Frontier AI cyber guidance, competition remedies, and regulator accountability plans

The UK’s AI governance landscape continued to evolve through sector-specific interventions rather than framework legislation. Financial authorities issued coordinated expectations on frontier AI cyber risks, the competition regime moved closer to practical controls over AI-generated search content, and major regulators published plans explaining how they intend to support innovation while managing AI-related risks. 

Snapshot

• HM Treasury, the Bank of England and the FCA issued a joint statement on frontier AI models and cyber resilience in financial services.
• According to the Guardian the Competition and Markets Authority proposed measures requiring greater publisher control over the use of content in Google's AI-powered search features.
• The ICO published its AI and biometrics strategy work programme for 2026–27, including further work on automated decision-making and foundation models.
• The FCA continued to expand its AI governance infrastructure through AI Lab initiatives and live-testing programmes.

1. Financial authorities sharpen expectations on frontier AI cyber risk

The most significant UK AI governance development this month came from the financial sector. On 15 May, HM Treasury, the Bank of England and the FCA jointly published The Bank, FCA and HM Treasury joint statement on frontier AI models and cyber resilience, setting out expectations for firms using or exposed to frontier AI systems. The statement warns that frontier models may significantly increase the speed, scale and sophistication of cyber threats. It says boards and senior management should ensure they understand frontier AI risks, oversee appropriate governance arrangements, and strengthen vulnerability management, response and recovery capabilities. Authorities also confirmed that they will continue monitoring developments through industry engagement and operational resilience channels.

2. Competition regulation moves closer to AI search governance

Competition policy became more relevant to AI governance during May through the CMA’s ongoing work on Google's search services. The CMA proposed measures that would require Google to provide publishers with greater control over how their content is used in AI-generated search summaries and related AI-powered search products. Under the proposed approach, publishers would be able to opt out of certain AI uses of their content while preserving participation in conventional search indexing. Although these measures arise from competition powers rather than AI-specific legislation, they address one of the central governance questions facing generative AI: the relationship between platform operators, AI-generated outputs and third-party content providers. The proposals also reinforce the broader UK trend towards using existing regulatory frameworks to address AI-related concerns rather than creating entirely new legal structures. If implemented, the measures could become an important precedent for how UK regulators approach transparency, attribution and control over content used in AI-powered services.

3. The ICO advances its operational AI governance programme

The Information Commissioner’s Office continued to develop its AI governance agenda during May through its broader AI and biometrics work programme. The regulator confirmed that work on automated decision-making guidance remains a priority and indicated further activity relating to foundation models, generative AI, biometric technologies and the future AI and automated decision-making code of practice. These initiatives sit within the ICO’s wider strategy of applying existing data protection law to emerging AI systems while providing more detailed practical guidance for organisations deploying them.

4. The FCA continues building AI governance through experimentation

The FCA’s AI governance model continued to mature during May through ongoing development of its AI Lab ecosystem. The regulator maintained its emphasis on supervised experimentation, live testing and industry engagement as tools for understanding AI risks and benefits. The second cohort of AI Live Testing remained underway, while the FCA continued preparing further outputs on good and poor practice in AI deployment. The authority’s position remains that existing regulatory frameworks provide the primary basis for AI supervision, supported by evidence generated through testing and market engagement. This approach distinguishes the FCA from jurisdictions pursuing highly prescriptive AI regulation. Instead, the FCA continues to prioritise iterative supervision and practical governance expectations informed by real-world deployment experience.

Outlook

May 2026 reinforced the UK’s preference for distributed AI governance. Financial authorities focused on frontier AI cyber risks, competition regulators advanced oversight of AI-powered search services, the ICO continued building detailed compliance expectations, and sector regulators faced growing pressure to demonstrate how they will support safe innovation. The result is a governance framework that remains decentralised but is becoming increasingly operational, coordinated and sector-specific.

Sources: HM Treasury, Bank of England, Financial Conduct Authority, Competition and Markets Authority, Information Commissioner’s Office