Most schools have started thinking about AI. Some have drafted a staff policy. A few have added a line to their assessment integrity documentation. But when you sit down and map out what current published guidance from the DfE, JCQ, and ICO actually expects, most schools find significant gaps — not through negligence, but because the guidance is spread across multiple bodies, multiple documents, and multiple policy areas.

This article walks through nine areas that a robust school AI policy position should cover, explains why each one catches schools out, and identifies the risks of leaving it unaddressed. It draws on current published guidance from DfE, JCQ, and ICO as of March 2026.

1. Leadership and ownership

The DfE's generative AI in education guidance is clear: schools need someone accountable for AI policy at a leadership level. In practice, most schools have no named owner. AI policy sits in a gap between the IT lead, the deputy head responsible for teaching and learning, and the data protection officer.

Without a named owner, there is no one responsible for deciding whether AI use is permitted in staff workflows, administrative processes, or pupil-facing contexts. There is no one ensuring the policy is reviewed and updated as guidance changes. And there is no one coordinating across the multiple policy areas that AI touches.

The risk: AI use grows informally across the school with no governance oversight. When something goes wrong — a data breach, an assessment integrity issue, a safeguarding concern — there is no clear chain of accountability.

2. Policy coverage

Many schools have a single AI policy document, or a paragraph added to an existing acceptable use policy. This is a start, but it rarely covers the full scope. A joined-up AI position needs to address staff acceptable use, student acceptable use, assessment integrity and malpractice, safeguarding, data protection, and online safety — at a minimum.

Schools often miss that AI has implications across policies they already maintain. The homework policy, the online safety policy, the data protection policy, the safeguarding policy, and the staff code of conduct may all need explicit AI references. Without these, staff are left to interpret whether existing rules cover new AI tools — and interpretations will vary.

The risk: inconsistent expectations across departments, confusion among staff about what is and is not permitted, and potential gaps that only surface when an incident occurs.

3. Staff expectations

The DfE guidance emphasises that AI does not replace professional judgement. Teachers remain responsible for any AI-generated content they use. But many schools have not translated this principle into practical, specific guidance for their staff.

Staff need to know, concretely: Can I use AI to draft lesson plans? Can I use it to write report comments? Can I use it to create assessment questions? Can I use it to generate feedback for students? For each of these, what are the expectations around checking, editing, and taking responsibility for the output?

Without clear examples of permitted and prohibited use, staff either avoid AI entirely (missing genuine productivity benefits) or use it without appropriate safeguards (creating risk). Neither outcome serves the school well.

The risk: a teacher uses AI to generate student reports without adequate review. A member of staff inputs sensitive pupil data into an unapproved AI tool. In both cases, the school has no documented position to fall back on.

4. Approved tools

Schools routinely approve educational software through procurement and IT processes. But AI tools often bypass these processes entirely. A teacher signs up for a free AI tool using their school email. A department head starts using an AI marking assistant. A teaching assistant uses a chatbot to help with SEND resources.

Without a clear register of approved and unapproved AI tools — and a process for reviewing new ones — schools cannot manage the data protection, safeguarding, and security implications. Each new tool should be assessed for its purpose, the data it processes, its security arrangements, its privacy terms, required permissions, and any safeguarding implications.

The risk: personal data is processed by tools that have not been assessed. The school cannot demonstrate to the ICO that it has adequate controls over data processing. Staff use tools with terms of service that grant the provider rights to use input data for training.

5. Candidate work and authenticity

JCQ's AI Use in Assessments guidance (Revision 2, April 2025) is detailed and specific. Students must be told clearly when they may and may not use AI in assessed work. All assessed work submitted for external qualifications must be the candidate's own. Where AI has been used as a permitted research or drafting aid, students must acknowledge this.

Most schools have communicated something about AI and coursework, but the message is often vague. "Don't use AI to cheat" is not the same as a clear policy that defines when AI use is permitted, when it is not, what acknowledgement looks like, and what happens if the rules are breached.

Staff also need to know what indicators to look for when reviewing student work for AI-generated content. JCQ expects teachers to apply their professional judgement, but this only works if staff have been given practical guidance on what to look for.

The risk: a student submits AI-generated work for a GCSE or A-level assessment. The school cannot demonstrate it had adequate measures in place to prevent and detect this. Under JCQ regulations, the Head of Centre carries personal responsibility for the integrity of the examination process.

6. Staff assessment duties

This area is closely linked to candidate work authenticity, but it focuses on the teacher's obligations rather than the student's. JCQ is explicit (AI Use in Assessments, Revision 2, April 2025): teachers must not accept candidate work for external assessment unless they are satisfied it is the candidate's own. AI must not be used as the sole means of marking or assessing student work for qualifications.

