Why this matters now
Staff in most professional firms are already using AI tools, whether or not the firm has decided they should. Accountants, solicitors and financial services teams are pasting text into ChatGPT, turning on Copilot and trying whatever their software vendors have added. The technology is genuinely useful. The difficulty is that it has arrived faster than most firms’ policies, and professional firms carry obligations around client confidentiality, regulatory duties and competence that make uncontrolled AI use a real risk.
AI governance is simply the firm deciding, on purpose, how AI may be used, rather than leaving it to individual habit.
The risks specific to professional firms
The first concern is confidentiality. Pasting client information into a public, consumer AI tool may place it outside the firm’s control and, depending on the tool, outside any agreement you would normally expect when handling client data. For a firm that holds confidential or regulated information, that is a serious exposure.
The second is accuracy. AI tools produce fluent answers that are sometimes wrong. Where output informs advice, accounts or legal work, an unchecked answer is a professional risk, not just a technical one.
The third is regulatory and reputational risk. Your regulator (for example the SRA, ICAEW or FCA) expects confidentiality, competence and proper supervision regardless of the tools involved. “The AI got it wrong” is not a defence a client or regulator will accept.
A practical starting point
You do not need a long policy document. For most firms the useful steps are:
- decide which AI tools are approved, and which must not be used with client or firm data;
- give staff a short, plain statement of what they can and cannot put into AI tools;
- be clear that AI output must be checked by a competent person before it informs advice or client work;
- prefer tools that keep data within your existing Microsoft 365 or other trusted environment over public consumer tools;
- make sure someone owns the topic, reviews it as the tools change and answers questions as they come up.
The aim is to let the firm get the benefit of these tools without quietly creating a confidentiality or quality problem.
How this connects to the rest of your security
AI governance is part of information governance, not separate from it. The same controls that protect client data generally, such as access management, sensitivity labelling and Microsoft 365 configuration, are what make tools like Copilot safe to adopt. Firms working towards Cyber Essentials or IASME Cyber Assurance already have much of the foundation in place.
How Be Secure Cyber can help
We can help your firm put a proportionate AI position in place (an approved-tools list, a short usage policy and sensible guardrails), as a one-off piece of work or as part of ongoing vCISO support. If Microsoft 365 Copilot is in the picture, see Is Microsoft 365 Copilot safe for business use?
Speak to us about AI governance.