Written evidence by EDDS Institute (AIE0062)

Education Committee             

The use of Artificial Intelligence and EdTech in Education inquiry

 

Executive summary

 

This submission presents empirical findings from independent audit-based assessments of ten widely used edtech platforms in the United Kingdom, conducted using the EDDS verification framework between September and December 2025. The findings are supported by wider multi-stakeholder consultation evidence on governance, health and safeguarding in education systems. Full underlying evidence can be made available to the Committee.

 

The central finding is that the current approach to governing AI and edtech in education does not provide reliable assurance that systems are safe, lawful or appropriate for use with children.

 

Across the audited systems, compliance was typically demonstrated through documentation and policy statements, but not through verifiable operational controls. In multiple cases, systems processing children’s data could not evidence core requirements such as completed Data Protection Impact Assessments, clear governance structures, cybersecurity testing or safeguarding controls. Governance for AI-enabled features was often underdeveloped or entirely absent. This creates a systemic condition in which risks are not visible at the point of adoption. Schools and public authorities are required to make decisions about complex technologies without access to reliable, verifiable information about how those systems function in practice.

 

The result is a structural imbalance. Responsibility for safeguarding, legal compliance and risk management is placed on schools, while the systems themselves cannot consistently demonstrate that these requirements are met. This leads to inconsistent standards, duplicated effort across institutions, and unavoidable exposure to risks relating to privacy, safety and children’s rights.

 

The underlying issue is that current assurance models rely on vendor self-reporting, documentation, and alignment with high-level principles. These approaches do not test whether systems operate safely in real-world conditions.

 

The evidence indicates the need for a shift in approach. Governance frameworks should move from documentation-based compliance to verification-based assurance. This would include independent audit of system behaviour, validation of operational controls, and standardised, evidence-based risk disclosure to support informed decision-making.

 

Without this shift, the education system will continue to adopt technologies in conditions where safety and accountability are assumed, but not demonstrated.

 

  1. Introduction and status of evidence

 

The findings presented draw on (i) independent audit-based assessments of ten edtech platforms conducted by the EDDS Institute (EDDS Audit Report, 2025-2026), and (ii) a multi-stakeholder consultation on health, wellbeing and governance involving education, health and policy stakeholders across Europe (Hillman et al., 2026)

 

This submission is based on the EDDS Institute audit program, which applies a verification-based methodology to assess governance, legal compliance, cybersecurity, safeguarding, children’s rights and operational risk management across AI and edtech systems used in compulsory education (EDDS Audit Report, 2025-2026).

 

The evidence is drawn from structured audits of ten widely used edtech platforms conducted between September and December 2025, alongside ongoing audit activity across a broader cohort. All systems were assessed using consistent criteria, evidentiary thresholds and verification procedures.

 

The methodology combines documentary review, technical inspection, system walkthroughs and organisational assessment to evaluate whether systems can demonstrate lawful, safe, age-appropriate and accountable operation in practice. Claims made in documentation were tested against observed system behaviour and available technical evidence.

 

Vendor identities are anonymised due to legal and market sensitivity, and to preserve analytical independence. In several cases, the risks identified relate to areas of regulatory and safeguarding significance. Anonymisation allows the evidence to be presented without distorting markets or pre-empting regulatory processes.

 

Full underlying evidence, including the forthcoming consolidated audit report, can be made available to the Committee on request. The author would welcome the opportunity to provide further detail or oral evidence.

 

  1. Challenges and Opportunities

 

    1. Opportunities for improving educational outcomes

 

AI and edtech systems may support teaching and learning in several ways, including personalised learning pathways, administrative automation and new forms of feedback and assessment.

 

However, the audit evidence shows that these opportunities depend on systems being demonstrably safe, lawful and governable in practice. Where governance structures are clearly defined and operational, systems can support more efficient workflows and more responsive learning environments. These conditions were only observed in a limited number of cases.

 

Across the audited cohort, the benefits of edtech were closely linked to the maturity of governance, risk management and operational controls. Where these were weak or incomplete, the potential benefits were constrained or uncertain.

