AI governance for professional services firms is the partner-level system that decides where AI may assist client work, who remains accountable, what evidence is kept, and how regulators, clients and insurers can verify that professional judgement has not been outsourced.
The useful question is not whether a solicitor, surveyor, auditor, adviser or consultant may use AI. The useful question is whether the firm can prove the AI was used inside the discipline of the profession. That means scope, supervision, confidentiality, disclosure, output assurance, incident handling and an audit trail that survives partner movement, file review and client challenge.
Key takeaways
- Partners should govern AI as a professional judgement risk, not as a generic IT tool or a productivity experiment.
- Sector rules differ: the SRA, RICS, ICAEW, FRC and ICO each frame the problem through their own duties, so one regulator's wording should not be treated as a universal rule.
- The common control is evidence: a named owner, approved use case, client or data boundary, output review, disclosure position and retained decision record.
- A defensible approach maps professional duties to ISO/IEC 42001, NIST AI RMF, UK data protection, cyber security guidance and the firm's own regulator.
- The board or partnership should decide risk appetite before procurement, because tool selection without evidence standards creates shadow AI by policy exception.
AI governance for professional services firms: the partner decision
A professional-services firm sells judgement. AI can help draft, search, summarise, test and compare evidence, but it cannot become the party that owes the duty. That is why the governing decision belongs with the board, partnership board, managing partner, risk committee or equivalent senior body, not only with IT.
The partner-level frame should answer six questions before a tool is approved:
- Which client work may AI touch, and which work is out of scope?
- Which client, matter, audit, valuation or advisory data may be entered into the system?
- Who is the named professional owner for output quality and client communication?
- What record will prove that a human reviewed the work and made the judgement?
- When does the client need to be told that AI was used?
- What happens when the tool fails, produces an unsafe answer or is used without authorisation?
Those questions extend the existing professional-services disclosure pattern set out in our article on AI disclosure for regulated professions. Disclosure is only one part of the system. The larger control is the ability to reconstruct who used AI, on what material, for which task, under which approval, with which review and with what final decision.
The UK's AI-regulation model reinforces that point. The government response to the pro-innovation AI regulation white paper set five cross-sector principles for existing regulators to interpret within their own remits: safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; and contestability and redress (GOV.UK). For a professional-services firm, that means the governing body should translate those principles into the duties of the particular profession rather than waiting for a single AI Act-style UK rulebook.
Who this applies to, and where the line sits
This playbook applies to firms where advice, assurance, valuation, audit, legal analysis, expert evidence, compliance work or professional recommendations are provided under a regulated or reputation-sensitive duty. It is relevant to law firms, surveying practices, accountancy and audit firms, actuaries, architects, advisers, consultants and multi-disciplinary partnerships.
The line is material impact on professional work. RICS makes that distinction explicit in its responsible AI standard for surveying. The standard comes into effect on 9 March 2026 and focuses on AI use that has a material impact on surveying services, with requirements around knowledge, practice management, procurement, output reliability, client communication and records (RICS). That is a surveying standard, not a rule for every profession. The transferable lesson is narrower: when AI affects professional work, the firm needs an evidence record that shows control remained with the professional.
Legal services show the same shape through a different regulator. The SRA says solicitors and firms may use appropriate technology, including AI, but use remains subject to the SRA principles and standards; it also points to senior leadership, COLP responsibility for regulatory compliance when new technology is introduced, and board oversight of purchasing and ongoing use (SRA). For law firms, governance therefore has to cover confidentiality, supervision, competence and client interests as well as model performance.
Audit brings an even sharper accountability line. ICAEW's Audit Registration Committee said on 6 May 2026 that audit firms should establish policies and procedures for AI use, communicate them to staff, provide training and emphasise individual and audit-team responsibility (ICAEW). The FRC's 30 March 2026 guidance for generative and agentic AI in audit states that accountability for deployment of AI tools and the quality of audit outputs remains unchanged, with the human auditor always accountable (FRC).
The governance line is therefore not "AI is allowed" or "AI is banned". It is: AI may assist only where the firm can preserve the professional duty, protect client information, keep a usable record, and show that a named person made the final judgement.
Controls and evidence partners should ask for
Policy language is not enough. A partner should be able to ask for evidence and receive the same answer from risk, IT, the practice group and the file record. The table below is the minimum control set for a professional-services firm moving beyond informal AI use.
| Control | Evidence to retain | Owner |
|---|---|---|
| Approved use-case register | Use case, purpose, client data classification, approved tool, permitted outputs, prohibited uses and review date | Risk partner or AI governance lead |
| Professional owner | Named partner, responsible individual, engagement lead or matter owner for each AI-assisted workflow | Practice lead |
| Client and confidentiality boundary | Data-processing assessment, contractual terms, retention setting, prompt/data logging policy and client-specific restrictions | Data protection officer or COLP equivalent |
| Output review protocol | Reviewer role, review checklist, confidence threshold where relevant, exception log and sign-off timestamp | Engagement owner |
| Disclosure position | Matter or engagement rule for when clients are told AI was used, with wording derived from actual use rather than memory | Risk and client relationship owner |
| Decision ledger | Append-only record of AI suggestion, source material, model or tool, human decision, modification and final text or finding | Product owner and records manager |
| Procurement due diligence | Vendor security review, model/data handling terms, testing result, exit plan and contractual controls | IT, procurement and risk |
| Incident and challenge route | Route for hallucination, data leakage, unauthorised use, client complaint, regulator query and corrective action | General counsel or risk committee |
The decision ledger is the control most firms miss. If AI produces a draft clause, report paragraph, audit summary or valuation rationale, the file should show what the tool produced and what the professional did with it. Our append-only AI decision ledger article explains the engineering pattern behind that record: accept, modify or reject, with a named person and timestamp.
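To make the "accept, modify or reject, with a named person and timestamp" record concrete, here is an added example of an append-only, hash-chained decision ledger. It is illustrative code written for this article, not the firm's or the linked ledger article's implementation; the field names, matter reference, use-case id, tool label and reviewer name are constructed for the example. Each entry stores SHA-256 digests of the source material, the AI suggestion and the final text rather than the client text itself, and each entry is chained to the previous one so that a later alteration of a recorded decision fails re-verification.

```python
"""Append-only, hash-chained AI decision ledger (illustrative example).

Each entry records what the tool produced, what the named professional decided
(accept / modify / reject) and what went on the file, chained by SHA-256 so that
any after-the-fact edit is detectable. All names and values are constructed.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from typing import List

ALLOWED_DECISIONS = {"accept", "modify", "reject"}
GENESIS_HASH = "0" * 64  # prev_hash of the first entry


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _canonical(fields: dict) -> str:
    # Deterministic serialisation so the same entry always hashes the same way.
    return json.dumps(fields, sort_keys=True, separators=(",", ":"))


@dataclass(frozen=True)
class LedgerEntry:
    seq: int
    timestamp: str        # ISO 8601 UTC, supplied by the caller
    matter_ref: str       # engagement or matter reference (constructed)
    use_case: str         # id from the approved use-case register (constructed)
    tool: str             # model or tool name and version as recorded
    source_hash: str      # SHA-256 of the source material given to the tool
    ai_output_hash: str   # SHA-256 of the tool's suggestion
    decision: str         # accept | modify | reject
    reviewer: str         # named professional owner who signed off
    final_text_hash: str  # SHA-256 of the text or finding placed on the file
    prev_hash: str        # entry_hash of the previous entry (chain link)
    entry_hash: str = ""  # SHA-256 over every other field


class DecisionLedger:
    def __init__(self) -> None:
        self._entries: List[LedgerEntry] = []

    def record(self, *, timestamp: str, matter_ref: str, use_case: str, tool: str,
               source_text: str, ai_output: str, decision: str, reviewer: str,
               final_text: str) -> LedgerEntry:
        """Append one human decision about one AI suggestion; history is never rewritten."""
        if decision not in ALLOWED_DECISIONS:
            raise ValueError(f"decision must be one of {sorted(ALLOWED_DECISIONS)}")
        if not reviewer.strip():
            raise ValueError("a named reviewer is required")
        # Consistency checks: an unchanged output is 'accept'; anything else is not.
        if decision == "accept" and final_text != ai_output:
            raise ValueError("'accept' recorded but the final text differs from the AI output")
        if decision != "accept" and final_text == ai_output:
            raise ValueError(f"'{decision}' recorded but the final text equals the AI output")
        prev_hash = self._entries[-1].entry_hash if self._entries else GENESIS_HASH
        body = {"seq": len(self._entries), "timestamp": timestamp, "matter_ref": matter_ref,
                "use_case": use_case, "tool": tool, "source_hash": _sha256(source_text),
                "ai_output_hash": _sha256(ai_output), "decision": decision, "reviewer": reviewer,
                "final_text_hash": _sha256(final_text), "prev_hash": prev_hash}
        entry = LedgerEntry(**body, entry_hash=_sha256(_canonical(body)))
        self._entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash and chain link; False if any entry was altered or removed."""
        prev_hash = GENESIS_HASH
        for i, entry in enumerate(self._entries):
            if entry.seq != i or entry.prev_hash != prev_hash:
                return False
            body = asdict(entry)
            body.pop("entry_hash")
            if _sha256(_canonical(body)) != entry.entry_hash:
                return False
            prev_hash = entry.entry_hash
        return True

    def entries(self) -> List[LedgerEntry]:
        return list(self._entries)

    def __len__(self) -> int:
        return len(self._entries)


def build_sample_ledger() -> DecisionLedger:
    """Three constructed decisions on one constructed matter: accept, modify, reject."""
    ledger = DecisionLedger()
    common = dict(matter_ref="MATTER-0001", use_case="UC-DRAFT-CLAUSE",
                  tool="example-llm v1", reviewer="A. Partner")
    ledger.record(timestamp="2026-01-10T09:00:00Z", source_text="client instructions v1",
                  ai_output="Clause 4.1 as drafted.", decision="accept",
                  final_text="Clause 4.1 as drafted.", **common)
    ledger.record(timestamp="2026-01-10T09:20:00Z", source_text="client instructions v1",
                  ai_output="Clause 4.2 draft.", decision="modify",
                  final_text="Clause 4.2 draft, limitation period corrected.", **common)
    ledger.record(timestamp="2026-01-10T09:45:00Z", source_text="board minutes extract",
                  ai_output="Summary that misstates the quorum.", decision="reject",
                  final_text="Summary rewritten from the minutes.", **common)
    return ledger


def tampered_copy(ledger: DecisionLedger, index: int = 1) -> DecisionLedger:
    """Copy of the ledger with one decision altered after the fact; verify() must fail."""
    forged = DecisionLedger()
    for entry in ledger.entries():
        if entry.seq == index:
            entry = replace(entry, decision="accept" if entry.decision != "accept" else "reject")
        forged._entries.append(entry)
    return forged
```

Storing digests rather than client text keeps the ledger itself outside the confidentiality boundary while still letting a file reviewer confirm that the text on the file is the text that was signed off. In a real deployment the chain would be anchored (for example by periodically signing the latest `entry_hash`) and written to storage that the application cannot rewrite; the in-memory list here only demonstrates the record shape and the verification logic.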
Data protection needs its own evidence, not a footnote. The ICO's guidance on AI and data protection is under review because the Data (Use and Access) Act became law on 19 June 2025, but the current guidance still organises AI compliance around data protection principles including accountability, governance, transparency, lawfulness, accuracy, fairness, security, data minimisation and individual rights (ICO). Where client or personal data is involved, the file should show the lawful basis, data minimisation decision, DPIA position where needed, and human review for significant decisions.
Security evidence should also be visible to the partnership, not buried in a vendor deck. The NCSC's secure AI system development guidance says AI systems should be developed, deployed and operated securely and that security should remain a core requirement throughout the lifecycle, including systems built on hosted models or external APIs (NCSC). For professional firms, that turns into threat modelling, access control, logging, supplier review, prompt and output handling, and a clear rule on what client information may leave the firm's environment.
How the main frameworks and regulators map
The control map should be readable by partners. ISO/IEC 42001 and NIST AI RMF give structure; sector regulators decide the professional consequence.
| Source | What it contributes | What partners should do |
|---|---|---|
| ISO/IEC 42001 | A management-system structure for establishing, maintaining and improving AI governance across policies, objectives, processes and controls, explained in our ISO/IEC 42001 guide | Use it to assign roles, maintain the AI system inventory, manage risk treatment and review control effectiveness |
| NIST AI RMF | A voluntary framework to manage risks to individuals, organisations and society from AI systems (NIST) | Use govern, map, measure and manage as the operating cycle for each approved use case |
| UK AI principles | Cross-sector principles for regulators to interpret within existing remits (GOV.UK) | Translate safety, transparency, fairness, accountability and redress into the firm's professional duties |
| Sector regulator | Profession-specific duties, such as SRA oversight, RICS material-impact controls, or audit quality expectations | Keep a regulator-by-regulator register rather than copying one profession's wording into another |
| UK data protection | AI governance for personal data, including accountability, transparency, fairness, security and individual rights (ICO) | Require DPIA screening, data minimisation and lawful-basis evidence before client data is used |
| Cyber security | Secure design, development, deployment and operation of AI systems (NCSC) | Treat AI procurement as a security decision, not only a licensing decision |
This mapping also keeps the sector hub honest. A professional-services firm reading our AI governance hub for professional services should be able to move from principle to control: partner accountability, client disclosure, data protection, secure use, evidence and escalation.
Common mistakes in professional-services AI
The first mistake is treating AI use as a training problem. Training matters, but it does not decide where client data may go, what evidence is retained, or who answers a regulator's question. Training without a use-case register usually becomes informed improvisation.
The second mistake is approving a tool and assuming the work is governed. A vendor's security answers do not tell the firm whether a trainee may use the tool on a live client matter, whether an auditor may rely on a summary of board minutes, or whether a surveyor's report needs a client-facing AI statement. Procurement is one control, not the control system.
The third mistake is importing one profession's rule into another. RICS disclosure expectations are relevant to surveyors; SRA supervision and COLP expectations are relevant to legal services; audit quality obligations are relevant to audit. Multi-disciplinary firms need a matrix, not a single paragraph.
The fourth mistake is leaving no evidence of the human decision. A partner saying "we reviewed it" is weak after the event. A file showing the AI output, the review checklist, the modification and the named sign-off is stronger. That is also where professional responsibility becomes visible rather than asserted.
The fifth mistake is letting shadow AI define the real policy. If staff can get useful answers faster from an unauthorised tool than from the approved process, they will. The governing body should make the approved path easy enough to use and strict enough to evidence. Our guide to a UK AI governance framework sets out the wider control architecture for that work.
Next step: test the evidence before procurement
Before buying another AI tool, ask for a live evidence sample from one real workflow: a client matter, valuation file, audit workpaper, advisory report or internal risk review. The sample should show the approved use case, data boundary, professional owner, AI output, human decision, disclosure position and retained record.
If that evidence does not exist, start with the Board AI Scorecard to identify the gaps in oversight, data protection, accountability and assurance. If the firm already has tools in use and needs a partner-level control design, the AI Governance Diagnostic is the more direct route.
The test is simple: if a client, insurer, regulator or court asked tomorrow how AI was used on a file, could the firm answer from evidence rather than recollection? If not, the governance work has not yet reached the professional standard the service requires.
Sources: SRA compliance tips for solicitors using AI and technology · RICS responsible use of AI in surveying practice · ICAEW artificial intelligence in audit work · FRC guidance on generative and agentic AI in audit · ICO guidance on AI and data protection · NCSC secure AI system development guidelines · GOV.UK pro-innovation AI regulation response · NIST AI Risk Management Framework