Ask most independent school headteachers whether their staff are using AI tools, and they’ll tell you there’s no policy for it. What they usually mean, without realising it, is that there’s no official permission.
A National Literacy Trust survey found the proportion of 13 to 18-year-olds using generative AI rose from 37% in 2023 to 77% in 2024. It’s happening in coursework and in class, and in most schools, it’s happening without any oversight, audit trail, or clear position from leadership. Separately, the same Ofsted research found that half of teachers in England now use generative AI tools, while many say they don’t know enough about AI to use it responsibly and are concerned about the risks around data privacy and safeguarding.
Independent schools operate in a market where reputation means everything. Parents choose based on outcomes, culture, and the perception that a school is ahead of the curve rather than trailing it. By the time most schools address AI, the schools competing for the same pupils, parents, and staff will already have turned it into an advantage.
What AI Actually Looks Like Inside a School Today
The version of AI that is mostly talked about – fully integrated, purpose-built, and used institution-wide – is still relatively uncommon. According to Bett analysis in 2025, nearly half of schools have not officially implemented AI, though this is an improvement from 2024 when the figure was 69%. But the absence of official implementation means AI is present without structure.
Shadow AI is the more honest description of what most schools are dealing with. Staff use ChatGPT to draft reports, write cover work, or plan lessons, whilst students submit AI-assisted work with varying degrees of clarity. Some teachers are ahead of any policy, only because the tools are genuinely useful and the school hasn’t given them anywhere else to turn. But it is happening quietly. No one has established which tools are approved, what data can be shared with external systems, or what the school’s actual stance is.
Microsoft Copilot for Education sits inside the M365 environment, giving staff the ability to draft communications, summarise documents, generate lesson resources, and pull insight from school data all within the Microsoft compliance boundary rather than through an unmanaged external tool. However, when a teacher pastes a pupil’s name, learning notes, or SEND information into a public AI chatbot, they’ve potentially created a data protection problem the school doesn’t even know about. When the equivalent task runs through a properly configured Copilot deployment, the school retains governance over what happens to that data.
AI-assisted assessment is a more deliberate use of the technology, one that some schools are already putting into practice. Rather than treating AI as a threat, teachers are designing coursework around it. This can be done by setting time-limited tasks where pupils work alongside AI tools under supervised conditions, with the process and outputs both forming part of the assessment. It shifts the measure away from whether a pupil can produce a piece of work without AI towards whether they can use it critically, evaluate what it produces, and apply their own judgement to the result. The gains from putting these structures into place are practical and immediate.
When Something Goes Wrong, Who Carries It?
Liability tends to come up only after something has gone wrong, but by then the options narrow considerably.
The Government’s Cyber Security Breaches Survey 2025 found that 60% of secondary schools identified a cyber security breach or attack in the previous twelve months, which is a higher rate than the average UK business. The dominant attack type across the sector is phishing, which means human behaviour is nearly always the point of entry. This is usually done by a staff member clicking the wrong link or accessing a compromised tool.
AI makes this exposure more complex. When staff use unauthorised tools, they often input information that has no business leaving the school’s systems, such as pupil names, assessment data, safeguarding notes, and medical details. KCSIE 2025, as analysed by Farrer & Co, now explicitly references generative AI under online safety, directing schools to the DfE’s product safety expectations and requiring that filtering and monitoring requirements address AI tools.
Under UK GDPR, a school’s liability for how pupil data is processed doesn’t dissolve because an unsanctioned AI tool was involved or because a vendor’s terms were clicked through by an individual member of staff. The ICO’s guidance on AI and data protection makes the school’s obligations clear regardless of how the data reached the third-party system. For independent schools, which frequently hold sensitive information on pupils with additional needs, complex family situations, or specific medical requirements, a breach in this area is a direct hit to the trust parents place in the institution.
What the Schools Pulling Ahead Are Doing Differently
The practical difference between schools that are managing AI well and those that aren’t tends to show up well before the technology does.
That means having a written AI policy that staff know the ins and outs of. It covers which tools are sanctioned, what data can and cannot be shared outside school systems, and how the school handles AI-assisted pupil work. Without it, every individual decision about AI use defaults to whoever’s making it that day, with no consistency and no record. It also means taking training seriously before rolling out tools, not after. As one independent school headteacher told Ofsted researchers, “The biggest risk is doing nothing and assuming that you can just continue as is.” The early adopters in that same report consistently prioritised staff understanding over deployment speed, as they wanted their teachers to grasp the risks and possibilities before anyone logged in.
Underpinning all of it is infrastructure. A school can’t be GDPR-compliant if their IT is managed reactively – where no one has mapped what data lives where or established which third-party tools have access to pupil records.
Bickley Park School is a practical example of what it looks like when a school takes its technology infrastructure seriously. As headmaster Tom Quilter put it, “Outsourcing our IT was a strategic move. Platform 365 made it work.”
The starting point is an honest assessment of what is already happening inside your own buildings, with the right controls put around it and the habits built to absorb whatever comes next. Platform 365’s Cyber Risk Assessment starts from £1,950 and gives senior leaders a clear picture of where the gaps are.
