The Direct Answer: It Depends How the AI Was Built
AI risk assessments can be highly accurate — but only when the system has been purpose-built for UK health and safety compliance, trained on domain-specific data, and equipped with enriched hazard libraries and quality assurance layers. Generic large language models (ChatGPT, Claude, Gemini used without domain adaptation) routinely fail on the four criteria that define a legally compliant UK risk assessment: specificity to the actual work, correct citation of UK regulations, appropriate application of the hierarchy of controls, and completeness across all significant hazards. A purpose-built AI system designed specifically for risk assessment generation can meet all four criteria — and often does so more consistently than manually written assessments.
What Makes a Risk Assessment Accurate Under UK Law?
The legal standard for UK risk assessments is set out in the Management of Health and Safety at Work Regulations 1999 (MHSWR 1999) Regulation 3(1), which requires every employer to make a suitable and sufficient assessment of risks. The Health and Safety Executive (HSE) has clarified through guidance and enforcement that a suitable and sufficient assessment must be specific to the actual work being carried out, identify the significant risks rather than every trivial hazard, cite the relevant statutory provisions where applicable, and enable the employer to identify and prioritise the control measures needed to comply with the law.
Section 2(1) of the Health and Safety at Work Act 1974 places a duty on employers to ensure, so far as is reasonably practicable, the health, safety and welfare of employees. A risk assessment that is vague, generic, or omits significant hazards cannot satisfy this duty. Accuracy, in the legal sense, means the assessment reflects the real workplace conditions and provides actionable guidance for risk reduction.
Criterion 1: Specificity to the Actual Work
A suitable and sufficient risk assessment must be specific. HSE guidance makes clear that a generic document — one that could apply to any workplace in a sector — does not meet the legal standard. The assessment must reference the actual equipment used, the specific surfaces or environment where the work takes place, the training and competence of the workers involved, and the control measures already in place.
Example of a generic statement: "Employees may be injured by slips, trips and falls." This could apply to any workplace. Example of a specific statement: "Kitchen staff working on quarry-tiled floors wetted during dishwashing are at risk of slipping. Oil and fat residue from frying increases this risk during evening service. Staff wear non-slip footwear (Shoes for Crews style) and floors are mopped with degreaser solution every two hours during service." The second statement is specific, actionable, and directly linked to the actual workplace.
Criterion 2: Correct Citation of UK Regulations
Many workplace hazards are governed by specific regulations beyond the general duty under HSWA 1974. A legally accurate risk assessment cites the relevant regulation by name and, where appropriate, by regulation number. For example, work involving hazardous substances must reference the Control of Substances Hazardous to Health Regulations 2002 (COSHH) and confirm that a COSHH assessment has been carried out. Manual handling tasks that cannot be avoided must be assessed under the Manual Handling Operations Regulations 1992. Work at height must comply with the Work at Height Regulations 2005. Fire safety in non-domestic premises must comply with the Regulatory Reform (Fire Safety) Order 2005.
An AI system that has not been trained on UK health and safety law will often fail to cite the correct regulation, cite an outdated regulation, or omit the regulatory reference entirely. This undermines the legal defensibility of the assessment.
Criterion 3: Appropriate Application of the Hierarchy of Controls
Under MHSWR 1999 Schedule 1, employers must apply the hierarchy of controls when deciding how to reduce risk. The hierarchy, in order of preference, is: elimination, substitution, engineering controls, administrative controls, and personal protective equipment (PPE). A suitable and sufficient risk assessment must demonstrate that higher-order controls have been considered before relying on lower-order ones.
A common accuracy failure in AI-generated assessments is the recommendation of PPE as the primary control without first considering whether the hazard could be eliminated, substituted, or controlled through engineering measures. For example, recommending hearing protection for workers exposed to high noise levels is appropriate only if engineering controls (enclosing noisy machinery, using silencers, isolating the noise source) are not reasonably practicable. An assessment that jumps straight to PPE is not legally compliant.
Criterion 4: Completeness Across All Significant Hazards
A suitable and sufficient assessment must identify all significant hazards arising from the work. It is not necessary to list trivial risks (HSE guidance explicitly states this), but omitting a foreseeable hazard that could cause serious harm is a critical failure. Completeness requires the assessor — human or AI — to think systematically through the work activity: what physical hazards are present (moving parts, work at height, electricity, noise, vibration), what chemical or biological hazards exist (COSHH substances, Legionella, dust, fumes), what ergonomic hazards apply (manual handling, display screen equipment, repetitive tasks), and what organisational or psychosocial hazards are relevant (lone working, violence and aggression, work-related stress).
