A services firm owner opens a government tender pack and finds a section they weren’t expecting: questions about AI. Are they using it in delivery? Where? How is data handled? Who reviews outputs? They’re already using a language model to help draft the proposal itself. The gap between what they’re doing and what they’re being asked to account for suddenly feels very visible.
This is a relatively new kind of discomfort. The UK government has embedded AI disclosure into its procurement guidance, and for smaller services firms the question is no longer whether this matters but exactly where it bites and how seriously to prepare.
What is AI disclosure in government contracting?
The UK government now asks suppliers to declare how they plan to use AI in delivering a contract. Procurement Policy Note guidance from the Cabinet Office tells commercial teams to include questions about supplier AI use where AI in delivery is plausible (the question set is optional for the buyer to include, but once included it expects an answer), and to build AI-specific safeguards into award criteria and contract terms where the risk warrants it.
This framework grew out of a procurement landscape where AI was entering service delivery without visibility or governance. The government’s AI procurement guidelines, published in 2020, set out themes for assessing AI viability and embedding standards into contracts. The AI Playbook for UK Government, launched in February 2025, reinforced that expectation across departments and public bodies. The Playbook expects teams to understand, monitor, and mitigate AI risks, to involve assurance teams early, and to maintain programme-level oversight. Suppliers sit downstream: the governance architecture buyers build for themselves shapes what they look for in the firms they contract with.
The practical consequence is that a tender response silent on AI, while the delivery model relies on it, creates exposure later. The Cabinet Office guidance also says commercial teams may require suppliers to declare AI use and provide further detail. If the buyer later asks to audit data handling or review how human oversight worked, a firm that never addressed these questions is in a weaker position.
Why does this create risk for a smaller services firm?
Public-sector buyers working from government guidance now expect suppliers to explain what their AI does, where data flows, who reviews outputs, and how errors are escalated. For a small services firm relying on third-party AI tools, a black-box arrangement, in which you cannot describe the model’s purpose, its data handling, or the human oversight around it, does not satisfy that expectation at tender stage or during delivery.
The Government’s AI Playbook makes this concrete. It expects departments to maintain organisation-specific security and data-handling policies, documented review processes, escalation routes, and oversight at programme or board level. Buyers building this governance architecture naturally look for compatible controls in their suppliers. Documentation ready to share when asked is the practical minimum. A services firm that cannot describe its own AI governance is failing to answer a question the buyer is already asking.
Data protection adds a second layer. The ICO has confirmed that UK GDPR principles apply fully to AI systems that process personal data. Fairness, transparency, accuracy, and accountability are requirements regardless of whether the processing is automated. The ICO’s AI procurement guidance goes further, pointing to data protection impact assessments, meaningful human review, and supplier management as practical requirements for organisations deploying AI in service delivery.
Where will you actually encounter this in a tender?
AI governance in public-sector contracting surfaces at three points. At bid stage, the tender pack may include questions about AI use in delivery, which systems are involved, and how data is handled. At contract negotiation, buyers may request specific clauses on data flows, output review, and logging rights. During delivery, where audit rights or escalation routes are written into the contract, you are expected to perform against them.
The NCSC’s AI security guidance adds a technical dimension to all three stages. Its work on prompt injection, data leakage, insecure integration, and supply-chain risk translates directly into the questions a well-briefed procurement team will ask. If the buyer’s commercial team has read NCSC guidance, they will want to know about model access controls, logging practices, and what happens when a data boundary is breached.
The CMA’s position on AI claims is relevant at bid stage. If your proposal describes specific AI-driven outcomes, those claims need to be accurate and defensible. The CMA has said businesses must not exaggerate AI capabilities, must be clear about limitations, and must take responsibility for outputs. A bid that promises AI precision it cannot deliver creates risk before the contract is signed.
When do you need to act on this, and when is the risk lower?
The governance burden scales with two variables: how sensitive the data is that your AI processes, and whether the AI is doing decision-support work or purely internal drafting. A language model helping your team write first-draft documents, with no client data fed in and no effect on what the buyer receives, sits at the lower end of the risk spectrum. AI processing client submissions or recommending outcomes for beneficiaries sits at the high end.
The government guidance is consistent on this distinction. The AI Playbook emphasises suitability assessments, which means using AI where it is genuinely the right tool at the right risk level. If your AI use is wholly internal and has no effect on the contracted service, the procurement burden is lighter. Where any AI component touches what the buyer is paying for, transparency, human oversight, and data controls become requirements, not optional extras.
A separate consideration applies for firms with FCA-regulated activities or those working with financial services clients. The FCA has signalled active scrutiny of AI and data-driven decision-making under its operational resilience and third-party risk frameworks. A services firm supporting financial services clients, even in a delivery capacity, should check where those obligations extend to them.
What are the related regulations you need to know?
UK GDPR, enforced by the ICO, is the foundational layer for any AI system that processes personal data. Obligations attach whether you act as data controller or as processor (the specific duties differ, but neither role is exempt), and regardless of whether AI is incidental or central to the service you deliver. The ICO has published dedicated guidance covering both AI deployment and AI procurement, including DPIAs, meaningful human review, and supplier management expectations.
The NCSC’s AI security collection and its guidance on securing large language model applications cover the specific technical risk surface, including prompt injection, data leakage, and supply-chain vulnerabilities. These risks translate directly into contract clauses about logging, model access controls, and incident response. A cyber assurance requirement in a public-sector contract will typically reference NCSC guidance as the expected standard.
The EU AI Act matters if your firm works with EU public-sector buyers or handles contracts where EU law applies. It creates obligations for high-risk AI systems and transparency requirements for certain use cases. UK firms are not automatically exempt when the end-user is in the EU.
For the government guidance itself, two documents are worth bookmarking: the AI procurement guidelines PDF published in 2020, and the AI Playbook for UK Government published in February 2025. Both are on GOV.UK. The two-step pattern running through all of it is disclosure at tender and governance built into contract terms. Both steps belong to the firm that signs the contract, not the AI supplier it uses.