Legal Guidance

Is an AI-Generated Risk Assessment Legally Valid in the UK?

Yes — if it reflects actual workplace conditions and is signed off by a responsible person. UK law regulates the content and suitability of risk assessments, not the tool used to create them.

Let's go
AI-generated risk assessment legal validity

An AI-generated risk assessment is legally valid in the UK if it meets the same standard as any other risk assessment: it must be suitable and sufficient under Regulation 3(1) of the Management of Health and Safety at Work Regulations 1999, it must be based on actual workplace conditions, and it must be reviewed and signed off by a competent person. UK health and safety law does not prescribe how a risk assessment must be produced — only what it must contain and what decisions it must support.

What the Law Actually Requires

The legal duty to carry out risk assessments is set out in Regulation 3(1) of the Management of Health and Safety at Work Regulations 1999 (MHSWR 1999). It requires every employer to make a suitable and sufficient assessment of the risks to the health and safety of employees and others affected by their work. Regulation 3(6) requires employers with five or more employees to record the significant findings in writing.

Nowhere in MHSWR 1999, or in any other UK health and safety statute, is there a requirement that a risk assessment must be handwritten, must be typed manually, or must be created using any particular tool or method. The law is outcome-focused: what matters is whether the assessment identifies the significant risks, enables the employer to prioritise control measures, and remains valid for the work being assessed.

This is consistent with HSE guidance, which has always emphasised that risk assessments should be proportionate and practical. HSE explicitly states that risk assessments do not need to be perfect — they need to be suitable and sufficient. An AI-generated document that accurately describes the hazards, identifies the relevant regulations, applies the hierarchy of controls correctly, and is based on a genuine description of the work is no less valid than one produced manually.

The 'Suitable and Sufficient' Standard

The phrase 'suitable and sufficient' appears in MHSWR 1999 Regulation 3(1) but is not defined in the legislation. HSE guidance and case law establish that a suitable and sufficient risk assessment must:

The final point is critical. A risk assessment that uses generic, template language such as "slips and trips may occur" without specifying the surfaces involved, the cleaning regime, the footwear required, or the lighting conditions is unlikely to meet the suitable and sufficient standard — regardless of whether it was produced by hand, by template, or by AI. Conversely, an AI-generated assessment that names the specific floor type, describes the actual cleaning procedure in place, identifies who is responsible, and references the relevant regulatory standard can be entirely suitable and sufficient.

What makes a risk assessment legally valid is not the method of production but whether it demonstrates a genuine, informed evaluation of the actual risks present in a specific workplace.

The Responsible Person Requirement

UK health and safety law requires that risk assessments are carried out by, or under the supervision of, a competent person. Regulation 7 of MHSWR 1999 requires every employer to appoint one or more competent persons to assist in undertaking the measures needed to comply with health and safety law. A competent person is defined as someone with sufficient training, experience, knowledge, or other qualities to enable them to properly assist.

In practice, this means that an AI tool can assist in the production of a risk assessment, but a human being must take responsibility for reviewing it, confirming it reflects actual site conditions, and signing it off. The competent person must:

This is no different from the duty placed on an employer who uses a pre-written template or who commissions an external consultant to write a risk assessment. The employer cannot delegate the legal responsibility — only the task of drafting the document.

Why AI-Generated Assessments Can Be More Suitable Than Templates

Many businesses currently rely on downloaded templates or example risk assessments that were written for a different workplace, a different industry, or a different set of circumstances. These are routinely criticised by HSE inspectors for being too generic. The problem is not that they were produced by someone else — it is that they do not reflect the specific hazards and controls relevant to the employer using them.

A properly designed AI system, by contrast, generates an assessment based on a detailed description of the actual work activity. When a user describes the task, the location, the people involved, the equipment being used, and any known hazards, the AI can produce a document that references those specific details. The assessment describes the actual floor type in the actual building, the actual equipment brand and model, the actual cleaning regime that is followed, and the actual PPE that is issued.

This specificity is precisely what makes a risk assessment suitable and sufficient. An AI-generated assessment that incorporates site-specific information provided by the user is materially more compliant than a generic template downloaded from the internet and filled in with minimal thought.

What Makes an AI-Generated Assessment Legally Defensible

For an AI-generated risk assessment to be legally defensible in the event of an HSE investigation, a civil claim, or a prosecution, it must satisfy the following tests:

1. It must be based on accurate input data

The person using the AI tool must provide an honest, detailed description of the work activity and the workplace. An assessment generated from incomplete or inaccurate information will fail the suitable and sufficient test regardless of how sophisticated the AI is.

2. It must be reviewed and approved by a competent person

The output from the AI cannot be used without human oversight. The responsible person must read the entire document, verify that it matches the real-world conditions, and confirm that the control measures are appropriate and will be implemented.

3. It must identify the significant hazards

A defensible risk assessment does not need to list every conceivable hazard — but it must identify the significant risks that a reasonable employer would recognise. If the AI misses an obvious hazard because the user did not describe it, that is a failing of the input process, not the tool.

4. It must apply the hierarchy of controls correctly

Under MHSWR 1999 Schedule 1, control measures must follow the hierarchy: elimination, substitution, engineering controls, administrative controls, and finally personal protective equipment. An AI-generated assessment that defaults to PPE without considering higher-order controls will not meet the legal standard.

5. It must cite relevant legal requirements

A legally defensible risk assessment references the specific regulations that apply to the activity being assessed. For example, a manual handling assessment should reference the Manual Handling Operations Regulations 1992; a COSHH assessment should reference the Control of Substances Hazardous to Health Regulations 2002. An AI system that incorporates this knowledge produces a stronger, more defensible document than a generic template.

