Managing AI risks in surveying

Surveyors UK Avatar

Surveyors UK

  • Technology & AI

The UK has no AI law, and it has chosen not to write one.

Instead of a dedicated statute, the country set out its thinking in a 2023 white paper, “A pro-innovation approach to AI regulation”. It established five cross-sectoral principles and asked the regulators we already have to apply them within their own remits. Those five principles are safety, security and robustness, appropriate transparency and explainability, fairness, accountability and governance, and contestability and redress.

For a surveying firm, that is a map. Your AI risk does not sit in one place. It is spread across the law these principles draw on, with the RICS Professional Standard, mandatory since 9 March 2026, sitting on top and asking you to manage the risk in writing.

I have taken each of the five principles in turn, set out three risks that live under it, and show where each risk connects to law. If risk registers are new to you, the section after that explains the language plainly.

Safety, security and robustness

This principle asks that AI systems work reliably and securely, and do not cause harm through failure or attack.

  • Erroneous output. A tool produces something confident and wrong, and someone acts on it. This engages the duty of care you already owe your client, and the accuracy principle of the UK GDPR where the output is personal data. The 2025 court rulings against lawyers who cited fake AI-generated cases show how directly it now lands.
  • AI-specific cyber attack. Prompt injection, data poisoning and model compromise are new attack surfaces that traditional security does not cover. The National Cyber Security Centre guidelines for secure AI development set the expectation, and a resulting breach engages the security duty under the Data Protection Act 2018.
  • Unreliable performance. A tool that passed early testing degrades in live use, or was never fit for the task in the first place. The RICS standard’s due diligence and fitness-for-purpose testing requirement addresses this, alongside the same professional duty of care.

Appropriate transparency and explainability

This principle asks that you can see how a system works and explain the decisions it informs.

  • Unexplainable decisions. You cannot tell a client or a regulator how an AI-influenced output was reached. The UK GDPR rights to information in Articles 13 to 15 apply where personal data is involved, and the ICO and Alan Turing Institute guidance, “Explaining decisions made with AI”, sets the benchmark. RICS Section 4.4 requires you to explain on request.
  • Undisclosed AI use. The client does not know AI played a part in their service. RICS Section 4.3 requires disclosure in writing and in advance, and concealing it risks misleading the client.
  • Opaque vendor models. You are relying on a tool whose workings the supplier will not necessarily reveal. RICS vendor due diligence in Section 4.1 requires you to ask, in writing, and to record the gaps where answers do not come back.

Fairness
This principle asks that AI does not produce unjust or discriminatory outcomes.

  • Discrimination. Outputs disadvantage people with protected characteristics. The Equality Act 2010 applies, enforced by the Equality and Human Rights Commission, and the firm using the tool carries the liability, even where a vendor built it.
  • Unfair automated decisions. A decision with a legal or similarly significant effect is made by automated means without safeguards. The UK GDPR, as amended by the Data (Use and Access) Act 2025, requires you to inform the person, allow them to make representations, provide meaningful human intervention and let them contest the outcome.
  • Skewed training data. The data behind a tool is incomplete or unrepresentative, and the results come out distorted. This is one of the four risks the RICS standard requires you to record, and it can amount to indirect discrimination under the Equality Act.

Accountability and governance
This principle asks that someone owns the AI and can demonstrate control over it.

  • No responsible person. Nobody in the firm owns AI decisions. RICS Section 3.2 requires a named responsible person, and the UK GDPR accountability principle requires you to demonstrate compliance and show the evidence for it.
  • Shadow AI. Staff use tools the firm has never approved or recorded. This breaches the policy and approved-tool-list requirement in the standard, and risks unlawful processing of personal data under data protection law.
  • No human oversight. Outputs reach the client without a competent person reviewing and signing them off. RICS Section 4.2 requires a named qualified surveyor to take responsibility, with dip sampling permitted for high-volume use.

Contestability and redress
This principle asks that people can challenge AI outcomes and seek a remedy.

  • No route to challenge. A client cannot question a decision the firm reached with AI. RICS Section 4.3 requires your terms of engagement to set out both an internal contest process and a redress process.
  • No complaints handling. The firm has no process for an AI-related complaint. From 19 June 2026 the Data Protection Act requires every data controller to operate a complaints process, acknowledge a complaint within 30 days and respond without undue delay.
  • No way to put it right. A wrong AI-driven outcome cannot be corrected or reversed. The UK GDPR right to rectification applies to inaccurate personal data, and your professional duty requires you to communicate and remedy an unreliable conclusion.

