Ofcom's Strategic Approach to AI, 2026/27

Ofcom published its annual strategic approach to AI document setting out how the UK's converged communications regulator will govern AI across its sectors for 2026/27. The document responds to the UK Government's request for regulators to demonstrate support for the AI Opportunities Action Plan and discloses that 'over half of adults (54%) report using AI tools such as ChatGPT, Copilot, or Gemini — a rapid increase compared to the 31% of adults who said the same in 2024.' Substantively, the document covers Ofcom's work on deepfake defences, its coordination with AISI and NCSC following the release of Claude Mythos, the first formal regulatory investigation into X's Grok chatbot, and preparatory work for new data centre oversight responsibilities under the Cyber Security and Resilience Bill. An annex maps current and anticipated agentic AI use cases across Ofcom's regulated sectors (broadcast, telecoms, postal, online safety). The report is explicit that 'AI Security Institute's evaluation of AI cyber capabilities found that models were capable of completing expert-level tasks (typically requiring 10+ years of experience) in 2025, up from apprentice-level (less than a year of experience) in 2023' — signalling that Ofcom's 2026/27 work programme is calibrated around frontier cyber risk, not just consumer harms.

For enterprises operating in UK communications, media, or online services, this document signals Ofcom's enforcement and oversight priorities for the coming year: agentic AI governance, deepfake defences, AI-enabled cyber threats, and incoming data-centre oversight powers. It also establishes that a major national regulator is now explicitly synchronising its work programme with AISI's frontier capability evaluations — a governance integration model other regulators will likely follow.

UK-regulated communications, media, and online-service businesses should map Ofcom's stated 2026/27 AI priorities — agentic AI governance, deepfake defences, and forthcoming data-centre regulation — against current compliance postures and flag any gaps to legal and regulatory affairs teams before Q3.