Summary of Policy Communication on Scotland AI Compliance Framework

Introduction

AIJurium submitted a briefing note titled ‘Scotland AI Compliance Framework’ to Keith Brown MSP, raising the potential value of a Scotland-focused approach to AI compliance and assurance. This communication was directed towards identifying how Scotland’s existing AI policy work could be strengthened through practical assurance capacity, especially as generative AI becomes more widely adopted across public, private and third sector contexts.

Core purpose of the briefing note

The briefing note was framed around Scotland’s AI Strategy and its ambition that ‘Scotland will become a leader in the development and use of trustworthy, ethical and inclusive AI.’ It aimed to draw attention to whether Scotland has ‘the practical assurance capacity needed for responsible AI adoption in public, private and third sector contexts,’ including the use of ‘widely available generative AI tools and customised organisational versions.’  The broader purpose was not to demand a fixed regulatory model, but to support discussion on how ‘standards, certification, and guidance’ could help manage risks such as ‘accountability, discrimination, children’s rights, and human rights impacts,’ while also supporting ‘interoperability and organisational readiness’ in light of the EU risk-based framework. 

Scotland policy context and existing delivery activity

The note recognised that Scotland already has a significant policy and delivery foundation. It referred to Scotland’s AI Strategy, the Scottish AI Alliance, The Data Lab, and practical resources such as Living with AI, the Scottish AI Playbook, and the AI Maturity Framework. The briefing therefore did not present the matter as if Scotland had no AI governance activity. Instead, it asked whether Scotland now needs ‘a more formalised compliance and assurance layer’ that organisations can use ‘in day to day decision making,’ and which can scale across sectors without duplicating existing tools. This was an important framing choice. It positioned the proposal as a constructive addition to Scotland’s existing AI ecosystem, rather than as criticism of existing work.

Real-world AI adoption and accountability risks

A central part of the briefing concerned the way organisations actually adopt AI. It noted that a significant share of adoption involves ready AI products, including ‘generative AI tools such as ChatGPT, Copilot, Gemini, and Grok,’ followed by organisational adaptation through ‘configuration, internal integrations, retrieval augmentation, internal datasets, fine tuning, and workflow tooling.’ The briefing stressed that these steps can ‘materially change both risk and accountability,’ especially where AI outputs are embedded into ‘business processes, customer facing services, or public service delivery.’ It also highlighted that an organisation may move beyond simple use where it adapts or re-packages AI capabilities into products or services, creating potential ‘provider like responsibilities in practice.’ The risk analysis was practical rather than abstract. The note identified possible compliance gaps where ‘roles and responsibilities are unclear,’ where ‘assurance evidence is not maintained,’ or where there is ‘no consistent approach to risk controls and monitoring.’ The potential consequences included ‘discrimination impacts, unsafe or unlawful outputs, privacy and confidentiality failures, cybersecurity issues, and harms involving children and vulnerable groups.’ 

EU alignment and external compliance expectations

The briefing also connected the Scottish discussion to the EU AI Act. It noted that Regulation (EU) 2024/1689, the Artificial Intelligence Act, is in force and uses a risk-based approach. The note referred to prohibited AI practices, staged compliance dates, obligations for providers of general-purpose AI models, and the European Commission’s guidance for general-purpose AI providers. The core point was that, for Scottish organisations placing AI systems on the EU market or providing AI-enabled services into the EU, ‘interoperability with this framework supports practical readiness.’ The note also mentioned the European Commission’s Digital Omnibus on AI Regulation proposal as an indication that EU implementation detail may continue to evolve. This gave the communication a market-readiness dimension as well as a public trust dimension.

Elements proposed for discussion

The briefing set out discussion options rather than a rigid scheme. It expressly stated that the points were ‘framed as discussion options,’ recognising that related work may already exist and that design choices may be ‘voluntary, mandatory, sector specific, or phased.’ The possible building blocks included: ‘Organisational standards and assurance evidence,’ including a common assurance profile across public, private and third sector contexts. ‘Skills and professional capacity,’ including possible training, accreditation, or certification for people responsible for AI compliance inside organisations. ‘Deployment and assurance in practice, including procurement,’ covering the lifecycle from selection and onboarding through to deployment, monitoring, and incident handling. The note also identified priority risk areas including children and young people, equality and discrimination, transparency and accountability, privacy and confidentiality, cybersecurity, incident reporting, and audit readiness. 

Governance options and implementation considerations

The briefing presented three possible institutional models: a government-led oversight function, an independent assurance or certification model, and a phased hybrid model. The hybrid model was linked to Scotland’s existing partnership style in AI delivery through the Scottish AI Alliance and The Data Lab. The implementation section treated the proposal cautiously. It recognised the importance of interaction with UK-wide governance, proportionality for SMEs, uptake where participation is voluntary, and the need for independence, trust, and governance quality if certification is involved. Possible next steps included ‘a short scoping review,’ ‘a practical pilot pathway,’ and ‘a Scotland focused guidance pack.’ 