An AI system trained on a narrow dataset may miss hazard categories entirely. For example, a model trained primarily on construction risk assessments may fail to identify psychosocial risks (such as lone working or exposure to aggressive clients) when generating an assessment for a home care worker.
How Generic AI Fails on Each Criterion
Failure Mode 1: Generic, Templated Language
General-purpose large language models have been trained on vast quantities of text from the internet, including thousands of poorly written, generic risk assessments. When asked to generate a risk assessment, these models often reproduce the vague, non-specific language they have seen most frequently. Phrases like "appropriate PPE must be worn," "staff must be trained," and "safe systems of work must be followed" appear in AI-generated assessments without any detail about what PPE is appropriate, what training is required, or what the safe system of work actually involves.
This language does not meet the suitable and sufficient standard. An HSE inspector reviewing such a document would immediately identify it as a generic template rather than a genuine assessment of the workplace.
Failure Mode 2: Incorrect or Outdated Legal References
General-purpose AI models are not continuously updated with changes to UK legislation, and their training data often includes outdated material. A model trained on internet text from 2020 or earlier may cite regulations that have been amended or revoked. For example, the Construction (Design and Management) Regulations 2007 were replaced by the Construction (Design and Management) Regulations 2015 — but many online documents still reference the 2007 version. An AI model without access to current HSE guidance and legislation databases will reproduce these errors.
More fundamentally, general-purpose models often fail to identify which regulations apply to a given activity. A risk assessment for spray painting in an automotive workshop must reference COSHH (for solvent exposure), the Control of Noise at Work Regulations 2005 (for spray gun noise), the Provision and Use of Work Equipment Regulations 1998 (for the spray equipment itself), and potentially the Dangerous Substances and Explosive Atmospheres Regulations 2002 (DSEAR) if flammable vapours are present. A generic AI will typically mention only one or two of these, if any.
Failure Mode 3: Misapplication of the Hierarchy of Controls
Generic AI models do not understand the legal requirement to work through the hierarchy of controls. When asked to suggest control measures, they often default to the most commonly mentioned controls in their training data — which are typically PPE and training, because these are the easiest to write about and the most frequently mentioned in low-quality risk assessments online. The result is an assessment that recommends, for example, "wear gloves" and "provide training" without first asking whether the hazardous substance could be substituted for a safer alternative, whether engineering controls (local exhaust ventilation, enclosed systems) could reduce exposure, or whether administrative controls (job rotation, reduced exposure time) are appropriate.
This misapplication is not merely a quality issue — it is a legal compliance failure. An employer who implements an AI-generated assessment that relies on PPE when engineering controls were reasonably practicable may face enforcement action following an accident.
Failure Mode 4: Incomplete Hazard Identification
General-purpose AI models generate text based on patterns in their training data. If a particular hazard category is underrepresented in that data, the model will systematically fail to identify it. Psychosocial hazards — lone working, exposure to violence and aggression, work-related stress — are significantly underrepresented in publicly available risk assessment templates compared to physical hazards. As a result, generic AI often omits these hazards entirely, even when they are clearly relevant to the work being assessed.
Biological hazards (Legionella in water systems, exposure to blood-borne pathogens in healthcare, zoonotic diseases in veterinary or agricultural work) are another category frequently missed by generic models, because the training data for these hazards is more specialised and less widely available online.
How Purpose-Built AI Achieves Accuracy
Domain-Specific Training and Fine-Tuning
A purpose-built AI system for UK risk assessment generation is trained — or fine-tuned from a base model — using curated datasets of high-quality, legally compliant risk assessments. These datasets are drawn from HSE guidance documents, enforced case studies, sector-specific assessment templates published by trade bodies and professional institutions, and real assessments that have been reviewed and approved by competent health and safety professionals. The training process teaches the model the structure, tone, and level of detail expected in a suitable and sufficient assessment.
Fine-tuning also enables the model to learn the specific legal language used in UK health and safety: "so far as is reasonably practicable," "suitable and sufficient," "significant findings," "hierarchy of controls." These phrases have precise legal meanings, and a model trained on general internet text may misuse them or omit them entirely.
Enriched Hazard Libraries and Regulation Mapping
Purpose-built systems incorporate structured hazard libraries that map specific activities and industries to the hazards most commonly associated with them, along with the applicable regulations. For example, a hazard library entry for "spray painting in an automotive workshop" would include: chemical hazards (solvent vapours, isocyanates in certain paints) linked to COSHH; physical hazards (noise from air compressors and spray guns) linked to the Control of Noise at Work Regulations 2005; fire and explosion hazards (flammable vapour accumulation) linked to DSEAR; and ergonomic hazards (repetitive arm movements, prolonged standing) linked to general MHSWR 1999 duties.
