AI governance checklist for professional services

A practical AI governance checklist for professional services firms handling client data, confidential information and regulated workflows.

You need AI governance that people can use in live work, not a policy PDF that sits away from the workflows it is meant to control.

Short answer

Good AI governance names the workflow, classifies the data, checks the supplier, defines human review, records evidence, assigns ownership and gives staff a clear route for questions or exceptions.

Start with where AI is already being used

Most firms already have some level of shadow AI. Staff may be using public tools for summaries, drafting, research, meeting notes or admin. The first governance step is to understand current behaviour without turning the exercise into a witch hunt. Ask which tools are being used, what data goes in, what outputs are relied on and where managers already feel uneasy.

Set the FCA, SRA or professional-body context

Regulated firms should connect AI use to existing duties around client outcomes, confidentiality, competence, records and oversight. The checklist does not replace FCA, SRA, ICAEW, ACCA or internal compliance guidance. It gives the firm an operating layer: which workflows need approval, what evidence is kept, who reviews outputs and what happens when a tool produces a poor answer.

Define acceptable and prohibited use

Teams need plain examples of what is allowed, what needs approval and what is prohibited. The guidance should mention client-identifiable data, confidential documents, legal privilege, regulated advice, personal data, contracts, credentials and commercially sensitive information. Staff should not have to guess whether a use case is safe.

Check suppliers before data is connected

Supplier review should cover where data is processed, whether prompts or files are used for model training, retention periods, access controls, audit logs, security terms, sub-processors and exit options. For sensitive workflows, do not rely on a sales page or a verbal assurance. Keep a short approval record that a partner, director or compliance owner can understand later.

Make human review explicit

Human-in-the-loop is only useful if the person knows what they are reviewing. Define which outputs must be checked, what examples are used for testing, what errors should be escalated and when the AI output must not be used. Review should be stricter where advice, client communications, legal judgement, financial recommendations or compliance evidence are involved.

Create evidence as the workflow runs

Governance becomes much easier when the workflow records purpose, owner, data type, tool, reviewer, decision and exceptions. Accountancy teams may need evidence for review quality and deadlines. Legal teams may need confidentiality and privilege controls. Financial advice and insurance firms may need clear oversight and client outcome evidence. Build the record into the process rather than asking staff to recreate it later.

Practical checklist

  • Current AI use mapped
  • Workflow owner named
  • Data classified
  • Allowed uses written
  • Prohibited uses written
  • Supplier terms checked
  • Human review defined
  • Evidence route agreed
  • Exception process published
  • Review date set

How to use this inside the firm

Use this guide as a working note rather than a finished policy. Share it with the person who owns the workflow, the person who understands the risk, and at least one person who does the work every week. Ask them where the guidance matches reality and where the current process is messier than the page suggests.

The next useful step is usually a short workshop. Pick one workflow, write down the trigger, the inputs, the systems involved, the decisions made, the exceptions and the evidence that needs to be kept. That gives you a much clearer view of whether AI should help, where a person must stay in control, and what would need to be true before anything goes live.

Warning signs to watch for

Be careful if the proposed answer depends on staff copying client data into unapproved tools, if nobody owns the output, if the supplier cannot explain data handling, or if the workflow has no clear review point. Those are not reasons to abandon AI completely, but they are reasons to slow down and design the controls before teams rely on the system.

Also be careful with projects that promise broad productivity gains but cannot name the workflow, the users or the measure of success. Pattrn Data usually looks for practical evidence: time saved, fewer handoffs, faster response, fewer missed steps, better management visibility or stronger governance evidence.

Sector notes

Accountancy firms should pay particular attention to document collection, client communications, deadline management and review quality. Legal teams should be stricter around confidentiality, privilege and the difference between drafting support and legal judgement. Financial advice and insurance firms should connect any AI use to evidence, oversight and client outcome responsibilities.

Smaller firms do not need enterprise-heavy governance, but they do need clear rules. Larger firms may need more formal approval routes, audit logs and supplier review. The principle is the same in both cases: match the control to the risk of the workflow, not to the excitement around the tool.

Related Pattrn Data support

If this is an active issue inside your firm, the next step is usually to turn the guidance into a scoped workflow, risk review or implementation plan.

Frequently asked questions

Do professional services firms need an AI policy?

Yes, but the policy should be practical and connected to real workflows. A short policy with clear approval routes is usually more useful than a long document nobody follows.

Who should own AI governance?

Usually a named senior owner, supported by operations, compliance, IT or data owners, and the teams using the workflows. Each approved workflow should also have its own business owner.

How often should AI governance be reviewed?

Review it whenever tools, data access, suppliers or material workflows change, and at least quarterly while adoption is still developing.

What should be recorded for an approved AI workflow?

Record the purpose, owner, data type, supplier, access controls, review point, test examples, known limits, exception route and review date.

Want to apply this to your firm?

Start with the workflow, the data and the risk. Pattrn Data can help you decide what is worth automating and what needs stronger controls first.