What the RICS standard requires of your risk register
The standard takes this wider landscape and turns it into a single obligation you can act on. Under Section 3.3, any RICS-regulated firm using AI that has a material impact on the delivery of surveying services must create and operate a risk register.

The register has to document four overarching risks: inherent bias in the system and its outputs, erroneous outputs, limitations in the quantity and quality of information available about the system and its training data, and retention or use of the data your firm inputs.

For each risk, the standard asks for six things:

  • a description of the risk
  • its likelihood and likely impact
  • the plan to mitigate and manage it
  • the risk appetite of the firm
  • regular updates on status and progress
  • a categorisation using a red, amber, green rating, or a similar method

The register must be reviewed at least quarterly by whoever in the firm is responsible for AI decisions. This is mandatory, and there was no transition period.

The language of risk
If this vocabulary is new, the terms are simpler than they sound.

A risk is something that could go wrong and affect your firm or your client. Likelihood is how probable it is. Impact is how serious the consequence would be if it happened. You weigh the two together, because a small chance of a severe outcome and a high chance of a minor one call for different responses. A standard way is to score the Likelihood and Impact from 1-5. So a high likelihood of 5 and an impact of 5 = 25. Red rating.

 

A red, amber, green rating is shorthand for that judgement. Red is serious and needs action now. Amber means watch it and control it. Green is tolerable for the moment. Risk appetite is how much risk the firm is willing to carry, and a small residential firm and a large commercial one will draw that line in different places.

Once a risk is on the register, you have four ways to respond:

  • accept it, where the risk sits within your appetite and you choose to carry it
  • mitigate it, where you put controls in place to reduce the likelihood or the impact
  • transfer it, where you move the risk elsewhere, for example through professional indemnity cover
  • avoid it, where you stop doing the thing that creates the risk

Most AI risks in a surveying firm will be mitigated. You keep using the tool, and you put oversight, training and sign-off around it so a wrong output is caught before it reaches a client.

Where this sits

The risk register is the R in the GUARD Framework I built to map the RICS standard requirement by requirement. I mention it only to place the register in context. The register is part of your AI governance, and managing risk well is a discipline in its own right, long before any framework is involved.

I spent a decade in risk management, governance and compliance in my early career as a Chartered Accountant running risk workshops for leadership teams, building risk-based internal audit programmes, and leading compliance and governance work for corporates and regulated firms. I also undertook the Certified Information Security Management Qualification (CISM). That is the lens I bring to AI, and it is why I stay calm amid the noise around it. With AI I take a balanced, pragmatic view. I see both risks and opportunities.

AI is moving faster than the guidance; your employees are already using tools the firm has not approved, and vendors are selling solutions without explaining how they meet the standard. A risk register will not make that pressure disappear. It will give you a clear, defensible record of the risks you saw and the decisions you made, which is exactly what the standard and your client will expect to see.

Start there. The rest is easier once the risks are written down.

AI in Surveying goes out every Monday. Signing up gives you access to the content, tools and resources I only share by email, written for firms working through the RICS standard without a compliance team. Join at https://surveyors-uk.kit.com/aisurveying.

If you would rather not start your risk register from a blank page, this is the workshop I built for exactly that. It walks through the RICS standard requirement by requirement, structured around the five GUARD pillars: governance, use, accountability, risk, and documentation.

Everyone who attends leaves with a compliance starter toolkit, and the risk register template is part of it. The four overarching risk categories from the standard are already set out, with the six required fields in place and worked examples included, so you begin from a working structure and shape it to your firm.

The toolkit also includes:

  • vendor due diligence questionnaires
  • client disclosure wording
  • the full session slides as a PDF

Learn more here

The live workshop is £79 plus VAT and runs for an hour and a half, with time for your questions at the end. It counts as formal CPD. If you would prefer it delivered privately to your team, I run the same session for individual firms on request.

You can book a place, or ask about a private session for your firm, on the GUARD workshop page.

As always, thank you for reading and following 🙂

Nina Young

Nina Young

Founder & CEO, Surveyors UK

What's new