Training staff to use AI safely and consistently

TL;DR

Staff at many UK services firms are already using AI tools at work, often without any guidance, and the ICO confirms this can trigger UK GDPR breaches. A structured approach, built on a written AI use policy, an internal champion, and role-specific training, is the practical starting point. UK government subsidies cover much of the cost for eligible SMEs. Start with low-risk, high-volume workflows and build the governance layer from there.

Key takeaways

- Cisco's 2024 benchmark found 69 per cent of organisations globally had discovered staff using generative AI with work data and without formal guidance, and a UK services firm with no policy is almost certainly in the same position.
- Under UK GDPR, copying client personal data into an unapproved public AI tool can constitute a data breach, and the ICO has listed AI as a top enforcement priority in its 2024-25 strategic plan.
- A one-page AI use policy covering approved tools, data rules, output review requirements, and incident reporting is the single highest-value starting move for an owner-managed firm.
- Role-specific training, aligned to the actual workflows each team uses, produces measurably better adoption and fewer misuse incidents than generic AI literacy sessions.
- The UK Government's AI Upskilling Fund offers match funding of up to £10,000 per SME for AI training, and the AI Skills Bootcamps provide free or subsidised training for eligible staff in England.

A founder described a moment during a team check-in when she asked, off the cuff, how many people had used an AI tool for work in the past month. Almost the entire room put their hands up. She hadn’t authorised any tools. There was no policy, no approved list, no training. The tools were already embedded in daily work, and she had no way of knowing whether any client data had passed through them.

That moment is where AI staff training actually starts.

What does training staff to use AI safely actually involve?

Training staff to use AI safely involves three things working together: a written policy that sets out what is permitted and what is off-limits, an internal champion who keeps the practice alive, and role-specific sessions that connect those rules to actual workflows. Each element is built around the tools your team is already using and the tasks they do every day, not a generic course delivered once and forgotten.

Cisco’s 2024 Data Privacy Benchmark Study found that 69 per cent of organisations globally had discovered staff using generative AI tools with work data and without any formal guidance. Spicy Advisory’s 2026 analysis of UK SMB adoption shows a similar pattern: tools are in use, but rarely in ways that would satisfy a regulator or produce consistent outcomes.

The one-page policy is the foundation. It names the approved tools, specifies the data that must never be entered, such as client personal data or confidential documents, identifies who must check AI outputs before they reach customers, and describes how to report a concern. Every staff member reads and signs it annually.

The internal champion role sits alongside the policy. This is a respected member of the team, not the most senior person in the room, who puts roughly one day a week into testing tools, maintaining a shared prompt library, and helping colleagues apply the policy to real work. Role-specific workshops then follow, built around the tools and workflows your team already has, rather than a standardised curriculum that doesn’t map to what your people actually do.

Why does unmanaged AI use put a services firm at real risk?

UK GDPR and the Data Protection Act 2018 apply in full whenever AI processes personal data. The ICO’s guidance on AI and data protection confirms that employees copying client personal data into a public AI tool, without a data processing agreement in place, can constitute a data breach. The ICO listed AI as a top enforcement priority in its 2024-25 strategic plan, and that applies to firms of any size.

In October 2022, the ICO fined Interserve £4.4 million for failing to implement appropriate security measures after a cyber-attack compromised the personal data of 113,000 employees. The case was not AI-specific, but it demonstrates the regulator’s willingness to penalise inadequate governance, exactly the gap that unmanaged AI use creates.

The commercial case is equally clear. Only 31 per cent of UK SMBs report a measurable return from AI, according to Spicy Advisory’s analysis of ONS and vendor data. The consistent finding is that ad-hoc, untrained use rarely produces reliable outcomes or consistent output quality.

For FCA-regulated firms, the exposure is higher still. The FCA’s 2022 AI update, reinforced in its 2024 feedback on machine learning in UK financial services, confirms that AI does not change a firm’s regulatory obligations. The board remains responsible for conduct, fairness, and operational resilience. A regulated SME that cannot demonstrate how its staff are using AI, or what controls are in place, is carrying a risk that may not yet be visible on its radar.

Where does this problem show up in a typical services firm?

Client work carries the most immediate exposure. Personal data flows into AI tools when staff use them to summarise meeting notes, draft proposals, or handle enquiries, and many public tools route that data through third-party servers without the user noticing. Without an approved tools list and a data processing agreement, each instance is a potential compliance issue. The gap is invisible until something goes wrong.

The second risk is output quality. AI-generated text goes out in client emails and proposals without review, sometimes inconsistent in tone, sometimes factually wrong. The ASA’s position is that AI-generated content must meet the same standards of truthfulness and substantiation as any other communication. For a professional services firm, a single inaccurate AI-drafted report can be harder to recover from than the compliance issue itself.

The third is shadow use. When staff find approved tools too slow or too restricted, they use unapproved ones instead, working around the policy rather than within it. The NCSC’s guidance on secure AI development identifies unmonitored tool use as a risk that creates audit gaps and expands the attack surface. Restricting access to unapproved public AI tools at network level makes shadow use a deliberate decision rather than the default path.

When should you start, and what does the first 90 days look like?

Start with three to five workflows that are high-volume and low-risk: drafting routine emails, summarising calls, producing first-draft proposals, triaging standard enquiries. Write the one-page policy around those specific tasks, appoint the champion, and run a short workshop per function using the tools the team already has. A structured 90-day pilot is achievable without a large budget, and UK government funding covers much of the cost for eligible firms.