When a user describes an activity, the system queries the hazard library to identify all relevant hazard categories, then generates assessment text for each. This approach ensures completeness and reduces the risk of omitting a significant hazard.
Regulation mapping ensures that the correct legal references are included. Each hazard category in the library is linked to the primary and secondary regulations that govern it. The system generates citations in the correct format, using the current regulation name and year, and includes regulation numbers where appropriate (e.g. "Regulation 6 of the Manual Handling Operations Regulations 1992 requires employers to avoid the need for manual handling so far as is reasonably practicable").
Hierarchy of Controls Enforcement
A purpose-built system is programmed to apply the hierarchy of controls in the correct order. The generation logic includes a rule layer that checks: has elimination been considered? If not feasible, has substitution been considered? If not feasible, have engineering controls been considered? Only after higher-order controls have been addressed (or explicitly ruled out as not reasonably practicable) does the system recommend administrative controls or PPE.
This is implemented through prompt engineering (instructing the model to follow the hierarchy explicitly) and post-generation validation (a rule-based system that checks whether the recommended controls are in the correct order and flags assessments that jump to PPE without justification).
Quality Assurance Layers and Human Review
The most robust purpose-built systems include quality assurance layers: automated checks that validate the structure of the generated assessment (does it include all required sections? are the hazards specific? are the controls actionable?), a review step where a competent person — typically a health and safety professional — checks a sample of generated assessments for accuracy and legal compliance, and user feedback loops that capture errors or omissions reported by customers and feed them back into the training process.
Even with these layers, the legal responsibility for the risk assessment remains with the employer. A purpose-built AI system produces a draft assessment that must be reviewed, customised to the specific workplace, and formally adopted by the employer. The system reduces the time and expertise required to produce a compliant assessment, but it does not eliminate the need for human oversight.
Real-World Accuracy: How Anyrisks Achieves the Legal Standard
Anyrisks was built specifically to meet the suitable and sufficient standard required under MHSWR 1999 Regulation 3(1). The system combines a fine-tuned language model trained on thousands of high-quality UK risk assessments, a structured hazard library covering over 200 common workplace activities and linked to the relevant regulations, a rule-based control hierarchy engine that enforces the legal order of controls, and a continuous quality assurance process where customer feedback and HSE guidance updates are reviewed monthly and incorporated into the training data.
When a user describes an activity — for example, "Kitchen staff using a commercial deep fryer in a restaurant kitchen" — the system identifies the relevant hazards (hot oil burns, slips from oil spillage, fire risk from overheating oil, manual handling of oil containers), cites the applicable regulations (MHSWR 1999 for general risk assessment, COSHH for cleaning chemicals used on the fryer, Manual Handling Operations Regulations 1992 for handling oil containers), applies the hierarchy of controls in order (engineering controls: thermostatic temperature controls, splash guards; administrative controls: training on safe operation, oil change procedures; PPE: heat-resistant gloves, closed footwear), and produces a specific, actionable assessment document.
The assessment is delivered in under two minutes, in both PDF and editable Word format. The employer reviews the document, confirms it reflects the actual workplace setup (for example, the make and model of the fryer, the specific flooring type, the training records in place), and implements the control measures identified. The legal duty to assess risk has been met — with significantly less time and cost than engaging a consultant or starting from a blank template.
What AI Cannot Do: The Limits of Accuracy
No AI system, no matter how well-designed, can fully replace a site visit and direct observation by a competent person. AI generates assessments based on the description provided by the user. If the user fails to mention a significant hazard — for example, an unmarked floor-level change, a damaged piece of equipment, or a known behavioural issue with a particular worker — the AI cannot identify it. The assessment is only as accurate as the information it is given.
AI also cannot make judgements about what is "reasonably practicable" in a specific financial or operational context. The legal standard of reasonable practicability requires balancing the level of risk against the time, cost, and difficulty of the control measure. A human decision-maker must make this judgement, taking into account the employer's resources and circumstances. AI can recommend control measures in order of effectiveness, but it cannot determine which are reasonably practicable for a particular employer.
Finally, AI cannot keep itself up to date without human intervention. UK health and safety law changes regularly: new regulations are introduced, existing regulations are amended, HSE guidance is updated, and case law evolves. A purpose-built system must be actively maintained — training data refreshed, hazard libraries updated, regulation mappings reviewed — to remain accurate over time. Employers using AI-generated assessments should ensure the provider has a documented process for keeping the system current.
