1 min read
Outlook: AI in Safeguarding – What to Expect in KCSIE 2025
KCSIE is due to be published soon and, according to sources, is expected to undergo a significant upgrade, potentially even a complete rewrite. In...
7 min read
Mark Orchison
:
Updated on July 8, 2026
The finalised Keeping Children Safe in Education 2026 guidance is published and comes into force on 1 September 2026. For schools, the most significant development is this: the AI and technology requirements that appeared in the consultation draft have not been removed. They have been confirmed.
That matters. AI is no longer something schools can treat as a separate innovation project, a teaching and learning question, or something that sits solely with the IT team. KCSIE 2026 places AI directly within safeguarding, online safety, filtering and monitoring, staff training, curriculum, child-on-child abuse, sexual harassment and governance.
The challenge is that AI does not sit neatly in one department. It touches every part of the school that KCSIE already governs. That is why the 2026 update requires a joined-up, whole-school response, not a policy amendment or a single training session.
Here is what the confirmed guidance says, why it matters operationally, and what your school needs to do before September.
One of the most significant changes in KCSIE 2026 is the way the guidance defines nudes and semi-nudes.
The confirmed guidance now makes clear that images shared in a safeguarding context may be taken by the child, taken or created by another person, digitally altered, or wholly generated using artificial intelligence, including what are commonly described as deepfakes or deep nudes.
This is a major shift.
Schools can no longer assume that an image-based safeguarding incident only involves a photograph, a phone, or a pupil sharing an image they created themselves. A safeguarding concern may now involve an AI-generated image of a pupil, a manipulated image or a deepfake, created without the pupil ever having taken or shared an original photograph.
The implication is clear: if an AI-generated nude or semi-nude image involves a child, it is a safeguarding issue. It must be recognised, responded to, recorded and escalated appropriately. Schools that have not updated their child-on-child abuse procedures to reflect this are already out of step with what the confirmed guidance requires.
KCSIE 2026 also updates the online safety categories, the 4Cs framework of content, contact, conduct and commerce.
Under contact risk, the guidance now refers not only to harmful online interaction with other users, but also to generative AI applications that simulate this. Under conduct risk, it explicitly refers to making, sending and receiving explicit images, including those generated using AI.
This moves AI beyond content filtering. Schools now need to consider AI as an interactive safeguarding environment in its own right. That includes:
This changes the nature of online safety. It is no longer sufficient to ask whether a website is blocked. Schools now need to understand the AI functionality within every tool being used, whether it is teacher-facing or pupil-facing, what data it processes, what safety controls exist, and how concerns would be identified and escalated.
KCSIE 2026 is explicit that online safety should be a running and interrelated theme across the whole school's approach to safeguarding. It should be reflected in relevant policies, curriculum planning, teacher training, the role and responsibilities of the DSL, parental engagement, filtering and monitoring, and wider technology governance.
A school cannot meet this expectation by adding one paragraph on AI to its child protection policy. The requirement cuts across the entire safeguarding system. In practice, schools will need to consider:
The AI changes are the headline development, but KCSIE 2026 contains several other significant updates schools need to act on before September.
The 2026 version is considerably more specific than its predecessor. The review of filtering and monitoring effectiveness must now be carried out at least once every academic year, led by the SLT member responsible for filtering and monitoring, with the support of the school's DSL and IT support. The review must cover all internet-connected devices in all relevant locations, and a formal record of those checks must be kept.
This is an evidence requirement, not a policy one. Where AI is concerned, it matters even more: schools need to understand whether AI tools are accessible through their filtering, whether monitoring systems identify relevant concerns, and whether there is a clear escalation route from a technical alert to a safeguarding response.
Schools must implement robust cover arrangements when the DSL is unavailable, including, for example, a confidential shared mailbox, to ensure safeguarding concerns are received, monitored and acted on without delay.
KCSIE 2026 makes the link between cyber security and safeguarding explicit. Governing bodies and proprietors must take measures to safeguard children by protecting personal information and ensuring appropriate cyber security systems are in place. Cyber security is no longer just about protecting systems. If systems fail, data is exposed, monitoring is unavailable, devices are compromised or accounts are misused, there are direct safeguarding consequences for children.
