DRCF generative AI: the regulators’ AI assurance playbook is your benchmark

DRCF generative AI: the four UK digital regulators' AI assurance frameworks

In short: DRCF generative AI insights, published on 24 June 2026, show how the ICO, FCA, CMA and Ofcom govern their own use of generative AI: hallucination and bias controls, retrieval grounding, human review and evaluation frameworks. The same controls are the benchmark these regulators will expect of the firms they oversee when those firms deploy AI.

By Rob Bratby, Managing Partner, Bratby Law. Lexology Global Elite Thought Leader for Data Protection. Chambers UK Band 2 (Telecommunications). Legal 500 Leading UK Telecoms Partner. 30+ years in telecoms and data protection regulation, including Oftel and senior operator roles.

Any regulated firm putting generative AI into its own operations now has a clear reference point for what good governance looks like, written by the people who will later judge it. On 24 June 2026 the Digital Regulation Cooperation Forum (DRCF), the joint forum of the ICO, FCA, CMA and Ofcom, published the findings of a year of deep-dive sessions on how its members adopt generative AI. Read as a compliance signal rather than a progress report, the DRCF generative AI work tells regulated firms how the four regulators expect AI to be governed.

What the DRCF published

The DRCF reported the results of six cross-regulator sessions held over the past year, covering four areas: governance frameworks, prompt engineering, the use of AI to detect consumer harms, and frameworks for evaluating AI performance. The work supports the Government’s AI Opportunities Action Plan and its “scan, pilot, scale” approach. Each regulator has rolled out AI productivity tools to staff and is moving from experiment to routine use. The CMA, for instance, has built agentic AI that experiences online customer journeys to spot practices such as drip pricing; the DRCF records that this has fed eight investigations and advisory letters to a hundred other businesses.

The DRCF generative AI assurance approach

The regulators described a common set of controls. Each runs an internal governance framework that manages the AI lifecycle and the risks of hallucination and bias. The FCA, for example, underpins its approach with an internal Data Management Policy, an AI Frontier Policy and a Data Privacy Policy. One regulator uses retrieval-augmented generation, building a secure index of approved documents so the model answers from verified sources, which reduces but does not remove inaccuracy. All four treat prompt engineering as a discipline, with shared prompt libraries, staff training and standardised citation rules. Before a tool moves from pilot to wider use, it passes an evaluation framework that scores outputs against reference answers on accuracy, style and substance, with human review kept as an essential check rather than an optional one.

The regulators also invested in staff training. They standardised terminology and prompts, taught staff about accuracy, bias and the limits of interpretability, and reviewed prompts collaboratively to keep outputs consistent between teams. The theme common to every session is that generative AI is treated as a governed capability, not a free-text tool, with the controls fixed before the technology is relied on. That is the same expectation the regulators bring to the firms they supervise.

What the regulators do internally | What it signals for firms deploying AI
Run a documented AI governance framework covering the data lifecycle, hallucination and bias | An accountability framework and DPIA are expected under Article 5(2) UK GDPR where AI processes personal data
Ground models in verified sources through retrieval-augmented generation | Accuracy is a data protection principle; firms must be able to show how they manage model error
Keep human review as an essential validation step | Meaningful human involvement is a core safeguard for automated decisions under the DUAA 2025 regime
Score tools against an evaluation framework before wider use | Firms can expect to evidence testing, performance and failure modes before deployment

Why DRCF generative AI work is your benchmark

The UK still has no standalone AI statute; existing regulators apply existing law to AI, a position explained in this explainer on UK AI regulation. That makes how each regulator runs its own AI unusually informative for the firms it oversees. In data protection, the ICO’s expectations on accountability, DPIAs and accuracy sit in its guidance on AI and data protection, and the Data (Use and Access) Act 2025 reshaped the rules on solely automated decisions, set out in this guide to automated decision-making. In financial services, the FCA’s AI approach applies the Consumer Duty and the senior managers regime rather than new rules, examined in this piece on the FCA AI Lab. For online services, the same governance themes sit beneath the Online Safety Act 2023 “safe by design” duties that Ofcom’s AI strategy enforces. The consumer-protection edge of the DRCF’s work is covered separately in this post on AI consumer protection.

Viewpoint

I read the DRCF generative AI work as the clearest statement yet of what the four regulators believe responsible AI use looks like, drawn from their own deployments rather than from a consultation. The controls they describe, namely documented governance, source grounding, bias checks, human review and tested evaluation, map closely onto what the ICO already asks of controllers and what the FCA expects under the Consumer Duty. A firm that can evidence the same disciplines is on stronger ground if a regulator later asks how its AI was governed. The detail that interests me most is enforcement-facing: the CMA’s agentic tools show the regulators are willing to use AI to find problems as readily as firms use it to gain efficiency. Firms weighing an AI deployment can find the assurance steps in this guide to AI and data governance.

Frequently asked questions

What is the DRCF?

The Digital Regulation Cooperation Forum is a voluntary forum that brings together four UK regulators with digital responsibilities: the CMA, FCA, ICO and Ofcom. It coordinates their approach to digital regulation and shares learning between them, but it does not itself make law.

Does the DRCF generative AI blog create new legal obligations?

No. It describes how the regulators use AI internally. The obligations on firms come from existing law, including the UK GDPR, the Data (Use and Access) Act 2025, the Consumer Duty and the Online Safety Act 2023, which each regulator applies within its remit.

What should a firm deploying AI take from it?

The assurance controls the regulators apply to themselves, namely documented governance, source grounding, bias checks, human review and evaluation, indicate the standard they are likely to expect from regulated firms that deploy AI in their own operations.

For advice on governing an AI deployment in a regulated business, contact Rob Bratby at Bratby Law.
