Public Policy & Governance

The UK government will now refer all water sector takeovers for mandatory national security screening, while simultaneously removing commercially available AI systems from the mandatory investment screening list, according to Financial Times. This dual-track approach represents a significant policy articulation distinguishing physical infrastructure risks from technology sector oversight. The move comes as part of a broader government initiative to reduce regulatory burden on technology investment while tightening controls on strategic physical assets. Water sector screening had previously been discretionary, but concerns over critical infrastructure vulnerability — particularly following repeated cyber incidents and quality failures — have prompted mandatory review.

The removal of commercial AI from screening suggests the government is attempting to signal openness to AI investment while maintaining control over genuinely sensitive capabilities. However, the policy creates ambiguity around what constitutes 'commercially available' versus custom or dual-use AI systems. Defence and intelligence AI applications presumably remain subject to screening, but the boundary is not clearly delineated in available reporting. This distinction matters as companies increasingly offer both commercial and bespoke AI services, and as foundation models trained for civilian use are routinely adapted for sensitive applications. The policy adjustment appears designed to address investor concerns about regulatory friction in AI development, but may create implementation challenges for the Investment Security Unit tasked with making case-by-case determinations.

Eleven African governments have collectively spent over $2 billion acquiring Chinese-built AI-powered mass surveillance infrastructure, including facial recognition systems and tracking technology, according to a new report cited by The Guardian. Human rights and technology experts characterise the deployments as 'invasive' and warn they violate citizens' privacy rights while producing chilling effects on civil society activity. The report — timing and authoring organisation not specified in available coverage — represents the first comprehensive accounting of surveillance infrastructure investment across the continent, revealing a pattern of technology transfer that has received minimal legislative oversight or public consultation in recipient countries.

The systems predominantly involve Chinese vendors and technology platforms, suggesting these deployments are part of broader technology export relationships rather than procurement from diverse international suppliers. This raises questions about interoperability, data sovereignty, and whether surveillance capabilities are bundled with other infrastructure projects under frameworks like the Belt and Road Initiative. Critically, the report's authors assert that surveillance measures are not 'necessary or proportionate' — invoking language from international human rights frameworks that require justification for rights limitations. However, no specific enforcement mechanisms or international accountability processes are identified in available reporting, indicating these systems operate in a governance vacuum where domestic checks are weak and international norms lack enforcement.

UK communications regulator Ofcom has formally requested Instagram, Snapchat, TikTok, YouTube, and Roblox to strengthen age verification systems for users under 13, according to BBC News. The regulator stated these platforms are not 'putting children's safety at the heart of their products' — unusually direct language indicating Ofcom may be preparing enforcement action under the Online Safety Act. This marks the transition from rule-making to active regulatory enforcement, as Ofcom moves beyond consultation to demanding concrete compliance measures. The timing is significant: the Online Safety Act's children's safety provisions came into force for the largest platforms in late 2025, meaning companies have had several months to implement required protections.

The demand for 'tougher' age checks suggests Ofcom has determined current verification methods are insufficient, though specific technical requirements are not detailed in available reporting. Age verification remains technically and politically contentious, with industry arguing that effective verification requires collecting additional personal data or implementing government identification checks that themselves raise privacy concerns. Australia recently implemented a social media age ban for under-16s, and Bloomberg reports teenagers are circumventing those restrictions using VPNs and by deceiving age verification systems. This demonstrates the enforcement challenges Ofcom will face even if it mandates stricter technical measures. The UK regulator has enforcement powers including substantial fines, but this is the first major test of whether the Online Safety Act's regulatory architecture can compel behavioural change from dominant platforms.

UK fraud cases reached a record 444,000 in 2025, driven substantially by criminals using AI technology to execute account takeover scams at what fraud prevention organisation Cifas characterises as 'industrialised' levels, according to The Guardian. The fraud prevention body, which maintains the UK's national fraud database, specifically identified AI tools as enabling large-scale deception through automated targeting of mobile, banking, and online shopping accounts. The characterisation of fraud as 'industrialised' suggests criminal operations have moved beyond individual scam attempts to systematic, automated exploitation of identity verification and authentication systems.

AI is reportedly being used to enhance multiple fraud vectors: generating convincing phishing content, automating credential stuffing attacks against accounts with reused passwords, creating synthetic identities that pass initial verification checks, and potentially defeating voice-based authentication through deepfake audio. Separately, The Guardian reports authors are being targeted by AI-powered accounts promising exposure and reviews, while another Guardian article details publishing scams using AI to automate literary fraud operations. The fraud ecosystem is clearly adapting AI tools faster than defensive measures are being implemented. Cifas has no regulatory authority — it is an industry membership organisation — meaning its findings carry weight for identifying trends but do not trigger direct enforcement action. The scale of reported fraud suggests existing authentication and verification systems designed for human-speed attacks are failing against AI-accelerated operations.