6. It must be implemented

The most common failing in UK health and safety is not the quality of the written risk assessment but the failure to implement its findings. A perfect AI-generated document is worthless if the control measures it identifies are not put in place. The responsible person must ensure that training is delivered, equipment is purchased, procedures are followed, and monitoring takes place.

HSE Enforcement Position

HSE does not have a published policy specifically on AI-generated risk assessments, but its general enforcement position is clear: inspectors assess whether a risk assessment is suitable and sufficient, not how it was created. During an inspection, an HSE inspector will ask to see the risk assessment, will compare it to the actual workplace conditions, and will question whether the employer has genuinely thought through the risks and controls.

If the assessment is clearly generic — using boilerplate language that could apply to any workplace — the inspector will issue an improvement notice regardless of whether it was handwritten, typed, or AI-generated. If the assessment is specific, accurate, and demonstrates that the employer has identified and controlled the significant risks, the inspector is unlikely to challenge it on the basis that AI was involved in its production.

What HSE does challenge is the practice of downloading a template risk assessment from the internet, changing the company name, and claiming it as compliance. This practice fails because the assessment does not reflect the specific workplace. An AI-generated assessment based on detailed user input is the opposite of this — it is a bespoke document tailored to the described activity.

Case Law and Precedent

There is no reported case law in the UK that specifically addresses the validity of AI-generated risk assessments. However, case law on the suitable and sufficient standard provides useful guidance. In cases such as R v Porter (2008) and R v Tangerine Confectionery (2011), courts have emphasised that what matters is whether the employer conducted a genuine evaluation of the risks and took reasonable steps to control them.

In both cases, employers were convicted not because their risk assessments were poorly written, but because the assessments did not reflect the reality of the workplace and the control measures identified were not implemented. The method of drafting the document was irrelevant — what mattered was whether it demonstrated a genuine attempt to manage risk.

This reinforces the principle that AI-generated risk assessments are judged by the same standard as any other: does the document reflect the real risks, and have the identified controls been put in place?

The Role of Professional Judgement

AI is a tool, not a substitute for professional judgement. A competent person reviewing an AI-generated risk assessment must apply their knowledge of the workplace, the workforce, and the specific hazards involved. They may need to add hazards that the AI did not identify, adjust control measures to suit the actual resources available, or re-order the priority of actions based on their understanding of the business.

This is identical to the role of a competent person reviewing a risk assessment written by an external consultant or a junior employee. The legal responsibility remains with the employer, and the duty to ensure the assessment is suitable and sufficient cannot be delegated.

Comparison to Other Compliance Software

AI-generated risk assessments are not fundamentally different from other forms of software-assisted compliance that are already widely accepted in UK industry. Businesses routinely use software to generate:

In each case, the software assists in producing a document, but a responsible person must verify the content and confirm it is accurate. The same principle applies to AI-generated risk assessments. The technology accelerates the drafting process and ensures consistency in format and language, but it does not remove the duty to review and approve.

When AI-Generated Assessments Are Not Appropriate

There are some circumstances in which an AI-generated risk assessment may not be appropriate, or where additional expert input is required:

For the vast majority of UK workplaces — offices, retail premises, construction sites, schools, care homes, hospitality venues, and small industrial units — AI-generated risk assessments based on detailed user input are entirely appropriate and legally valid.

What Anyrisks Does Differently

Anyrisks generates risk assessments by asking the user to describe the specific work activity in detail. The AI then produces a document that incorporates that detail, references the relevant UK legislation, applies the hierarchy of controls, and structures the output in a format that meets HSE expectations. The user receives a PDF and an editable Word document within two minutes.

The Word document is fully editable, allowing the responsible person to adjust the content to reflect any site-specific details the AI may have missed or to add additional control measures. The assessment includes a signature section for the competent person to sign and date, confirming they have reviewed it and verified it reflects actual workplace conditions.

This process satisfies the legal requirement for a suitable and sufficient risk assessment under MHSWR 1999. The AI assists in drafting the document, but a human being takes responsibility for its accuracy and implementation — exactly as the law requires.

Common Misconceptions About AI-Generated Risk Assessments

Misconception: AI-generated documents are not accepted by HSE

Reality: HSE has no policy against AI-generated risk assessments. Inspectors assess whether the content of the assessment is suitable and sufficient, not the method used to create it.

Misconception: Only a qualified health and safety consultant can write a legally valid risk assessment

Reality: The law requires a competent person to carry out or supervise the risk assessment. A competent person is defined by knowledge, training and experience — not by holding a specific qualification. Many small business owners are competent to assess the risks in their own workplaces with appropriate guidance and tools.

Misconception: AI cannot understand the specific hazards in my workplace

Reality: AI does not need to visit the workplace if the user provides an accurate description. A detailed input describing the floor type, lighting, equipment, cleaning regime, and workforce profile allows the AI to generate a specific, tailored assessment that reflects those conditions.

Misconception: Using AI means I am not taking health and safety seriously

Reality: Using AI to draft a risk assessment is no different from using a word processor, a spreadsheet, or a template. What matters is whether the employer reviews the output, confirms it is accurate, and implements the control measures. AI can improve compliance by making it faster and easier to produce well-structured, regulation-referenced documents.

The Future of AI in Health and Safety Compliance

AI is already being used across UK industry to support health and safety compliance. Large organisations use AI to analyse incident reports and identify patterns. Construction companies use AI to monitor CCTV footage for unsafe behaviours. Facilities management firms use AI to schedule inspections and generate compliance reports.

The use of AI to generate risk assessments is a natural extension of this trend. As the technology improves, AI tools will become better at identifying hazards from images, recommending control measures based on best practice, and keeping assessments up to date as regulations change. The legal framework will not need to change — because the law already focuses on outcomes rather than methods.

Frequently Asked Questions