Client-confidential AI tool approval checklist
A checklist for approving AI tools that may touch client data, confidential documents or sensitive professional services workflows.
You need a practical approval route before teams connect AI tools to sensitive information.
Short answer
Approval should cover purpose, data type, supplier terms, security, access controls, human review, retention, auditability and exit planning.
Define the use case
Do not approve a tool in the abstract. Approve a specific use case. A tool might be acceptable for internal drafting but unsuitable for client-identifiable document analysis. The approval record should state the intended workflow and the data involved.
Check the supplier and data position
Review where data is processed, whether it is used for model training, how long it is retained, what security controls exist, who can access it, and whether contractual terms match your client and regulatory obligations.
Set operating controls
Approval should include who can use the tool, what they can use it for, what must be reviewed by a person, how errors are reported and when the approval should be revisited.
Practical checklist
- Purpose documented
- Data classified
- Supplier terms reviewed
- Access controlled
- Human review defined
- Exit plan agreed
How to use this inside the firm
Use this guide as a working note rather than a finished policy. Share it with the person who owns the workflow, the person who understands the risk, and at least one person who does the work every week. Ask them where the guidance matches reality and where the current process is messier than the page suggests.
The next useful step is usually a short workshop. Pick one workflow, write down the trigger, the inputs, the systems involved, the decisions made, the exceptions and the evidence that needs to be kept. That gives you a much clearer view of whether AI should help, where a person must stay in control, and what would need to be true before anything goes live.
Warning signs to watch for
Be careful if the proposed answer depends on staff copying client data into unapproved tools, if nobody owns the output, if the supplier cannot explain data handling, or if the workflow has no clear review point. Those are not reasons to abandon AI completely, but they are reasons to slow down and design the controls before teams rely on the system.
Also be careful with projects that promise broad productivity gains but cannot name the workflow, the users or the measure of success. Pattrn Data usually looks for practical evidence: time saved, fewer handoffs, faster response, fewer missed steps, better management visibility or stronger governance evidence.
Sector notes
Accountancy firms should pay particular attention to document collection, client communications, deadline management and review quality. Legal teams should be stricter around confidentiality, privilege and the difference between drafting support and legal judgement. Financial advice and insurance firms should connect any AI use to evidence, oversight and client outcome responsibilities.
Smaller firms do not need enterprise-heavy governance, but they do need clear rules. Larger firms may need more formal approval routes, audit logs and supplier review. The principle is the same in both cases: match the control to the risk of the workflow, not to the excitement around the tool.
Related Pattrn Data support
If this is an active issue inside your firm, the next step is usually to turn the guidance into a scoped workflow, risk review or implementation plan.
Frequently asked questions
Can we approve a tool once for everything?
That is risky. Approval should be tied to use cases because the same tool can be low-risk in one context and high-risk in another.
Who should approve tools?
At minimum, the business owner, compliance or risk owner, and whoever manages systems or data access should be involved.
What if a supplier will not answer data questions?
Treat that as a risk signal and avoid sensitive use until the position is clear.