9ine Insights | Latest news from 9ine

KCSIE 2026 is confirmed: AI is now part of the safeguarding system

Written by Mark Orchison | Jul 8, 2026 9:57:21 AM

The finalised Keeping Children Safe in Education 2026 guidance is published and comes into force on 1 September 2026. For schools, the most significant development is this: the AI and technology requirements that appeared in the consultation draft have not been removed. They have been confirmed.

That matters. AI is no longer something schools can treat as a separate innovation project, a teaching and learning question, or something that sits solely with the IT team. KCSIE 2026 places AI directly within safeguarding, online safety, filtering and monitoring, staff training, curriculum, child-on-child abuse, sexual harassment and governance.

The challenge is that AI does not sit neatly in one department. It touches every part of the school that KCSIE already governs. That is why the 2026 update requires a joined-up, whole-school response, not a policy amendment or a single training session.

Here is what the confirmed guidance says, why it matters operationally, and what your school needs to do before September.

AI-generated imagery is now explicitly a safeguarding concern

One of the most significant changes in KCSIE 2026 is the way the guidance defines nudes and semi-nudes.

The confirmed guidance now makes clear that images shared in a safeguarding context may be taken by the child, taken or created by another person, digitally altered, or wholly generated using artificial intelligence, including what are commonly described as deepfakes or deep nudes.

This is a major shift.

Schools can no longer assume that an image-based safeguarding incident only involves a photograph, a phone, or a pupil sharing an image they created themselves. A safeguarding concern may now involve an AI-generated image of a pupil, a manipulated image or a deepfake, created without the pupil ever having taken or shared an original photograph.

The implication is clear: if an AI-generated nude or semi-nude image involves a child, it is a safeguarding issue. It must be recognised, responded to, recorded and escalated appropriately. Schools that have not updated their child-on-child abuse procedures to reflect this are already out of step with what the confirmed guidance requires.

The 4Cs now include generative AI

KCSIE 2026 also updates the online safety categories, the 4Cs framework of content, contact, conduct and commerce.

Under contact risk, the guidance now refers not only to harmful online interaction with other users, but also to generative AI applications that simulate this. Under conduct risk, it explicitly refers to making, sending and receiving explicit images, including those generated using AI.

This moves AI beyond content filtering. Schools now need to consider AI as an interactive safeguarding environment in its own right. That includes:

  • AI tools that simulate relationships or conversations with pupils
  • AI tools that may create dependency, manipulation or harmful interaction
  • AI-generated content used for bullying, harassment or coercion
  • AI image tools that can create deepfakes or explicit imagery involving children
  • AI-enabled misinformation, disinformation and conspiracy content
  • AI tools that pupils may access through personal devices, apps or features embedded in existing platforms already in use in school

This changes the nature of online safety. It is no longer sufficient to ask whether a website is blocked. Schools now need to understand the AI functionality within every tool being used, whether it is teacher-facing or pupil-facing, what data it processes, what safety controls exist, and how concerns would be identified and escalated.

Online safety is now a whole-school, cross-functional obligation

KCSIE 2026 is explicit that online safety should be a running and interrelated theme across the whole school's approach to safeguarding. It should be reflected in relevant policies, curriculum planning, teacher training, the role and responsibilities of the DSL, parental engagement, filtering and monitoring, and wider technology governance.

A school cannot meet this expectation by adding one paragraph on AI to its child protection policy. The requirement cuts across the entire safeguarding system. In practice, schools will need to consider:

  • How AI risks are addressed in the child protection policy
  • How AI-generated images are covered in child-on-child abuse procedures
  • How staff are trained to recognise and respond to AI-related safeguarding concerns
  • How pupils are taught about deepfakes, explicit images, consent, online harm and reporting
  • How parents are informed about the school's approach to AI and online safety
  • How filtering and monitoring arrangements apply to AI tools specifically
  • How governors and trustees receive assurance that the school has appropriate oversight

What else has changed: key operational updates

The AI changes are the headline development, but KCSIE 2026 contains several other significant updates schools need to act on before September.

Paragraph 171: filtering and monitoring reviews are now prescribed

The 2026 version is considerably more specific than its predecessor. The review of filtering and monitoring effectiveness must now be carried out at least once every academic year, led by the SLT member responsible for filtering and monitoring, with the support of the school's DSL and IT support. The review must cover all internet-connected devices in all relevant locations, and a formal record of those checks must be kept.

This is an evidence requirement, not a policy one. Where AI is concerned, it matters even more: schools need to understand whether AI tools are accessible through their filtering, whether monitoring systems identify relevant concerns, and whether there is a clear escalation route from a technical alert to a safeguarding response.

Paragraph 127: DSL cover arrangements strengthened

Schools must implement robust cover arrangements when the DSL is unavailable, including, for example, a confidential shared mailbox, to ensure safeguarding concerns are received, monitored and acted on without delay.

Cyber security is now part of the safeguarding obligation

KCSIE 2026 makes the link between cyber security and safeguarding explicit. Governing bodies and proprietors must take measures to safeguard children by protecting personal information and ensuring appropriate cyber security systems are in place. Cyber security is no longer just about protecting systems. If systems fail, data is exposed, monitoring is unavailable, devices are compromised or accounts are misused, there are direct safeguarding consequences for children.

For AI, this creates an additional layer of responsibility. Schools need to know what data AI tools process, whether staff or pupils are uploading personal information, whether suppliers are using data to train their models, and whether appropriate vendor due diligence has been completed.

