AI Compliance Framework for Regulated Businesses

AI compliance isn't just a policy document.
It's a system.

A policy tells your team what to do. A compliance framework makes sure they actually do it — and gives you evidence if anyone ever asks.

The Difference

Most businesses stop at the policy. The framework is what actually protects you.

AI Policy (what most businesses have)

  • A document
  • States the rules
  • Given to employees once
  • Sits in a folder
  • No evidence of compliance

AI Compliance Framework (what protected businesses have)

  • A system
  • Enforces the rules
  • Regularly reviewed and updated
  • Evidenced and auditable
  • Demonstrates due diligence to ICO, regulators, and clients

What's Included

A complete AI compliance framework has six components.

01 — Acceptable Use Policy

The foundation document. Defines approved tools, prohibited uses, data rules, and employee responsibilities. Customised to your business.

02 — Data Classification Matrix

Categorises every type of data your business handles (public, internal, confidential, restricted) and defines which AI tools each category can be processed by.

03 — GDPR Compliance Position

For each AI tool you use: is it a data processor? Is there a DPA? Where is data stored? Does it train on your inputs? Documented and maintained.

04 — Employee Training & Acknowledgement

Plain-English guidelines per team and role. Employees read, understand, and sign acknowledgement. You have a record.

05 — AI Risk Register

A live document listing every AI tool in use, the risks associated with each, and the mitigations in place. Updated when tools are added or changed.

06 — Incident Response Procedure

What happens if something goes wrong. Who is notified, in what order, within what timeframe. Required by UK GDPR for data incidents.

Your Sector

Regulated industries have additional obligations.

Legal (SRA regulated)

Client confidentiality, legal professional privilege, and SRA Code of Conduct obligations apply when using AI with client matter files. The SRA has published specific guidance.

Financial Services (FCA regulated)

The FCA expects firms to manage AI as an operational risk. Consumer Duty obligations extend to AI-assisted advice or communications.

Healthcare & Care

CQC and ICO requirements overlap. Special category health data has the highest level of GDPR protection. Any AI processing of patient or service user data requires explicit justification.

Education

If children's data is involved, additional safeguarding obligations apply. Ofsted may ask about AI use in safeguarding contexts.

EU AI Act

Trading with Europe? The EU AI Act already applies to you.

The EU AI Act is not just a European regulation. It has explicit extraterritorial reach — if your AI systems produce outputs used inside the EU, you are in scope. That includes any UK business with Irish clients, EU supply chain partners, or EU-based customers.

Feb 2025

Prohibited AI practices banned

Manipulative AI, social scoring, and mass biometric surveillance outlawed across the EU — including outputs from UK-based systems reaching EU users.

Aug 2025

Fines now enforceable

EU regulators can issue fines today. Up to €35 million or 7% of global annual turnover for serious violations. No grace period on prohibited practices.

Aug 2026

Full enforcement — 4 months away

High-risk AI rules (Annex III), Article 50 transparency obligations, and full national enforcement across all EU member states. This is the critical deadline.

Aug 2027

AI in regulated products

AI embedded in medical devices, vehicles, and regulated machinery faces its own compliance deadline.

Who This Catches

  • UK businesses with any customers in Ireland or mainland Europe
  • B2B suppliers whose end clients serve EU customers
  • Businesses processing data about EU citizens
  • Any business planning EU expansion — build it now, not later

What's Inside Your Document

Part 01 — Your AI Compliance Profile
Tools inventory · Risk classifications · Fine exposure calculator

Part 02 — Your AI Policy Document
Policy sections with specific legal references · Sign-off sheet

Part 03 — Implementation Roadmap
Phased actions · How-to instructions · Consequences of skipping

Part 04 — Supporting Templates
Staff declarations · Incident report forms · Supplier AI questionnaires

Part 05 — Regulatory Reference
Plain-English regulation guides · Key dates · Official guidance links

19 pages · 10 policy sections · 5 phases · 4 templates · jurisdiction-specific

Investment

UK, EU, and US AI compliance — choose the jurisdiction you need.

Choose the framework that matches where your customers, employees, and operations are. Need more than one? We offer bundles — or you can start with one and extend later.

