Should professional firms disclose AI use to clients?

26 June 2026
Answered by Rohit Parmar-Mistry

Short answer

Professional firms should disclose AI use to clients before it affects advice, confidential data or material work product. Reactive disclosure is weaker because it leaves consent, accountability and audit evidence until after the risk has already appeared.

Detailed answer

Why AI disclosure needs a clear client policy

Professional firms should treat AI disclosure as part of client care, risk management and good governance. The question is not whether every spellcheck, search or formatting tool needs a dramatic notice. The question is whether AI is touching confidential client information, shaping advice, generating client-facing work or influencing a material decision.

For law firms, consultancies, accountants, insurers and other regulated or reputation-sensitive teams, silence creates avoidable risk. Clients do not need a technical essay. They need to know where AI is used, what safeguards apply and when a human professional remains accountable.

The safest default is proactive disclosure for material AI use

The safest operating model is proactive disclosure when AI has a material role in client work. That includes tools used to summarise documents, analyse sensitive data, draft client-facing outputs, support regulated advice or automate decisions that affect the client. Proactive disclosure gives the client a chance to ask questions before reliance, data exposure or expectation-setting becomes a problem.

Reactive disclosure, where the firm only explains AI use if asked, may work for low-risk internal productivity tools. It is fragile for client work because the firm is relying on the client to know what to ask. No disclosure at all should be reserved for genuinely incidental tools that do not process confidential data, do not shape advice and do not affect the final output.

A practical three-tier disclosure model

Most firms need a simple tiering model rather than a blanket notice on every document.

  • Tier 1: no client disclosure normally needed. Internal productivity uses such as grammar checks, meeting administration or formatting, provided no confidential client data is submitted to an external model and the tool does not shape advice.
  • Tier 2: policy-level disclosure. Approved AI tools support research, summarisation or internal drafting, with human review before anything reaches the client. This can sit in engagement terms, privacy notices or a client AI policy.
  • Tier 3: matter-specific disclosure and consent. AI processes sensitive client data, automates analysis, supports regulated advice, creates a substantive client deliverable or uses a third-party vendor with material data-retention questions.

This model keeps disclosure useful. Clients get meaningful information when the risk changes, while teams avoid turning every routine workflow into a compliance theatre exercise.

What clients should be told

A good disclosure answers five practical questions:

  • What type of AI tool is being used?
  • What work is the tool supporting?
  • Will client confidential data or personal data be processed?
  • What human review, QA and accountability sit around the output?
  • Can the client opt out, request more detail or require a different handling route?

The wording should be plain English. For example: "We may use approved AI tools to support document review and drafting. We do not rely on AI output without professional review, and we apply confidentiality, access control and data-retention checks before use on client material."

Governance controls that make disclosure credible

Disclosure only works if the firm can evidence its controls. A client notice that says AI is used responsibly is weak if the firm cannot show which tools are approved, what data is blocked, who reviewed the output and how exceptions are handled.

The minimum governance set should include an approved tool list, prohibited-use rules, vendor data-processing checks, matter-level risk flags, review standards and an audit trail for higher-risk use. Firms should also define who can approve exceptions and when client consent is required.

How to implement this without slowing every matter

Start with a short AI use register. Record the tool, purpose, data type, owner, vendor terms, retention position and disclosure tier. Then connect that register to matter opening, project scoping or client onboarding. The aim is to make the right disclosure route obvious before work starts.

For client-facing teams, use approved snippets rather than letting every professional improvise. For risk teams, review exceptions and sample outputs. For leadership, report the number of high-risk AI uses, opt-outs, incidents, vendor exceptions and unresolved policy gaps.

Conclusion

Professional firms should not wait for clients to guess where AI is being used. Proactive disclosure for material AI use is the stronger default because it protects trust, consent and accountability. The practical answer is a tiered policy: low-risk incidental tools stay lightweight, material client work gets clear disclosure, and sensitive or regulated use gets specific consent and evidence.

FAQs

Does every use of AI need client disclosure?

No. Incidental internal tools may not need client-level disclosure if they do not process confidential data, shape advice or affect a deliverable. Material AI use should be disclosed proactively.

Is a general AI policy enough?

It is enough for some lower-risk use, but not for sensitive data, regulated advice or substantive client deliverables. Those cases usually need matter-specific disclosure or consent.

Should clients be allowed to opt out?

For material AI use, yes. The firm should define what opt-out means in practice, including alternative workflows, timing and cost implications where relevant.

Who is accountable for AI-assisted work?

The firm remains accountable for the final work product. Human review, QA standards and audit records should make that accountability visible.
