An AI-generated risk assessment is legally valid in the UK if it meets the same standard as any other risk assessment: it must be suitable and sufficient under Regulation 3(1) of the Management of Health and Safety at Work Regulations 1999, it must be based on actual workplace conditions, and it must be reviewed and signed off by a competent person. UK health and safety law does not prescribe how a risk assessment must be produced — only what it must contain and what decisions it must support.
What the Law Actually Requires
The legal duty to carry out risk assessments is set out in Regulation 3(1) of the Management of Health and Safety at Work Regulations 1999 (MHSWR 1999). It requires every employer to make a suitable and sufficient assessment of the risks to the health and safety of employees and others affected by their work. Regulation 3(6) requires employers with five or more employees to record the significant findings in writing.
Nowhere in MHSWR 1999, or in any other UK health and safety statute, is there a requirement that a risk assessment must be handwritten, must be typed manually, or must be created using any particular tool or method. The law is outcome-focused: what matters is whether the assessment identifies the significant risks, enables the employer to prioritise control measures, and remains valid for the work being assessed.
This is consistent with HSE guidance, which has always emphasised that risk assessments should be proportionate and practical. HSE explicitly states that risk assessments do not need to be perfect — they need to be suitable and sufficient. An AI-generated document that accurately describes the hazards, identifies the relevant regulations, applies the hierarchy of controls correctly, and is based on a genuine description of the work is no less valid than one produced manually.
The 'Suitable and Sufficient' Standard
The phrase 'suitable and sufficient' appears in MHSWR 1999 Regulation 3(1) but is not defined in the legislation. HSE guidance and case law establish that a suitable and sufficient risk assessment must:
- Identify the significant risks arising from or in connection with the work — not every trivial hazard
- Enable the employer to identify and prioritise the measures needed to comply with statutory duties
- Be appropriate to the nature of the work and valid for a reasonable period
- Reflect the actual conditions of the workplace or activity being assessed
The final point is critical. A risk assessment that uses generic, template language such as "slips and trips may occur" without specifying the surfaces involved, the cleaning regime, the footwear required, or the lighting conditions is unlikely to meet the suitable and sufficient standard — regardless of whether it was produced by hand, by template, or by AI. Conversely, an AI-generated assessment that names the specific floor type, describes the actual cleaning procedure in place, identifies who is responsible, and references the relevant regulatory standard can be entirely suitable and sufficient.
What makes a risk assessment legally valid is not the method of production but whether it demonstrates a genuine, informed evaluation of the actual risks present in a specific workplace.
The Responsible Person Requirement
UK health and safety law requires that risk assessments are carried out by, or under the supervision of, a competent person. Regulation 7 of MHSWR 1999 requires every employer to appoint one or more competent persons to assist in undertaking the measures needed to comply with health and safety law. A competent person is defined as someone with sufficient training, experience, knowledge, or other qualities to enable them to properly assist.
In practice, this means that an AI tool can assist in the production of a risk assessment, but a human being must take responsibility for reviewing it, confirming it reflects actual site conditions, and signing it off. The competent person must:
- Verify that the hazards identified in the AI-generated assessment are accurate and complete for the work being assessed
- Confirm that the control measures listed are appropriate and are either already in place or will be implemented
- Check that the legal references and guidance cited are relevant to the activity
- Ensure that the people identified as at risk match the actual workforce and visitor profile
- Assign responsibilities for implementing and monitoring the controls
This is no different from the duty placed on an employer who uses a pre-written template or who commissions an external consultant to write a risk assessment. The employer cannot delegate the legal responsibility — only the task of drafting the document.
Why AI-Generated Assessments Can Be More Suitable Than Templates
Many businesses currently rely on downloaded templates or example risk assessments that were written for a different workplace, a different industry, or a different set of circumstances. These are routinely criticised by HSE inspectors for being too generic. The problem is not that they were produced by someone else — it is that they do not reflect the specific hazards and controls relevant to the employer using them.
A properly designed AI system, by contrast, generates an assessment based on a detailed description of the actual work activity. When a user describes the task, the location, the people involved, the equipment being used, and any known hazards, the AI can produce a document that references those specific details. The assessment describes the actual floor type in the actual building, the actual equipment brand and model, the actual cleaning regime that is followed, and the actual PPE that is issued.
