Ofcom’s 2026/27 AI Strategy: What it means for the sectors it regulates

Ofcom published its updated Strategic Approach to AI and there’s a lot to unpack, both for businesses operating in Ofcom-regulated sectors and for anyone watching how the UK's regulatory landscape around AI is developing.

The headline position

Ofcom’s starting point is that regulation should be technology-neutral and outcomes-focused, which in practice envisions companies in the sectors it regulates (broadcasting, telecoms, online platforms) being free to deploy AI as they see fit, provided they can do so within existing regulatory obligations. That said, the report is clear that this flexibility has limits. Where AI creates or amplifies harm (and particularly where market mechanisms can't address that harm) Ofcom will act – as it has already demonstrated.

Where Ofcom has already moved

The report references two significant actions in the past year:

1. Ofcom coordinated with the AI Security Institute and the National Cyber Security Centre after Anthropic's preview of Claude Mythos caused widespread concern about frontier AI's cybersecurity implications.
2. Ofcom became the first national regulator to launch a formal investigation into X's Grok chatbot.

Such examples show that Ofcom is willing to use its existing powers in novel contexts rather than waiting for bespoke AI legislation to catch up.

Deepfakes remain a significant concern

The report spends real time on deepfakes:

• Over one in five internet users now report encountering fake or deceptive images or videos online – a figure Ofcom treats as a live problem, not an emerging one.
• Its Deepfake Defences research programme has been examining a range of technical mitigation techniques, including watermarking, and the limitations of those techniques (watermarks, it turns out, are more removable than you might imagine). The findings are feeding directly into a draft Fraudulent Advertising Code of Practice, which is due for consultation this summer.

For online services in scope of the Online Safety Act, Ofcom is preparing for new enforcement responsibilities under the Crime and Policing Act and the Schools and Children's Wellbeing Act, both of which have AI-relevant provisions.

Agentic AI

The report's annex on agentic AI use cases across Ofcom's regulated sectors identifies various use cases: autonomous content moderation, network optimisation and customer service chatbots. Whilst most of these use cases are either still at pilot stage or still theoretical, Ofcom’s overarching concern is accountability; agentic systems that make consequential decisions without direct human intervention create "black box" problems that are hard to resolve within existing frameworks.

That's a tension the DRCF (Digital Regulation Cooperation Forum, of which Ofcom is a founding member alongside the ICO, CMA and FCA) spent much of last year looking at. Their joint work on agentic AI sets some useful groundwork, though further regulatory guidance in this space seems likely within the next twelve months.

The Telecoms Sector

There are two specific workstreams that telecoms companies will want to track:

1. Ofcom is currently gathering input from TSA-regulated operators on how AI is being used in cybersecurity, and specifically whether existing regulatory requirements are creating unintended barriers to AI adoption. That engagement closes in the coming months, and the findings will inform policy development.
2. Separately, Ofcom is investigating how networks might need to evolve to support AI applications at scale. 

Broader observations

Perhaps the most notable aspect of the report is the tone. Rather than seeking to hold back innovation, Ofcom comes across as a regulator that wants to support it, whilst recognising the need to be prepared when things go wrong. Its investigation into Grok and its coordination efforts around Mythos both suggest a willingness to act quickly when it believes intervention is necessary.

For businesses operating in regulated sectors, the message is fairly clear – Ofcom is not requiring organisations to seek permission before deploying AI systems, but it is paying close attention. It has the regulatory powers to intervene where needed and is steadily building the technical expertise required to exercise those powers effectively.

If you would like to discuss how current or future regulations impact what you do with AI, please contact Tom Whittaker, Brian Wong, Lucy Pegler, Martin Cook or any other member in our Technology team.  For the latest on AI law and regulation, see our blog and newsletter.