Sixteen weeks of external counsel
The quoted manual review would have missed the Office for Students' compliance window by eight weeks.
450 policy documents, reviewed against new freedom of speech law — in six working days.
A UK university faced a statutory deadline and 450 policies that needed stress-tested against the recent Higher Education (Freedom of Speech) Act changes. We built a human-in-the-loop AI review pipeline that delivered marked-up Word documents - every change cited, every decision defensible - in six working days.
Higher Education
6 working days
450 policies
Office for Students
450
Policy documents reviewed
6 days
End-to-end turnaround
£50k+
Avoided external legal spend
100%
Changes cited to source
The Client
A mid-sized UK university under new statutory duty.
The Higher Education (Freedom of Speech) Act 2023 reshaped what universities must document, publish and defend. Codes of conduct, event-booking rules, complaints procedures, staff guidance, student union agreements - all now sit inside a named regulatory perimeter enforced by the Office for Students.
Our client - a research-intensive UK university with roughly 20,000 students - had a body of 450 live policies accumulated over two decades. Governance, Legal and the Vice-Chancellor's office needed a defensible answer to a simple board-level question: where are we exposed, and what has to change?
A traditional external legal review was quoted at roughly 1,200 hours of counsel time across sixteen weeks. The statutory deadline was sooner than that.
The Challenge
Manual review was too slow, too costly, and too opaque for the board.
~£50,000+ of external legal spend
A like-for-like sweep through a magic-circle firm, before any internal rework cost.
No audit trail the board could trust
Ad-hoc review memos, with no consistent framing of why each clause was flagged or left alone.
What the Client Received
Marked-up Word documents. Every change explained.
Policies came back in native .docx format with tracked changes, inline rewrites and a margin comment on every edit. Each comment named the specific clause of the Act or OfS guidance that drove the change, along with the reasoning.
Legal and Governance could accept, reject or amend each change in their usual review workflow. No new tools. No retraining.
- Tracked changes in native Microsoft Word
- Margin comment on every single edit
- Citation to named Act clause or OfS guidance
- Plain-English reasoning in every comment
- Severity flag: required, recommended, observational
Code of Practice — External Speakers.docx
Section 4 — Consideration of Event Requests
4.1 The University will consider all requests to host external speakers submitted through the Events Office. Consideration is conducted by the Events Committee on a rolling basis.
4.2 Requests may be declined at the discretion of the Events Committee where the subject matter is considered controversial or potentially reputationally damaging must be assessed against the criteria in Section 5; a request may only be declined where doing so is reasonably practicable and consistent with the University's duty under s.A1 of the Higher Education (Freedom of Speech) Act 2023.
4.3 Where a request is declined, the Committee will record its reasoning in writing and notify the requester within 10 working days. Requesters may appeal to the Vice-Chancellor's nominated officer.
4.4 The University will not impose security costs on event organisers solely on the basis of the anticipated views of the speaker or the anticipated response to those views.
4.5 This Code will be reviewed annually and published on the University's website in accordance with the Office for Students' regulatory requirements …
RequiredAI · 14:22
s.A1(2), HE(FoS)A 2023
Original wording grants broad discretion to decline on reputational grounds — no longer lawful. Rewritten to tie refusal to the statutory ‘reasonably practicable' test.
RequiredAI · 14:22
OfS Regulatory Advice 24, §3.4
OfS guidance requires reasons to be given in writing and a clear appeal route. Added explicit timeframe (10 working days) to match internal SLA.
RecommendedAI · 14:22
HE(FoS)A 2023, s.A2(8)
Prohibition on viewpoint-based security costs. Not strictly required in a Code of Practice, but including it removes a known enforcement risk flagged in the OfS's first complaints case.
Illustrative extract. Actual deliverables were tracked-change .docx files returned for human review via the client's existing document workflow.
Our Approach
A review pipeline designed for governance, not speed alone.
AI does the reading; humans own the decision. The pipeline is deliberately auditable - every edit in every document is traceable back to a named clause, a named rubric test and a named reviewer sign-off.
01
Ingest & classify
450 policies pulled from SharePoint, Confluence and the policy library. Each document classified by type, scope and regulator touchpoint before review.
02
Build a defensible rubric
Working with the Legal team, we translated the Act and OfS guidance into a reviewable rubric - a named set of tests each policy had to pass.
03
AI review at scale
Documents run through a purpose-built pipeline. Every suggested change carries a citation to the rubric and a plain-English reasoning comment.
04
Human sign-off
Marked-up .docx files returned to Legal and Governance. Reviewers accepted, rejected or amended in Word - no new tools, no new training.
How It Works
Humans in the loop. By design.
Policy documents flow through a four-stage pipeline. The AI never touches the client's canonical policy store; the output is always a proposed change, never a committed one.
01
Policy library
SharePoint / Confluence / legacy Word. No system integration required.
02
Compliance rubric
Co-authored with the university's Legal team. Versioned and signed off before use.
03
Review engine
Each proposed change anchored to rubric test and source clause. Zero-retention inference.
04
Marked-up .docx
Legal and Governance accept, reject or amend inside Word. Nothing ships without human sign-off.
Who It Helped
A single deliverable, four stakeholder problems solved.
A board-ready answer to a regulator-ready question.
Within a week, the exec team had a defensible map of compliance exposure across the entire policy estate - not a sample, not a selection. The VC went into the next OfS engagement with evidence.
Legal expertise focused on judgement, not drafting.
Legal time was spent reviewing and ratifying AI suggestions rather than reading 450 policies from scratch. Counsel retained full sign-off authority; their hours were spent on the 18% of changes that were genuinely contested.
An audit trail the regulator would accept.
Every accepted change links to a named clause and a named reviewer. When the regulator asks ‘why did you change this', the answer is a single click.
No disruption to academic governance cycles.
Because the output was native Word, policy changes flowed through Senate and Council in the usual format. No new approval process. No new risk committee.
Outcomes
Measurable compliance, on a board-credible timeline.
6working days
From brief to marked-up deliverables — against a 16-week manual quote.
~£50k+avoided
External legal spend that did not have to be committed, on like-for-like scope.
0policies
Shipped without a named human reviewer signing off the final copy.
100%traceability
Every proposed change cited to the Act or OfS guidance, reviewable in Word.
“What would have taken a quarter took a week. More importantly, we walked into the next regulator conversation with a complete, citable answer — not a sample.”
[Client contact — awaiting approval]
Director of Governance, UK university client
Risk & Governance
AI that a regulated institution can actually defend.
Speed is not the headline. Defensibility is. The pipeline is engineered so that every step of the review would survive scrutiny from the Office for Students, internal audit, or a Freedom of Information request.
No autonomous changes
The AI proposes. A named human reviewer disposes. Every committed change has a human signature against it.
Zero-retention inference
Policy content was processed in an enterprise inference tier with no training retention. Nothing entered a public model.
Citation as a contract
A suggested change without a cited clause is rejected at pipeline level. No citation, no suggestion.
Versioned rubric
The compliance rubric itself is a versioned document. If guidance changes, we re-run - and the diff is transparent.
Next Steps
Facing a policy review of your own?
We run this pipeline for regulated organisations across higher education, healthcare and financial services. Book a 30-minute intro call to walk through your policy estate.