Which client work can AI touch, and what should stay out of scope?

Where professional services firms should draw the AI scope line

For law firms, accountants, consultants and other professional services teams, the useful question is not whether AI is allowed. It is which parts of client work AI may support, which parts need human judgement, and which parts should be blocked completely until the firm has stronger controls.

A practical scope policy protects client confidentiality without freezing every productivity gain. The aim is to make good use easy, risky use visible, and prohibited use unambiguous.

The safest answer is a tiered scope model

AI can usually touch low-risk internal work where no confidential client data is exposed, outputs are checked by a competent person, and the tool has been approved by the firm. AI should not make final professional judgments, submit regulated advice, or process sensitive client information unless the use case has been approved, tested and logged.

A simple starting point is to split work into three groups: allowed, controlled and prohibited. That gives fee earners and delivery teams a fast decision route without asking them to interpret a long policy every time.

Map safe AI use cases before rollout

Work AI can normally support

AI is best used as a support layer for work that is reversible, reviewable and low-risk. Typical examples include:

• summarising public source material or non-confidential internal notes
• drafting first-pass outlines, checklists, meeting agendas and training material
• turning approved knowledge into plain-English internal guidance
• helping staff compare document versions, provided client confidentiality rules are respected
• creating internal templates where a qualified person reviews the final output

These uses still need guardrails. Staff should know which tools are approved, what data may be entered, how outputs must be reviewed, and where records of AI-assisted work are kept.

Work that should sit in a controlled approval lane

Some work can involve AI, but only after a use-case review. This includes any activity involving client-identifiable data, matter strategy, pricing, risk assessment, compliance analysis, due diligence, financial modelling, claims handling or advice preparation.

The review should answer four questions: what data is being used, what the tool does with it, who checks the output, and what happens if the output is wrong. If those answers are unclear, the work should stay out of scope until the control design is fixed.

Set up the governance lane for approved AI use

Work that should be out of scope by default

Until the firm has stronger assurance, AI should usually be prohibited from:

• making final decisions on client advice, eligibility, liability, audit opinion or claims outcome
• submitting work directly to clients, courts, regulators or counterparties without human approval
• processing special category data, privileged material or highly sensitive commercial information in unapproved tools
• using client documents to train, fine-tune or improve third-party models without explicit contractual permission
• operating without audit trails, version control or named human accountability

The point is not to ban useful tools. It is to stop the firm from accidentally outsourcing professional judgment, confidentiality duties or regulatory accountability to software that cannot carry them.

How to turn the boundary into an operating control

A scope policy only works if it becomes part of daily workflow. The firm should maintain an approved-tool list, a use-case register, plain-language staff guidance, and a route for teams to request new AI uses. Reviews should cover data protection, professional duties, vendor terms, security, quality assurance and client disclosure where relevant.

For higher-risk uses, require a short impact assessment before launch. That assessment should capture the purpose, data types, user group, output review process, failure mode, monitoring owner and approval date.

Conclusion

Professional services firms get the best results when AI scope is specific. Let AI help with low-risk, reviewable support work. Put client data and regulated work through an approval lane. Keep final judgment, unsupervised advice and sensitive data processing out of scope until the controls are proven.

Build the workflow and controls around approved AI use