The AI governance framework UK built environment firms actually need in 2026

By ResponsiblewithAI Team | Last updated: 8 Jun 2026 | 5 min read

On 9 March 2026, the RICS Responsible Use of AI in Surveying Practice standard came into force for all members and regulated firms. If your firm hasn't yet started building a governance framework to match, you are already behind. The standard isn't a suggestion. It's a mandatory requirement covering risk registers, responsible use policies, and procurement due diligence.

At the same time, the EU AI Act's full high-risk framework is due to become enforceable on 2 August 2026. Any UK consultancy placing AI systems on the EU market, or whose AI outputs are used within the EU, falls within scope. Brexit didn't change that. The extraterritorial reach is deliberate. Penalties for prohibited AI practices run to €35 million (around £30 million) or 7% of global annual turnover, whichever is higher. For high-risk AI violations, the ceiling is €15 million (around £13 million) or 3% of global turnover. Those figures are calculated against worldwide revenue, not just EU revenue.

The UK government's AI Opportunities Action Plan, reviewed on 29 January 2026, showed the pace isn't slowing down. The government backed the AI Security Institute with £240 million at Spending Review 2025. It has an AI Assurance Innovation Fund of £11 million and a new Centre for AI Measurement at the National Physical Laboratory. The message to UK firms is clear: governance framework maturity is now an expectation, not a bonus.

For a 200-person engineering or surveying consultancy, this matters in a very specific way. You are probably using AI tools in project delivery, report writing, cost planning, or design. Some of those tools process client data. Some influence professional advice. Without a governance framework, you cannot demonstrate oversight, accountability, or the RICS-required professional scepticism. You cannot answer a client who asks how AI is being used on their project.

The governance framework you need in 2026 has three interlocking layers: an AI register, an assurance framework, and structural governance. Firms that treat these as separate tick-boxes miss the point. They need to connect. Before looking at what each layer involves, it is worth being clear about what is driving the urgency. Three regulatory instruments converge in 2026: the RICS standard, the EU AI Act high-risk tier, and the ICO's forthcoming statutory code of practice on AI and automated decision-making. A UK consultancy serving EU clients while also advising on publicly funded projects faces all three simultaneously.

ISO 42001 as your governance framework backbone

ISO/IEC 42001:2023 is the first international standard for an AI Management System (AIMS). It follows a Plan-Do-Check-Act structure across 10 clauses, with 38 controls grouped under 9 control objectives in Annex A. For UK built environment firms, it has become the most practical governance framework available. It directly addresses fairness, explainability, transparency, and data governance.

In November 2025, AvISO became the first UK consultancy to achieve accredited ISO 42001 certification, integrating AI governance into an Integrated Management System already covering ISO 27001, ISO 9001, ISO 14001, and ISO 22301. That matters because one of the hardest parts of building a governance framework is scoping it correctly. ISO 42001 certified organisations that already held ISO 27001 achieved compliance 30-40% faster, according to Protecht Group data.

For firms already ISO 27001 certified, the data governance framework elements of ISO 42001 will feel familiar. Standards for data collection, bias testing, and provenance tracking sit within a governance risk management structure you can layer over existing information security processes. That isn't duplication. It's efficiency. You are extending what works rather than building from scratch.

ISO 42001 also maps closely onto the EU AI Act's high-risk requirements. Annex A controls cover the quality management system, post-market monitoring, and risk management obligations that the Act demands for high-risk systems. A structural governance programme built on ISO 42001 gives you a defensible position whether the Act's high-risk deadline holds at August 2026 or slips to December 2027 under the proposed Digital Omnibus changes.

What your AI register actually looks like

Your AI register is the spine of the governance framework. Everything else hangs off knowing what you have deployed and who owns it.

An AI register is not a spreadsheet of software licences. It is a structured log of every AI system your firm uses, procures, or embeds in client deliverables. For each entry, you need: the system name and vendor, the purpose and deployment context, data sources it draws on, affected client or stakeholder groups, the named internal owner, and the risk classification. RICS requires risk registers as part of its AI standard. The ICO's AI and data protection risk toolkit supports the same documentation approach. Neither is prescriptive about format, which means your register can start simple and grow.

The risk classification step is where governance risk management becomes real. A large language model used to draft internal briefing notes sits in a different risk tier to a structural analysis tool whose outputs feed directly into a professional report issued to a client. Each needs proportionate controls: the higher the stakes, the more rigorous the assurance evidence required before the system is used on a project. Mott MacDonald's responsible AI policy, updated December 2025, captures this principle: oversight and accountability must be appropriate to the level of the system being used.

For a 200-person consultancy, the practical register will typically have 15 to 30 entries. That number tends to surprise people. Once you count design AI tools, specification assistants, scheduling software with machine learning, cost intelligence platforms, and generative AI tools for reports or bids, the total grows quickly. The register also forces a conversation about vendor-supplied AI embedded in platforms you didn't think of as AI systems. That conversation is part of the data governance framework work.

The assurance framework: connecting risk to evidence

An assurance framework answers a different question to the register. The register asks: what AI do we use? The assurance framework asks: how do we know it is working correctly, fairly, and within the bounds we set? The UK government's Trusted Third-Party AI Assurance Roadmap, published September 2025, sets the direction: assurance services should be testable, verifiable, and independent where stakes are high.

For most built environment firms, the assurance framework does not require external certification immediately. It does require documented internal processes. At minimum: AI Impact Assessments before deployment of significant systems; model testing and validation records; output review protocols that specify when a qualified professional must check AI-generated content before it goes to a client; and incident logging where AI outputs caused errors or required correction. This is structural governance in practice.
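The register and the assurance framework only connect if the register itself records what evidence each risk tier demands and whether it exists. The script below is an added example of that check, written for this article rather than taken from RICS, the ICO or ISO 42001: it holds the register fields listed above as a dict per system, maps each risk tier to the minimum evidence named in the paragraph above, and reports which entries are missing fields, have a placeholder owner, or lack the evidence their tier requires. The tier names, evidence labels, the rule that an unclassified system is treated as high risk, and the three sample systems are all assumptions constructed for the example.

```python
"""Machine-checkable AI register (added example; not RICS, ICO or ISO 42001 text).

Field names, tier names, evidence labels and the sample systems are assumptions
made for this example. Replace them with your firm's own register vocabulary.
"""

# The fields the article lists for every register entry.
REQUIRED_FIELDS = (
    "name", "vendor", "purpose", "data_sources",
    "affected_groups", "owner", "risk_tier",
)
RISK_TIERS = ("low", "medium", "high")

# Proportionate controls: minimum assurance evidence per tier (assumed mapping,
# mirroring the article's list of impact assessment, validation records,
# output review protocol and incident logging).
EVIDENCE_BY_TIER = {
    "low": {"output_review_protocol"},
    "medium": {"output_review_protocol", "validation_record"},
    "high": {"impact_assessment", "validation_record",
             "output_review_protocol", "incident_log"},
}
PLACEHOLDER_OWNERS = {"tbc", "tba", "n/a", "unassigned", "various"}


def validate_entry(entry: dict) -> list[str]:
    """Return the problems with one register row; an empty list means it is complete."""
    problems = []
    for field_name in REQUIRED_FIELDS:
        if not entry.get(field_name):
            problems.append(f"missing {field_name}")
    tier = entry.get("risk_tier")
    if tier and tier not in RISK_TIERS:
        problems.append(f"unknown risk_tier {tier!r}")
    # A named owner means a person, not a placeholder that defers accountability.
    if str(entry.get("owner", "")).strip().lower() in PLACEHOLDER_OWNERS:
        problems.append("owner is a placeholder; name a person")
    return problems


def evidence_gaps(entry: dict) -> set[str]:
    """Evidence the tier demands that the assurance file does not yet hold.

    An entry with no valid tier is treated as high risk so that an unclassified
    system never slips through with fewer controls than a classified one.
    """
    required = EVIDENCE_BY_TIER.get(entry.get("risk_tier"), EVIDENCE_BY_TIER["high"])
    return required - set(entry.get("assurance_evidence", ()))


def review_register(register: list[dict]) -> dict[str, list[str]]:
    """Map each system name to its open issues; systems with no issues are omitted."""
    report = {}
    for entry in register:
        issues = validate_entry(entry)
        issues += [f"no {ev}" for ev in sorted(evidence_gaps(entry))]
        if issues:
            report[entry.get("name") or "<unnamed>"] = issues
    return report


def deployable(entry: dict) -> bool:
    """True only when the row is complete and its tier's evidence is all on file."""
    return not validate_entry(entry) and not evidence_gaps(entry)


# Constructed sample register: three fictional tools, not real products.
SAMPLE_REGISTER = [
    {"name": "BriefDraft", "vendor": "ExampleCo", "purpose": "draft internal briefing notes",
     "data_sources": ["internal notes"], "affected_groups": ["staff"],
     "owner": "A. Surveyor", "risk_tier": "low",
     "assurance_evidence": ["output_review_protocol"]},
    {"name": "StructCheck", "vendor": "ExampleCo",
     "purpose": "structural analysis whose outputs feed client reports",
     "data_sources": ["project models", "client site data"],
     "affected_groups": ["clients", "public"],
     "owner": "B. Engineer", "risk_tier": "high",
     "assurance_evidence": ["validation_record", "output_review_protocol"]},
    {"name": "CostIntel", "vendor": "ExampleCo", "purpose": "cost planning",
     "data_sources": ["historic cost data"], "affected_groups": ["clients"],
     "owner": "TBC", "risk_tier": "medium",
     "assurance_evidence": []},
]

if __name__ == "__main__":
    for system, issues in review_register(SAMPLE_REGISTER).items():
        print(f"{system}: {'; '.join(issues)}")
```

Run against the sample register, BriefDraft passes, StructCheck is flagged for having no impact assessment and no incident log despite its high tier, and CostIntel is flagged both for its placeholder owner and for missing evidence. The same report, re-run whenever the register changes, is the audit trail that the check happened.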

"The standard helps here as it talks about professional scepticism. This highlights the importance of the Chartered Surveyor in curating the inputs and validating the outputs." Paul Beeston FRICS, Chartered Surveyor, quoted in RICS guidance on the Responsible Use of AI standard (2026)

A good assurance framework makes that scepticism auditable. It doesn't just require the check. It records that the check happened. Embedding this into the wider governance framework is not optional under the RICS standard.

The ICO is now preparing a statutory code of practice on AI and automated decision-making, following SI 2026/425 coming into force on 12 May 2026. Once published, that code will carry statutory weight under the Data Protection Act 2018. Departure from it will require justification. The data governance framework obligations this creates will apply to any UK firm processing personal data through AI systems, which in built environment work includes health and safety data, staff records, and sometimes biometric site access systems.

Who actually owns it

The structural governance question is where many consultancy AI programmes stall. ISO 42001 requires named accountability. RICS requires named surveyors on AI-assisted professional advice. Mott MacDonald assigns responsibility to a Group AI governance working group monitored by regional general managers. Arup's AI policy is owned by the Chief Digital and Information Officer, reviewed annually, and set by the Group Board. For a 200-person firm, you need the equivalent: one named person at director level who owns the whole programme.

In practice, that means a named AI lead at director or senior associate level. Not a committee. One person who owns the governance framework, maintains the register, coordinates governance risk management reviews, and signs off the assurance evidence before it is filed. That person doesn't need to be a technical AI specialist. They need to understand the firm's risk appetite, the regulatory landscape, and how to connect a policy on paper to what people actually do on projects. They also need the authority to pause a deployment if the risk evidence isn't in order.

The UK government's own AI Opportunities Action Plan requires regulators to publish annual plans on how they will enable safe AI innovation. For surveying firms, RICS now plays the equivalent role through its standard, which it has brought into force for members and regulated firms. The expectation of having your governance documentation ready for professional review, client request, or regulatory inspection is now real and immediate.

Three things to do now

One. Build your AI register now, before you build anything else. Audit the tools in use across the firm, assign each one an owner and a risk tier, and record the data sources. This single step gives you the foundation for your governance framework and tells you where your highest-priority governance risk management work sits. Use the RICS risk register guidance and the ICO AI and data protection risk toolkit as templates.

Two. Adopt ISO 42001 as your governance framework structure, even if formal certification is 12-18 months away. The standard's Plan-Do-Check-Act model gives you a data governance framework and assurance framework in one structure. Firms already holding ISO 27001 certification can get there 30-40% faster. Start with a gap analysis.

Three. Appoint a named AI lead and set their first task as drafting an AI governance policy that connects your AI register, your assurance processes, and your client communication obligations under the RICS standard. That layer of accountability only becomes credible when one person is responsible for keeping it current. The policy doesn't have to be long. It has to be real.

The firms in UK built environment that will navigate 2026 well aren't the ones with the most advanced AI. They are the ones that know what they're running, who is accountable for it, and how to explain it to a client or a regulator. That starts with a governance framework, and it starts now.

build your ai governance framework the right way

The Responsible with AI programme helps architects, designers, and other built environment professionals develop practical frameworks for integrating AI tools responsibly.
