Client-confidential AI tool approval checklist

A checklist for approving AI tools that may touch client data, confidential documents or sensitive professional services workflows.

Short answer

Approval should cover purpose, data type, supplier terms, security, access controls, human review, retention, auditability and exit planning.

1. Define the use case

Do not approve a tool in the abstract. Approve a specific use case. A tool might be acceptable for internal drafting but unsuitable for client-identifiable document analysis. The approval record should state the intended workflow and the data involved.

2. Check the supplier and data position

Review where data is processed, whether it is used for model training, how long it is retained, what security controls exist, who can access it, and whether contractual terms match your client and regulatory obligations.

3. Set operating controls

Approval should include who can use the tool, what they can use it for, what must be reviewed by a person, how errors are reported and when the approval should be revisited.

Practical checklist

Turn the guide into an internal action.

Purpose documented
Data classified
Supplier terms reviewed
Access controlled
Human review defined
Exit plan agreed

How to use this inside the firm

Use this guide as a working note rather than a finished policy. Share it with the person who owns the process, the person who understands the risk, and at least one person who does the work every week.

The next useful step is usually a short workshop: pick one specific issue, write down the trigger, the inputs, the systems involved, the decisions made, the exceptions and the evidence that needs to be kept.

Warning signs to watch for

Be careful if the proposed answer depends on staff copying client data into unapproved tools, if nobody owns the output, if the supplier cannot explain data handling, or if the process has no clear review point.

Also be careful with projects that promise broad productivity gains but cannot name the process, the users or the measure of success.

Questions

What people usually ask next

Can we approve a tool once for everything?

That is risky. Approval should be tied to use cases because the same tool can be low-risk in one context and high-risk in another.

Who should approve tools?

At minimum, the business owner, compliance or risk owner, and whoever manages systems or data access should be involved.

What if a supplier will not answer data questions?

Treat that as a risk signal and avoid sensitive use until the position is clear.