Analytical argument in the briefing

The briefing’s analytical summary argued that Scotland’s AI delivery landscape is already strong on ‘principles, awareness, and practical signposting,’ but that the harder issue is assurance when AI becomes ‘operational, embedded, and difficult to reverse.’ It identified the main pressure point as the movement from policy commitments to repeatable organisational practice, where accountability may fragment across suppliers, internal teams, and customised deployments of general-purpose and generative AI. The note warned that without a clearer assurance layer, ‘risk tends to be managed inconsistently,’ evidence may not be retained for scrutiny, and organisations may discover compliance issues only after ‘harm, complaint, or regulatory attention.’ The briefing concluded that the value of a Scotland-focused compliance framework would not be in adding another set of principles, but in strengthening ‘governance capacity through practical, proportionate assurance habits that can be repeated, evidenced, and improved over time.’ 

Keith Brown MSP’s referral to the Minister

Keith Brown MSP referred the matter to Richard Lochhead MSP, Minister for Business and Employment. In his letter, Mr Brown stated that he was contacting the Minister ‘having received representation from a constituent.’ He noted that the constituent’s correspondence ‘clearly sets out his enquiry’ and that he attached the briefing note ‘for your perusal.’ Mr Brown then asked the Minister for attention to the matters raised, stating: ‘I would welcome your attention to the matters my constituent raises and look forward to your response.’ This shows that the communication was formally passed into the Scottish Government policy process, rather than remaining only a local constituency exchange.

Ministerial recognition of the insight offered

The response from Richard Lochhead MSP was constructive. The Minister stated that he had asked ‘officials within the Scottish Government’s Artificial Intelligence policy team’ to consider the points raised and provide ‘coordinated advice.’ He then expressly recognised the quality of the submission, stating: ‘I appreciate the high-quality insight offered, particularly in relation to the practical and ethical considerations associated with the increasing adoption of artificial intelligence and the limitations that must be addressed.’ This is the most significant phrase in the response. It indicates that the Scottish Government treated the submission as a serious policy contribution and that the practical and ethical framing of the briefing was understood.

Ministerial clarification of the policy landscape

The Minister also clarified the institutional position. He noted that ‘artificial intelligence is not managed centrally within the Scottish Government,’ and that ‘significant elements of the digital policy landscape remain reserved to the UK Government.’ This clarification is important for future work. It suggests that any Scotland AI compliance framework would need to be designed with care, taking account of devolved competences, UK-level digital policy, and the practical delivery role of Scottish institutions.

Existing Scottish Government activity identified in the response

The Minister identified several areas of existing or developing Scottish Government activity. He referred to ‘ongoing activity through the innovation cluster’ and highlighted ‘the role of the Scottish AI Register,’ which he described as providing ‘a level of compliance and transparency, alongside technical and strategic guidance for organisations engaging with AI systems.’ He also referred to the ‘new Sustainable Digital Public Services Delivery Plan,’ describing it as a document that ‘acts as a refreshed Digital Strategy for Scotland’ and sets priorities for ‘resilient, ethical and future focused digital public services.’ The response therefore confirms that Scotland is already developing relevant governance and digital delivery structures, even if the precise relationship between those structures and a broader AI compliance framework remains open for further analysis.

AI Scotland and wider delivery programmes

The Minister further listed key programmes and activities supporting AI and related dependencies in Scotland. These included ‘Launching AI Scotland as a national change programme to encourage investment in, and adoption of, AI across the economy,’ supporting sectoral clusters in areas including ‘FinTech, GovTech, MedTech,’ and transformational technologies including ‘quantum, photonics, and AI.’ He also referred to ‘continued investment in digital infrastructure’ and support for ‘Scottish businesses, the third sector, and other organisations to enhance their cyber resilience.’ Finally, he noted that ‘a refreshed National AI Strategy was published on 20 March’ and encouraged review of the new publication. These points are important because they show that the Scottish Government’s response did not reject the premise of the briefing. Instead, it located the issue within a wider developing policy and delivery landscape.

Conclusion

This correspondence can be summarised as a constructive and appreciative policy exchange. AIJurium raised the need to consider practical AI compliance and assurance capacity in Scotland, especially in relation to generative AI adoption, organisational customisation, accountability, and EU interoperability. Keith Brown MSP formally referred the issue to the Minister for Business and Employment, and the Minister confirmed that Scottish Government AI policy officials had considered the points and provided coordinated advice. The Minister’s recognition of the ‘high-quality insight offered’ is particularly significant, as it confirms that the briefing was received as a serious contribution to Scotland’s AI governance discussion. The response also identifies a useful next direction. Future work could usefully review the current developments identified in the Minister’s response through the lens of the Scotland AI Compliance Framework. This would involve considering how the Scottish AI Register, the Sustainable Digital Public Services Delivery Plan, AI Scotland, the innovation cluster, cyber resilience work, and the refreshed National AI Strategy relate to the assurance and compliance issues raised in the briefing. Such a review could help identify where existing activity already addresses these questions and where AIJurium may be able to offer a more targeted and constructive contribution.