UK AI regulation is rapidly becoming one of those policy areas where the gap between what politicians say and what actually happens could not be wider. On one hand, we hear about the UK being "pro innovation" and "the best place to start an AI company." On the other, the compliance frameworks being drawn up will cost more to implement than most small businesses spend on their entire technology stack in a year.
I have been building software for over twenty five years. I run multiple businesses that use AI in various ways, from automating customer service workflows to generating reporting insights. None of what I do is controversial. None of it is dangerous. But the way regulation is heading, I will need a legal team just to understand whether I am allowed to keep doing it.
This is not an argument against regulation. Some regulation is necessary and sensible. This is an argument that the current approach is being shaped by the companies with the biggest lobbying budgets, and the result will be rules that big tech can absorb as a rounding error while small businesses either comply at enormous cost or simply stop innovating.
The compliance cost problem
Let me paint you a picture. Microsoft has an AI ethics team of over a hundred people. They have dedicated compliance officers, in house legal counsel specialising in AI governance, and the budget to implement whatever documentation and audit processes the government dreams up. When a new regulation drops, Microsoft adds it to the pile and carries on.
Now picture me. Or any other small business owner who has integrated AI into their product. I do not have a hundred person ethics team. I do not have dedicated compliance officers. I have myself, a small team, and a product to ship. When new regulation drops, I have to stop what I am doing, figure out what it means, work out whether it applies to me, and then either spend weeks implementing compliance measures or pay a consultant thousands of pounds to tell me what I already suspected: that the regulation was written with billion pound companies in mind and nobody thought about the small firm using a language model to help customers find the right campsite.
This is not hypothetical. I have already spent time and money figuring out how GDPR intersects with AI generated content in my products. The answer, for my use case, was straightforward. But getting to that answer cost me time I could have spent improving the product. Multiply that across every small business in the UK using AI and you start to see the economic damage of poorly targeted regulation.
Who is actually at the table
When the government consults on AI policy, who do they talk to? I will give you one guess, and it is not the bloke running a SaaS company from his motorhome.
The consultation responses are dominated by big tech firms, large consultancies, and academic institutions. The people who will be most affected by proportionality failures in AI regulation, small and medium businesses, are barely represented. Not because they do not care, but because they do not have a policy team whose literal job is to sit in these meetings and shape the rules in their favour.
The result is regulation that works perfectly for organisations with dedicated compliance infrastructure and punishes everyone else. It is not a conspiracy. It is just what happens when you let the biggest players in a market write the rules for that market. They are not doing it out of malice. They are doing it because compliance costs that are trivial for them become barriers to entry for everyone else. Every regulation that costs a startup fifty thousand pounds to comply with is a regulation that protects the incumbent.
The risk classification mess
The current approach to AI regulation loves risk classification. High risk AI gets heavy regulation. Low risk gets light touch. Sounds reasonable in principle. In practice, it is a nightmare for small businesses because the definitions are vague enough that almost anything could be classified as high risk depending on how you squint at it.
Is a booking system that uses AI to predict demand and adjust pricing "high risk"? It makes decisions that affect consumers. You could argue it either way. And that ambiguity is the problem. Big companies can afford to get a definitive legal opinion. Small companies either over comply out of fear, under comply out of ignorance, or just avoid using AI altogether. All three outcomes are bad for the economy.
What we actually need is clear, specific guidance written in plain language that tells a small business owner exactly where they stand. Not a two hundred page framework document full of conditional clauses that requires a specialist lawyer to interpret. Tell me in one paragraph whether my campsite booking AI is high risk or not. If you cannot do that, your regulation is not fit for purpose.
The transparency theatre
Transparency requirements sound wonderful in theory. Users should know when they are interacting with AI. Businesses should document how their AI systems make decisions. I agree with the principle entirely.
But the implementation requirements being discussed are absurd for small operators. Full algorithmic impact assessments. Detailed documentation of training data provenance. Regular third party audits. These are reasonable asks for a company deploying facial recognition at scale. They are completely disproportionate for a ten person company using a language model to summarise customer feedback.
The problem is that regulation does not have a "you are too small for this to matter" exemption. Or when it does, the threshold is set so low that only sole traders qualify. If you have employees and revenue, you are treated the same as Google. That is not proportionate regulation. That is lazy regulation.
What sensible AI regulation would look like
I am not anti regulation. I think some of what AI can do is genuinely concerning and deserves oversight. But I think you can regulate effectively without destroying the ability of small businesses to innovate. Here is what that would look like.
Clear size thresholds
If you have fewer than fifty employees and your AI system is not making consequential decisions about people's lives, you should face lighter requirements. Full stop. The risk of a small SaaS company's recommendation engine is not the same as the risk of an automated benefits decision system. Stop pretending they are equivalent.
Plain language guidance
Every regulation should come with a plain English guide that a non lawyer can read and understand in thirty minutes. If your regulation cannot be explained simply, it is probably too complex. The consulting industry loves complex regulation because it creates demand for their services. But complexity is not the same as rigour.
Safe harbour provisions
If you are using AI tools from regulated providers, like the major cloud platforms, and you are using them in standard ways, you should inherit their compliance. I should not have to independently audit a model that Microsoft or Google has already certified. That is duplicative, expensive, and achieves nothing beyond creating paperwork.
Outcomes based, not process based
Regulate what AI does, not how it does it. If my system produces biased outcomes, hold me accountable for that. But do not mandate that I follow a specific twenty step process to avoid bias when a simpler approach achieves the same outcome. Process based regulation rewards box ticking over actual responsible behaviour.
The real risk of getting this wrong
The risk here is not abstract. It is economic and it is immediate. If the UK makes it expensive and complicated for small businesses to use AI, those businesses will not stop using AI. They will just move. Or they will use it anyway without compliance and hope nobody notices. Neither outcome is good.
I have spoken to half a dozen founders in the past month who are actively considering relocating their AI products to jurisdictions with clearer, lighter regulation. Not because they want to be irresponsible. Because they cannot afford the time and cost of compliance in the UK while also trying to grow a business. The entrepreneurial instinct is to find the path of least resistance, and if the UK puts up barriers, founders will route around them.
Meanwhile, the big tech companies the regulation supposedly targets will comply effortlessly, absorb the cost, and use the regulatory complexity as a moat against smaller competitors. It is the exact opposite of what pro innovation policy should achieve.
What founders should do now
If you are a small business using AI, here is my practical advice.
First, document what you are doing. Not because the law currently requires it, but because it probably will soon, and having records from the start is far cheaper than reconstructing them later. Keep a simple log of what AI you use, what data goes in, what decisions come out, and who is affected.
Second, respond to consultations. The government does actually read responses from small businesses. There just are not enough of them. If you have fifteen minutes, find the current open consultation on AI governance and submit your perspective. One paragraph from an actual business owner is worth more than a hundred pages from a lobbying firm, but only if you actually send it.
Third, talk to your MP. I know, I know. But they do listen, especially when you can put a specific pound figure on the cost of proposed regulation for a specific business in their constituency. "This will cost my company forty thousand pounds and I employ eight people locally" is the kind of thing that gets attention.
The current trajectory of UK AI regulation worries me. Not because I am against rules, but because the rules being written will protect the biggest companies at the expense of everyone else. That is not innovation friendly policy. That is regulatory capture dressed up in a Union Jack. And if we do not push back now, we will be living with the consequences for decades.
