Resource
AI Management Essentials
A plain-English guide to the UK government's AI Management Essentials framework — what each of its 10 stages means, and a free self-check that turns it into a practical picture of where your business stands.
Developing
AI management · 10/10 areas
Top focus areas
- Fairness0%
- Data management0%
- Issue reporting0%
A sample of the report you’ll get — click through the examples.
The 10 stages, in plain English
AIME groups 54questions into 10 areas, under three themes. Here’s what each area is really asking — and what good looks like for a smaller business.
Internal processes
| Area | What it covers | What good looks like | Why it matters |
|---|---|---|---|
01AI system record | Keeping a simple, living inventory of every AI system your business builds or uses — including the tools your team has quietly started using. | A single, maintained list (even a spreadsheet) covering all your AI systems, with a routine for adding new ones and a review at least twice a year. | You can't govern what you can't see. A record is the foundation everything else in AIME builds on. |
02AI policy | A written AI policy that sets the ground rules: what AI may be used for, who is responsible, and how to judge whether a given use is appropriate. | A short, accessible policy every employee can find, that names owners and helps people decide when AI is and isn't the right tool. | Without a policy, AI decisions get made ad hoc by whoever happens to be in the room — which is where most avoidable risk creeps in. |
03Fairness | Making sure AI systems that affect people directly — decisions about them, their personal data, or tools they use — are fair. | Clear definitions of what fairness means for each system, ways to detect unfair outcomes, and a routine to monitor and correct them. | Unfair automated outcomes carry legal, reputational and human cost. This only applies if your AI touches individuals — but when it does, it matters a lot. |
- What it covers
- Keeping a simple, living inventory of every AI system your business builds or uses — including the tools your team has quietly started using.
- What good looks like
- A single, maintained list (even a spreadsheet) covering all your AI systems, with a routine for adding new ones and a review at least twice a year.
- Why it matters
- You can't govern what you can't see. A record is the foundation everything else in AIME builds on.
- What it covers
- A written AI policy that sets the ground rules: what AI may be used for, who is responsible, and how to judge whether a given use is appropriate.
- What good looks like
- A short, accessible policy every employee can find, that names owners and helps people decide when AI is and isn't the right tool.
- Why it matters
- Without a policy, AI decisions get made ad hoc by whoever happens to be in the room — which is where most avoidable risk creeps in.
- What it covers
- Making sure AI systems that affect people directly — decisions about them, their personal data, or tools they use — are fair.
- What good looks like
- Clear definitions of what fairness means for each system, ways to detect unfair outcomes, and a routine to monitor and correct them.
- Why it matters
- Unfair automated outcomes carry legal, reputational and human cost. This only applies if your AI touches individuals — but when it does, it matters a lot.
Managing risks
| Area | What it covers | What good looks like | Why it matters |
|---|---|---|---|
04Impact assessment | Thinking through, and writing down, how an AI system could affect individuals, society and the environment — before and during use. | A lightweight impact-assessment habit covering legal/life impacts, wellbeing and wider effects, with impacts documented and shared with those affected. | Impacts you've named are impacts you can manage. Surprises after launch are far more expensive than foresight before it. |
05Risk assessment | Identifying, comparing and treating the risks your AI systems create, and monitoring them in use. | Consistent risk assessments measured against your risk appetite, live monitoring for errors and drift, repair processes, and a defined point at which you'd switch a system off. | This is the core of responsible AI management — knowing your risks, prioritising them, and having a plan when something goes wrong. |
06Data management | Looking after the data you use to train or fine-tune your own AI — its origin, quality, completeness and the contracts around it. | Documented data provenance and preparation, quality and representativeness checks, and written contracts with anyone processing personal data for you. | Models are only as good — and as fair — as their data. This mostly applies if you build or fine-tune your own systems. |
07Bias mitigation | Actively reducing harmful or unfair bias, both in your own data and in third-party AI you buy or build on. | Concrete bias-mitigation steps, records of what off-the-shelf systems were trained on, due diligence on suppliers, and a handle on relevant regulation. | Bias is the most common way AI causes unintended harm — and 'we just bought it' is not a defence. |
08Data protection | A 'data protection by design and default' approach across your AI — security, breach handling and DPIAs. | Appropriate security measures, a breach record, breach reporting to those affected, routine DPIAs for high-risk uses, and protection from third-party interference. | AI often concentrates personal data, which raises the stakes under UK GDPR. Getting the basics right protects your customers and your business. |
- What it covers
- Thinking through, and writing down, how an AI system could affect individuals, society and the environment — before and during use.