This specificity is precisely what makes a risk assessment suitable and sufficient. An AI-generated assessment that incorporates site-specific information provided by the user is materially more compliant than a generic template downloaded from the internet and filled in with minimal thought.
What Makes an AI-Generated Assessment Legally Defensible
For an AI-generated risk assessment to be legally defensible in the event of an HSE investigation, a civil claim, or a prosecution, it must satisfy the following tests:
1. It must be based on accurate input data
The person using the AI tool must provide an honest, detailed description of the work activity and the workplace. An assessment generated from incomplete or inaccurate information will fail the suitable and sufficient test regardless of how sophisticated the AI is.
2. It must be reviewed and approved by a competent person
The output from the AI cannot be used without human oversight. The responsible person must read the entire document, verify that it matches the real-world conditions, and confirm that the control measures are appropriate and will be implemented.
3. It must identify the significant hazards
A defensible risk assessment does not need to list every conceivable hazard — but it must identify the significant risks that a reasonable employer would recognise. If the AI misses an obvious hazard because the user did not describe it, that is a failing of the input process, not the tool.
4. It must apply the hierarchy of controls correctly
Under MHSWR 1999 Schedule 1, control measures must follow the hierarchy: elimination, substitution, engineering controls, administrative controls, and finally personal protective equipment. An AI-generated assessment that defaults to PPE without considering higher-order controls will not meet the legal standard.
5. It must cite relevant legal requirements
A legally defensible risk assessment references the specific regulations that apply to the activity being assessed. For example, a manual handling assessment should reference the Manual Handling Operations Regulations 1992; a COSHH assessment should reference the Control of Substances Hazardous to Health Regulations 2002. An AI system that incorporates this knowledge produces a stronger, more defensible document than a generic template.
6. It must be implemented
The most common failing in UK health and safety is not the quality of the written risk assessment but the failure to implement its findings. A perfect AI-generated document is worthless if the control measures it identifies are not put in place. The responsible person must ensure that training is delivered, equipment is purchased, procedures are followed, and monitoring takes place.
HSE Enforcement Position
HSE does not have a published policy specifically on AI-generated risk assessments, but its general enforcement position is clear: inspectors assess whether a risk assessment is suitable and sufficient, not how it was created. During an inspection, an HSE inspector will ask to see the risk assessment, will compare it to the actual workplace conditions, and will question whether the employer has genuinely thought through the risks and controls.
If the assessment is clearly generic — using boilerplate language that could apply to any workplace — the inspector will issue an improvement notice regardless of whether it was handwritten, typed, or AI-generated. If the assessment is specific, accurate, and demonstrates that the employer has identified and controlled the significant risks, the inspector is unlikely to challenge it on the basis that AI was involved in its production.
What HSE does challenge is the practice of downloading a template risk assessment from the internet, changing the company name, and claiming it as compliance. This practice fails because the assessment does not reflect the specific workplace. An AI-generated assessment based on detailed user input is the opposite of this — it is a bespoke document tailored to the described activity.
Case Law and Precedent
There is no reported case law in the UK that specifically addresses the validity of AI-generated risk assessments. However, case law on the suitable and sufficient standard provides useful guidance. In cases such as R v Porter (2008) and R v Tangerine Confectionery (2011), courts have emphasised that what matters is whether the employer conducted a genuine evaluation of the risks and took reasonable steps to control them.
In both cases, employers were convicted not because their risk assessments were poorly written, but because the assessments did not reflect the reality of the workplace and the control measures identified were not implemented. The method of drafting the document was irrelevant — what mattered was whether it demonstrated a genuine attempt to manage risk.
This reinforces the principle that AI-generated risk assessments are judged by the same standard as any other: does the document reflect the real risks, and have the identified controls been put in place?
The Role of Professional Judgement
AI is a tool, not a substitute for professional judgement. A competent person reviewing an AI-generated risk assessment must apply their knowledge of the workplace, the workforce, and the specific hazards involved. They may need to add hazards that the AI did not identify, adjust control measures to suit the actual resources available, or re-order the priority of actions based on their understanding of the business.
