June 23, 2026
ISO 42001 and the Evidence Problem: Why Good Intentions Don't Survive an AuditWhen an AI system decides something about a person, a loan declined, an application screened out, a claim flagged, a price set, the organisation deploying that system is accountable for the decision, not the software. Accountability cannot be delegated to a system that cannot itself be held to account, so it always lands on a person or an organisation. The only real question is whether you decided in advance where it lands, with the controls and evidence to support that, or whether you will discover it after the fact, in an incident review or a regulator's enquiry, in the least convenient way. This article is about closing that gap deliberately, and about why UK law made the question more urgent in February 2026, not less.
The accountability question used to be easier to avoid, because AI mostly advised and people mostly decided. The model produced a recommendation, a human read it, the human chose, and accountability sat with the human in the obvious place. Autonomous and automated systems remove that comfortable arrangement. The system perceives, decides, and acts, often across several steps, without a person endorsing each one. The decision still gets made. The accountability for it can quietly go missing.
We call this the ownership gap, and it is distinct from any technical shortcoming. A system can be accurate, well-tested, and properly integrated, and the ownership gap can still be wide open, because ownership is not a property of the model. It is a property of the organisation around it. It is the answer to a question the model cannot answer for you: when this system acts, whose name is under the outcome?
The gap opens through entirely reasonable steps. A team builds a system to handle a repetitive decision. It works. They scale it. The volume that made automation attractive means no human now reviews individual cases. The people who built it move on. The business owner assumes the risk team has it; the risk team assumes it was signed off at deployment; the sign-off, if it happened, covered the pilot, not the production system that has since been modified twice. Nobody decided to abandon accountability. It dissolved through ordinary organisational drift. Then something goes wrong, and the honest answer to who owns this is that nobody quite does.
There is a temptation, when a system acts autonomously, to treat the autonomy as the explanation. The AI made the call. No regulator, court, board, or wronged customer accepts software as the accountable party. The accountability lands on a human or the organisation regardless, which is precisely why deciding in advance where it lands is not a nicety but a control.
The regulatory direction makes this concrete on two fronts. Under the EU AI Act, high-risk systems must enable effective human oversight, which read properly is a requirement that a human remains accountable and able to intervene even when the system runs autonomously. And in the UK, the rules on automated decisions were not loosened in a way that removes accountability; they were loosened in a way that shifts the burden onto operational safeguards.
This is the part many organisations have not absorbed. On 5 February 2026, the Data (Use and Access) Act 2025 replaced Article 22 of the UK GDPR with new Articles 22A to 22D, and inverted the default for solely automated decisions that have legal or similarly significant effects on people.
Under the old Article 22, the default was prohibition: you generally could not make such decisions by purely automated means unless a narrow exception applied, such as explicit consent, contractual necessity, or legal authorisation. Under the new Article 22C, for decisions based on ordinary, non-special-category personal data, the default is permission subject to safeguards. You may make significant automated decisions on a wider range of lawful bases, including legitimate interests, provided you implement and document specific safeguards. Decisions based wholly or partly on special category data, under Article 22B, remain more tightly restricted and generally require explicit consent or another condition.
The safeguards are the point, and they are operational, not documentary. The controller must give the individual information about the decision, allow them to make representations about it, provide a route to obtain meaningful human intervention, and allow them to contest the decision. Article 22A defines a decision as solely automated where there is no meaningful human involvement, and a token rubber-stamp does not count; the extent of profiling must be considered. The Secretary of State has reserved power under Article 22D to define meaningful human involvement more precisely, and the ICO has signalled guidance, but as the rules took effect, controllers were left to determine what counts as meaningful for their own processing.
The practical effect is counter-intuitive but important. The UK relaxed the rule, and in doing so made run-time accountability more demanding, not less. The legal protection now rests on safeguards that have to actually function in production: a real, exercisable right to human review, a working way to contest a decision, genuine transparency about decisions as they are made. A safeguard that exists only in a privacy notice is not a safeguard. It has to be operational, which makes it a run-time governance problem.
Closing the gap is a design decision, made before a system goes live, because afterwards is too late and drift has already begun. A useful discipline is to refuse to deploy any consequential AI system until you can answer a short set of questions cleanly.
Who is the named owner of this system's behaviour, by role rather than by committee? A system owned by everyone is owned by no one. What is this system permitted and explicitly not permitted to do? An unwritten boundary is not a boundary. How does a human exercise oversight in practice, not in principle: which decisions can be reviewed, how a person actually intervenes, how an affected individual contests an outcome and reaches a human who can change it? How would you reconstruct what the system did and why, after the fact, with evidence rather than recollection? And when the system changes materially, who re-confirms all of the above, because ownership decays silently as systems are modified?
These are not bureaucracy. The first three are now, for many UK decisions, the substance of a legal safeguard. The fourth is what lets you prove the safeguard worked. The fifth is what stops it lapsing. Answered well, they turn an autonomous system from a liability you are quietly carrying into a capability you can stand behind.
The organisations that deploy automated and agentic decision-making with confidence are not the ones that trust their systems more. They are the ones that have decided, deliberately and in advance, exactly who is accountable for what those systems do, and have built the oversight, the human-intervention routes, and the evidence that make that accountability real rather than nominal.
That is the uncomfortable truth at the centre of automated decision-making. The technology offers to take the decision off your hands. The accountability for it stays firmly in them, and UK law now expects you to prove, in production, that a person can step back in when it matters. Owning that on purpose, before deployment, is what lets you grant autonomy without losing control.
Who is legally accountable for an AI decision?The organisation deploying the system, and the accountable individuals within it, not the AI. Accountability cannot rest with software. UK and EU rules both require that a human remains responsible and, for significant decisions, able to intervene.
What changed for automated decision-making in the UK in 2026?On 5 February 2026 the Data (Use and Access) Act 2025 replaced Article 22 UK GDPR with Articles 22A to 22D. For significant decisions on ordinary personal data, the default shifted from prohibition to permission subject to safeguards: information, representations, a right to human intervention, and a right to contest. Special category data remains more restricted.
What is meaningful human involvement?A decision is solely automated where there is no meaningful human involvement, and a token review that simply rubber-stamps the machine does not qualify. Meaningful involvement requires a human with genuine authority and information to alter the decision. UK guidance on the precise threshold was still developing as the rules took effect.
How do you build accountability into an AI system?By assigning a named owner before deployment, documenting what the system may and may not do, building exercisable human-oversight and contest routes that work in production, maintaining an evidence trail of decisions and interventions, and re-confirming all of it whenever the system materially changes.
Our in-person governance clinics take a real system you are deploying and close the ownership gap before it closes itself on you, including the operational safeguards now required for automated decisions. Aligne is an AI governance advisory and implementation partner for UK enterprises and a run-time governance specialist.
Stay Informed: Engage with our Blog for Expert Analysis, Industry Updates, and Insider Perspectives



let’s design the governance framework your AI strategy deserves
.webp)
Let's Talk