How to Write an AI Policy for a Professional Services Firm (2026)

For Law Firms

ABA Formal Opinion 512 (2024) is the governing standard. It requires lawyers to understand AI tools well enough to use them competently, protect client confidentiality when using AI, and supervise non-lawyer use of AI in the same way lawyers supervise other non-lawyer work. A law firm that lets associates use any AI tool they want, with no oversight, is likely out of compliance with Opinion 512 today.

For Accounting Firms

The AICPA's 2025 guidance on AI use by CPAs makes clear that client data confidentiality obligations extend to AI tools. A CPA who inputs a client's unreported income, SSN, or financial statements into a non-enterprise AI tool without a data processing agreement is taking on personal liability exposure. The AICPA's guidance assumes the kind of documented oversight that only a policy can create.

For All Firms

The FTC's March 2026 guidance on AI and deceptive practices explicitly flags professional services contexts. If your firm uses AI to generate client analysis, recommendations, or reports and doesn't disclose that — or doesn't apply a meaningful human review — the FTC considers that a potential deceptive practice.

The Shadow AI Problem

The biggest risk isn't the AI tools you've approved. It's the ones you haven't — the ones your staff downloaded last Tuesday because they heard about them at a conference. A written policy with a clear approved/prohibited list closes that gap. Without it, you have no grounds to say anything to a staff member who's been pasting client financials into a free consumer AI tool for six months.

1. Approved Tool List with Account Tier Requirements

Name the specific tools your firm allows and specify which account tier is required for client-related work. The difference matters: a personal ChatGPT account offers no data protection; a ChatGPT Enterprise or Teams account includes data processing agreements and excludes your data from training.

The minimum bar for any AI tool used with client data: a Business Associate Agreement (BAA) for healthcare contexts, a Data Processing Addendum (DPA) for EU-adjacent work, and an enterprise-tier subscription that explicitly excludes your inputs from model training.

2. Prohibited Data Types

Be explicit. Staff need a clear list, not a vague “use good judgment.”

Categorically prohibited in any AI tool (consumer or enterprise):

• •Social security numbers and EINs
• •Privileged attorney-client communications (pre-privilege attachment)
• •Unpublished financial statements or unreported income figures
• •Non-anonymized client identifying information in free-tier tools
• •Information covered by an active NDA without the counterparty's written consent

3. Human Review Requirements Before Client Delivery

No AI output goes to a client without a qualified human reviewing it. This is non-negotiable in professional services contexts where you have a duty of care. Specify who must review (partner/principal level?), what the review must cover (accuracy of facts, completeness, appropriateness for this client situation), and whether the output must be documented as reviewed before delivery.

4. Client Disclosure Position

Does your firm disclose AI use to clients proactively, reactively (only when asked), or not at all? For law firms, ABA Opinion 512 and some state bar rules require disclosure of AI use in certain contexts. For all firms, the FTC March 2026 guidance makes non-disclosure of AI-generated work a potential deception issue. Your policy needs to take a clear position.

5. Compliance Owner Designation

Name a person who owns AI compliance at your firm. This doesn't have to be a new role — it's typically the managing partner, COO, or senior operations person. Their job is to approve new tools before adoption, review the policy annually, and be the point of contact if a client or regulator asks about your AI practices.

Client NDA Intersections

If your consulting firm operates under a non-disclosure agreement with a client — which most do — that NDA almost certainly covers confidential strategic information, unreleased financial data, and proprietary methodologies. Using AI to process that information without verifying your AI tool's data handling doesn't violate the NDA is a breach risk.

FCRA Compliance for Staffing Firms Using AI in Hiring

The Fair Credit Reporting Act (FCRA) applies to staffing firms using AI tools that compile, summarize, or score information about candidates. If your AI tool summarizes a candidate's background based on LinkedIn, professional records, or third-party data, and you use that summary to make a hiring or placement decision, you may have triggered FCRA's consumer reporting disclosure requirements. Illinois HB 3773 (live as of January 1, 2026) independently requires disclosure to candidates and employees when AI influences employment decisions.

Q: Does a small firm really need a written AI policy?

A: Yes — and especially a small firm. Large firms have compliance departments and general counsel to catch problems. A 10-person accounting or law firm doesn't. If a staff member inputs client tax data into a free AI tool, there's no enterprise data agreement protecting that data. A written policy — even one page — creates the guardrails that prevent that from happening. ABA Opinion 512 and AICPA AI guidance both assume competent supervision of AI tools, which requires documented standards.

Q: How often should an AI policy be updated?

A: At minimum, every six months. The AI tool landscape is changing fast enough that a policy written in January 2025 may not cover tools your staff adopted by July 2025. Build in a scheduled review — tie it to a date you already own, like a year-end planning session or mid-year team meeting. When a major new regulation lands (like Colorado's CPAIA June 2026 deadline), review immediately.

Q: What happens if staff use unapproved AI tools?

A: Absent a policy, probably nothing formal — but the data exposure risk is real and the liability follows the firm, not the employee. With a policy in place, you have clear grounds for a corrective conversation, and you can demonstrate good-faith compliance efforts if a client or regulator ever asks. The policy converts an ambiguous data security incident into a documented process violation you can actually manage.

Q: Does our AI policy need to address Colorado's AI Act?

A: If any of your clients, candidates, or customers are in Colorado, yes. Colorado's Consumer Protections for Artificial Intelligence Act (CPAIA) takes effect June 30, 2026 and requires firms deploying high-risk AI systems to document human oversight, maintain records, and provide disclosures. A firm AI policy that identifies your tools and designates a compliance owner is the foundation of CPAIA compliance. See our full guide to the June 30, 2026 AI compliance deadline.

Q: Can we use one policy for all firm types?

A: The core framework can be shared — approved tools, prohibited data types, human review requirements, and compliance ownership are universal. The firm-specific sections need to be tailored. A law firm's policy must address ABA 512 (competence, confidentiality, supervision) and include engagement letter language. An accounting firm's must address AICPA guidance and IRS e-file security. A staffing firm's must address FCRA. The template in this guide includes all four firm-type overlays so you can pull only what applies.