 

    1. Key challenges and risks shaping current use

 

The most significant challenge identified is the absence of verifiable assurance. Across the audited systems, compliance was based on documentation and policies, while operational controls were incomplete or not evidenced. Legal and ethical commitments were not consistently translated into measurable safeguards, and risk management processes were often reactive, fragmented or entirely absent.

 

In several cases, systems processing children’s data did not demonstrate core governance requirements in practice. These included incomplete or absent Data Protection Impact Assessments, unclear allocation of responsibility for data governance, limited evidence of cybersecurity testing, and weak or undocumented safeguarding controls. Governance for AI-enabled features was also often underdeveloped.

 

These are not isolated issues. The audit findings indicate that these risks are structural and recur across different types of platforms.

 

    1. Variation across educational stages and settings

 

The audit evidence relates primarily to systems used in compulsory education. The risks identified are not specific to particular Key Stages but arise from system design, governance maturity and organisational capacity.

 

These risks may have greater impact in earlier stages of education, where children are less able to understand or challenge how systems operate or how their data is used. However, the underlying governance issues are consistent across contexts.

 

Importantly, the educational purpose of a system does not in itself ensure that it is safe or appropriate. Systems designed for learning can still introduce significant risks where governance and safeguards are not in place.

 

    1. Regulatory framework and quality assurance

 

The current regulatory and quality assurance landscape does not provide reliable assurance that edtech systems are safe, lawful or appropriate in practice.

 

Existing approaches, including certification schemes and procurement frameworks, rely heavily on vendor-provided documentation, policy statements and alignment with high-level principles. Independent verification of system behaviour, data practices and operational controls remains limited.

 

Comparative analysis of emerging global certification frameworks shows a consistent pattern: strong commitments to ethics, safety and children’s rights are expressed in principle, but mechanisms for independent verification and enforcement are weak (Hillman, Holmes & Mavrikis, in review; pre-print available on request).

 

Procurement research similarly indicates that decisions are often made without clear benchmarks or independent evaluation, meaning that vendor claims are not systematically verified (Hillman, 2022; Hillman et al., 2024).

 

The audit evidence demonstrates that systems presenting strong compliance narratives may lack operational safeguards, while technically robust systems may lack adequate governance structures. As a result, there is no reliable mechanism for distinguishing between safe and unsafe systems at the point of adoption.

 

    1. Digital infrastructure and institutional capacity

 

The current model places responsibility on schools and educational institutions to assess and manage complex technological risks.

 

The audit findings show that this expectation is not realistic. In many cases, vendors themselves do not demonstrate fully institutionalised governance systems, and key information required for due diligence is incomplete or unavailable.

 

This creates a structural imbalance. Schools are expected to make high-stakes decisions about systems that they cannot independently verify. This reflects a wider systemic issue. Institutions are required to assess complex technologies without clear standards, consistent evaluation criteria or reliable mechanisms for verifying vendor claims (Hillman et al., 2026).

 

Digital infrastructure should therefore be understood not only in terms of access and capability, but also in terms of verifiability and accountability. These elements are currently underdeveloped.

 

    1. Ethical, safeguarding and learning implications

 

The integration of AI and edtech introduces additional ethical and safeguarding challenges, particularly where systems process behavioural or developmental data or generate automated interpretations.

 

The audit evidence identified recurring risks, including limited transparency in data processing, unclear safeguards around AI-generated outputs, and weak mechanisms for monitoring and mitigating harm. These risks arise from observed system behaviour and governance gaps. They are consistent with wider stakeholder evidence on the impact of AI-mediated systems on relationships, judgement and safeguarding in educational settings (Hillman et al., 2026), as well as broader research highlighting limitations in current governance approaches (Hillman, Holmes & Mavrikis, in review).

 

While the audit evidence does not directly measure learning outcomes, it shows that governance conditions influence how systems shape learning environments. AI-enabled features such as automated summarisation, feedback and behavioural interpretation can affect how teaching and learning processes unfold. Where oversight is limited, these effects may not be transparent, evaluated or aligned with educational objectives.

 

  1. The impact on teaching

The audit evidence does not directly measure the impact of AI and edtech on teaching practices, workload or professional development. However, it identifies the conditions under which such impacts arise. Current expectations place significant burden on schools and teachers. In practice, educators are expected to assess legal compliance, consider data protection obligations, evaluate cybersecurity risks and manage the use of AI systems in line with safeguarding duties. These expectations are reflected in existing guidance (ICO, n.d., UK Government, 2025a, 2025b, 2025c; NCSC, n.d.).

