UK AI Security Institute Australia MoU
In short: The UK AI Security Institute Australia MoU, signed in Canberra on 25 May 2026, deepens bilateral cooperation between the UK AI Security Institute (AISI) and the Australian AI Safety Institute on frontier AI evaluation, research and best practice. It does not change UK law and creates no new compliance duties for UK regulated firms.
UK firms deploying frontier AI face an evaluation infrastructure that is still being built. The bilateral cooperation agreement signed today in Canberra between the two AI safety institutes is the latest piece of that infrastructure. It does not change UK law and creates no new compliance duties. The UK is relying on existing legislation, including UK GDPR as amended by the Data (Use and Access) Act 2025, and on a series of executive policy choices through which sector regulators apply their existing frameworks to frontier AI.
The UK AI Security Institute Australia MoU in summary
UK AI Minister Kanishka Narayan and Australia’s Assistant Minister for Science, Technology and the Digital Economy, Dr Andrew Charlton, signed the MoU when they met in Canberra on Monday 25 May 2026. The agreement sits between two government bodies: the UK AI Security Institute (rebranded from the AI Safety Institute) and the Australian AI Safety Institute. The MoU covers four heads of cooperation: information sharing on frontier AI capabilities; joint research into emerging risks; collaboration on best practice for testing and evaluating AI systems; and staff exchanges between the two institutes.
The DSIT press release frames the agreement as a response to fast-moving AI security risks, and is timed alongside new AISI research on the rate at which advanced AI systems are improving their ability to carry out complex cyber-attacks. The MoU is the second of AISI’s named bilateral partnerships and sits within the broader International Network for Advanced AI Measurement, Evaluation and Science, AISI’s multilateral evaluation programme with research bodies across the world’s major economies.
AISI’s bilateral programme and the wider evaluation network
The UK Government established AISI in November 2023, around the Bletchley Park AI Safety Summit, and houses it within the Department for Science, Innovation and Technology (DSIT). Its rebrand from “AI Safety Institute” to “AI Security Institute” tracks a wider shift in UK AI policy from safety-first caution to a security-and-opportunity register, reflected in the AI Opportunities Action Plan published in January 2025. Its operational remit is unchanged: red-team and evaluate frontier AI models against safety and cyber-security criteria, publish research, and inform UK policy.
The MoU does not codify the AISI evaluation methodology into UK law. The UK has no AI-specific statute. Instead, the UK is relying on existing legislation, primarily the UK GDPR as amended by the Data (Use and Access) Act 2025 and sector regulators applying their existing frameworks, alongside executive policy choices such as the 2023 AI White Paper, the AI Opportunities Action Plan, and DSIT’s open letter on AI cyber threats to UK organisations. We have covered the wider framework in our UK AI regulation practitioner framework.
UK sector regulators do not have their own frontier AI evaluation capability. The ICO sets out enforcement and guidance principles in its Regulating AI strategic approach; the FCA frames its expectations through the Consumer Duty and AI Lab; Ofcom raises cyber-security concerns through its 21 April 2026 open letter to Communications Providers on frontier AI cyber risk. AISI is one source of frontier-model capability assessment within the UK Government, alongside the NCSC, which publishes parallel threat intelligence on AI cyber capability. The methodology AISI develops with allied institutes feeds into sector guidance over time but does not bind any specific regulator.
Where this sits in existing UK law
The MoU itself is not a legal instrument that binds firms. The substantive duties remain unchanged: Article 32 UK GDPR requires data controllers and processors to apply technical and organisational measures appropriate to the risk, taking into account the state of the art; the Data (Use and Access) Act 2025 (c.18) added new Articles 22A to 22D UK GDPR on solely-automated decisions with legal or similar effects, in force from 5 February 2026 under SI 2026/82; the FCA’s Consumer Duty applies to fintech firms using AI in retail offerings; Ofcom’s General Conditions and the TSA 2021 apply to telecoms operators. None of these moves because of the MoU. Where firms want to align their AI assurance with the evolving regulator expectation, our AI data governance advice page sets out when in-house counsel typically engage with us.
Viewpoint
This MoU demonstrates continuing cooperation with one of the UK’s Five Eyes partners on frontier AI.
Frequently asked questions
Does the UK AI Security Institute Australia MoU change UK law?
No. The MoU is a bilateral cooperation agreement between two government research bodies. It does not create new compliance duties on firms, does not amend the UK GDPR or the Data (Use and Access) Act 2025, and is not a statutory instrument. UK firms deploying AI continue to be regulated under the existing sector-by-sector framework, with the ICO, the FCA and Ofcom applying their existing powers.
Will UK sector regulators adopt the AISI evaluation methodology?
Not as a binding standard. The UK has no statutory mechanism that obliges the ICO, the FCA or Ofcom to use any particular technical evaluation. AISI’s evaluation work is one input regulators can draw on alongside other UK Government sources, including NCSC threat intelligence. Firms should treat the AISI methodology as a reference point that may inform sectoral guidance over time, not as a regulatory standard.