🇬🇧
UK AI Compliance

For businesses operating in the UK. Covers UK GDPR, ICO obligations, SRA/FCA sector requirements, and AI acceptable use. Foundation from £797.

🇪🇺
EU AI Act Compliance

For any business with EU customers, employees, or operations. Full enforcement 2 August 2026. Applies to UK and US businesses. Essentials from £497.

🇺🇸
US AI Compliance

For businesses with US operations, employees, or customers. California, Colorado, Texas, and Illinois laws are live now. Policy from £197.

UK Compliance Frameworks

Foundation Framework
£797 one-off

~$1,010 · ~€930

  • Acceptable Use Policy
  • Data Classification Matrix
  • GDPR Compliance Position (up to 5 AI tools)
  • Employee Guidelines + Acknowledgement Forms

Turnaround: 7–10 working days · Valid for 12 months

Annual policy refresh available at £297 to keep pace with evolving regulation.

Managed Compliance
£197 /month

~$250 · ~€230/month

6-month minimum term, then rolling monthly with 30 days' notice.

  • Your compliance framework maintained as AI regulation evolves
  • Quarterly review of tools, policies, and regulatory changes
  • Annual full re-assessment included
  • Unlimited tool additions and policy changes covered
  • Priority response if you receive an ICO enquiry or data subject request
  • New legislation updates applied as standard

Best for: businesses that want zero compliance risk, ongoing, without thinking about it.

EU AI Act Compliance

Full enforcement 2 August 2026. Applies to any business with EU customers, employees, or operations — not just EU companies. UK businesses with Irish clients, US businesses with German users — all in scope.

Looking for standalone EU AI Act compliance (not bundled with UK)? Essentials from £497 — see the full EU AI Act packages →

EU AI Act Assessment
£1,500 one-off

~$1,900 · ~€1,750

  • EU AI Act risk tier classification for all AI tools in use
  • Gap analysis against Annex III high-risk obligations
  • Article 50 transparency requirements assessment
  • Documented EU compliance position
  • Supply chain risk review

Turnaround: 10–14 working days

Best for: businesses already actively trading with EU clients who need standalone EU compliance.

EU Extension
£900 one-off

~$1,140 · ~€1,050

  • For existing Ops Intel UK Full Compliance clients only
  • Upgrades your existing framework to cover EU AI Act
  • No duplication of work already completed
  • EU risk classification + Article 50 compliance
  • Updated documentation covering both jurisdictions

Turnaround: 7–10 working days

Best for: existing clients expanding into EU trading. Contact us to confirm eligibility.

Managed EU Compliance Add-on

Added to any UK Managed Compliance plan. Covers ongoing EU AI Act monitoring as August 2026 enforcement beds in, quarterly reviews, and proactive updates as member states publish national enforcement guidance.

+£150/month

~+$190 · ~+€175/month

Added to UK Managed plan · 6-month minimum

US AI Compliance

California, Colorado, Texas, and Illinois AI laws are live now. Illinois law applies to any employer using AI in hiring decisions — regardless of which state your business is in.

Not sure if US law applies to you? Read the full breakdown — see the US AI Compliance packages →

US AI Policy
£197 one-off

~$250 · ~€230

  • AI Acceptable Use Policy
  • Employee AI guidelines
  • AI tool inventory template
  • Plain-English summary of obligations by state

Best for: small businesses wanting a baseline policy covering all 50 states.

Turnaround: 3–5 working days

US AI Compliance Complete
£1,497 one-off

~$1,900 · ~€1,750

  • Everything in Foundation
  • Multi-state compliance matrix
  • Full HR AI procedures and disclosure templates
  • Impact assessment templates
  • Incident response procedure
  • Federal legislation readiness assessment
  • 12-month policy update included

Best for: multi-state businesses, 15+ employees, or businesses wanting full coverage ahead of federal legislation.

Turnaround: 7–10 working days · Valid for 12 months

Ongoing US Compliance

Managed US Compliance
£197 /month

~$250 · ~€230/month

6-month minimum term, then rolling monthly with 30 days' notice.

  • New state AI laws monitored and applied to your framework
  • Federal legislation tracking — updated when it passes
  • Quarterly compliance reviews
  • Priority support for HR or regulatory enquiries

Best for: businesses that can't afford to track 50 state legislatures themselves.

