
What Your AI Policy With Clients Should Look Like

How to write an AI policy for client work and disclose your AI use in a way that builds trust rather than triggering concern.

Phos Team

What should your AI policy with clients look like, and how do you disclose it?

The question is not coming from all clients yet. But it is coming from the careful ones: the general counsel reviewing the engagement letter, the CFO who reads the small print, the founder who used AI yesterday and is now wondering who else is using it on their account.

The firms that handle this question well have thought about it before it arrived. The ones that have not invent an answer on the spot and hope it holds.

Most professional services firms are using AI on client work and have no formal policy about it. This is not a sustainable position. Clients are starting to ask. Contracts are starting to include AI-related clauses.

A firm that has thought through its AI policy is in a position of confidence. One that has not is in a position of improvisation.


Map the practice before writing the policy

The AI policy must match the practice. A policy that says “AI is used only for initial research” when AI is also used for drafting deliverables is a liability, not a protection.

The first step is an honest inventory.

The practice mapping exercise (one hour):

For each service line or engagement type, answer five questions:

Question | Purpose
What AI tools are used? (specific tools and tiers) | Ensures the policy covers all active tools, not just the obvious ones
What tasks does AI assist with? | The substance of the disclosure
What tasks does AI never touch? | Builds credibility; firms with explicit limits are more trustworthy than firms with none
Who reviews AI outputs before they reach the client? (specific role and review standard) | The accountability mechanism that makes the policy credible
How is client data handled by AI tools? | The data governance answer, the one clients and contracts care about most

The answers to these five questions are the substance of the AI policy. The policy document is the formatted version of these answers.


The three-part AI policy structure

Part 1: What we use AI for

This section describes the specific AI applications in the firm’s work. Specific enough to be credible; general enough to cover normal variation in practice.

Example language:

“We use AI tools to assist with the following types of work in client engagements:

Research and synthesis: gathering and organizing relevant information, industry context, and reference material that informs our analysis.

First-draft production: producing initial drafts of reports, memos, proposals, and deliverables that are then reviewed, revised, and approved by a senior team member before delivery.

Documentation and summarisation: producing structured summaries of meetings, conversations, and source materials.

Quality review: using AI to check our work for consistency, completeness, and common errors before it is delivered.

All AI-assisted work is reviewed by a qualified professional before delivery to clients. AI does not determine our conclusions, recommendations, or strategic judgments; those remain exclusively with our team.”

Part 2: What we do not use AI for

This section builds credibility by naming specific limits. A firm that can articulate what AI does not touch is a firm that has thought carefully about the boundary.

Example language:

“We do not use AI for the following:

Final professional judgment: all conclusions, recommendations, and strategic decisions are made by our team, not generated by AI.

Client-specific confidential information in consumer AI tools: client data that is confidential or sensitive is processed only in tools with appropriate data processing agreements, or not processed through AI at all.

Replacing the qualified review step: no AI-assisted output reaches a client without review and approval by a senior team member who is professionally accountable for its content.”

Part 3: How we protect client data in AI workflows

This is the section clients with legal and compliance oversight care about most. It must be specific and accurate.

Example language:

“We protect client data in our AI workflows as follows:

Tool selection: we use [specific tools] for AI-assisted work. These tools operate under data processing agreements that prohibit training on client data and maintain data confidentiality standards consistent with our professional obligations.

Data minimization: we input the minimum client information necessary to complete the AI-assisted task. We do not input personally identifiable client information, confidential commercial terms, or proprietary client data into consumer-tier AI tools without explicit client consent.

Confidential information: information identified as confidential in our engagement agreement is handled in accordance with our confidentiality obligations, which take precedence over any efficiency benefit from AI processing.”


The three disclosure scenarios and how to handle each

Scenario 1: Proactive disclosure at engagement start

The best time to disclose is at the beginning of the engagement: in the proposal, the engagement letter, or the kickoff meeting. This prevents the discovery scenario and positions AI use as a quality feature, not a hidden practice.

Where to include it:

  • In the proposal under “our approach” or “how we work”
  • In the engagement letter as a standard clause
  • In the kickoff meeting agenda as a standing item

What to say:

“I want to be upfront about how we work. We use AI tools to compress the research, documentation, and first-draft work in our process, which means our team’s time goes to the analysis and judgment that actually moves the needle for you. Every deliverable is reviewed and approved by a senior team member before it reaches you. Our AI policy, which covers what we use AI for, what we do not, and how we protect your data, is available on request. Is there anything specific about our AI use you would like to understand before we start?”

This framing does three things: it names the practice, names the benefit to the client, and invites dialogue rather than closing it down.

Scenario 2: Disclosure when asked during the engagement

When a client asks “are you using AI on my work?” during an engagement, the answer should be specific, direct, and confident, not defensive.

What to say:

“Yes, we do. Specifically, we use AI to [specific uses from Part 1 of the policy], which is how we move fast without missing things. Everything that comes to you has been reviewed and approved by [specific role] before it leaves our team. If you would like to understand specifically how we handle your data in that process, I am happy to walk you through it. Is there a specific concern I can address?”