- What good looks like
- A lightweight impact-assessment habit covering legal/life impacts, wellbeing and wider effects, with impacts documented and shared with those affected.
- Why it matters
- Impacts you've named are impacts you can manage. Surprises after launch are far more expensive than foresight before it.
- What it covers
- Identifying, comparing and treating the risks your AI systems create, and monitoring them in use.
- What good looks like
- Consistent risk assessments measured against your risk appetite, live monitoring for errors and drift, repair processes, and a defined point at which you'd switch a system off.
- Why it matters
- This is the core of responsible AI management — knowing your risks, prioritising them, and having a plan when something goes wrong.
- What it covers
- Looking after the data you use to train or fine-tune your own AI — its origin, quality, completeness and the contracts around it.
- What good looks like
- Documented data provenance and preparation, quality and representativeness checks, and written contracts with anyone processing personal data for you.
- Why it matters
- Models are only as good — and as fair — as their data. This mostly applies if you build or fine-tune your own systems.
- What it covers
- Actively reducing harmful or unfair bias, both in your own data and in third-party AI you buy or build on.
- What good looks like
- Concrete bias-mitigation steps, records of what off-the-shelf systems were trained on, due diligence on suppliers, and a handle on relevant regulation.
- Why it matters
- Bias is the most common way AI causes unintended harm — and 'we just bought it' is not a defence.
- What it covers
- A 'data protection by design and default' approach across your AI — security, breach handling and DPIAs.
- What good looks like
- Appropriate security measures, a breach record, breach reporting to those affected, routine DPIAs for high-risk uses, and protection from third-party interference.
- Why it matters
- AI often concentrates personal data, which raises the stakes under UK GDPR. Getting the basics right protects your customers and your business.
Communication
| Area | What it covers | What good looks like | Why it matters |
|---|---|---|---|
09Issue reporting | Giving employees, users and outsiders a real way to report when an AI system fails or causes harm — and acting on it. | Accessible reporting channels with anonymity/confidentiality options, a named owner for escalations, transparent and timely responses, and a documented trail. | The people closest to a problem usually spot it first. A reporting route turns near-misses into fixes instead of headlines. |
10Third party communication | Telling the people who rely on your AI how to use it safely — through both technical and non-technical documentation. | Knowing what each audience needs, and providing technical docs (how it works, its limits) and non-technical docs (benefits, risks) in a format they understand. | Safe use depends on clear communication. Good documentation builds trust and reduces misuse. |
- What it covers
- Giving employees, users and outsiders a real way to report when an AI system fails or causes harm — and acting on it.
- What good looks like
- Accessible reporting channels with anonymity/confidentiality options, a named owner for escalations, transparent and timely responses, and a documented trail.
- Why it matters
- The people closest to a problem usually spot it first. A reporting route turns near-misses into fixes instead of headlines.
- What it covers
- Telling the people who rely on your AI how to use it safely — through both technical and non-technical documentation.
- What good looks like
- Knowing what each audience needs, and providing technical docs (how it works, its limits) and non-technical docs (benefits, risks) in a format they understand.
- Why it matters
- Safe use depends on clear communication. Good documentation builds trust and reduces misuse.
Is this still current?
Last reviewed June 2026
AI Management Essentials (AIME) was published for public consultation by the UK government's Department for Science, Innovation and Technology (DSIT) on 6 November 2024. It was aimed at SMEs and start-ups that find the wider landscape of AI standards hard to navigate.
Following the consultation, the government decided not to publish AIME as a finished tool, and it will not become a procurement requirement. DSIT signalled it would instead focus on simpler, SME-specific guidance. So the official product has effectively been shelved.
That does not make the thinking behind it wrong. AIME distils widely-recognised AI-governance principles — drawn from ISO/IEC 42001, the NIST AI Risk Management Framework and the EU AI Act — into 10 practical areas. As a free, vendor-neutral baseline for a smaller business, it remains an excellent starting point. We've kept the questions faithful to the original and added the plain-English explanations and recommendations the government never published.
Built on principles from established standards:
ISO/IEC 42001
The international management-system standard for AI.
NIST AI Risk Management Framework
The US framework for identifying and managing AI risk.
EU AI Act
The EU's risk-based regulation of AI systems.
Free self-check · ~10 minutes
Where does your business stand?
Work through the 10 areas and get an instant maturity picture — your strengths, your priority gaps, and a practical next step for each, as a downloadable PDF report.
Start the self-check