Download the PDF. Print it. Bring it to your next leadership-team meeting.
What's inside
- Ownership and accountability. Named senior owner, board-level visibility, escalation paths. The first thing a supervisor or auditor asks about.
- Policy and procedures. AI usage policy, approval workflows, exception handling, periodic review.
- Data and lawful basis. DPIA coverage, transparency notices, lawful basis per use case, third-party register accuracy.
- Human in the loop. Decisions affecting individuals reviewed by named accountable humans; the reviewer is the decision-maker.
- Audit and assurance. Logging, retention, training records, and an evidence pack that can be produced within 7 days of a request.
Who this is for
UK regulated firms (legal, accountancy, financial services, NHS suppliers) where AI governance must demonstrate alignment with sector supervisor expectations. Also useful for any UK business preparing for client procurement due diligence.
How to use this
Score each item against current evidence. Anything you cannot evidence today is a governance gap that should close before scaling AI use further. The 'audit-ready evidence pack' framing is deliberate — supervisors and clients increasingly ask the same questions, and a single pack answers both.
Frequently asked
Is AI governance different from data governance?
Overlapping but distinct. Data governance is about how data is managed; AI governance is about how AI is used (including but not limited to data handling). UK regulators are increasingly clear that AI governance is its own discipline.
How does this map to FCA expectations?
The checklist aligns with the direction of FCA SS1/23 (model risk), SS2/21 (third-party risk), SMCR senior-manager accountability, and SYSC obligations on systems and controls. It's not a compliance attestation — for that, take regulatory advice.
Does this work for sole traders or very small firms?
Yes, but with lighter weighting. A sole trader still needs an AI policy and basic governance, just not a board-level structure.
How is governance different from compliance?
Governance is the structure that makes compliance possible. Compliance is the evidence that the structure is operating as designed. The checklist focuses on governance — the controls that allow compliance to follow.
What if we already have an ISO 27001 framework?
ISO 27001 covers part of this — particularly security, audit, and supplier dimensions. The AI-specific items (use case governance, human in the loop, AI vendor due diligence) sit on top.
Related Arx Certa services
If the gaps this resource surfaces for your business need outside help to close:
- AI services — implementation reviews, AI policy work, vendor due diligence, and pilot scoping.
- Cybersecurity — security overlay for AI use, UK GDPR / NCSC alignment, vendor risk assessment.
- Database — data foundations work AI projects depend on.
- Infrastructure — cloud, identity, network and integration foundations.
Score your AI readiness in 4 minutes
The Arx Certa AI Readiness Scorecard quantifies the foundations this resource describes — across governance, data, infrastructure, security and use case. Free, 12 questions, personalised report.