DRCF Insights: Innovating With Generative AI in the DRCF Member Regulators

Summary The Digital Regulation Cooperation Forum (DRCF) shares new insights from cross-regulator deep dive sessions with member regulators, revealing how UK regulators are adopting generative AI (GenAI) to strengthen regulatory effectiveness, while managing risks and protecting consumers.

The Digital Regulation Cooperation Forum (DRCF) is a voluntary forum for collaboration that brings together four UK regulators with responsibilities across the digital landscape – the Competition and Markets Authority (CMA), the Financial Conduct Authority (FCA), the Information Commissioner’s Office (ICO), and Ofcom.

The DRCF unites the four regulators to promote a coordinated approach to digital regulation for the benefit of people and businesses online, enabling the regulators to engage on digital policy areas of mutual interest and implement their shared vision of harnessing technology to enhance regulatory effectiveness and efficiency. This vision supports HM Government’s AI Opportunities Action Plan and its ambition for the UK to assume global leadership in artificial intelligence. Aligned with the Plan’s Scan, Pilot, Scale approach, the DRCF is playing a central role in supporting the safe and effective adoption of generative AI (GenAI) in its member regulators.

GenAI tools are rapidly emerging with the potential to transform regulatory analysis, supervision, and enforcement. Each member regulator has been testing, developing, and deploying GenAI capabilities to strengthen regulatory responses and ensure sustained regulatory effectiveness. For example, AI productivity tools have been rolled out to staff in each of the member regulators to support the development of organisational capability and digital confidence, and to set standards for responsible AI use. This approach ensures that experimentation with GenAI is practical, well-governed, and aligned with the member regulators’ public interest objectives.

In tandem, the DRCF has enabled shared learning, peer review, and collaborative exploration of emerging GenAI tools through an ongoing programme of cross-regulator deep-dive sessions. These sessions are designed to facilitate structured knowledge-sharing and joint exploration of new technologies, helping to accelerate the scalable deployment of GenAI tools while managing costs and mitigating risk. This collaborative approach supports faster, more consistent regulatory responses to emerging technologies and has helped empower staff to make more effective use of AI tools.

Over the past twelve months, the DRCF has convened a series of six deep-dive sessions with internal leaders on advanced regulatory technologies. We have focused on four priority areas:

1. Governance frameworks, including managing hallucination risks, bias, and ethical considerations.
2. Prompt engineering, which is providing clear, comprehensive, and targeted instructions to AI models to achieve specific results.
3. Use of AI for detection of consumer harms, including those related to online choice architecture and harmful design patterns.
4. Frameworks for evaluating the performance and impact of AI solutions.

This article summarises the key findings from this work from over the past year.

Governance Frameworks

What are governance frameworks, and why do they matter?

Governance frameworks provide structured systems that shape how decisions are made, how accountability is exercised, and how organisations can align their operations with their strategic goals and regulatory obligations. When data is processed using algorithms or AI systems, these governance structures must ensure that AI performs as expected, including avoiding introducing harmful errors, known as ‘hallucinations,’ and bias.

Establishing governance frameworks within the member regulators

Transparent and secure data practices are critical for building public trust in regulatory systems. As the DRCF’s work involves coordinating activities between regulators and supporting the adoption of new regulatory technologies, robust data governance frameworks are essential.

DRCF members opened the series of deep-dive sessions by sharing their experiences of designing internal governance frameworks. This included how such frameworks are being used to enable innovation, manage decision-making and data lifecycles, and identify and mitigate risks such as hallucination and bias, through proportionate oversight and controls.

The member regulators highlighted that the responsible adoption of AI is a strategic enabler; it strengthens their ability to anticipate and respond to emerging risks, deliver better regulatory outcomes, and identify potential harms at an earlier stage. For example, the FCA’s approach is underpinned by a comprehensive internal governance framework. This includes its internal Data Management Policy, AI Frontier Policy, Data Privacy Policy, and structured training on risk management systems.

Prompt Engineering

Prompt engineering involves the design and refinement of instructions given to large language models (LLMs) to achieve desired outputs. During the second deep-dive session, several member regulators shared the prompts they have developed to enhance the efficiency and effectiveness of their regulatory processes.

Case study: Using RAG to ground LLM responses 

One member regulator implemented a retrieval‑augmented generation (RAG) approach to process internal forms and free text attachments. The system builds a secure index of approved internal and proprietary documents on which the LLM draws when responding to a query. By injecting the most relevant retrieved information directly into the prompt, responses are grounded in verified sources, thereby reducing hallucination risks. Although grounding reduces inaccuracies, it cannot eliminate them entirely, so RAG remains one tool among several validation measures.

