CattleGrid

Resources

Free governance tools for UK regulated organisations.

Your staff are already using AI. The question is whether your governance framework has kept pace. These templates exist because, until now, nothing like them did.

We built them ourselves and made them free to download. No registration. No form to complete. No sales call triggered.

Whitepaper: AI Is Already in Your Business

A practical briefing for CISOs, compliance officers, and senior leaders at UK regulated businesses

Seventy-one percent of UK employees are using unapproved AI tools at work. More than half do so weekly. The question most organisations are now facing is not whether AI is present in their operations — it is whether they can see it, govern it, and stand behind it when a regulator or client asks. This whitepaper sets out the problem clearly, without vendor theatre. It covers what shadow AI actually looks like in legal, financial services, and healthcare-adjacent organisations; what the regulatory environment — UK GDPR, FCA Consumer Duty, SRA obligations, EU AI Act — actually requires; what the financial exposure looks like in pounds; and what a structured path from current exposure to a defensible position involves. It is written for the CISO or IT director who needs to understand the risk, the compliance officer who needs to map it to a regulatory framework, and the senior leader who needs to explain it to a board. The executive summary is available below. The full report — including sector-specific considerations for legal, financial services, and healthcare-adjacent organisations, the ISO certification pathway, and six questions worth putting to your leadership team — is included in the same download.

AI Penalty Exposure Calculator

Most organisations know AI governance penalties can be significant. Fewer know what that figure actually looks like against their own revenue. This tool takes your turnover band, sector, and EU exposure, and returns the statutory maximum penalties under UK GDPR and the EU AI Act — with a plain-English interpretation of what the figures mean for a firm like yours. Three questions. No registration required.

AI Risk and Regulatory Exposure in FCA-Regulated Firms

For senior partners, managing directors, and compliance leads at FCA-regulated firms of 50–500 employees

The FCA’s 2024 Multi-Firm AI Review did not identify a theoretical problem. It identified three specific failure patterns at regulated firms it had already reviewed: staff using unapproved AI tools without the firm’s knowledge, firms unable to produce audit evidence of AI interactions, and firms that had not assessed AI providers as technology dependencies. These are supervisory findings, not forward guidance. Firms that cannot demonstrate they have addressed them face follow-up action — including Section 166 skilled person reviews. This briefing maps the ten primary regulatory risks created by uncontrolled AI tool usage at FCA-regulated firms: client data leakage under UK GDPR, shadow AI exposure, absent audit trails, SMCR individual accountability, Consumer Duty data obligations, operational resilience gaps under PS21/3, SYSC 8 third-party due diligence, US CLOUD Act data sovereignty, DORA for EU-facing firms, and the financial promotions boundary under FSMA 2000. For each risk it sets out what CattleGrid mitigates at the AI API input layer and what the firm must address independently. A dedicated section maps the three FCA Multi-Firm Review findings directly to the documentary evidence CattleGrid generates. The point is a simple one: the FCA has told regulated firms what it expects to see. Deploying CattleGrid before a supervisory visit means you can produce that evidence. Deploying it after means you cannot. The briefing also includes a plain does/does not table. CattleGrid does not inspect AI outputs, draft governance policies, conduct DPIAs, assess the suitability of AI-generated financial advice, or determine what constitutes a serious incident under the EU AI Act. Those obligations remain with the firm. This document is designed to be read by a senior partner or MD alongside their compliance officer, and to support a decision about whether and how to deploy CattleGrid.

Information Governance and AI: What CattleGrid Does — and Doesn't

For information governance professionals at UK regulated organisations of 50–500 employees

Every time a member of staff pastes client data into an AI tool, something happens at the data layer that your governance framework almost certainly hasn’t caught up with. The AI provider is now processing personal data that your organisation controls: under an enterprise or API agreement it will usually be a processor under UK GDPR, while many consumer-tier services position themselves as independent controllers in their own terms, which changes the analysis rather than removing it. The prompt may contain personal data with no lawful basis for disclosure or transfer. The interaction leaves no audit trail. And if your organisation is FCA-regulated, SRA-regulated, or subject to ISO 27001, there are specific obligations attached to each of those facts. CattleGrid operates at the AI API layer — between your staff and the AI provider — intercepting outbound prompts in real time, applying your configured data governance rules, and generating an immutable audit record of every interaction. This reference document maps what that means in practice across the compliance frameworks most relevant to information governance professionals: UK GDPR, FCA requirements, SRA obligations, ISO 27001:2022, the EU AI Act, and the US CLOUD Act. The mapping uses a three-level classification: Direct (CattleGrid addresses the obligation), Partial (CattleGrid addresses part of it, and names what remains), and Supporting (CattleGrid provides the evidence infrastructure the obligation requires). The document also lists, plainly, the obligations CattleGrid does not address — DPIAs, RoPA, privacy notices, AI governance policy drafting, and others. Knowing the scope of any technical control is as important as knowing its capabilities. This document is designed to be read before an onboarding conversation, shared with a DPO or compliance officer reviewing a CattleGrid deployment, or used as a reference when mapping AI governance obligations across your organisation.
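To make the input-layer control described above concrete, here is an added illustration of the pattern: a gate that inspects an outbound prompt before it leaves the organisation, applies block or redact rules, and appends a hash-chained audit record. This is example code written for this page, not CattleGrid's implementation; the rule patterns, the record layout, and the choice to log digests rather than prompt text are all assumptions made for the example. The sample prompts are constructed. Note that, like the product as described, it looks only at the input side and never sees the model's output.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed governance rules for the example. Each rule names a pattern and an
# action: "block" refuses the whole prompt, "redact" replaces the matched text.
# Real deployments would carry far more rules; these three are illustrative only.
RULES = [
    {"name": "uk_national_insurance",
     "pattern": r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b", "action": "block"},
    {"name": "email_address",
     "pattern": r"[\w.+-]+@[\w-]+\.[\w.-]+", "action": "redact"},
    {"name": "uk_phone",
     "pattern": r"\b0\d{3}[ -]?\d{3}[ -]?\d{4}\b", "action": "redact"},
]


class AuditLog:
    """Append-only, hash-chained audit log (assumed design, not CattleGrid's).

    Every entry commits to the SHA-256 digest of the entry before it, so
    altering, inserting or deleting any record breaks verify().
    """

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        body = dict(record, prev=prev)
        entry = dict(body, digest=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain from genesis; False on any tampering."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if body.get("prev") != prev or self._digest(body) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


def gate_prompt(prompt, user, log, rules=RULES):
    """Apply the rules to an outbound prompt and record the decision.

    Returns (decision, text_to_send) where decision is "allow", "redact" or
    "block", and text_to_send is None when the prompt is blocked.
    """
    text = prompt
    matched = []
    decision = "allow"
    for rule in rules:
        if not re.search(rule["pattern"], text):
            continue
        matched.append(rule["name"])
        if rule["action"] == "block":
            decision, text = "block", None
            break
        text = re.sub(rule["pattern"], f"[REDACTED:{rule['name']}]", text)
        decision = "redact"
    # Log digests, not prompt text: the audit trail must not become a second
    # copy of the personal data it exists to account for.
    log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "decision": decision,
        "rules_matched": matched,
        "prompt_sha256": hashlib.sha256(prompt.encode("utf-8")).hexdigest(),
        "sent_sha256": (hashlib.sha256(text.encode("utf-8")).hexdigest()
                        if text is not None else None),
    })
    return decision, text


if __name__ == "__main__":
    log = AuditLog()
    for user, prompt in [
        ("alice", "Client NI number is AB123456C, please draft a letter"),
        ("bob", "Summarise the complaint from jane.doe@example.com re 0207 123 4567"),
        ("carol", "What is the SRA guidance on client money?"),
    ]:
        print(user, gate_prompt(prompt, user, log))
    print("chain intact:", log.verify())
    log.entries[0]["decision"] = "allow"  # simulate after-the-fact tampering
    print("chain intact after tampering:", log.verify())
```

Two design points carry over to any real gateway: rules are evaluated before the request reaches the provider, so a blocked prompt never leaves the network; and the log records what was decided and a digest of what was sent, which is what a supervisor can reconcile against provider-side logs without the audit trail itself becoming a data-leakage problem.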

Shadow AI Risk Assessment

For FCA-regulated UK firms of 50–500 employees

Shadow AI is already in your firm. The IBM data suggests 71% of UK employees are using unapproved AI tools, more than half of them weekly. The question for an FCA-regulated firm is not whether this is happening but what the regulatory consequences are and what you are doing about them. This template provides a structured eight-section assessment covering discovery methodology, a tool inventory, per-tool risk ratings across data leakage, regulatory breach and operational resilience dimensions, and a regulatory exposure map that works through Consumer Duty outcomes, SMCR individual accountability, PS21/3 operational resilience obligations, SYSC 8 outsourcing implications, financial promotions risk, and UK GDPR simultaneously. It includes a prioritised remediation table and a governance gap analysis referencing the FCA’s own multi-firm AI review findings. The FCA has confirmed it will rely on existing frameworks — Consumer Duty, SMCR, SYSC — to govern AI use in financial services rather than introducing AI-specific regulation. That makes understanding how those frameworks apply to shadow AI usage a compliance obligation, not a forward-looking aspiration. This template maps the exposure and gives you the evidence trail.

DPIA Template for AI Tools

For UK organisations of 50–500 employees in regulated sectors

Every time an employee submits client data to ChatGPT, Claude, or any other public AI service, that provider is processing personal data your organisation controls: usually as a processor under UK GDPR where an enterprise or API agreement is in place, and often as an independent controller under the terms of consumer-tier services. Either way, your organisation remains a controller. The legal obligation to conduct a Data Protection Impact Assessment before high-risk processing begins does not disappear because the tool is consumer-facing and the employee used it without thinking. This template is structured around UK GDPR Article 35 and ICO DPIA guidance. It covers necessity and proportionality assessment, data flows and international transfer mechanisms, a pre-populated risk register with likelihood and severity ratings, risk mitigation measures, consultation and sign-off, and a review schedule. Warning boxes flag the specific errors we see most frequently in practice: incorrect Article 9 conditions, IDTA being applied to EEA transfers that do not require it, the Microsoft Copilot controller-status question, and the DPO mandatory appointment threshold. It is designed to be completed once per AI tool or major use case and attached to your Records of Processing Activities.

How to use these resources

The whitepaper and the two briefings are written to be read. The two templates (the Shadow AI Risk Assessment and the DPIA Template) are starting points, not finished compliance products. They are designed to be adapted to your organisation’s specific circumstances, tools, regulatory permissions, and data processing activities. Generic entries should be replaced with accurate descriptions of your actual position. The guidance notes throughout each section explain what the assessor should consider; they are not themselves the answer.

Where a template flags that legal advice should be sought — on Article 9 special category conditions, on SYSC 8 outsourcing conclusions, on the appropriate SMCR accountability allocation for your firm — that flag is genuine. These are questions with answers that depend on your specific facts and should not be resolved by reference to an example entry in a template.

These documents reference the ICO’s AI and data protection guidance, FCA policy statements, SRA guidance, and relevant UK GDPR provisions with hyperlinks to primary sources. Those links are current as of the date of publication. Regulatory guidance evolves; check the linked sources for the most recent versions before relying on any specific reference.

Terms of Use

These resources are provided by CattleGrid Ltd free of charge for UK regulated organisations. The whitepaper is provided for information only. The templates do not constitute legal, regulatory, or compliance advice. CattleGrid Ltd makes no warranty, express or implied, as to the accuracy, completeness, or fitness for purpose of these documents for any particular organisation’s circumstances. Use of these resources does not create a client relationship with CattleGrid Ltd and does not discharge any legal or regulatory obligation. Organisations should seek independent legal and regulatory advice on their specific compliance position before relying on any assessment or document produced using these templates.

CattleGrid Ltd accepts no liability for any loss or damage arising from reliance on these documents. CattleGrid Ltd. Company No. 17020793. 32 Salisbury Avenue, Cheltenham GL51 3BS.