 

The audit findings show that these responsibilities are not matched by the information or systems available to schools. In many cases, vendors do not demonstrate fully institutionalised governance, documentation is incomplete or not aligned with UK requirements, and critical information required for due diligence is not available (EDDS Audit Report, 2025-2026).

 

As a result, teachers may be required to make professional judgements about systems whose behaviour, limitations and risks are not fully transparent or independently verified. This includes interpreting outputs, managing uncertainty and making decisions about how systems are used in teaching and assessment. In this context, the introduction of AI and edtech does not necessarily reduce workload. It can shift responsibility to educators without providing the necessary means visibility or assurance. This has implications for consistency, safeguarding and professional accountability.

 

The evidence also indicates that teacher confidence in using AI tools depends on access to clear, reliable information about how systems function, what data they process and how risks are managed. Where this information is limited, training and professional development alone are unlikely to be sufficient. The impact on teaching therefore needs to be understood in relation to system transparency and governance.

 

The presence of pedagogical features or intended educational benefits does not in itself ensure that systems are safe, reliable or appropriate for use in teaching.

 

  1. The impact on learning

 

This submission does not directly assess the impact of AI and edtech on learning outcomes, cognitive development or skill acquisition. However, the audit evidence identifies the conditions that shape how such impacts arise in practice.

 

AI-enabled systems introduce new forms of data processing, automation and interpretation into learning environments. These include automated feedback, summarisation, profiling and adaptive content. Where system behaviour is not transparent or independently verifiable, it becomes difficult for schools to determine how these tools influence learning processes or whether they align with educational objectives (EDDS Audit Report, 2025-2026).

 

The audit findings show that most systems do not provide clear information about how outputs are generated, what data is used, or how decisions are made. This limits the ability of educators to evaluate their impact on learning, identify potential errors or bias and understand how students are being assessed or guided.

 

Wider research indicates that digital platforms can shape learning in ways that are not always visible. This includes the use of data to model behaviour, the standardisation of interaction and the prioritisation of measurable outputs (Bulathwela et al., 2024). These dynamics may influence how learning is structured, how progress is defined and how students engage with content.

 

There is also growing evidence that AI systems can embed assumptions about learning and performance into their design, which may affect how students are supported or evaluated (Bommasani et al., 2021). Where these assumptions are not transparent, they may influence learning in ways that are difficult to detect or challenge.

 

These findings indicate that the impact of AI on learning cannot be assessed independently of governance, system design and accountability. Where systems are not transparent, not verifiable and not subject to ongoing oversight, their effects on learning processes and outcomes remain uncertain.

 

  1. Children’s digital rights

 

The audit findings raise questions about whether current uses of AI and edtech in compulsory education are compatible with established legal and rights frameworks.

 

Systems observed in practice process large volumes of sensitive and granular data about children. This includes behavioural observations, developmental indicators, educational performance, interaction data, and, in some cases, special category data such as disability status or medical information. These data are often collected continuously, aggregated over time, and in some systems further processed through AI-enabled features that generate summaries or interpretations about children’s behaviour and development (EDDS Audit Report, 2025-2026).

 

This level of data processing raises concerns for children’s right to privacy. Core data protection principles, including data minimisation, purpose limitation and proportionality, are not consistently demonstrated in practice (UK GDPR, 2018). In several audited cases, it was not possible to verify that the data collected was necessary for the stated educational purpose, or that its use was clearly defined and limited.

 

These practices also have implications for other rights. Where systems shape how information is presented, interpreted or prioritised, they may influence children’s ability to form views freely and to express themselves (UNCRC, 1989). Where interaction, feedback or behavioural cues are mediated through platforms, there may also be implications for how children engage with others and participate in learning environments, including their ability to associate and interact freely (UNCRC, 1989). In addition, the use of behavioural data and automated interpretation raises concerns about the potential for undue influence or manipulation, particularly where system design and underlying assumptions are not visible to users.