How It Works

Four steps to a complete framework.

01

Audit

We inventory your current AI tools and data flows — what's being used, by whom, and what data is involved.

02

Draft

We write every document, customised to your business — policy, data matrix, GDPR position, risk register, incident procedure.

03

Brief

We walk your team through everything — plain-English guidelines, acknowledgement forms signed and filed.

04

Maintain

Annual review, tool additions, policy updates — keeping your framework current as AI evolves.

Questions

Quick answers.

Do we need a framework or just a policy?

Depends on size and sector. For a 2-person business using ChatGPT occasionally: a policy is probably enough. For a solicitors' firm with 8 staff using multiple AI tools with client data every day: the full framework is appropriate. We'll tell you honestly on the call.

Can this be used if the ICO investigates us?

Yes. One purpose of the framework is to demonstrate due diligence. If the ICO investigates a data incident, having documented policies, training records, and a risk register is material evidence of responsible data handling.

How often does it need updating?

The AI landscape changes fast. We recommend reviewing your policy and risk register every 12 months minimum, or whenever you adopt a significant new AI tool. The Managed Compliance add-on handles this automatically.

We're UK-only right now — do we need EU coverage?

If you have no clients, suppliers, or data subjects in EU member states (including Ireland), the UK framework is sufficient for now. However, if there's any chance you'll expand into EU markets in the next 12–24 months, building EU compliance in from the start is significantly cheaper than retrofitting it later. The EU Extension at £900 is available to existing UK Full Compliance clients when you're ready to make that move.

Does the EU AI Act really apply to a small UK business?

Yes — if your AI systems produce outputs used inside the EU. The Act's extraterritorial scope is explicit. A UK solicitor with one Irish client using AI to assist with their work is in scope. A UK marketing agency with one EU-based client is in scope. The fines are proportional for SMEs, but proportional is not zero — and the reputational risk of an enforcement action is the same regardless of company size.

Is this legal advice?

No. Our compliance frameworks are general compliance guidance documents and do not constitute legal advice. Ops Intel is not a law firm and is not authorised by the Solicitors Regulation Authority or Financial Conduct Authority. We recommend seeking independent legal advice for specific regulatory questions relating to your circumstances. Our frameworks are designed to demonstrate due diligence and reasonable steps — the standard most regulators apply when assessing SME compliance.

Sample Reports

See exactly what you receive.

Every framework is tailored to your business, your AI tools, and your jurisdictions. These samples show the range — from a clean low-risk result through to a business with significant gaps to close.

Example A — Low Risk

AI Compliance Framework Version 1.0  ·  May 2026

Harrison & Cole Accountants Ltd

Prepared by Ops Intel  ·  Jurisdictions: United Kingdom  ·  European Union

16 sections  ·  Risk register  ·  Gap analysis  ·  Remediation roadmap

Section 1: Executive Summary

Harrison & Cole is a 14-person chartered accountancy practice in Leeds. The firm uses AI tools across email drafting, transaction categorisation, tax return preparation, and receipt processing.

Overall Risk Level: LOW
Gaps Identified: 3
Prohibited / High-Risk AI: None

All AI systems are limited-risk or minimal-risk under the EU AI Act. Primary exposure: transparency obligations under Article 52 and sub-processor controls for financial data.

Section 3: AI System Inventory

Every AI tool the firm uses is catalogued — purpose, data involved, and whether it's client-facing.

| ID | System | Provider | Purpose | Client-facing? |
|---|---|---|---|---|
| AI-001 | Microsoft 365 Copilot | Microsoft | Email drafting, document summarisation, client correspondence | Indirectly |
| AI-002 | Xero (AI features) | Xero Ltd | Transaction categorisation, smart reconciliation | No |
| AI-003 | QuickBooks AI | Intuit | Expense categorisation, bookkeeping suggestions | No |
| AI-004 | IRIS Elements AI | IRIS Software | Tax return data extraction | No |
| AI-005 | Dext | Dext Ltd | OCR receipt and invoice extraction | No |
| AI-006 | ChatGPT (ad hoc) | OpenAI | Ad hoc drafting — no policy in place | No policy |
Section 5: EU AI Act — Risk Classification