For AI, this creates an additional layer of responsibility. Schools need to know what data AI tools process, whether staff or pupils are uploading personal information, whether suppliers are using data to train their models, and whether appropriate vendor due diligence has been completed.
Via the Crime and Policing Act 2026, the supervision exemption from regulated activity has been removed. Any person volunteering in a role involving teaching, training, instructing or supervising children on more than three days in a month, or overnight, is now in regulated activity regardless of whether supervised. DBS check requirements change accordingly.
Paragraphs 138–150 have been substantially expanded on information sharing. Paragraph 191 updates the list of factors a school's child protection policy must include. Schools should review their existing policy against the updated list before September.
KCSIE 2026 does not use the phrase Diamond Formation. That is 9ine's model.
However, the confirmed guidance clearly describes the need for the same structure. KCSIE expects online safety to be connected across safeguarding policy, curriculum planning, teacher training, DSL responsibilities, parental engagement, filtering and monitoring, and technology governance. It also expects the SLT member responsible for filtering and monitoring to work with the DSL and IT support.
That is the Diamond Formation in practice. The four areas are:
Safeguarding: the DSL, deputies and safeguarding team understanding AI-enabled harm, incident response, escalation, recording and support.
Technology: IT and digital leads understanding filtering, monitoring, devices, systems, cyber security, access controls, applications and vendor risk.
Academic: teaching and learning leaders ensuring staff and pupils understand safe, responsible and age-appropriate use of AI, including deepfakes, online harm, consent and reporting routes.
Privacy: SLT, governors and trustees ensuring oversight, accountability, evidence, policy alignment and a clear risk-based approach.
KCSIE 2026 cannot be implemented properly by one person or one department. It requires all four of these areas working together, identifying, managing, evidencing and reporting on technology-related safeguarding risk as a connected system.
Schools should not wait until September. The work required is practical, but it needs structure and the right people involved. Before September, schools should:
The obligations in KCSIE 2026 require a governance model, not a policy update. Schools need a way to assign responsibilities, conduct structured reviews, keep records and evidence their compliance position across safeguarding, technology, AI use, vendor risk and data protection.
The 9ine Platform is built around the Diamond Formation, bringing together the four areas that KCSIE 2026 now explicitly requires to work in concert.
The Governance module turns KCSIE 2026 obligations into structured, assigned and trackable work. Schools can run the paragraph 171 filtering and monitoring review as a governed project, assign it to the right roles, record the findings and produce evidence of completion. The same module supports schools in mapping AI-related risks, managing escalation processes and preparing trustee and governor reporting.
Vendor Management provides independent, structured intelligence on third-party risk across privacy, AI, digital safety and safeguarding. For schools now required to assess the AI functionality and safeguarding risks of every tool in use, this provides the structured framework to do so, including AI product safety information and data processing detail.
The Application module gives schools a structured inventory of approved EdTech, with AI-use flags and safeguarding classifications for each tool. It provides the visibility schools need to answer the question KCSIE 2026 now asks: do we know what AI tools our staff and pupils are using, and have we assessed them appropriately?
The Academy LMS provides on-demand training for DSLs, IT leads, governors and senior leaders across safeguarding, privacy and technology governance, supporting the staff training obligations alongside KCSIE 2026.
For schools that want to move quickly and practically, the 9ine Diamond Sprint brings together the right people from safeguarding, technology, academic and leadership teams to work through KCSIE 2026 in a structured session. During the sprint, we help schools:
The outcome is not just a policy update. It is a clear, evidenced and joined-up approach to governing AI and technology risk with confidence.
To find out more about the Diamond Sprint or to see how the 9ine Platform supports your school's KCSIE 2026 compliance, book a meeting with our team.
You can also join our webinar on 15 July 2026, "KCSIE 2026: what your school must do before September". The link will also work to watch on-demand after the webinar ends.
1 min read
KCSIE is due to be published soon and, according to sources, is expected to undergo a significant upgrade, potentially even a complete rewrite. In...
1 min read
KCSIE has been edging towards “technology-first safeguarding” for years, but the KCSIE 2026 draft for consultation (12 February 2026) makes the...
1 min read
June 2025 saw a change to the data protection landscape in the UK, with the Data (Use and Access) Bill becoming law, to update the UK GDPR and Data...