Regulated activity: the supervision exemption is removed

Via the Crime and Policing Act 2026, the supervision exemption from regulated activity has been removed. Any person volunteering in a role involving teaching, training, instructing or supervising children on more than three days in a month, or overnight, is now in regulated activity regardless of whether supervised. DBS check requirements change accordingly.

Information sharing and child protection policy

Paragraphs 138–150 have been substantially expanded on information sharing. Paragraph 191 updates the list of factors a school's child protection policy must include. Schools should review their existing policy against the updated list before September.

Where the Diamond Formation fits

KCSIE 2026 does not use the phrase Diamond Formation. That is 9ine's model.

However, the confirmed guidance clearly describes the need for the same structure. KCSIE expects online safety to be connected across safeguarding policy, curriculum planning, teacher training, DSL responsibilities, parental engagement, filtering and monitoring, and technology governance. It also expects the SLT member responsible for filtering and monitoring to work with the DSL and IT support.

That is the Diamond Formation in practice. The four areas are:

  • Safeguarding: the DSL, deputies and safeguarding team understanding AI-enabled harm, incident response, escalation, recording and support.

  • Technology: IT and digital leads understanding filtering, monitoring, devices, systems, cyber security, access controls, applications and vendor risk.

  • Academic: teaching and learning leaders ensuring staff and pupils understand safe, responsible and age-appropriate use of AI, including deepfakes, online harm, consent and reporting routes.

  • Privacy: SLT, governors and trustees ensuring oversight, accountability, evidence, policy alignment and a clear risk-based approach.

KCSIE 2026 cannot be implemented properly by one person or one department. It requires all four of these areas working together, identifying, managing, evidencing and reporting on technology-related safeguarding risk as a connected system.

What schools should do now

Schools should not wait until September. The work required is practical, but it needs structure and the right people involved. Before September, schools should:

  • Review child protection, online safety, acceptable use, behaviour and staff conduct policies against the KCSIE 2026 requirements, including the updated paragraph 191 checklist
  • Update child-on-child abuse procedures to explicitly address AI-generated nudes, semi-nudes and deepfakes
  • Map where AI is already being used by staff, pupils and suppliers, including AI tools embedded within existing EdTech platforms
  • Identify which AI tools are teacher-facing, pupil-facing or both, and review vendor due diligence and AI product safety information for each
  • Review filtering and monitoring effectiveness and retain a formal record of checks covering all internet-connected devices in all relevant locations, the paragraph 171 requirement
  • Ensure the DSL, SLT member responsible for filtering and monitoring, and IT support have a documented, shared escalation process
  • Train staff on recognition and response to AI-related safeguarding concerns, not just awareness
  • Review how pupils are taught about deepfakes, explicit images, consent, online harm and reporting routes
  • Prepare governor and trustee reporting on AI and technology safeguarding risk
  • Engage parents with a clear explanation of how the school is managing AI and online safety
  • Confirm DBS and safer recruitment records for volunteers following the removal of the supervision exemption

How 9ine helps

The obligations in KCSIE 2026 require a governance model, not a policy update. Schools need a way to assign responsibilities, conduct structured reviews, keep records and evidence their compliance position across safeguarding, technology, AI use, vendor risk and data protection.

The 9ine Platform is built around the Diamond Formation, bringing together the four areas that KCSIE 2026 now explicitly requires to work in concert.

The Governance module turns KCSIE 2026 obligations into structured, assigned and trackable work. Schools can run the paragraph 171 filtering and monitoring review as a governed project, assign it to the right roles, record the findings and produce evidence of completion. The same module supports schools in mapping AI-related risks, managing escalation processes and preparing trustee and governor reporting.

Vendor Management provides independent, structured intelligence on third-party risk across privacy, AI, digital safety and safeguarding. For schools now required to assess the AI functionality and safeguarding risks of every tool in use, this provides the structured framework to do so, including AI product safety information and data processing detail.

The Application module gives schools a structured inventory of approved EdTech, with AI-use flags and safeguarding classifications for each tool. It provides the visibility schools need to answer the question KCSIE 2026 now asks: do we know what AI tools our staff and pupils are using, and have we assessed them appropriately?

The Academy LMS provides on-demand training for DSLs, IT leads, governors and senior leaders across safeguarding, privacy and technology governance, supporting the staff training obligations alongside KCSIE 2026.

The Diamond Sprint

For schools that want to move quickly and practically, the 9ine Diamond Sprint brings together the right people from safeguarding, technology, academic and leadership teams to work through KCSIE 2026 in a structured session. During the sprint, we help schools:

  • Understand the confirmed KCSIE 2026 AI and technology requirements
  • Map where AI, online safety, filtering and monitoring sit across current policies and practice
  • Identify gaps in safeguarding, IT, curriculum, training and governance
  • Review how AI tools are being approved, used and monitored
  • Consider how deepfakes, AI-generated images and simulated AI interactions would be handled under current procedures
  • Align filtering and monitoring evidence with the paragraph 171 requirements
  • Define roles and responsibilities across the Diamond Formation
  • Produce a practical action plan for compliance before September 2026

The outcome is not just a policy update. It is a clear, evidenced and joined-up approach to governing AI and technology risk with confidence.

To find out more about the Diamond Sprint or to see how the 9ine Platform supports your school's KCSIE 2026 compliance, book a meeting with our team.

You can also join our webinar on 15 July 2026, "KCSIE 2026: what your school must do before September". The link will also work to watch on-demand after the webinar ends.