 

The audit evidence also identifies risks to children’s right to protection from harm (UNCRC, Article 19). Systems that process behavioural and developmental data, particularly where combined with AI-generated outputs, may enable profiling, misclassification or over-interpretation. Where governance and oversight are incomplete, these risks cannot be reliably identified or mitigated. This is consistent with wider concerns about AI-mediated decision-making and safeguarding in education (Hillman et al., 2026).

 

The continuous recording and interpretation of children’s activity also has implications for the right to development (UNCRC, 1989). Systems that record, categorise and interpret behaviour may shape how children are understood and supported within educational settings. Where these processes are not transparent or independently evaluated, it remains unclear whether they support children’s developmental interests or constrain them through fixed or premature categorisation.

 

The audit findings also indicate limited visibility for children and their families into how data is collected and used. This affects children’s ability to exercise rights of participation and agency, including understanding and challenging how they are represented within these systems.

 

Common safeguards such as contractual terms, parental consent and de-identification are not sufficient on their own. The audit evidence shows that these measures do not replace the need for operational controls and ongoing oversight. De-identification does not remove risk where data remains detailed and linkable, and consent does not address the imbalance in knowledge and power between providers and users.

 

These findings indicate that risks to children’s rights arise from the routine and large-scale use of data-intensive systems without demonstrable safeguards, independent verification or continuous monitoring. The educational purpose of these systems does not in itself ensure that children’s rights are protected in practice (Hillman et al., 2026).

 

  1. Cross-cutting systemic findings 

 

The evidence presented in this submission, drawn from independent audit assessments and supported by cross-sector consultation findings, indicates that the risks associated with AI and edtech in education are systemic. They arise from structural features of the current governance and deployment model, not from isolated failures or individual products (EDDS Audit Report, 2025-2026; Hillman et al., 2026).

 

    1. Structural gap between compliance and operational reality

 

Across the audited systems, a consistent gap was observed between declared compliance and operational practice. Legal, ethical and safeguarding commitments were commonly set out in policies and documentation but were not consistently supported by verifiable controls, monitoring systems or sustained organisational processes.

 

This gap is not captured by existing evaluation mechanisms, which rely heavily on documentation and self-reporting. As a result, systems may appear compliant, yet lacking the capacity to deliver these commitments in practice.

 

At the same time, the current decentralised approach to assurance places responsibility on individual schools, trusts and local authorities to assess the same systems independently (Hillman, 2022). This leads to duplicated effort, inconsistent judgements and variable safeguarding standards, often without access to the necessary technical or legal expertise (Hillman et al., 2026).

 

    1. Absence of verifiable assurance mechanisms

 

A central finding is the absence of independent and enforceable assurance mechanisms.

Current approaches to evaluation and procurement do not include direct inspection of system behaviour, verification of data processing practices or validation of security and risk controls. Continuous monitoring of system performance and risk is also limited.

 

As a result, safety, lawfulness and accountability cannot be reliably established at the point of adoption or maintained over time.

 

    1. Systemic imbalance of responsibility and visibility

 

The current model creates a structural imbalance in which schools and educators are expected to take responsibility for systems they cannot meaningfully evaluate or control. The audit evidence shows that critical information is often unavailable, governance structures within vendors are not fully institutionalised and system behaviour is not transparent or auditable in practice.

 

At the same time, these systems increasingly shape how learning, behaviour and performance are interpreted through the collection and processing of behavioural and interaction data. This introduces forms of influence that are not always visible or contestable within existing institutional frameworks (Hillman et al., 2026).

 

As a result, responsibility for safeguarding, legal compliance and decision-making is transferred to institutions without the authority, expertise or evidence required to discharge it.

 

    1. System-level risks and the inversion of the assurance model

 

The audit findings show that risks to children’s rights, including privacy, protection from harm and autonomy, are systemic. They arise from gaps in governance, weak safeguards, lack of oversight and reliance on unverified claims. These risks may accumulate over time and across systems, with potential implications for wellbeing, attention and relationships in educational settings (Hillman et al., 2026).

 

These findings indicate that the current system operates in an inverted assurance model. Technologies are introduced before safety, legality and accountability are demonstrated. Risks are often identified after deployment, frequently by end-users, and responsibility is distributed across schools and educators instead of being established at system level. This differs from established practice in other high-risk sectors (medicine, architecture, aviation), where verification and oversight are required before systems are deployed.

