The DRCF is committed to promoting debate and better understanding of new technologies, their potential impacts across the economy, and the role of regulator cooperation in enabling their safe and trusted adoption. One of the ways we do this is through publishing papers and articles from DRCF researchers. The findings presented in this publication are contributions to debate and do not represent or imply the views of any of the DRCF member regulators and should not be interpreted as such. They do not represent or indication of the DRCF members' regulatory policies.
This article presents five lessons we learned about the relationship between digital regulation and AI adoption in the UK, drawing on a series of semi-structured interviews with stakeholders and a survey of UK businesses.
About the article
This year, the DRCF has conducted a large-scale survey of UK firms, and a series of semi-structured interviews, with senior representatives at the heart of AI decision making in government, regulators, AI service providers, and industry AI adopters.
Through this methodology, we’ve been able to learn more about how AI is making its way into UK businesses; what drives decisions to adopt, buy or build, and choose suppliers; and how regulators can help create the environment necessary for AI to flourish safely across the UK.
This blog sets out five lessons we learned. Though presented separately, we see the lessons as threads that weave through one fabric of AI adoption in the UK.
Lesson one: AI literacy is not a course, it is a culture
Across our interviews, the strongest predictor of successful AI adoption was not budget but a leadership choice to make AI use the default option.
One global law firm described how they designed their desktop environment, nudged reluctant teams, and made access universal from day one. Their point was simple, you cannot hope to teach people how to prompt in isolation and then expect transformation. You build habits, and crucially, you lower the internal threshold for when legal and risk should be consulted. In practice, this means making it easy, even expected, for teams to raise questions early, without fear of slowing projects down. By embedding legal and risk input into everyday workflows, organisations normalise responsible use and prevent compliance from becoming a last-minute obstacle.
Literacy, in this sense, is not just technical skill but the cultural reflex to check risks as naturally as checking spelling. EU AI Act Article 4 style literacy, which establishes a requirement for companies to take measures to ensure sufficient AI literacy, is a useful baseline, but it does not necessarily monitor the behaviours that make literacy stick.
Our survey adds capability as a factor to culture. About a third of respondents (ca. 29%) said that technical skills for building or adapting systems are a main hurdle, while micro firms both feel more cautious and are more likely to be unfamiliar with governance around development and procurement. Formal standards are widely used, yet the smallest firms lag on ongoing issue tracking and on informing customers about data use. That is a cultural gap as much as a resourcing gap. Regulators and public bodies working to adopt AI report similar internal processes. They keep a human in the loop for now, complete data protection impact assessments, are careful to avoid data leakage, and stress the need for continual education. That is literacy as responsibility rather than a one-off workshop. This shows that most organisations favour a culture of adoption with appropriate built-in safeguards, rather than adoption at all costs.
Going forward, numerous interviewees called for a bespoke AI literacy obligation that goes beyond certificates and not only instigates but also monitors behavioural changes as a welcome addition to the UK’s pro-innovation regulatory approach.
Lesson two: clarity, not more rules
Those tasked with maintaining AI compliance want clearer advice, with examples and ready to use structured templates. An official working on skills and assurance spoke plainly about the demand for practical guidance and about plans to professionalise third party assurance to close this gap. The message was not anti-regulation. It was a call for regulators to show how rules map to workflows, procurement and deployment, including interoperability with European approaches.
AI vendors echoed that sentiment. One interviewee contrasted high level principles with a desire for concrete signals, for example pointing businesses towards internationally recognised management standards as a baseline for risk management. Interviewees emphasised this is about giving buyers a common language to ask better questions.
Our survey adds context. Around half of firms (ca. 53%) say they tell users when they are interacting with AI, what the limits are, and how to report issues. Larger firms are more likely to do this well. Our interviews found this is because they translate rules into templates and routines that people can actually use.
A key objective of the DRCF is to provide clarity to industry on our members’ regulations. We do this through industry outreach, writing articles to clarify our positions and where regulations overlap, we’ve also been global leaders in providing innovation services to industry. Following our AI and Digital Hub pilot, we have launched our Thematic Innovation Hub and are working to provide industry with a Digital Regulatory Library, which will provide a unified regulatory resource for organisations, freeing them up to focus on innovation while navigating compliance with confidence. Our regulators have prioritised the application of existing rules and regulations, rather than adding more.