Each AI system is classified under the EU AI Act four-tier risk framework. Risk tier determines which obligations apply.

| Tier | System(s) | Notes |
|---|---|---|
| Limited Risk | Microsoft 365 Copilot | Generates text delivered to clients — Article 52 transparency obligations apply |
| Minimal Risk | Xero, QuickBooks, IRIS, Dext | Assistive processing; human reviews all outputs; no legal effect on data subjects |
| Limited Risk ⚠ | ChatGPT (ad hoc) | Generative AI with no usage policy — gap requiring immediate action |

No prohibited or high-risk AI systems in use.

Section 7: Risk Register

Client Confidential: risk register — included in your framework

Section 8: AI Usage Policy

Client Confidential: tailored AI usage policy — included in your framework

Section 15: Gap Analysis & Remediation Roadmap

Every gap is assigned a priority, a target date, and a clear action. Nothing is left as "review required."

| Priority | Gap | Basis | Target |
|---|---|---|---|
| High | GAP-001 — No AI disclosure in client engagement letters | EU AI Act Art. 52 · DUA Act 2026 | 31 July 2026 |
| High | GAP-002 — Privacy notice does not reference AI processing | DUA Act 2026 · UK GDPR · ICO guidance | 30 June 2026 |
| High | GAP-003 — ChatGPT usage uncontrolled; potential client financial data exposure | UK GDPR · EU AI Act | 31 May 2026 |
| Med | GAP-004 to GAP-006 — Vendor DPA reviews, training records | | 31 July – 30 September 2026 |

Sections 9–14, 16: Data Governance · Vendor Management · Incident Response · Training · Sign-off

Client Confidential: 7 further sections included in your full framework

Your framework. Your AI tools. Your regulations.

Delivered within 48 hours. Accurate as at delivery. Managed Retainer clients get monthly regulatory updates included.

Get Your Framework →

Sample report. Client name, trading details, and AI tool configuration are illustrative only. Any resemblance to actual organisations is coincidental.

Example B — High Risk

AI Compliance Framework Version 1.0  ·  May 2026

Apex Creative Agency Ltd

Prepared by Ops Intel on behalf of Apex Creative Agency Ltd  ·  Jurisdictions: United Kingdom · European Union · United States

16 sections  ·  Risk register  ·  Gap analysis  ·  Remediation roadmap

Section 1: Executive Summary

Apex Creative Agency Ltd is a 22-person digital marketing agency based in Manchester, delivering paid media, content, and creative services to clients across the UK, EU, and North America. The agency uses AI tools extensively across campaign delivery, copywriting, image generation, client reporting, and outreach.

Immediate action required. This assessment has identified critical compliance gaps that require remediation before the EU AI Act transparency obligations take full effect in August 2026.

Overall Risk Level: HIGH
Gaps Identified: 9
High-Priority Gaps: 6

  • AI-generated content delivered to clients with no disclosure — Article 52 breach risk
  • Client personal data entered into consumer ChatGPT by multiple staff — active GDPR exposure
  • AI ad targeting tools (Meta Advantage+, Google Performance Max) operating without deployer review — EU AI Act gap
  • No AI sub-processor DPAs in place for 4 of 7 tools — UK GDPR Article 28 breach
  • Midjourney used to generate synthetic client imagery — no deepfake / synthetic media disclosure
  • US client data processed by EU-based AI tools without transfer mechanism — GDPR international transfer gap
Section 3: AI System Inventory

7 AI systems identified across campaign delivery, content production, client outreach, and reporting.

| ID | System | Provider | Purpose | DPA in place? | Client data? |
|---|---|---|---|---|---|
| AI-001 | ChatGPT (consumer) | OpenAI | Ad copy, emails, client briefs, proposals | ✗ No | Yes — uncontrolled |
| AI-002 | Midjourney | Midjourney Inc. | Client creative assets, social imagery, ad visuals | ✗ No | Client brand assets |
| AI-003 | Meta Advantage+ | Meta Platforms | Automated audience targeting and creative optimisation | ~ Partial | Client audience data |
| AI-004 | Google Performance Max | Google LLC | Automated campaign management and targeting | ~ Partial | Client audience data |
| AI-005 | HubSpot (AI features) | HubSpot Inc. | CRM email drafting, lead scoring, contact enrichment | ✓ Yes | Prospect data |
| AI-006 | Jasper AI | Jasper AI Inc. | Long-form content, blog posts, landing page copy for clients | ✗ No | Client briefs, brand guides |
| AI-007 | Whatagraph (AI reports) | Whatagraph Ltd | Automated client performance reporting | ✓ Yes | Client campaign data |
Section 5: EU AI Act — Risk Classification