How to Evaluate the Accuracy of an AI Risk Assessment
If you are considering using an AI-generated risk assessment, or reviewing one that has been generated, apply these four tests:
- Specificity test — does the assessment reference the actual equipment, environment, and workforce in your workplace, or could the same text apply to any business in your sector? If the language is generic, the assessment is unlikely to be suitable and sufficient.
- Regulation test — are the relevant UK regulations cited by name and year? Are the citations current (not superseded or revoked)? Are sector-specific regulations (COSHH, Manual Handling, Work at Height, etc.) included where applicable?
- Hierarchy test — are the recommended control measures in the correct order (elimination, substitution, engineering, administrative, PPE)? If the assessment recommends PPE as the primary control, does it explain why higher-order controls are not reasonably practicable?
- Completeness test — does the assessment cover all significant hazard categories relevant to the work: physical, chemical, biological, ergonomic, and psychosocial? Are there any obvious hazards missing?
If the assessment passes all four tests, it is likely to be legally compliant. If it fails any test, it must be revised before use.
The Role of the Competent Person
Under MHSWR 1999 Regulation 7, every employer must appoint one or more competent persons to assist with health and safety compliance. A competent person is defined as someone with sufficient training, experience, knowledge, and other qualities to properly assist the employer. In the context of risk assessment, the competent person is responsible for reviewing AI-generated assessments, confirming they are suitable and sufficient, customising them to the specific workplace, and ensuring the identified control measures are implemented.
The competent person does not need to be an external consultant. For many small businesses, the employer themselves or a senior manager with appropriate training can fulfil this role. The key is that the person reviewing the assessment understands the legal requirements, knows the workplace well enough to spot omissions or inaccuracies, and has the authority to implement the recommended controls.
AI is a tool that assists the competent person — it does not replace them. The legal duty under MHSWR 1999 remains with the employer, and that duty cannot be outsourced to a software system.
Case Study: Where Generic AI Failed and Purpose-Built AI Succeeded
A facilities management contractor used a generic AI chatbot (a well-known consumer model) to generate a risk assessment for a cleaning operative working alone in a client's office building outside normal working hours. The AI produced a two-page document that mentioned slips and trips (generic flooring reference), manual handling (generic "lift correctly" guidance), and exposure to cleaning chemicals (generic "read the label" advice). It did not mention lone working as a hazard, did not reference the HSE guidance on lone working (available on the HSE website since 2013), and did not recommend any control measures for emergency contact, check-in procedures, or access to first aid.
The contractor then used Anyrisks, describing the same activity in detail: "cleaning operative working alone in an office building between 18:00 and 22:00, using standard cleaning chemicals (floor cleaner, glass cleaner, toilet cleaner), manual handling of mop buckets and vacuum cleaners, lone working for the entire shift." The Anyrisks system produced a five-page assessment that included a dedicated section on lone working, cited the Corporate Manslaughter and Corporate Homicide Act 2007 (relevant because failure to protect lone workers has led to corporate manslaughter prosecutions), recommended a check-in system with a supervisor or automated system, included emergency contact procedures, specified that a mobile phone must be provided and kept charged, and recommended a personal safety alarm for high-risk environments.
The Anyrisks assessment also included specific COSHH guidance for each cleaning chemical (with space to record the product name and hazard classification), manual handling guidance specific to mop buckets (weight when full, technique for lifting over thresholds), and slip risk controls for wet floors in unoccupied buildings (warning signs, drying time, appropriate footwear). The contractor adopted the Anyrisks assessment, implemented the recommended controls, and the assessment was reviewed and accepted by the client's health and safety manager without amendment.
The Future of AI Accuracy in Risk Assessment
Purpose-built AI for UK risk assessment is still a maturing technology. The current generation of systems — including Anyrisks — can reliably generate suitable and sufficient assessments for common, well-documented activities. Accuracy is highest for sectors with extensive HSE guidance (construction, healthcare, education, hospitality) and lowest for niche or emerging industries where training data is scarce.
Future improvements are likely to include real-time integration with HSE guidance databases, so that assessments automatically incorporate the latest legal changes; image recognition to identify hazards from site photographs uploaded by the user; and predictive risk scoring based on historical accident data for similar activities. However, the core requirement — that a competent person reviews and adopts the assessment — will remain. AI will become faster, more comprehensive, and more accurate, but it will not eliminate the employer's legal duty to assess and manage risk.
