilot

Start in shadow mode. Generate evidence before enforcing controls.

UK pilots run in shadow mode first — KYE observes the delegated-action chain and produces signed Evidence Packs without blocking any production decision. After the pre-agreed evaluation window, the customer promotes specific Guards from shadow to enforce, one at a time, via a signed Adoption Stage transition. Rollbacks are first-class.

  1. Identify the delegated-action pathway — one AI-assisted workflow where a regulator's first-question audit would be costly.
  2. Bind KYE read-only — observe the actor, principal, authority, purpose, scope and state at decision time. No IAM replacement, no production blocking.
  3. Identify authority gaps — signed reports surface where the chain breaks (missing grant, out-of-scope action, stale delegation, etc.).
  4. Produce signed Evidence Packs — per governed action, replayable offline from the customer's JWKS.
  5. Promote selected Guards to enforce — one narrow class of action at a time, on the customer's schedule, with signed adoption-stage transitions and first-class rollback.

Independent — no government affiliation. KYE Protocol™ is an independent protocol and is not affiliated with, endorsed by, or part of any government, regulator, or official “Sovereign AI” programme. References to regulators and frameworks describe the requirements KYE™ helps you evidence — not any official relationship.