Industry views
11 Mar 2026
by Tom Cowles

Navigating The Official Secrets Act, NCSC principles and AI in GovTech

Tom Cowles, Chief Compliance Officer at Box, explores how UK government can adopt AI securely while meeting Official Secrets Act and NCSC requirements.

The Evolving Landscape
The Official Secrets Act (OSA) remains central to UK national security, defining how sensitive government information must be protected. As public sector organisations accelerate cloud adoption and experiment with AI, the question is no longer whether to use these technologies-but how to do so while upholding OSA obligations.

For technology providers supporting government workloads, these duties shape service architecture, operations, and data governance end to end.

Understanding Classifications

The UK's classification model determines what can move to commercial cloud:

 

  • OFFICIAL - Routine government business, suited to appropriately secured cloud platforms.
  • OFFICIAL-SENSITIVE - Information requiring strengthened controls; cloud is appropriate only where assessed as adequate.
  • SECRET / TOP SECRET - High-threat data requiring restricted, often government-operated environments.
  • This tiered approach enables departments to exploit cloud innovation for most workloads while reserving stringent controls for the highest-impact data.

 

The NCSC 14 Cloud Security Principles

For OFFICIAL and OFFICIAL-SENSITIVE data, the NCSC 14 Cloud Security Principles provide the reference framework UK CISOs use to assess services. These cover data protection in transit, asset resilience, tenant separation, governance, operational security, personnel vetting, secure development, supply chain management, and audit provision.

Unlike fixed certification regimes, the UK model is outcome-based and risk-driven- helping decision-makers judge whether a service provides the isolation, resilience, and control required for specific workloads.

Data Sovereignty and the AI Opportunity

Data location remains a core concern. UK government organisations typically prioritise UK or UK/EU data centres, ensure UK GDPR alignment, and use procurement routes like G-Cloud for transparency.

These foundations are critical as AI becomes embedded in government workflows. Around 80-90% of government information exists as unstructured content-documents, emails, and records. AI offers significant potential for search, summarisation, and
automation. However, without strong controls, AI can amplify risk through data leakage or misclassification.

The NCSC principles provide essential guardrails, particularly around secure development, identity and authentication, external interface protection, and audit information.


Governance Before Generation

Modern AI is only as trustworthy as the content platforms beneath it. Organisations should adopt a pragmatic framework:

  • Governance before generation - Define policies for access, retention, and acceptable AI use before deployment.
  • Human-in-the-loop oversight - Maintain human review at critical decision points.
  • Composable architectures - Integrate vetted services via secure APIs.
  • Continuous assessment - Regularly re-evaluate against the 14 principles as threats evolve.

 

Enabling Secure Transformation
Far from being obstacles, the OSA, UK classification system, and NCSC principles form the conditions that make trustworthy innovation possible. By treating security and compliance as enablers-rather than afterthoughts-departments can protect sensitive information, uphold their duties, and unlock the value of their content assets.

 

box_blue (2).png

Authors

Tom Cowles

Tom Cowles

Chief Compliance Officer, Box

LinkedIn:
https://www.linkedin.com/in/tomcowles/

Read lessmore

Return to listing