Best practices identified in designing prompts

The member regulators have highlighted common techniques that significantly improve output quality:

• Context – supplying the model with relevant background, including document links and definitions
• Persona – instructing the model to adopt a specific viewpoint or role
• Few‑shot prompting – providing example inputs and outputs, taking advantage of the AI’s ability to use a long context window
• Constraints and formats – specifying factual accuracy, prohibiting conclusions, or requiring conciseness.

Once these practices are in place, users apply more advanced techniques, such as:

• Decomposing complex questions into sub‑questions to help L1LMs focus on one sub-question at once
• Using chain‑of‑thought and tree‑of‑thought prompting to support step‑by‑step reasoning
• Prompt chaining, linking outputs sequentially
• ReAct (Reason + Acting), where the LLM is instructed to collect and consider additional information before responding.

The member regulators have found that refinement of prompts involves iterative testing. Once a prompt is optimised, it is tested against a different document set to check generalisability. This staged testing helps standardise citation formats and make the prompts repeatable between teams.

Training staff in prompt engineering

DRCF members have experimented with GenAI platforms for staff training. This includes:

• Standardising terminology and prompts
• Educating staff about accuracy, bias, transparency, and interpretability limitations
• Building shared prompt repositories
• Reviewing prompts collaboratively to improve accuracy and consistency

Harmful Design Patterns and Online Choice Architecture

In this deep-dive session, the member regulators discussed their work on detecting harmful design patterns and assessing online choice architecture.

What is meant by online choice architecture and harmful design pattern detection?

Online choice architecture (OCA) refers to how digital environments, such as websites and apps, present choices and information to users. This includes the placement, framing, and presentation of options, ranging from default settings to navigation menus. We know from research that OCA directly influences consumer decisions and actions. Depending on the design chosen, consumers can either be guided towards better choices and outcomes or nudged towards options that are profitable to the business involved but may not be to the consumer’s benefit. Harmful design patterns are part of this picture. The term refers to deceptive web design practices that are intended to manipulate users into making choices against their best interests; these exist in a wide range of consumer journeys.

Drip pricing, for example, is a sales tactic in which companies initially show a low price for a product or service, to which they gradually add mandatory fees, taxes, or charges during the checkout process. By the time the final cost of the purchase is revealed, consumers have often already committed to completing the transaction.

Reference pricing is a marketing technique in which retailers compare a discounted ‘sale’ price with a reference price, for example, an ‘original,’ ‘from,’ or ‘recommended retail’ price. That reference price must reflect a real and substantiated advantage for the consumer. Where it does not, for example, because the reference price has been inflated or fabricated, it can mislead consumers into believing that they are receiving a significant discount.

In the same vein, misleading scarcity claims are a marketing strategy in which businesses inflate demand for a product by exaggerating its availability or popularity. This can have the effect of rushing consumers into making fast, emotionally driven purchasing choices, spurred by the concern of missing the deal. If a business creates a misleading sense of urgency, by overstating popularity or understating availability, consumers may feel compelled to act immediately, when in reality, the product is not in limited supply or likely to run out of stock.

The term ‘sludge practices’ is used to refer to certain online choice architecture harms in which design features impose friction on consumers in ways that can lead to poor outcomes, such as making it difficult to cancel unwanted services or subscriptions, showing consumers poor quality terms and conditions, or leading consumers through confusing pathways.

Harmful design patterns can sometimes be AI-powered, in that businesses may use algorithms to analyse user behaviour in real-time and create personalised, subtle persuasion.

How the member regulators are detecting harmful design patterns and evaluating online choice architecture

DRCF members have been studying online choice architecture and considered the implications. They have also developed a range of AI-enabled tools to evaluate online choice architecture practices and detect harmful design patterns.

For example, the CMA published a taxonomy of online choice architecture practices in 2022 along with a comprehensive evidence review. Together, the CMA and ICO have also set out how online choice architecture practices can undermine consumer choice and individuals’ control over their personal information in a joint position paper on Harmful Design in Digital Markets (2023).

Since publication of the 2023 paper, the ICO has secured increased compliance with current communication and data protection regulations with regards to the use of non-essential cookies, and https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/12/ico-action-secures-increased-cookie-compliance/continues to monitor ‘cookie compliance’ at scale. In parallel, the CMA has published advice for businesses on the fair and transparent use of innovative pricing models, while continuing to ensure that online shoppers are able to access clear and accurate pricing information.

