UK FCA Mills Review Mandates Independent Annual AI Safety Audits with Attorney General Enforcement and Public Disclosure
Source
The Week AI Governance Stopped Being Optional
techletter.co
Via techletter.co
What happened
The UK Financial Conduct Authority published the Mills Review on July 6, 2026, establishing a mandatory requirement for companies operating under FCA oversight to submit their existing AI safety plans to independent auditors on an annual basis. The review mandates public disclosure of those audit outcomes, meaning that gaps or deficiencies in a firm's safety documentation will be visible to regulators, investors, and the public rather than remaining internal. Critically, the Mills Review does not introduce new substantive AI safety standards; instead, it operationalizes the validation of commitments firms have already made. Enforcement authority sits with the Attorney General, elevating the consequence of non-compliance beyond financial penalty into potential legal proceedings. The instrument sits within the broader UK AI Regulation Framework and reflects the FCA's shift toward governance-through-transparency as a primary supervisory tool.
Why it matters
- ·The Attorney General enforcement mechanism transforms AI safety plan deficiencies from a regulatory fine risk into a potential legal liability, requiring legal, compliance, and audit functions to treat AI safety documentation with the same rigor applied to financial statements.
- ·Because the Mills Review audits existing plans rather than imposing new standards, firms that have produced AI safety documents primarily for internal or marketing purposes will face immediate exposure when those documents are subjected to independent scrutiny and public disclosure.
- ·Annual independent auditing creates a recurring assurance cycle that must be integrated into existing internal audit planning calendars, vendor selection processes, and board reporting rhythms, particularly for financial services firms already navigating UK AI Regulation Framework obligations.
Governance controls affected
What to do now
- ☐Conduct a substantive review of all existing AI safety plans and supporting documentation to assess whether they would withstand independent audit scrutiny, identifying gaps before an external auditor does.
- ☐Map the Mills Review audit cycle into your internal audit planning calendar and assign ownership to a named function, ensuring the annual submission timeline is treated as a hard compliance deadline equivalent to financial audit obligations.
- ☐Assess whether current AI safety documentation meets a public-disclosure standard, and remediate any language that is aspirational, vague, or unsupported by evidence of actual controls in operation.
- ☐Engage legal counsel to evaluate the firm's exposure under the Attorney General enforcement mechanism and determine whether existing indemnities, D&O coverage, or legal privilege arrangements need to be updated.
- ☐Initiate a vendor selection or scoping process for an independent AI safety auditor, establishing qualification criteria and conflict-of-interest standards before the first annual submission deadline.
What to watch next
Compliance teams should monitor the FCA for supplemental guidance clarifying the scope of entities covered by the Mills Review, particularly regarding non-financial firms with significant FCA-regulated activities and multinational organizations with UK operations. The intersection of this requirement with incoming EU AI Regulation Framework conformity assessment obligations will create dual-audit pressure for firms operating across both jurisdictions, and regulators may issue coordination guidance. Attorney General enforcement actions, if any are initiated in the first annual cycle, will set important precedents for what constitutes an adequate safety plan and a compliant audit process, making early enforcement signals a critical monitoring priority.
AI Governance Weekly
Weekly intelligence on AI regulation, enforcement, and governance. Every Thursday.