The UK Government’s AI Skills Bootcamps provide free or heavily subsidised AI and data skills training for adults in England, including SME staff, structured around occupational pathways rather than generic literacy sessions. The AI Upskilling Fund pilot offers match funding of up to £10,000 per SME for AI-related training. Providers such as TESS Group, Summone Consulting, and Cosmic offer hands-on workshops built around a firm’s own tools and workflows.

What to hold back in the first phase: AI-driven decisions on credit, employment, or regulated financial advice, and any processing likely to trigger a Data Protection Impact Assessment under the ICO’s guidance. High-risk workflows come once the policy is tested and the champion is confident.

Review the pilot at 90 days with three straightforward questions. Did it save measurable time? Did output quality hold up against your firm’s standard? Did the champion flag any concerns that need addressing before you go further? What you learn in that period sets the scope for the next phase.

What connects AI training to the rest of how you run the business?

AI training connects to the governance layer your business needs regardless of AI. The one-page policy feeds into your data protection practices. The approved tools list links to your IT access controls. Human review of AI outputs maps onto your existing quality assurance routines. Getting this right doesn’t create a parallel layer of overhead; it integrates AI use into the operation you’re already running to a standard.

The NCSC’s guidelines for secure AI system development set out the core controls: access management tied to existing identity systems, logging to support incident investigation, and supply-chain due diligence when choosing AI vendors. These are the same principles governing any other software your team relies on, applied to a new category of tool.

For firms with European clients or EU-based processing, the EU AI Act is worth understanding. It sets risk-based obligations including mandatory human oversight and transparency requirements for AI-generated content. UK firms operating entirely domestically are not directly in scope, but the Act is shaping how global AI vendors design their products, and its risk categories are useful framing for any policy you are building.

The culture point holds too. A team that understands what AI does well and what it does badly, that has a shared prompt library and documented workflows, and that knows how to flag a concern is a more capable team. That capability builds over time in a way that uncoordinated tool adoption never does. The training is the start; the practice is what embeds it.

If you want to think through what a structured AI rollout looks like for your specific firm, book a conversation.

Sources

- ICO (2024). Guidance on AI and data protection. Confirms UK GDPR applies whenever AI processes personal data; covers lawful basis, DPIAs, automated decision-making, and controller responsibilities. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/
- UK Government (2024). Artificial Intelligence Playbook for the UK Government. Sets out written governance, approved tool standardisation, access controls, and human oversight as foundations for any AI deployment. https://www.gov.uk/government/publications/ai-playbook-for-the-uk-government/artificial-intelligence-playbook-for-the-uk-government-html
- NCSC (2023). Guidelines for secure AI system development. Establishes secure-by-design principles including access management, logging, and supply-chain due diligence for AI vendors. https://www.ncsc.gov.uk/collection/guidelines-secure-ai-system-development
- Cisco (2024). Data Privacy Benchmark Study. Reports 69 per cent of organisations globally found staff using generative AI tools with work data and without formal guidance. https://www.cisco.com/c/en/us/products/security/privacy-center/data-privacy-benchmark-study.html
- UK Government, Department for Education (2024). Skills Bootcamps: digital and AI skills. Free or subsidised AI training for adults in England, structured around occupational pathways. https://www.gov.uk/government/publications/skills-bootcamps/skills-bootcamps
- UK Government, DSIT (2024). AI Upskilling Fund pilot scheme. Match funding of up to £10,000 per SME for AI-related training. https://www.gov.uk/government/publications/ai-upskilling-fund-pilot-scheme
- FCA (2022). Artificial intelligence: today and tomorrow. Confirms AI does not change regulated firms' obligations; boards remain responsible for conduct, fairness, and operational resilience. https://www.fca.org.uk/news/speeches/artificial-intelligence-today-and-tomorrow
- ICO (2022). ICO fines Interserve Group Limited £4.4m for failing to keep personal information secure. Demonstrates the regulator's enforcement appetite for inadequate governance and security practice. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/10/ico-fines-interserve-group-limited-4-4-million/
- Spicy Advisory (2026). AI adoption for UK SMBs: stats, barriers and playbook. Reports 70 per cent of UK SMBs use AI tools at work but only 31 per cent report clear, measurable ROI, largely due to ad-hoc untrained use. https://spicyadvisory.com/blog/ai-adoption-uk-smb-guide-2026
- EU (2024). Artificial Intelligence Act. Sets risk-based obligations including mandatory human oversight, transparency requirements, and documentation for high-risk AI use; relevant for UK firms with EU clients. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2021%3A206%3AFIN

Frequently asked questions

Do my staff need formal AI training, or can they learn as they go?

Letting staff learn informally is how client data ends up passing through public AI tools without a data processing agreement, and without anyone realising it happened. The ICO confirms that employees using public AI tools with personal data, without appropriate controls, can constitute a UK GDPR breach. A one-page policy and a short role-specific session are the minimum to bring informal use inside a framework that protects the business.

What should a one-page AI use policy actually cover?

At minimum: an approved tools list specifying which AI tools may and may not be used for work; data rules covering what must never be entered, such as client personal data or special-category data, without explicit IT approval and a data processing agreement; output review requirements identifying who must check AI-generated content before it reaches clients; prohibited uses; and an incident reporting route. Every staff member should read and sign it, and it should be reviewed annually.

Is there government funding available for AI training in a small UK business?

Yes. The UK Government's AI Skills Bootcamps provide free or heavily subsidised AI training for adults in England, including employees of SMEs. The AI Upskilling Fund pilot offers match funding of up to £10,000 per SME for AI-related training. Providers such as TESS Group offer Level 5 AI Apprenticeship Units at £750 per learner, with 100 per cent government funding for firms with a paybill under £3 million. Cost is rarely the real barrier to getting started.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.