Lesson three: assurance must be context specific
Most firms (88%) of our survey say they use formal standards such as ISO 42001 or 38507, and many conduct reviews during development and deployment. When we asked what really influences buyers’ decisions to build or buy, the focus moved to context-specific evaluation, i.e. acknowledging that assurance needs to account for the unique requirements of each domain and use case. Regulators adopting AI internally described multidisciplinary scrutiny, a continuing human in the loop, and a heavy focus on data flow mapping to avoid leakage. They complete risk assessments to unlock use of powerful models safely. That is assurance that provides the confidence firms need to use AI to fulfil high value tasks.
In domains like legal search or drafting, both providers and large users warned that benchmarks can mislead if they strip away the nuance of the task. Public benchmarking is useful for presentation yet can hide the judgement that real cases require. The result is the need for compact, context aware evaluation notes that can accompany a system from pilot to scale, and for assurance practices that are interoperable across jurisdictions.
The DRCF has been active on AI Assurance since 2021, gathering information and data that gas supported regulators in navigating this growing industry. We also note DSIT's recent work to establish a Trusted Third-party Assurance Roadmap.
Lesson four: enabling confident compliance through clarity
Our survey found legal and compliance teams are the least assisted by generative tools. We consistently heard barriers concerning both the (in)accuracy and lack of trustworthiness of AI models, and uncertainty around duties and liability. Experienced practitioners described the formidable investment required to interpret guidance, negotiate sensible positions, and draft contracts, even as case law evolves.
Businesses are not confident to innovate when it comes to compliance. Our discussions with legal professionals have been revealing. Interviews with both AI providers and law firms consistently pointed to the perception that regulatory statements do not provide clarity about what crosses into regulated legal advice and what counts as research, triage or referral. The effects of this are widespread, impacting product design, marketing and even whether a start-up will pursue a product as desired.
Providing machine readable regulation offers vast opportunities in reducing regulatory compliance costs for firms. We are pushing to stay ahead of the curve, through our Digital Library we will be making it easier than ever to access our regulations and rules, obtaining the answers quicker and cheaper. Our regulators continue to explore the opportunities for making regulations machine readable. For instance, the FCA Handbook is now ingestible, searchable and readable by a computer.
Lesson five: procurement exposes the imbalance between risk and control
We found small and medium firms mostly buy generative AI systems rather than build in house. They often receive little long-term support, are less likely to insist on information about system limits at the point of sale, and yet still report that purchases met expectations. This demonstrates that the opportunity to ask sharp questions is unevenly distributed, which may increase the chance of avoidable harms on the part of the smallest buyers (and their potential consumers). In practice, this leaves liability blurred: if something goes wrong, SMEs may be forced to absorb risks that larger buyers can negotiate away.
Experienced negotiators stressed how power dynamics play out. With a few large providers, contract terms shift only for very large deals. Smaller buyers may accept one sided clauses and then rely on after the fact risk assessments to keep pace. We also found high street and mid-market firms gravitate towards familiar products and providers, not always because they are the best fit for the task, but because they are readily available and trusted. This may have consequences for competition and for the type of innovation that reaches end users.
These findings bring to the fore early DRCF work, in the autumn of 2022, where we held two workshops with 23 vendors and buyers of algorithmic systems to explore transparency during the process of procurement.
Additional threads that run through everything
Internal first, then external. Both buyers and public bodies start with back office and internal productivity before stepping into consumer facing work. It is a risk management pattern and a learning pattern. Vendors see the same arc in other regions, though appetite in North America and parts of Asia is stronger for consumer uses.
Agentic systems are the next test. Several interviewees are already deploying agentic features and expect this to complicate assurance as tools begin to act across systems. It will demand a clearer account of orchestration, permissions and monitoring.
The law is not the only source of friction. Much of the real delay is organisational. Without literacy and habits, regulatory action will only go so far to closing the gap.
Scale and sovereignty anxieties coexist. Some founders worry that prolonged uncertainty on copyright and data mining will push development abroad, while buyers say they want certainty that a vendor will still be around in future years. Confidence is both legal and commercial.
Taken together, these lessons are not separate threads but part of the same fabric. Literacy as culture, clarity in guidance, assurance that reflects context, cautious but confident compliance, and procurement shaped by power dynamics all weave into the wider fabric of how AI adoption and regulation interact in the UK. The strength of that fabric lies in how well each strand supports the others: culture enables clarity, clarity underpins assurance, assurance builds confidence in compliance, and procurement determines whether innovation reaches firms and, ultimately, consumers fairly. By recognising these interconnections, regulators and industry alike can help ensure that AI adoption is both safe and ambitious, stitched into the everyday practices of UK organisations.
Stergios Aidinlis (British Academy Research Fellow, DRCF Core Team)
