With no single UK AI Act, “AI compliance” can feel vague. The fix is a checklist — a clear set of bases to cover. Here’s a practical one for UK businesses in 2026, cited to official sources. (dgm implements osFoundry as an independent partner. General information, not legal advice.)
How UK AI compliance works
Because the UK has no single AI Act, compliance is a checklist across several areas rather than one statute. Most of it flows from data-protection law (the UK GDPR and the Data Protection Act 2018), with sector rules and, where your system reaches the EU market, the EU AI Act layered on top.
The checklist
1. Data protection (start here)
- Lawful basis identified for any personal data (training and inference).
- DPIA completed where processing is likely to be high risk (assume one is needed for nearly all AI that processes personal data; the ICO treats AI as a high-risk indicator). (DPIA guide)
- Transparency — people are told their data is used in AI.
- Automated decision-making safeguards under the Data (Use and Access) Act 2025 (DUAA): inform the person, let them make representations, let them contest the decision, and provide human intervention. (ADM guide)
- Data minimisation and security across the lifecycle.
- Data residency/transfers assessed. (Data residency guide)
2. Human oversight and accountability
- Named accountability for AI use.
- Human review of significant or customer-facing outputs.
- Audit trail of what the AI did: inputs, outputs, the model and prompt version used, and who reviewed or overrode what.
3. Sector rules
- FCA (financial services) — Consumer Duty, SM&CR. (FCA guide)
- MHRA — is the AI a medical device? (MHRA guide)
- Ofcom — Online Safety Act for user-facing chatbots. (OSA guide)
- Public sector: the government AI Playbook plus the Algorithmic Transparency Recording Standard (ATRS) if you sell to government. (Public sector guide)
4. EU AI Act exposure
- Does your AI reach the EU market? If so, classify the system against the Act's risk tiers and meet the obligations already in force; the Act's duties phase in over time, so track the dates that apply to your tier. (EU AI Act guide)
5. Governance basics
- AI use policy in place. (Use policy guide)
- Vendor/data checks done.
- Review cadence set (guidance evolves — e.g. the ICO’s ADM guidance).
A checklist isn’t sign-off
Use this to cover the bases, then have your DPO and legal advisers confirm. Compliance is ongoing, not a one-off tick-box — especially as ICO and regulator guidance evolves through 2026.
Where osFoundry and dgm fit
dgm builds AI that satisfies the technical side of this checklist — data control (self-host or an EU region, bring-your-own-key), audit logging, human-in-the-loop review, and transparency — on osFoundry, so each item is straightforward to evidence rather than retrofit. osFoundry publishes US/EU/JP regions (not a UK one), so UK data-sensitive work uses an EU region or self-hosting.
dgm is an independent integration partner with zero integrations so far, and is not a law firm. Legal sign-off stays with your advisers. To scope an AI project that is easy to evidence against this checklist, book a consultation with dgm.