Selling AI to a UK public body bears almost no resemblance to selling to a private enterprise, and suppliers who approach it as a sales process rather than a procurement process lose to competitors who understand the frameworks. Central government, the NHS, local authorities and arm's-length bodies buy most of their cloud and AI services through the Crown Commercial Service frameworks, principally G-Cloud, accessed via the Digital Marketplace. If your service is not on the relevant framework, the buyer you are courting frequently cannot purchase from you at all, however much they want to.
This essay sets out how the path actually works and where AI suppliers specifically stumble. The procurement mechanics are public and stable; what changes for AI is the layer of transparency and accountability obligations sitting on top, most visibly the Algorithmic Transparency Recording Standard. Suppliers who treat that standard as a deliverable to be produced with the buyer, rather than a form to be avoided, are markedly more successful, because they are solving the problem the public body is actually accountable for.
How G-Cloud actually works
G-Cloud is a framework agreement, refreshed roughly annually, with the current iteration being G-Cloud 14. Suppliers apply to be listed during an open application window, describing their services and pricing against defined lots, principally Cloud Hosting, Cloud Software and Cloud Support. AI services almost always sit under Cloud Software or Cloud Support. Being on the framework is not winning work; it is becoming eligible to be bought. Miss the application window and you wait for the next iteration, which is why timing your listing matters more than most suppliers expect.
Buyers then search the Digital Marketplace, shortlist against published criteria, and award a call-off contract. The rules require that they evaluate fairly against their stated requirements and that they can justify the award, which means a clear, specific service description on your G-Cloud listing does more for your pipeline than any amount of relationship-building. Vague listings that promise AI-powered everything are filtered out early, because the buyer cannot map them to a requirement and cannot defend selecting them.
One structural point suppliers miss: G-Cloud is designed for off-the-shelf services with standard terms, with call-off contracts typically capped at 24 months for most lots. Genuinely bespoke development sits awkwardly here and may belong under a different route, such as the Digital Outcomes provisions or an open procurement. Choosing the wrong route delays the award by months and is one of the more common avoidable mistakes.
The Algorithmic Transparency Recording Standard
The Algorithmic Transparency Recording Standard, developed by the Central Digital and Data Office and the Responsible Technology Adoption Unit, is the mechanism by which UK public bodies publish information about the algorithmic tools they use in decision-making. As of early 2024 its use is expected across central government departments, and an ATRS record covers what the tool does, why it is used, the data it relies on, the human oversight in place and the risk mitigations applied. For AI suppliers this is not a compliance footnote, it is a description of what the buyer will have to publish about your system.
The practical consequence is that a public body cannot adopt an AI tool it cannot explain. A model you describe as proprietary and decline to characterise is a model the buyer cannot complete a transparency record for, and so cannot deploy in a covered decision process. The suppliers who win provide the substance of the record as part of the offer: a clear account of the tool's purpose, its data, its limitations and its oversight design. You are not filling in a form, you are giving the public body the evidence it is accountable for publishing.
This connects to wider obligations. The Equality Act 2010 public sector equality duty requires bodies to consider discriminatory effects, which for an AI tool means evidence on differential performance across protected groups. Data protection law requires a Data Protection Impact Assessment for high-risk processing, which most consequential public-sector AI will trigger. A supplier who arrives with performance evidence across groups and a DPIA-ready data description has removed the buyer's two largest blockers before they are raised.
What UK public bodies require in practice
Beyond the frameworks and the transparency standard, public buyers apply a consistent set of expectations that private clients often do not. They expect data residency and processing to be specified, frequently requiring UK or at minimum European processing. They expect alignment with the National Cyber Security Centre's cloud security principles, and for some work they expect specific assurance levels and personnel clearances. They expect accessibility to WCAG 2.2 AA for any user-facing component, as a legal requirement under the public sector accessibility regulations, not a nice-to-have. None of these is negotiable late in a procurement, so they must be addressed in the offer.
The suppliers who do well in UK public-sector AI treat the constraints as the specification rather than as friction. They list precisely on the right framework lot, they bring the transparency record substance and the equality evidence to the table unprompted, and they can speak credibly to data residency and the NCSC principles on the first call. This is slower and more demanding than enterprise sales, and it produces longer, more durable contracts with a buyer who, once satisfied, does not casually switch. The barrier to entry is the moat.