As AI adoption accelerates across UK businesses, security and compliance teams are working to align deployments with GDPR requirements and new government cybersecurity guidance.
Regulators and industry bodies warn that widespread use of unapproved AI tools and third-party platforms is creating governance and data security risks that many organizations are only beginning to address.
UK businesses continue to adopt AI as security teams catch up
According to data from the Office for National Statistics (ONS), in September 2025 just under a quarter of all UK businesses had deployed AI in some form, and a further 15 percent said they would deploy it within the next three months. Taken at face value, the ONS figures imply that over one-third of all UK businesses should have deployed AI by now.
Security and compliance leaders are now moving to correct early deployment mistakes: employees have been using AI to draft documents, analyze data, and write code, often before IT teams have approved the tools or know where the data is going.
As AI deployments start to touch more sensitive data and more of the organization's systems, this shadow AI problem could have far-reaching consequences if left unchecked.
GDPR compliance and shadow AI risks
The Information Commissioner’s Office (ICO) has already said that UK businesses using AI for personal data must still comply with UK GDPR principles, which include security, data minimization, fairness, and accountability.
Business units or employees trialing AI systems on their own need to be aware of this, and before any such system goes into production, more than one set of eyes should assess whether it meets these principles.
NCSC issues guidance on rise in AI-driven cyber threats
On top of GDPR compliance, the UK National Cyber Security Centre (NCSC) has warned that the deployment of AI systems will increase both the volume and the impact of cyber threats. To help mitigate this, the NCSC has published secure AI development guidance that covers both building AI systems from scratch and using third-party tools.
This matters because most UK businesses are not building their own AI systems but are accessing them through cloud, SaaS, and cybersecurity platform providers. Most of those systems are foreign-hosted, which makes data governance and data sovereignty even more pressing concerns.
The three pillars of UK financial regulation and standards – the Bank of England, the Financial Conduct Authority, and HM Treasury – have been examining the adoption and operation of frontier AI models, with a focus on cyber resilience, operational resilience, and third-party dependencies.
The sector already has a mature compliance culture around the outsourcing of critical services; the introduction of AI simply adds another layer to it.
Why governance doesn’t have to slow down AI adoption
The introduction of standards, guidelines, and regulations does not necessarily mean that AI adoption will slow. On the contrary, a growing number of employees appear to be using unapproved AI tools at work regardless.
Microsoft UK research found that 71 percent of employees had used unapproved AI tools and that 51 percent were doing so every week. SAP UK reported similar numbers in its findings. This suggests that many employees either do not understand the compliance and security risks or are willing to put data at risk for the productivity benefits of AI tools.
For larger deployments, however, security concerns are likely to shape how and when systems are rolled out. Regulated, customer-facing, or data-heavy AI systems will face longer approval cycles from security teams, because they must satisfy the requirements of several UK regulators.
There has already been an uptick in AI projects halted due to safety and security concerns, according to surveys by Aikido and CybaVerse.
For UK businesses, the approval cycle for AI systems needs to be faster, so that employees are not pushed toward non-compliant software while they wait. At the same time, tools used on sensitive data projects need closer oversight, with unapproved tools blocked outright.
How UK partners can enable successful and secure AI deployment
For channel partners, the uncontrolled spread of AI systems across UK businesses creates an opportunity to become the authoritative source of evidence on whether those systems are secure, auditable, and compliant.
Vendors that can provide a comprehensive set of secure processes will be better positioned than those simply adding AI to their packages without credible assurances.
AI is far too valuable, and far too hyped, to be slowed down for now, but organizations can bring it under better control.
As in the US market, UK-based MSPs, resellers, integrators, and other partners can leverage AI adoption to initiate new conversations with customers about compliance, data governance, and overall security posture in the coming months.