 

The overall conclusion is that the current governance framework does not provide reliable assurance that AI and edtech systems are safe, lawful or aligned with children’s rights in practice.

 

For the Committee, the key question is whether this model of assurance is sufficient. The evidence presented here indicates that it is not. A shift towards verification-based governance, including independent audit, continuous oversight and enforceable standards, is required to ensure that safety, legality and accountability can be demonstrated in practice.

 

References

Bommasani, R., Hudson, D.A., Adeli, E., Altman, R., Arora, S., von Arx, S. and Liang, P. (2021) ‘On the opportunities and risks of foundation models’, arXiv. Available at: https://doi.org/10.48550/arXiv.2108.07258

Bulathwela, S., Pérez-Ortiz, M., Holloway, C., Cukurova, M. and Shawe-Taylor, J. (2024) ‘Artificial intelligence alone will not democratise education: On educational inequality, techno-solutionism and inclusive tools’, Sustainability, 16(2), p. 781. Available at: https://doi.org/10.3390/su16020781

Chen, X., Xie, H., Zou, D. and Hwang, G.J. (2020) ‘Application and theory gaps during the rise of artificial intelligence in education’, Computers and Education: Artificial Intelligence, 1, 100002. Available at: https://doi.org/10.1016/j.caeai.2020.100002

EDDS Institute (2025-2026) AI & edtech system quality: Audit report. Available at: https://07858dda-cc83-4787-b0d0-fbb388cf9a0b.filesusr.com/ugd/7d9146_e06e41e078ed421797b1fb369eee3dfb.pdf

Gilliard, C. and Selwyn, N. (2023) ‘Automated surveillance in education’, Postdigital Science and Education, 5(1), pp. 195-205. Available at: https://doi.org/10.1007/s42438-022-00295-3

Hankerson, D.L., Venzke, C., Laird, E., Grant-Chapman, H. and Thakur, D. (2021) Online and observed: Student privacy implications of school-issued devices and student activity monitoring software. Center for Democracy & Technology. Available at: https://cdt.org/insights/report-online-and-observed-student-privacy-implications-of-school-issued-devices-and-student-activity-monitoring-software/

Hillman, V. (2022) Edtech procurement matters: it needs a coherent solution, clear governance and market standards. Social Policy Working Paper 02-22. London: LSE Department of Social Policy. Available at: https://www.lse.ac.uk/social-policy/Assets/Documents/PDF/working-paper-series/02-22-Hillman.pdf

Hillman, V. (2023) ‘Bringing in the technological, ethical, educational and social-structural for a new education data governance’, Learning, Media and Technology, 48(1), pp. 122–137. Available at: https://doi.org/10.1080/17439884.2022.2052313

Hillman, V., Holmes, W. and Mavrikis, M. (in review) ‘Making markets of edtech certifications’. Pre-print available upon request.

Hillman, V., Hwang, J., Foljambe, R., Holly, L., Pierlejewski, M., Hawley, S., Wisniewski, D., Podevijn, B. and Tuckett-Jones, R. (2026) AI and edtech in education: health, well-being and governance findings from a pan-European multi-stakeholder consultation. Available at: https://07858dda-cc83-4787-b0d0-fbb388cf9a0b.filesusr.com/ugd/7d9146_8d243abe4b7c470da627d52f7711f5c8.pdf

Hillman, V., Hwang, Y., Walker, S., Wilson, P. (2024) AIED and EdTech Procurement: Challenges for Policy and Governance, Social Policy Working Paper 04-24, London: LSE Department of Social Policy. Available at https://www.lse.ac.uk/social-policy/Assets/Documents/PDF/working-paper-series/WPS-10-24.pdf

Holmes, W. (2023) The unintended consequences of artificial intelligence and education. Education International. Available at https://www.ei-ie.org/en/item/28115:the-unintended-consequences-of-artificial-intelligence-and-education  

Holmes, W., Bialik, M. and Fadel, C. (2019) Artificial intelligence in education: Promises and implications for teaching and learning. Center for Curriculum Redesign.