This is identical to the role of a competent person reviewing a risk assessment written by an external consultant or a junior employee. The legal responsibility remains with the employer, and the duty to ensure the assessment is suitable and sufficient cannot be delegated.
Comparison to Other Compliance Software
AI-generated risk assessments are not fundamentally different from other forms of software-assisted compliance that are already widely accepted in UK industry. Businesses routinely use software to generate:
- Method statements and safe systems of work
- COSHH data sheets and exposure assessments
- Fire evacuation plans and emergency procedures
- Training records and competency matrices
In each case, the software assists in producing a document, but a responsible person must verify the content and confirm it is accurate. The same principle applies to AI-generated risk assessments. The technology accelerates the drafting process and ensures consistency in format and language, but it does not remove the duty to review and approve.
When AI-Generated Assessments Are Not Appropriate
There are some circumstances in which an AI-generated risk assessment may not be appropriate, or where additional expert input is required:
- Highly specialised or novel activities — work involving unusual hazards, experimental processes, or activities for which there is limited published guidance may require a bespoke assessment by a specialist consultant.
- Major hazard sites — sites regulated under the Control of Major Accident Hazards Regulations 2015 (COMAH) or involving large-scale chemical processes require detailed quantitative risk assessments that go beyond the capability of general-purpose AI tools.
- Where the user lacks the knowledge to provide accurate input — if the person using the AI tool does not understand the work activity well enough to describe it accurately, the output will be flawed. In such cases, employing a competent external consultant is more appropriate.
For the vast majority of UK workplaces — offices, retail premises, construction sites, schools, care homes, hospitality venues, and small industrial units — AI-generated risk assessments based on detailed user input are entirely appropriate and legally valid.
What Anyrisks Does Differently
Anyrisks generates risk assessments by asking the user to describe the specific work activity in detail. The AI then produces a document that incorporates that detail, references the relevant UK legislation, applies the hierarchy of controls, and structures the output in a format that meets HSE expectations. The user receives a PDF and an editable Word document within two minutes.
The Word document is fully editable, allowing the responsible person to adjust the content to reflect any site-specific details the AI may have missed or to add additional control measures. The assessment includes a signature section for the competent person to sign and date, confirming they have reviewed it and verified it reflects actual workplace conditions.
This process satisfies the legal requirement for a suitable and sufficient risk assessment under MHSWR 1999. The AI assists in drafting the document, but a human being takes responsibility for its accuracy and implementation — exactly as the law requires.
Common Misconceptions About AI-Generated Risk Assessments
Misconception: AI-generated documents are not accepted by HSE
Reality: HSE has no policy against AI-generated risk assessments. Inspectors assess whether the content of the assessment is suitable and sufficient, not the method used to create it.
Misconception: Only a qualified health and safety consultant can write a legally valid risk assessment
Reality: The law requires a competent person to carry out or supervise the risk assessment. A competent person is defined by knowledge, training and experience — not by holding a specific qualification. Many small business owners are competent to assess the risks in their own workplaces with appropriate guidance and tools.
Misconception: AI cannot understand the specific hazards in my workplace
Reality: AI does not need to visit the workplace if the user provides an accurate description. A detailed input describing the floor type, lighting, equipment, cleaning regime, and workforce profile allows the AI to generate a specific, tailored assessment that reflects those conditions.
Misconception: Using AI means I am not taking health and safety seriously
Reality: Using AI to draft a risk assessment is no different from using a word processor, a spreadsheet, or a template. What matters is whether the employer reviews the output, confirms it is accurate, and implements the control measures. AI can improve compliance by making it faster and easier to produce well-structured, regulation-referenced documents.
The Future of AI in Health and Safety Compliance
AI is already being used across UK industry to support health and safety compliance. Large organisations use AI to analyse incident reports and identify patterns. Construction companies use AI to monitor CCTV footage for unsafe behaviours. Facilities management firms use AI to schedule inspections and generate compliance reports.
The use of AI to generate risk assessments is a natural extension of this trend. As the technology improves, AI tools will become better at identifying hazards from images, recommending control measures based on best practice, and keeping assessments up to date as regulations change. The legal framework will not need to change — because the law already focuses on outcomes rather than methods.