Three systems carry active transparency obligations under Article 52. Two require immediate deployer review under Article 26.

| Tier | System(s) | Notes |
|---|---|---|
| Limited Risk ⚠ | ChatGPT (AI-001) | Generates client-facing copy with no disclosure. Consumer account — no DPA. Active GDPR and Article 52 breach risk. |
| Limited Risk ⚠ | Midjourney (AI-002) | Generates synthetic imagery delivered to clients and published publicly. Article 52(3) — synthetic media disclosure obligation not met. |
| Limited Risk ⚠ | Jasper AI (AI-006) | AI-generated content delivered to clients without disclosure. No DPA. Client brand data processed without Article 28 agreement. |
| Limited Risk | Meta Advantage+, Google Performance Max (AI-003, AI-004) | Automated ad targeting and optimisation. Deployer obligations under Article 26 not yet assessed or documented. |
| Minimal Risk | HubSpot AI, Whatagraph (AI-005, AI-007) | Assistive features with human oversight. DPAs in place. Low risk. |

August 2026 deadline: EU AI Act Article 52 transparency obligations take full effect. Three systems are currently non-compliant.
Section 7: Risk Register

Client Confidential: full risk register with likelihood, impact, and residual risk — included in your framework

Section 8: AI Usage Policy

Client Confidential: tailored AI usage policy for agency operations — included in your framework

Section 15: Gap Analysis & Remediation Roadmap

9 gaps identified. 6 are high priority. The roadmap sequences remediation to address the highest legal exposure first.

| Priority | Gap | Basis | Target |
|---|---|---|---|
| Critical | GAP-001 — Consumer ChatGPT used with client personal data — no DPA, no data minimisation, model training not restricted | UK GDPR Art. 28 · Art. 32 · DUA Act 2026 | Immediate — restrict use today |
| Critical | GAP-002 — AI-generated images (Midjourney) published as client content with no synthetic media disclosure | EU AI Act Art. 52(3) — synthetic content disclosure | Before next campaign launch |
| Critical | GAP-003 — Jasper AI and Midjourney processing client brand and brief data without Article 28 DPAs | UK GDPR Art. 28 — processor agreement required | 31 May 2026 |
| High | GAP-004 — AI-generated copy (ChatGPT, Jasper) delivered to clients without disclosure in any channel | EU AI Act Art. 52(1) & Art. 52(3) | 30 June 2026 |
| High | GAP-005 — Meta Advantage+ and Google PMax AI operating without documented deployer review or human oversight controls | EU AI Act Art. 26 — deployer obligations | 31 July 2026 |
| High | GAP-006 — Privacy notice does not disclose AI processing or sub-processors; no DUA Act 2026 reference | DUA Act 2026 · UK GDPR · ICO AI guidance | 30 June 2026 |
| Med | GAP-007 to GAP-009 — International transfer mechanism for US client data; staff AI training records; client AI disclosure in contracts | | 31 July – 30 September 2026 |

Sections 9–14, 16: Data Governance · Vendor Management · Incident Response · Training · Sign-off

Client Confidential: 7 further sections included in your full framework

If this looks familiar, the time to act is now.

EU AI Act transparency obligations apply from August 2026. Delivered within 48 hours. Managed Retainer clients get monthly regulatory updates included.

Get Your Framework →

Sample report. Client name, trading details, and AI tool configuration are illustrative only. Any resemblance to actual organisations is coincidental.

Don't wait for an incident to get compliant.

Book a 30-minute call. We'll assess what your business actually needs and give you a clear quote.

Book a Free Compliance Call →

Free 30-minute call · Written quote before work starts · Delivered within 2 weeks · UK-based team