Information Commissioner’s Office (ICO) (n.d.) Guide to accountability and governance: Data protection impact assessments. Available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-impact-assessments/

Malik, M.M. (2020) ‘A hierarchy of limitations in machine learning’, arXiv. Available at: https://doi.org/10.48550/arXiv.2002.05193

National Cyber Security Centre (NCSC) (n.d.) Cyber security for schools. Available at: https://www.ncsc.gov.uk/section/education-skills/cyber-security-schools

UK GDPR (2018) Available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/

UK Government (2025a) Keeping children safe in education (September 2025). Available at: https://assets.publishing.service.gov.uk/media/68add931969253904d155860/Keeping_children_safe_in_education_from_1_September_2025.pdf

UK Government (2025b) Meeting digital and technology standards in schools and colleges. Available at: https://www.gov.uk/guidance/meeting-digital-and-technology-standards-in-schools-and-colleges/cyber-security-core-standard

UK Government (2025c) Generative artificial intelligence (AI) in education. Available at: https://www.gov.uk/government/publications/generative-artificial-intelligence-in-education/generative-artificial-intelligence-ai-in-education

United Nations Convention on the Rights of the Child [UNCRC] (1989) https://www.ohchr.org/en/instruments-mechanisms/instruments/convention-rights-child

Veale, M. and Borgesius, F.Z. (2021) ‘Demystifying the draft EU Artificial Intelligence Act: Analysing the good, the bad, and the unclear elements of the proposed approach’, arXiv. Available at: https://arxiv.org/abs/2107.03721


Annex A| Audit methodology and evidence generation approach

 

This annex summarises the methodology used to generate the audit findings presented in this submission.

 

A1. Methodological approach All systems were assessed using a verification-based audit methodology (EDDS Institute, 2023). This approach evaluates whether AI and edtech systems can demonstrate lawful, safe and governable operation in practice. The methodology goes beyond documentation review and includes direct verification of organisational capacity and system controls. All systems were assessed using consistent criteria, evidentiary thresholds and procedures.

 

A2. Multi-source evidence model Assessments were based on triangulated evidence, including:

Claims made in documentation were tested against observed practices and technical evidence where available.

 

A3. Core assessment domains Each system was evaluated across eight governance domains:

These domains reflect minimum conditions for lawful, ethical and safe deployment in education settings.

 

A4. Risk-based and non-compensatory assessment Assessments are non-compensatory. Strength in one domain does not offset failure in another, particularly in relation to children’s data, safeguarding and security. Findings are expressed as demonstrated (implemented and evidenced), partial (inconsistent or incomplete) and not evidenced (absent or unverifiable).

 

A5. Audit outputs Each audit produces a categorical outcome (pass/conditional pass/fail), identified governance risks, required remediation actions and a structured summary of governance capacity. These outputs form the basis for the standardised disclosure labels presented in Annex B.

 

A6. Scope and limitations Assessments reflect system and organisational capacity at the time of audit. Where access to systems or documentation was restricted, this was treated as a governance risk.

Audit outputs provide an evidence base for comparing systems and supporting decision-making. They also enable complex governance findings to be translated into accessible summaries for schools and public authorities.


 

Annex B | Example audit-based risk disclosure labels

 

This annex presents examples of standardised governance, risk disclosures and data collection and processing derived from audit-based assessments of edtech systems used in the UK. The labels (Examples 1 and 2) show how audit findings can be translated into clear, comparable summaries. These include audit status, data collection and sensitivity, risk exposure, safeguarding implications, security assurance, governance maturity and AI-related risks where applicable. All examples are anonymised but based on verified audit evidence.

 

B1. Purpose of the labels The labels are designed to (1) provide immediate visibility of key risks and safeguards, (2) enable comparison across different systems, (3) support informed procurement and oversight decisions (while not replacing schools’ own governance responsibilities), (4) reduce reliance on vendor claims and marketing materials, (5) function as a regulatory-style disclosure mechanism, and not as a rating or endorsement.

 

B2. How label information is derived All information presented in the labels is derived from verified audit findings, triangulated evidence sources (see Annex A), observed system behaviour and documented controls. Labels do not rely on vendor self-reporting alone. The label represents a structured synthesis of audit findings across governance, legal, technical, and operational domains.