These regulatory interventions align with the requirements of the Online Safety Act (OSA), which places obligations on online platforms to operate in a ‘safe by design’ manner, particularly in relation to children, and to act transparently and accountably. This includes protecting users from harmful content, especially those who are more vulnerable or impressionable, while safeguarding privacy and freedom of expression.

Behavioural audits are sometimes used by DRCF members to assess whether online choice architecture is compliant. For instance, Ofcom uses these to assess whether online services comply with obligations under the OSA, exploring four key areas:

• Service sign‑up processes
• Features influencing time spent on the service
• Negative sentiment tools
• Reporting mechanisms

By auditing aspects of the consumer experience, the member regulators can assess whether services are designed in ways that meet regulatory expectations and deliver fair, transparent outcomes for consumers, while enabling businesses to innovate responsibly.

The CMA has developed agentic AI that is able to ‘experience’ and capture the consumer journey at scale, to identify potential infringements of consumer law such as drip pricing. Using agentic AI to detect issues at scale across the economy is helping the CMA better understand consumers’ experience and target its enforcement activity where it will have the greatest impact. As a result of this investment, the CMA has recently been able to open investigations into eight businesses and send advisory letters to one hundred others.

The FCA shared insights from a sprint‑style pilot testing LLM capability to identify sludge practices. While traditional sludge audits require humans to manually replicate consumer journeys by clicking through websites, the FCA’s pilot found that LLMs can simulate consumer personas and perform many audits quickly, offering scalability and potential efficiency gains. However, the pilot also identified that:

• Prompt engineering is required to ensure consistent output.
• LLM interpretation of webpages is imperfect.
• Human review remains essential to validate accuracy.

Overall, the pilot reinforced that LLMs are useful but also that they must be applied cautiously.

Evaluation Frameworks for AI Solutions

The fourth and final priority area addressed by the member regulators during this programme focused on the development of internal evaluation frameworks to assess whether AI tools are suitable and impactful for specific regulatory use cases. Several member regulators have developed minimum viable products (MVPs) for AI evaluation. These MVPs typically comprise a concise articulation of the task the GenAI tool is intended to support, with clearly defined use cases; user guidance and guardrails designed to promote good practice; and a set of core performance checks, including assessments of accuracy and usefulness, as well as the identification of obvious failure modes, such as hallucinations.

How these frameworks work

Frameworks compare LLM outputs with reference answers using:

• Test questions
• Relevant source documents
• Predetermined criteria, such as accuracy, style (including citation rules), and overall substance.

Models are scored on a pass/fail basis depending on thresholds.

Benefits and challenges

These frameworks are:

• Objective, standardised, and repeatable
• Helpful in assessing sensitive use cases, including where local or frontier models may be more appropriate
• Efficient for scenarios requiring significant testing
• Useful in identifying constraints rapidly.

However, developing the test materials and reference answers is time-consuming, and frameworks work best where the technical requirements are straightforward to articulate.

Communicating model performance

The member regulators observed that development and application of evaluation frameworks are central to enabling technical teams to assess, understand, and discuss internally the performance of models and to support the responsible adoption of GenAI. In practice, these frameworks provide a structured mechanism to progress from pilot activity to wider deployment where initial trials are successful, doing so in a controlled, proportionate way. By consistently capturing lessons learned and performance metrics, evaluation frameworks reduce duplication, support continuous improvement, and enable more efficient and robust scaling.

In each DRCF member organisation, the deployment of AI tools is underpinned by established evaluation processes, including risk assessments, data protection safeguards, information security controls, and assurance of compliance with relevant legal and public interest standards. Governance‑focused discussions earlier in the DRCF programme have helped upskill staff and improve understanding of evaluation principles.

Next Steps

The DRCF members’ use of GenAI is shifting from experimentation to becoming a core component of future‑ready regulatory oversight and impact. Member regulators are making rapid progress and developing approaches that are scalable, practical, and responsible.

The DRCF welcomes the opportunity to discuss any of the lessons learned from these deep dives in greater depth with other regulators and Government. Cross‑regulatory collaboration through the DRCF is delivering tangible benefits, including peer review, consistency across regulatory approaches (where applicable), and savings in collective resource as learnings are shared proactively. The member regulators are also drawing on wider government strategy and public sector initiatives to support broader alignment, ensuring that regulatory innovation is a strengthening element of the UK’s wider AI ecosystem.

Looking ahead, the DRCF will continue to convene deep‑dive discussions between its members, focusing on new aspects of AI development and adoption. This DRCF workstream will continue to support innovative and responsible regulatory uses of GenAI and promote transparent and safe adoption of AI tools in each of the DRCF’s members.