AI governance checklist for professional services

A practical AI governance checklist for professional services firms handling client data, confidential information and regulated workflows.

Short answer

Good AI governance names the workflow, classifies the data, checks the supplier, defines human review, records evidence, assigns ownership and gives staff a clear route for questions or exceptions.

1. Start with where AI is already being used

Most firms already have some level of shadow AI. Staff may be using public tools for summaries, drafting, research, meeting notes or admin. The first governance step is to understand current behaviour without turning the exercise into a witch hunt. Ask which tools are being used, what data goes in, what outputs are relied on and where managers already feel uneasy.

2. Set the FCA, SRA or professional-body context

Regulated firms should connect AI use to existing duties around client outcomes, confidentiality, competence, records and oversight. The checklist does not replace FCA, SRA, ICAEW, ACCA or internal compliance guidance. It gives the firm an operating layer: which workflows need approval, what evidence is kept, who reviews outputs and what happens when a tool produces a poor answer.

3. Define acceptable and prohibited use

Teams need plain examples of what is allowed, what needs approval and what is prohibited. The guidance should mention client-identifiable data, confidential documents, legal privilege, regulated advice, personal data, contracts, credentials and commercially sensitive information. Staff should not have to guess whether a use case is safe.

4. Check suppliers before data is connected

Supplier review should cover where data is processed, whether prompts or files are used for model training, retention, access controls, audit logs, security terms, sub-processors and exit options. For sensitive workflows, do not rely on a sales page or a verbal assurance. Keep a short approval record that a partner, director or compliance owner can understand later.

5. Make human review explicit

Human-in-the-loop is only useful if the person knows what they are reviewing. Define which outputs must be checked, what examples are used for testing, what errors should be escalated and when the AI output must not be used. Review should be stricter where advice, client communications, legal judgement, financial recommendations or compliance evidence are involved.

6. Create evidence as the workflow runs

Governance becomes much easier when the workflow records purpose, owner, data type, tool, reviewer, decision and exceptions. Accountancy teams may need evidence for review quality and deadlines. Legal teams may need confidentiality and privilege controls. Financial advice and insurance firms may need clear oversight and client outcome evidence. Build the record into the process rather than asking staff to recreate it later.

Practical checklist

Turn the guide into internal actions. Each item below should have a named owner and a date.

Current AI use mapped
Workflow owner named
Data classified
Allowed uses written
Prohibited uses written
Supplier terms checked
Human review defined
Evidence route agreed
Exception process published
Review date set

How to use this inside the firm

Use this guide as a working note rather than a finished policy. Share it with the person who owns the process, the person who understands the risk, and at least one person who does the work every week.

The next useful step is usually a short workshop: pick one specific issue, write down the trigger, the inputs, the systems involved, the decisions made, the exceptions and the evidence that needs to be kept.

Warning signs to watch for

Be careful if the proposed answer depends on staff copying client data into unapproved tools, if nobody owns the output, if the supplier cannot explain data handling, or if the process has no clear review point.

Also be careful with projects that promise broad productivity gains but cannot name the process, the users or the measure of success.

Related Pattrn Data support

If this is an active issue inside your firm, the next step is usually to turn the guidance into a scoped process review, risk review or implementation plan.

Questions

What people usually ask next

Do professional services firms need an AI policy?

Yes, but the policy should be practical and connected to real workflows. A short policy with clear approval routes is usually more useful than a long document nobody follows.

Who should own AI governance?

Usually a named senior owner, supported by operations, compliance, IT or data owners, and the teams using the workflows. Each approved workflow should also have its own business owner.

How often should AI governance be reviewed?

Review it whenever tools, data access, suppliers or material workflows change, and at least quarterly while adoption is still developing.

What should be recorded for an approved AI workflow?

Record the purpose, owner, data type, supplier, access controls, review point, test examples, known limits, exception route and review date.

Want to apply this to your firm?

Start with the issue, the data and the risk. Pattrn Data can help you decide what is worth automating and what needs stronger controls first.