The core requirements businesses should set for AI use

TL;DR

Every owner-managed business using AI needs five things in place before relying on it: a clear purpose with a named owner, data-handling rules grounded in UK GDPR, written vendor agreements, a basic acceptable-use policy for staff, and human review for outputs that reach customers or affect individual decisions. The requirements are proportionate to the risk: the closer AI gets to a decision that affects someone's livelihood or finances, the more formal the controls need to be.

Key takeaways

- Core AI requirements for an owner-managed business cover five areas: purpose and accountability, data protection, vendor contracts, internal acceptable-use policy, and human oversight for decisions that affect people.
- UK GDPR and ICO guidance apply to any AI use involving personal data, regardless of business size. The ICO has fined organisations under these rules and will continue to do so.
- The level of governance you need should match the consequences of the use case. Drafting internal documents carries different obligations from screening job applicants or automating client-facing decisions.
- Enterprise-grade AI plans from major vendors typically include "no training on your data" commitments that free-tier accounts do not. If you handle client confidential information, the plan tier you are on is a material question.
- A practical first step is an audit, not a framework: list every AI tool in use, confirm data-processing agreements are in place, and write down one rule about what data must never enter any external AI tool.

Ask your team what AI tools they’re using and you’ll typically get two types of answer: the ones you’ve paid for and sanctioned, and a longer list of things people have been using on free accounts to get work done faster. Nobody meant any harm. Somewhere in that second list, though, there’s probably a tool that has been processing client names, draft emails, or financial summaries without a data-processing agreement in place and without anyone having decided whether that was acceptable.

Setting requirements for AI use does not mean hiring a compliance team. It means deciding, clearly and in writing, what conditions AI has to meet before your business relies on it.

What do “core requirements” for AI use actually mean?

The phrase “AI requirements” sounds like it belongs in a FTSE 100 board paper. For an owner-managed business, it refers to the baseline conditions you set before AI enters your workflow: who is accountable, which data can go into which tools, what vendors must agree to in writing, how staff know what is permitted, and how you check that AI-generated outputs are reliable.

These conditions come from three sources. Some are legal obligations. UK GDPR and the Data Protection Act 2018 apply to any AI use involving customer or employee data. The ICO has published detailed guidance on how these rules apply to AI systems, covering lawful basis, fairness, transparency, data minimisation, and individual rights.

Some requirements come from UK sector regulators. The NCSC has issued secure AI use guidance for organisations of all sizes. The FCA has confirmed in a discussion paper that financial services firms and their senior managers remain fully accountable for AI-assisted outcomes.

Some are practical operating decisions that sit outside regulation entirely. Whether to accept AI-generated output without human review is not something the law decides for you. A US lawyer discovered this in 2023, when a court sanctioned him after he filed documents citing cases that ChatGPT had invented. The cases did not exist.

The EU AI Act adds a risk-based layer for any business with EU customers, with stricter obligations as AI use moves closer to decisions that affect individuals directly.

Why do these requirements protect your business, not just your regulator?

Enforcement decisions give the requirements their weight. The ICO fined Clearview AI £7.5 million in May 2022 for unlawfully collecting and processing UK residents’ biometric data and ordered the company to delete it. Owner-managed businesses are not typically building facial recognition databases, but the principle applies: data protection law holds regardless of business size, and the ICO acts on it.

Beyond data protection, accountability risks appear in more everyday contexts. For a consultancy, an advisory firm, or any professional services business, AI-generated output submitted as fact is your liability.

Human oversight failures have a documented record. The Dutch tax authority’s automated fraud-detection system for childcare benefits was later found to discriminate against claimants based on nationality, generating thousands of wrongful demands. The scandal contributed to the Dutch government’s resignation in January 2021. The system did not bypass humans entirely. People had delegated decisions to it without building in the checks the situation required.

Setting requirements while your AI use is small and recoverable is substantially cheaper than addressing an accountability gap after something reaches a client or a regulator.

Where do these requirements show up in practice?

For an owner-managed business, the requirements land in five areas: a defined purpose with a named owner for each AI use case; data-handling rules covering legal basis, sensitive data categories, and vendor agreements; an acceptable-use policy telling staff what they must never put into external AI tools; vendor due diligence; and human review checkpoints for outputs that reach customers or affect individual decisions.

On data handling, the ICO recommends a Data Protection Impact Assessment for any processing likely to result in high risk to individuals. For an owner-managed business, a DPIA is typically a two-page document: what data is involved, what the legal basis is, what the risks are, what controls are in place. It is not a six-month compliance project.

On vendor contracts, the key distinction is between free-tier consumer accounts and enterprise plans. OpenAI, Microsoft, and Google updated their enterprise terms in 2023 and 2024 to include explicit “no training on your data” commitments on business-grade plans. Free-tier accounts typically do not carry the same guarantee. If client confidential information flows through your AI tools, the plan tier you are on is a material question rather than an administrative detail.

On internal policy, the NCSC guidance is direct: every organisation using AI should specify in writing what data categories must never enter an external AI tool. Client names, financial records, health information, and legally privileged material are the obvious starting points. One clear rule, communicated to all staff, does the same job as a lengthy acceptable-use document.

When should you apply these in full, and when is a lighter touch enough?

Not every AI use carries the same exposure. A founder summarising publicly available reports for internal reading faces different obligations from one using AI to screen job applicants or generate personalised client-facing recommendations. The scrutiny you apply should match the consequence: the closer an AI output gets to a decision affecting someone’s livelihood or finances, the more formal your requirements need to be.

