Board pack · Professional services
The AI questions for your next board meeting.
Six questions for the boards of professional services firms, with the regulators and duties they answer to. Table it, ask each question, and note which answers your organisation could evidence today.
The six questions.
- Which client matters and data types are AI tools permitted to touch, and how do we guarantee privileged or confidential material never leaves systems we control or trains a third-party model?
- How do we evidence that a competent professional has reviewed and takes responsibility for every AI-assisted output before it reaches a client or court, and how is that supervision recorded?
- Does our conduct meet our regulator's expectations on disclosing AI use to clients, across the RICS standard and the SRA, ICAEW and ICO guidance?
- Have we confirmed with our PII insurer that AI-assisted work is disclosed and covered, and that our cover stays adequate and appropriate given our AI risk profile?
- What is our process for catching hallucinated authorities, false figures and biased outputs before they cause client harm, and who owns that control?
- Do we have a DPIA, a lawful basis and senior sign-off in place for any AI system processing personal or special-category client data under the UK GDPR?
What your board answers to.
Solicitors Regulation Authority (SRA) Standards and Regulations
The Codes of Conduct impose competence, confidentiality and supervision duties on AI-assisted legal work, and the SRA's Risk Outlook confirms solicitors stay personally accountable for AI outputs.
ICAEW Code of Ethics
Binds chartered accountants to competence, due care, confidentiality and objectivity, and requires a member to judge whether an AI tool and its data are sufficient before relying on the output.
RICS Responsible Use of AI professional standard
Requires human oversight, professional scepticism, disclosure of AI use to clients in writing, and documented AI governance including risk registers.
Information Commissioner's Office (ICO) and UK GDPR
Governs AI processing of personal and special-category client data, requiring a lawful basis, DPIAs, explainability and senior sign-off, with the firm as controller accountable for compliance.
SRA Indemnity Insurance Rules and Minimum Terms and Conditions
Require qualifying professional indemnity cover on minimum terms, so the board must ensure AI-driven errors and disclosed AI use fall within adequate and appropriate cover.
Want to know how your board would answer before the meeting? The Board AI Scorecard scores the five areas these questions test, in about two minutes.