When should professional services firms disclose AI use to clients?

2 July 2026
Answered by Rohit Parmar-Mistry

Short answer

Professional services firms should tell clients about AI use when it affects advice, judgement, confidentiality, privilege, regulated deliverables or agreed scope. Keep disclosure proportionate, but make sure the file records what was used, who reviewed it and why the final judgement stayed with the firm.

Detailed answer

When AI use needs to be part of the client conversation

Clients do not need a technical log of every AI-assisted step. They do need clear disclosure when AI use is material to the service they are buying, the data they have entrusted to the firm, or the professional judgement they expect a qualified adviser to make.

For legal, audit, advisory, valuation and other professional-services work, the safest test is simple: if a reasonable client, regulator, insurer or partner would expect to know that AI influenced the work, record it and disclose it in plain language.

The practical answer is materiality, confidentiality and reliance

A professional services firm should tell the client when AI is used on client-confidential material, when it contributes to analysis or drafting that the client may rely on, when it changes the agreed scope of work, or when the engagement terms, regulator or client policy require disclosure.

Disclosure does not mean handing responsibility to the tool. The message should say what AI assisted with, what it did not decide, what data safeguards applied, and which human professional reviewed the output before it reached the client.

A useful disclosure threshold

Use a threshold based on the work, not the brand name of the tool. Disclosure is normally needed where one or more of these conditions apply:

  • Client data is entered into a third-party or embedded AI system. This raises confidentiality, privilege, data protection and retention questions.
  • AI contributes to professional analysis. Examples include legal research, audit evidence review, valuation assumptions, regulatory interpretation or advice drafting.
  • The client may rely on the output. If the AI-assisted work shapes a recommendation, filing, report, opinion or client decision, the firm should not hide the assistance.
  • The engagement terms say so. Some clients ban public AI tools, require prior consent, or specify approved systems.
  • The regulator, insurer or professional body would expect evidence. The firm should be able to reconstruct who used AI, on what material, under which approval and with what review.

What the client actually needs to hear

Good disclosure is short, specific and calm. It should avoid both alarm and sales language. A practical wording pattern is:

"We used an approved AI-assisted tool to support [specific task]. We did not use it to make the final professional judgement. No client-confidential material was entered into an unapproved public tool. The output was reviewed by [role/name] before being included in the advice."

If client-confidential data was used inside an approved system, add the basis for that use: contract terms, retention settings, access controls and any limits on training or onward use. If a public tool was used by mistake, treat it as an incident, not a copywriting problem.

Governance records matter as much as the wording

The disclosure question is part of a wider governance system. A partner should be able to show the approved use case, the tool, the data category, the reviewer, the quality check and the final decision. Without that record, the firm may struggle to answer later questions from a client, regulator, insurer or court.

This is why AI policy alone is not enough. Firms need a live register of approved tools and use cases, a review standard for client-facing work, and a route for staff to ask before using AI on unusual matters.

Examples by work type

  • Low-risk admin: using AI to tidy an internal meeting note may not need client disclosure if no client data leaves approved systems and the note is not client advice.
  • Client-facing draft: using AI to produce a first draft of advice, a report section or a client email usually needs at least a record and often a proportionate disclosure.
  • Regulated judgement: using AI to support legal analysis, audit conclusions, claims assessment, valuation or compliance advice should be disclosed where it is material to the work or required by the engagement.
  • Confidential or privileged material: if privileged, personal, commercially sensitive or regulated data is involved, do not rely on informal disclosure after the event. Get the governance position right first.

Conclusion

Tell the client when AI use is material, data-sensitive, reliance-relevant or required by the engagement. Keep the explanation practical: what was used, for what task, under what controls and with which human review. The goal is not to make AI the story. The goal is to preserve trust in the professional judgement behind the work.

FAQs

Does every AI-assisted task need client disclosure?

No. Internal admin may not need disclosure if it does not use client-confidential data and does not affect client advice. Material, client-facing or data-sensitive use should be recorded and disclosed where appropriate.

Can a firm say AI was used without naming the tool?

Often, yes. The client usually needs to know the nature of the assistance and the safeguards. Tool names matter when the engagement terms, data processing position or client policy depends on the specific system.

Who should decide whether disclosure is needed?

The accountable professional owner for the matter should decide, supported by the firm's AI policy, approved-use register and risk route. It should not be left to individual staff preference.

What if AI was used without permission?

Treat it as a governance incident. Preserve the facts, assess data exposure and client impact, involve the matter owner, and decide whether client, insurer or regulator notification is required.