Low-impact cases sit at the lighter end: drafting internal documents with no personal data involved, reformatting your own content, summarising public information for your own reading. These raise IP and confidentiality questions but carry few data-protection obligations.

The requirements tighten quickly when AI touches people’s circumstances. The ICO is explicit that solely automated decisions with legal or similarly significant effects on individuals are restricted under UK GDPR Article 22. That restriction applies regardless of business size.

A practical starting point is an audit rather than a framework. List every AI tool in use across your business, who uses it, what data goes in, and what comes out. That list takes two hours to compile and surfaces more genuine risk than many governance documents do in twice the time.

What connects AI requirements to how you already run your business?

AI requirements sit on top of the data governance, staff training, and vendor management practices your business already has, or should have. A business that handles client data carefully, tells staff what is and is not permitted with sensitive information, and reviews its supplier contracts periodically will find that adding AI extends those existing habits rather than demanding a separate compliance track from scratch.

McKinsey’s 2023 State of AI survey found that organisations capturing the most value from AI were nearly twice as likely to align their AI initiatives to specific business metrics as lower-performing peers. The requirements create the conditions for that alignment. A named owner, a defined problem, a human review checkpoint, and a clear vendor agreement: each of these is an operational prerequisite that makes AI outputs reliable enough to build on.

One practical step for this week: confirm whether every AI tool your team uses has a written data-processing agreement in place, and whether any are on free-tier accounts with no such commitment. Two hours of checking surfaces more real exposure than many governance audits do at three times the length.

If you want to think through how these requirements apply to your specific setup, book a conversation.

Sources

- Information Commissioner's Office (2023). Guidance on AI and data protection. The UK regulator's guidance on how GDPR applies to AI, covering lawful basis, fairness, transparency, data minimisation, and individual rights. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/ai-and-data-protection/
- European Commission (2024). EU AI Act (Regulation EU 2024/1689). The risk-based regulatory framework classifying AI by impact on individuals, with higher obligations for AI used in recruitment, credit scoring, and automated individual decisions. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689
- Information Commissioner's Office (2022). ICO enforcement action against Clearview AI Inc. The ICO fined Clearview AI £7.5 million for unlawful biometric data collection and ordered deletion of all UK residents' data. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/05/ico-fines-clearview-ai-inc-7-5m/
- National Cyber Security Centre (2024). Generative AI: what you need to know. NCSC guidance on secure use of generative AI tools, including risks of data leakage and recommended staff policies for UK organisations. https://www.ncsc.gov.uk/guidance/generative-ai-what-you-need-to-know
- National Cyber Security Centre (2024). Using AI safely and securely. NCSC guidance advising organisations to maintain an AI asset register, enforce access controls, and log AI usage in critical workflows. https://www.ncsc.gov.uk/guidance/using-ai-safely-and-securely
- Information Commissioner's Office. Data Protection Impact Assessments (DPIAs). ICO guidance on when a DPIA is required, covering high-risk processing including large-scale personal data use and automated decision-making. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-impact-assessments-dpias/
- Information Commissioner's Office. Rights related to automated decision-making and profiling. ICO guidance confirming UK GDPR Article 22 restrictions on solely automated decisions with legal or similarly significant effects on individuals. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/guide-to-data-protection/key-dp-themes/rights-related-to-automated-decision-making-including-profiling/
- Financial Conduct Authority (2022). DP5/22: Artificial intelligence and machine learning in financial services. Discussion paper confirming that FCA-regulated firms and their senior managers remain accountable for AI-assisted outcomes under the Senior Managers and Certification Regime. https://www.fca.org.uk/publications/discussion-papers/dp5-22-artificial-intelligence-financial-services
- UK Government (2023). A pro-innovation approach to AI regulation. The UK AI regulatory White Paper, stressing transparency, accountability, and assurance across existing regulatory frameworks. https://www.gov.uk/government/publications/ai-regulation-a-pro-innovation-approach/white-paper
- McKinsey and Company (2023). The state of AI in 2023: generative AI's breakout year. Survey finding that organisations capturing the most value from AI were nearly twice as likely to align AI initiatives to specific business metrics as lower-performing peers. https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai-in-2023-generative-ais-breakout-year

Frequently asked questions

Does UK GDPR require a Data Protection Impact Assessment every time I use an AI tool?

Not for every use. A DPIA is required when processing is likely to result in high risk to individuals. For an owner-managed business, that means any AI use involving large-scale processing of personal data, sensitive categories such as health or financial information, or automated decision-making with significant consequences. For lower-risk uses, such as drafting internal documents with no personal data involved, a DPIA is not legally required, though documenting your thinking is good practice.

What is the simplest way to check whether my AI vendors are compliant with UK GDPR?

Ask three questions in writing before committing to any business-grade AI tool: where is my data stored, is it used to train any model, and who are the sub-processors? Reputable vendors answer all three in their terms or data-processing agreement. If you are on a free-tier consumer account, the answer to the second question is often yes. Moving to a paid business plan typically changes that, but verify the specific terms rather than assuming.

Does the EU AI Act apply to a UK-based business?

It applies if you serve customers in the EU, regardless of where your business is based. For owner-managed businesses using off-the-shelf AI tools rather than building AI systems, the most relevant obligations fall in the limited-risk band: primarily, informing customers when they are interacting with an AI system. The full conformity assessment burden rests with the AI vendor, not you as a deployer, but transparency obligations apply to how you use those tools with EU customers.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.

Ready to talk it through?

Book a free 30 minute conversation. No pitch, no pressure, just a useful chat about where AI fits in your business.

Book a conversation
