The UK's Information Commissioner's Office establishes itself as a de facto AI regulator by leveraging existing data protection laws to govern AI systems. This pragmatic, risk-based approach signals how regulators can address AI challenges without new legislation, particularly through enforcement actions on facial recognition technology and children's data protection. The strategy emphasizes collaborative regulation across sectors while maintaining the UK's pro-innovation stance, making it essential reading for organizations navigating AI compliance in jurisdictions adopting principles-based regulatory frameworks.