How do UK companies report on AI adoption, risks and harms?

An observatory has been launched to track “AI-related risk, adoption, and third-party AI exposure across UK public-company annual reports” with a focus on Critical National Infrastructure (CNI) sectors.

The observatory is sponsored by the UK's AI Security Institute.  It is currently in beta - i.e. a near complete version which is in final testing phase - but provides a useful source and indicative information about not only how UK companies are reporting on these issues, but the underlying issues themselves.

What does the observatory cover?

The observatory:

• spans all annual reports published by all public companies in the UK (excluding those listed but not registered in the UK). The observatory focuses on annual reports because they are audited, structured and published on a consistent basis. In the view of the authors, this makes them a ‘reliable, high-signal source of information’. But the authors recognise the limitations - these are backward-looking, often with a ‘significant delay'. Further, that some CNI sectors have few public companies or suppliers represented, such as space and civil nuclear;
• covers the period 2020 and 2026, meaning there is coverage pre- and post- launch of Chat GPT;
• covers (at launch) 1,362 companies, comprising 9,821 filings;
• classifies the type of AI mention, including by harm, adoption, risk, vendor;
• with further sub-categories for adoption (e.g. traditional AI, LLM, agentic AI), risk (e.g. regulatory/compliance, cybersecurity), and vendor (e.g. specific third party, or internal).

What are some of the key findings?

According to Andrew Sutton who helped lead the research:

- AI risk mentions took off from 2023 and never looked back. From 3% of reports in 2020 to 67% in 2026 to date. Strategic pressures, cyber threats and operational risks are the top risks disclosed.
- as mentions become more frequent, they have also become more generic
- disclosure varied a lot between sectors: reflecting different risk profiles or different attitudes to disclosure?
- just seven reports disclosed an actual AI-related harm.
- Microsoft is the most-mentioned AI vendor, but with firms increasingly mentioning self-developed systems.

The full dashboard is here and includes useful trend charts and sector heatmaps, such as those below.
Note that the observatory explains ‘publication year’ as follows: 

Years on the x-axis reflect when the report was filed or published, not the end of the company's fiscal year. A report covering fiscal year 2021 but published in April 2022 will appear under 2022. This is consistent across the entire dataset.

This appears to mean that figures in 2026 reflect the year a company's accounts were published, which may relate to a company's accounts for 2025. Consequently, there is a lag in the data. Further information is available in the dashboard and methodology.

If you would like to discuss how current or future regulations impact what you do with AI, please contact Tom Whittaker, Brian Wong, Lucy Pegler, Martin Cook, Liz Griffiths or any other member in our Technology team.  For the latest on AI law and regulation, see our blog and newsletter.

Citation: AI Risk Observatory Dataset (v1.0), AI Security Institute, April 2026.