UK regulators expand generative AI use in oversight

The Digital Regulation Cooperation Forum has published findings on how four UK regulators are using generative AI in their work. The review covers the Competition and Markets Authority, the Financial Conduct Authority, the Information Commissioner’s Office and Ofcom.

Generative AI is moving beyond pilot projects into regular use across regulatory analysis, supervision and enforcement, the forum found. Joint work over the past year has focused on governance, prompt design, detecting consumer harm and testing AI tools before wider deployment.

The report offers one of the clearest accounts yet of how UK public authorities are trying to use large language models and related systems in day-to-day oversight of digital markets and services. It also shows the extent to which regulators are building internal tools rather than relying solely on off-the-shelf products.

From pilots

According to the findings, each member regulator has been testing, developing or deploying generative AI tools. Staff have also been given access to AI productivity software as part of a broader effort to build familiarity with the technology and set rules for its use.

That work has been supported by six cross-regulator deep-dive sessions involving leaders working on advanced regulatory technology. The sessions examined how to manage risks such as hallucinations and bias, improve outputs through prompt design, identify harmful online design practices and assess whether AI systems are reliable enough for specific regulatory tasks.

A central conclusion is that governance remains critical. AI tools may offer clear benefits, but in a regulatory setting where errors can affect enforcement decisions and consumer protection, they require proportionate oversight, clear accountability and human review.

The Financial Conduct Authority was cited as one example of a regulator using a structured internal framework, including policies on data management, frontier AI and privacy, alongside staff training on risk management systems.

Consumer harm

Some of the clearest examples relate to monitoring websites and apps for harmful design patterns. These include drip pricing, misleading scarcity claims, reference pricing and so-called sludge practices that make it harder for consumers to cancel subscriptions or navigate terms and conditions.

The Competition and Markets Authority has developed what the forum described as agentic AI that can experience and record the consumer journey at scale. The aim is to detect possible breaches of consumer law by navigating online services in a way that mirrors how users encounter prices, prompts and design choices.

This approach has already fed into enforcement activity. The authority has opened investigations into eight businesses and sent advisory letters to 100 others following the investment, according to the forum.

The Financial Conduct Authority has also tested whether large language models can be used for sludge audits. Instead of relying on staff to click manually through websites and recreate customer journeys, the regulator ran a pilot to see whether models could simulate consumer personas and carry out many of those checks more quickly.

The pilot found that the models could perform a large share of the audit work, but with important caveats. Prompt design was needed to improve consistency, the systems did not always interpret webpages correctly and human review remained necessary to check accuracy.

Ofcom has been using behavioural audits in its own work to examine whether online services meet obligations under the Online Safety Act. These audits look at areas such as sign-up processes, features that influence time spent on a service, negative sentiment tools and reporting mechanisms.

The Information Commissioner’s Office and the Competition and Markets Authority have also worked jointly on harmful design in digital markets, while the Information Commissioner’s Office has monitored compliance on the use of non-essential cookies at scale.

Testing tools

Another strand of the programme focused on how regulators assess the quality of AI systems before wider deployment. Several have created minimum viable internal evaluation frameworks that define the task an AI tool is meant to support, set guardrails for users and test for accuracy, usefulness and obvious failure modes.

These frameworks compare model outputs against reference answers using test questions, source documents and preset criteria such as factual accuracy, substance and citation style. Models are then scored against pass-fail thresholds.

This approach helps technical teams decide whether a tool is suitable for sensitive work and supports a more controlled move from trial use to broader deployment. But the process can be time-consuming because reference materials and benchmark answers must be created in advance.

Prompt engineering emerged as another practical area of work. Regulators reported that better outputs often depend on supplying context, defining a role for the model, giving examples and setting clear constraints. More advanced methods included breaking down complex questions into smaller parts and linking prompts in sequence.

The findings also refer to the use of retrieval-augmented generation, in which models draw on approved internal documents to ground responses in verified material. The forum said this can reduce the risk of hallucinations, but not remove it, so it is being used alongside other checks.

Overall, the picture is of regulators using AI to cut the time and cost of investigations without removing human judgment from the process. In areas such as consumer protection and online safety, the technology is being positioned as a way to monitor large numbers of services and spot patterns that would be difficult to identify manually.

Cross-regulator cooperation has helped speed adoption, reduce duplication and support more consistent approaches across the four bodies, the forum found. Strong governance, evaluation frameworks and human oversight remain essential to the safe and effective use of generative AI in regulation.