The question behind the question is almost always one of three:

  • “Is my data safe?”
  • “Did I pay for AI to do this work?”
  • “Is the quality actually good if AI was involved?”

The response above addresses all three implicitly. If the client asks one explicitly, answer it explicitly.

Scenario 3: Discovery without prior disclosure

This is the scenario to avoid. A client discovers AI was used on their work without being told, through a visible AI artifact, a metadata issue, or a third party’s mention.

Immediate response:

“You’re right to ask, and I should have been more upfront about this at the start. We do use AI in our process, specifically for [specific uses], and every output you receive is reviewed by a senior team member before it gets to you. I should have walked you through this when we started the engagement. I am sorry for the lack of transparency. Can we take 15 minutes to go through our process and how we protect your data so you have the full picture?”

What this response does: it acknowledges the failure of disclosure, not the use of AI. The AI use is not the problem. The lack of proactive disclosure is.

Do not conflate them by apologising for using AI. That undermines the firm’s confidence in its own practice.


The contract consideration: what AI clauses actually say

AI-related clauses are appearing with increasing frequency in client engagement letters, master service agreements, and vendor contracts. Three common types:

Clause type 1: AI prohibition

“The supplier shall not use AI tools to produce deliverables under this agreement without prior written consent.”

What to do: this clause requires either a negotiated exception defining approved AI use, explicit consent before the engagement begins, or declining the engagement. Do not sign this clause and continue AI use without addressing it; the discovery scenario is significantly more damaging when there is a contractual prohibition.

Clause type 2: AI disclosure requirement

“The supplier shall disclose any use of AI tools in producing deliverables, including the specific tools used and the data protection measures in place.”

What to do: the firm’s AI policy, formatted as a disclosure document, satisfies this clause. Provide it at engagement start and update if tools or practices change.

Clause type 3: Data processing restriction

“No client data shall be processed by third-party AI tools without prior written consent and a data processing agreement in place.”

What to do: review the firm’s AI tool data processing terms. Major tools (Claude Teams, ChatGPT Enterprise) have data processing agreements available. Confirm the terms match what the clause requires, provide the DPA to the client, and document the consent.

The practical implication: before signing any engagement agreement that includes AI-related clauses, review the clause against the actual practice, confirm the practice complies or amend the clause, and document the agreement. This takes 30 minutes. The alternative takes considerably longer.


Common questions on AI client disclosure

“Is there a legal requirement to disclose AI use to clients?”

In most jurisdictions and most business contexts, no general legal requirement exists to disclose AI use in business communications, proposals, or client deliverables. Specific regulated contexts (financial advice, legal opinions, medical guidance) have their own requirements that govern content regardless of how it was produced. Check with legal counsel for any specific regulated context.

“What if a client refuses to allow AI use in their engagement?”

Accept the constraint or decline the engagement. If the firm’s standard practice includes AI and the client’s prohibition makes the engagement uneconomical at the expected fee level, that is a scope and pricing conversation, not a reason to agree and proceed secretly.

“How do I handle a client who is anxious about AI generally?”

Focus the conversation on the data governance and quality review mechanisms, not on the AI capability. A client who is anxious about AI is almost always anxious about one of three things: their data, the quality of the output, or the feeling of being underserved. Address those specifically. The technology is not the concern.

“Does the policy need to be in the engagement letter or can it be a separate document?”

Either works. A reference in the engagement letter (“our AI usage policy, attached as Appendix B”) is the cleanest approach for ongoing client relationships. For a new client or a high-value engagement, a brief verbal walk-through at the kickoff and the policy on file is sufficient.

“What data governance terms should I verify before using a specific AI tool on client work?”

At minimum, verify:

  • Does the tool offer a data processing agreement (DPA) or business associate agreement (BAA)?
  • Does the DPA confirm data is not used to train the model?
  • What is the data retention policy and can it be adjusted?
  • Is the tool’s compliance certification (SOC 2, ISO 27001) current?

For any tool used on sensitive client work: verify these before first use, not after a client asks.

“Should the AI policy differ by client type?”

The core policy should be consistent; it reflects the firm’s practice, which does not change by client. The disclosure approach may vary: a brief verbal mention at kickoff for a long-standing client versus a written appendix in the engagement letter for a new client with a legal or compliance function that is likely to scrutinise it.


Want help building an AI practice that is designed to be disclosed, not hidden?

The AI policy is not a document to avoid writing. It is a statement of professional standards: what the firm commits to in how it uses AI, how it protects client data, and who is accountable for what reaches the client.

The firms that write it clearly, disclose it confidently, and update it as the practice evolves turn a potential trust risk into a differentiating quality signal.

Path one: map the practice this week. Run the five-question inventory above for each of your service lines. The policy writes itself from the answers. Four to six hours produces a policy document that is ready to include in your next engagement letter.

Path two: bring in a partner. If you want the AI practice built with the quality standards explicit from the first engagement review, the kind of embedded work where the AI policy is never a surprise because the practice was designed to be disclosed from day one, that is the work Phos AI Labs does. In 400+ AI implementations, the companies that get this right all did the same thing first. The fastest way to know if it is the right fit is a conversation. Thirty minutes, no deck. Start here.