UK AI Regulation Tightens: What the ICO Guidance and Parliament's Inquiry Mean for Employers

The UK's approach to AI regulation has been characterised, since the 2023 AI White Paper, by deliberate restraint. The government's position — that existing regulators should apply existing law to AI rather than creating new AI-specific legislation — was intended to avoid the regulatory fragmentation that has complicated AI deployment in the EU. It was also, critics noted, a way of postponing difficult decisions.

Those decisions are now arriving. In April and May 2026, three significant regulatory developments — an ICO consultation on automated decision-making in employment, a House of Commons inquiry into AI in UK workplaces, and new guidance from the Digital Regulation Cooperation Forum on agentic AI — have collectively shifted the regulatory landscape from permissive to prescriptive. The direction of travel is clear: automated AI decisions that affect people are coming under closer scrutiny, and the organisations that have not thought carefully about accountability and transparency will find themselves exposed.

Development 1: The ICO's Automated Decision-Making Consultation

The Information Commissioner's Office launched a consultation in April 2026 on the use of automated decision-making in recruitment. The consultation, which closes on 29 May 2026, focuses on a specific and contentious area: the use of AI to screen CVs, assess candidate suitability, schedule interviews, and in some cases make hiring recommendations without meaningful human involvement at each stage.

The ICO's working position is that automated decisions affecting employment — whether hiring, performance management, disciplinary outcomes, or promotion — require meaningful human involvement at decision points that have material consequences for the individual. Meaningful, in this context, is doing significant work. The ICO has been explicit that a human clicking "approve" on an AI recommendation, without genuinely reviewing the underlying decision, does not constitute meaningful involvement.

The practical implications are considerable:

• CV screening tools that rank or filter candidates before a human reviewer sees them need to be audited for bias and explainability. The output must be reviewable by a human who can override it on the basis of their own judgment.
• AI interview assessment tools — software that analyses facial expressions, speech patterns, or responses to score candidates — face particular scrutiny. The ICO has flagged these as high-risk under existing data protection law, and the consultation suggests formal guidance is coming.
• Performance management systems that use AI to generate ratings, flag underperformance, or recommend disciplinary action must have human decision-makers who are genuinely engaged with the evidence, not simply ratifying an algorithmic output.

Organisations that are using AI in any of these ways should submit to the consultation — or at minimum read the ICO's working draft — before the closing date of 29 May. The guidance that follows will have real teeth: the ICO has enforcement powers and a track record of using them in high-profile cases.

Development 2: The House of Commons Business and Trade Committee Inquiry

In parallel with the ICO consultation, the House of Commons Business and Trade Committee launched an inquiry into the use of AI in UK workplaces. The inquiry is examining three primary areas: AI in recruitment and selection, AI in performance monitoring and management, and AI in decisions about pay, hours, and employment terms.

Parliamentary inquiries do not create law directly, but they shape it. The Committees' conclusions influence government policy, provide a platform for concerns from workers and trade unions, and create political pressure that tends to produce regulatory responses. The areas under scrutiny — recruitment, performance management, and terms of employment — cover the majority of consequential AI applications that UK employers are currently deploying or planning to deploy.

The inquiry is also examining the transparency obligations that employees should have when AI is used in decisions affecting them. Current UK law requires organisations to inform individuals when decisions about them are made solely by automated means. The inquiry is examining whether this obligation is being met in practice, and whether the threshold — solely automated — is set at the right level.

Development 3: DRCF Guidance on Agentic AI

The Digital Regulation Cooperation Forum — the body that coordinates between the ICO, FCA, Ofcom, and CMA — published guidance in May 2026 on the governance of agentic AI. This is the first UK regulatory guidance specifically addressed at the new generation of AI agents that can take actions, make decisions, and operate over extended periods without direct human oversight.

The DRCF guidance establishes a framework built around three principles:

• Accountability. Organisations deploying agentic AI must be able to identify who is accountable for the agent's actions, and that accountability must sit with a human or organisation, not with the AI system itself.
• Transparency. Where agentic AI takes actions that affect other people — customers, employees, third parties — those people must be able to understand that an AI system was involved and have a route to challenge the outcome.
• Control. Organisations must be able to pause, override, or shut down agentic AI systems when required, and must have documented processes for doing so. Autonomous systems that cannot be interrupted are not acceptable under the framework.

For organisations that have been building or deploying AI agents — whether for internal automation or customer-facing services — this guidance provides the clearest statement yet of what UK regulators expect. It is not yet legally binding in the way that ICO enforcement action would be, but it sets the standard against which future enforcement will be measured.

Which Systems Are in Scope

The combined effect of these three developments is to bring into scope a wide range of AI applications that many organisations have deployed without detailed regulatory analysis. The following systems deserve immediate audit:

• ATS (Applicant Tracking Systems) with AI scoring. Any system that ranks, filters, or scores candidates before human review.
• AI interview platforms. Tools that assess candidates via video analysis, psychometric profiling, or automated scoring of responses.
• Performance management software with AI analytics. Systems that generate performance scores, flag patterns, or recommend outcomes without separate human analysis.
• Workforce management tools. AI that schedules shifts, allocates tasks, or manages working hours based on algorithmic optimisation.
• Customer-facing AI agents. Any agent that makes or influences decisions about customers — credit, claims, service levels — without human review of individual cases.
• Internal agentic workflows. Automated processes that take consequential actions (sending communications, updating records, triggering payments) without a human checkpoint.

What to Do Now

The regulatory direction is clear: automated AI decisions affecting people are moving from permissive territory to regulated territory. Organisations that get ahead of this will be better positioned than those that wait for enforcement. Here is a practical starting point.

Audit your automated decision-making systems

Compile a complete inventory of AI systems that influence or make decisions about employees, job applicants, or customers. For each, document: what decision the AI is involved in, what data it uses, what a human reviewer sees and when, and what the process is if the decision is challenged.

Define what "meaningful human involvement" looks like in your processes

The ICO will be looking for evidence that human reviewers are genuinely engaged with AI outputs — not rubber-stamping them. This means designing review processes where the human has access to the underlying evidence, has time to form their own view, and has documented their reasoning. A reviewer who can only see the AI's recommendation, and not the data behind it, does not meet the standard.

Prepare your transparency documentation

Employees and job applicants have rights under existing data protection law to know when automated decision-making is being used. Audit whether your current privacy notices, job application processes, and employee communications accurately describe the AI systems you use. Update them where they do not.

Review your agentic AI governance against the DRCF framework

If you have deployed AI agents — even internally — map them against the DRCF's three principles: accountability, transparency, and control. For each agent, you should be able to name the accountable person, describe how affected parties could challenge the agent's actions, and demonstrate that you can pause or override the system if required.

UK AI regulation is not following the EU's prescriptive path, but it is moving in a clear direction: organisations that use AI in ways that affect people will be expected to demonstrate accountability, transparency, and genuine human involvement in consequential decisions. The organisations that are already building these disciplines into their AI deployments will face this transition as a confirmation of existing practice. Those that have not will face it as a compliance project — and compliance projects are always more expensive than getting it right the first time.