The Head of Centre has a specific annual obligation to review and update the centre's malpractice and maladministration policy (JCQ General Regulations for Approved Centres 2025-26, §5.3). This is not optional. Yet many Heads of Centre are unaware that their malpractice documentation needs explicit AI coverage, or that they are personally accountable for this review.

The risk: JCQ sanctions. These can include the withholding of results, the requirement to re-enter candidates, and in serious cases, the removal of the centre's status as an approved examination centre. The Head of Centre can be personally named in sanction outcomes.

7. Learner-facing safeguards

Before any school allows pupils to interact with AI tools, several questions need answering. Which year groups? Which subjects? Which tools? Under what supervision? With what filtering and monitoring in place? How are age restrictions applied? What happens if a pupil encounters harmful, biased, or inappropriate AI-generated content?

Many schools have not made a deliberate decision about pupil AI use. Some have allowed it to develop organically. Others have issued blanket bans that are difficult to enforce. Neither approach addresses the underlying need for a risk-assessed, documented position.

Staff need to know how to escalate concerns about unsafe AI outputs. This connects directly to the school's broader safeguarding framework and should be reflected in safeguarding policy and training.

The risk: a pupil is exposed to harmful content generated by an AI tool used in a classroom context. The school cannot demonstrate that it had assessed the risks, put safeguards in place, and trained staff on escalation procedures.

8. Privacy and DPIA awareness

The ICO is clear (AI and data protection guidance, currently under review following the Data (Use and Access) Act 2025): where a school uses AI tools that process personal data, a Data Protection Impact Assessment (DPIA) may be required. This applies not just to school-wide platform decisions, but to individual tools used by staff in their day-to-day work.

The most common gap here is awareness. Staff do not always recognise when they are putting personal or confidential data into an AI tool. Typing a pupil's name, circumstances, or SEND information into a chatbot to help draft a report is a data processing activity. Staff need to know this, and they need to know who to consult internally before using AI tools with any personal data.

The risk: a data breach. Personal data is processed by an AI tool without a DPIA, without adequate security, and without the data subject's knowledge. The ICO can investigate and issue enforcement action. For schools, the reputational damage can be as significant as the regulatory consequence.

9. Communication and training

Even the best AI policy is ineffective if staff have not received training on it, if pupils do not understand the expectations, and if parents are unaware of the school's approach. Communication and training is the area most schools acknowledge they need to do more on, but it is consistently deprioritised in favour of more immediate pressures.

Staff need, at minimum, basic guidance on the school's AI position: what is permitted, what is not, and where to go with questions. Pupils need age-appropriate communication about expectations for assessed and non-assessed work. Parents and carers should be informed about the school's approach to AI, particularly around data protection and safeguarding.

A review cycle matters too. AI guidance is changing rapidly. A policy reviewed once and filed away will not reflect current expectations within twelve months. Schools need a defined point at which their AI position is reviewed and, if necessary, updated.

The risk: staff act in good faith but without adequate knowledge. The school has a policy on paper that does not match practice on the ground. When guidance changes, the school's position drifts out of alignment without anyone noticing.

What most schools discover

When schools work through these nine areas systematically, the finding is rarely that nothing is in place. Most schools have some coverage. The typical picture is partial: a staff AUP that covers some AI use but not assessment integrity. An assessment policy that mentions AI but does not set out clear rules. A safeguarding framework that has not been updated to address AI-specific risks. A general awareness of data protection obligations, but no specific DPIA process for AI tools.

The challenge is not starting from zero. It is joining up the pieces into a coherent, source-referenced position that covers all nine areas, is clearly communicated to staff and students, and can be demonstrated to governors, inspectors, and JCQ if needed.

This is the gap that free single-page templates do not fill. A one-page AI policy does not address JCQ assessment integrity requirements, ICO data protection obligations, and DfE safeguarding expectations simultaneously. Schools need a coordinated set of documents that work together.

Next steps

If you want to assess where your school stands across all nine areas, the AI Policy Checklist for School Leaders provides a structured self-assessment with source references to the relevant DfE, JCQ, and ICO guidance for each item.

If the checklist confirms gaps in your policy coverage, the AI Policy Starter Pack provides the core documents — Staff AUP, Student AUP, and Assessment Integrity Policy — source-referenced, customisable, and designed for school governance approval. Each document is aligned with current published guidance from DfE, JCQ, and ICO as of March 2026.

Related articles

• KCSIE 2026: New AI Safeguarding Rules for Schools
• DfE AI Guidance for Schools Explained
• JCQ AI Malpractice: Head of Centre Liability
• How to Write a School AI Acceptable Use Policy