 

B3. Core dimensions Each label presents a consistent set of dimensions:

 

B4. Interpretation The labels should be interpreted as a snapshot of governance capacity at the time of assessment, an indicator of whether systems can demonstrate operational compliance in practice, and a tool to support risk-aware decision-making. These do not substitute for professional judgement and each label is time-stamped (based on when the audit was conducted), which allows tracking of development over time. The label does not simplify or replace the underlying audit; rather, it provides a decision-facing representation of verified evidence.

 

B5. Role in a national assurance model If implemented at system level, such labels could support:

B6. Illustrative examples from audited systems The following two examples present anonymised labels derived from real audit assessments. They illustrate how complex governance findings can be translated into standardised, comparable disclosures for schools, regulators and policymakers.
 


Example 1: Vendor A operates a digital learning platform designed to support foundational maths and spelling practice for children aged approximately 5-14 through personalised, game-based learning. The system tailors practice questions to each learner’s level and provides engaging, interactive games integrated with diagnostic assessments and automated reporting. The platform’s curriculum content is aligned with recognised standards in the UK and international contexts, and it offers tools for both in-school and home use.

A screenshot of a computer

AI-generated content may be incorrect.A screenshot of a computer

AI-generated content may be incorrect.

The scorecard summarises Vendor A’s governance maturity and evidentiary status for safe and lawful deployment.

────────────────────────────────────────────────────────────────────────

EDDS DOMAIN CONTROL MATRIX | Vendor A

────────────────────────────────────────────────────────────────────────

DOMAIN                          STATUS CONTROL STRENGTH

Organisational governance              Moderate

Legal & regulatory compliance          Strong

Data governance & privacy              Strong

Cybersecurity & infrastructure         Strong

AI & algorithmic governance            Moderate (Limited AI exposure;

governance artefacts incomplete)

Safeguarding & wellbeing               Strong (Low interaction risk)

Operational maturity                   Moderate

Transparency & accountability          Moderate

────────────────────────────────────────────────────────────────────────

GOVERNANCE RISK INDICATORS

────────────────────────────────────────────────────────────────────────

Limited independence of oversight functions

Incomplete ROPA and DPIA documentation

Limited documented penetration testing

Remediation cycles not fully institutionalised

────────────────────────────────────────────────────────────────────────

 


Example 2: Vendor B operates a cloud-based platform used in early years and primary education to document children’s attendance, daily routines, developmental progress and safeguarding information, alongside communication with parents. The system processes a wide range of child-level data, including behavioural observations and media content. The platform includes AI-assisted features that generate summaries of activity logs, produce structured developmental reports, support assessment processes and provide teacher-facing chatbot functions. These features rely on AI processing through external cloud infrastructure in EU regions. Given the volume and sensitivity of data collected, and the use of AI to generate interpretations of children’s behaviour and development, the system presents a higher governance and safeguarding risk profile than platforms focused solely on instructional delivery.

 

A screenshot of a computer

AI-generated content may be incorrect.A white paper with black text

AI-generated content may be incorrect.

The scorecard summarises Vendor B’s governance maturity and evidentiary status for safe and lawful deployment.

────────────────────────────────────────────────────────────────────────

EDDS DOMAIN CONTROL MATRIX | Vendor B

────────────────────────────────────────────────────────────────────────

DOMAIN                          STATUS CONTROL STRENGTH

Organisational governance              Strong

Legal & regulatory compliance          Strong

Data governance & privacy              Moderate

Cybersecurity & infrastructure         Strong

AI & algorithmic governance            Moderate (AI inference)

Safeguarding & wellbeing               Moderate-to-High (AI influence)

Operational maturity                   Moderate

Transparency & accountability          Moderate

────────────────────────────────────────────────────────────────────────

GOVERNANCE RISK INDICATORS

────────────────────────────────────────────────────────────────────────

AI-generated interpretive summaries of children’s behaviour

Behavioural and developmental observation data at scale

DPIA documentation incomplete in audit evidence

Accessibility compliance not yet achieved

End-user authentication limited to single factor

────────────────────────────────────────────────────────────────────────

 

 

May 2026

15