A practical workflow for checking AI-generated facts

TL;DR

AI generates text with the same fluency whether a claim is accurate or invented. A practical fact-checking workflow runs three passes: factual correctness first, then regulatory and commercial compliance, then confidentiality and data safety. This gives owner-operated services firms a repeatable way to catch errors before they reach clients or regulators.

Key takeaways

- Run AI output through a three-pass review: factual correctness first, then regulatory and commercial compliance, then confidentiality and data safety.
- Anything client-facing, regulated, or commercially binding needs a structured check every time; internal brainstorming and creative drafts usually warrant only a light review.
- Never use AI to verify its own output; the model has no access to external truth and will typically confirm what it wrote, creating a closed loop with no genuine check.
- For UK services firms, incorrect AI output in client documents carries both reputational and legal exposure, including potential ICO fines of up to £17.5 million under UK GDPR.
- A practical verification checklist starts with your most frequently used AI output: list the factual claims it typically contains, then identify the primary source you would check each one against.

The proposal went out on a Friday afternoon. AI had drafted the commercial section, including a statistic to support the pricing recommendation. The following Monday, the client’s procurement lead queried it. The figure did not appear in any source her team could locate. Neither could the consultant who had signed the proposal off. The model had invented it, written it with complete confidence, and it had passed through without a second look.

This failure mode is predictable, not unusual. AI generates text with the same fluency whether a claim is accurate, outdated, or fabricated. The prose gives no signal that anything is wrong. Without a deliberate checking process in place, those errors reach clients.

What does a practical AI fact-checking workflow actually look like?

The standard approach is a three-pass review: factual correctness first, then regulatory and commercial compliance, then confidentiality and data safety. Running the passes in that order matters because AI can be factually plausible while still breaching an internal policy or exposing information your firm should not be sharing. A quick linear read, without this structure, routinely misses the second and third failure modes.

The first pass targets factual claims: statistics, dates, named references, quoted figures, and regulatory thresholds. Each one needs a traceable source, and if the model cannot name one, treat the output as unverified draft copy rather than publishable material. The second pass asks whether the content meets your regulatory or contractual obligations, particularly in client-facing documents. The third pass checks data sensitivity: was confidential client material included in what you fed the model, and if so, was that appropriate under your current policy?

Building the three-pass habit takes a few weeks of deliberate practice. The easiest way to start is to run each pass on a low-stakes piece of internal output before applying it to client work. Once the sequence is familiar, it takes roughly the same time as an attentive read of the document. The value is in the structure, not in the additional time it requires.

Why does unchecked AI output create risk for your business?

An AI error in a client proposal or a regulated submission creates two types of exposure. The first is reputational: a fabricated statistic or an invented reference damages the credibility of whoever signed the document. The second is legal, with the ICO able to issue fines of up to £17.5 million under UK GDPR for failures around personal data handling, and the FCA expecting regulated firms to maintain adequate controls over client communications.

The risk scales badly for small firms. A 10-person consultancy sending out an AI-drafted proposal with an invented figure has the same legal exposure as a larger organisation, but far less capacity to absorb a failed client relationship or a regulatory query. The marginal cost of a structured verification step is low compared to the cost of an incident, and building the process while your AI use is still modest is materially cheaper than retrofitting it after something goes wrong.

One area worth flagging specifically for UK services firms: AI can draft legal boilerplate, regulatory disclaimers, or compliance language that looks correct and is wrong for your firm, your client, or the applicable jurisdiction. An approved clause library, reviewed by a qualified person, is the only safe approach for that category of content.

Where in your work does AI output require a structured check?

The answer tracks with consequence. Anything client-facing, regulated, or commercially binding warrants a structured check every time: proposals, invoices, contract summaries, client updates, marketing claims, and content that touches pricing or legal obligations. Internal brainstorming, rough agendas, and creative drafts carry far less risk, and requiring full fact-checking on those would slow work without meaningful benefit.

The highest-risk outputs in a services firm are those where a wrong number or a fabricated reference has a direct downstream effect. A proposal citing an inflated market size, or a client update referencing a superseded regulation, is not just inaccurate. It can affect the client’s decision or their compliance posture. Those are the documents where the structured check earns its time.

A practical way to prioritise is to list the five or six AI outputs your firm produces most regularly, then mark each as external or internal, and factual or creative. The external-and-factual outputs are where the three-pass check belongs as a standing requirement. The rest can follow a lighter review until your team builds confidence in the process.

When is a lighter review enough, and when do you need all three passes?

The criterion is stakes, not content type. A three-pass review is warranted whenever the output is external, regulated, or could mislead a client or supplier. A lighter check, confirming the substance looks right and that no confidential information was included in the input, is usually sufficient for internal drafts, planning notes, or creative work where no specific factual claim is in play.

For a firm of 5 to 50 people, the realistic middle ground is a short claim-by-claim review that prioritises high-risk items: figures, dates, named obligations, and anything client-facing. A full manual rewrite of every AI output is rarely viable when the bottleneck is review capacity rather than drafting speed. A structured fast check is the practical standard; requiring one is very different from requiring a parallel authoring process on top of what AI has already produced.

A useful filter at the start of each review: if this claim turns out to be wrong, what happens? If the answer is “a client makes a different decision” or “a regulator queries us”, the full check is warranted. If the answer is “nothing much changes”, a lighter review is usually fine. This single question, applied consistently, saves the time spent on full checks where they are not needed.

What should you never ask AI to do with its own output?

Ask AI to verify something it wrote and it will typically confirm it. The model has no access to external truth, only its training data and whatever context you provided. The same reasoning that generated the claim is also evaluating it, with no independent evidence introduced. This creates a closed loop, and a closed loop is not a verification process.

Any claim that affects pricing, legal wording, a client recommendation, or a regulatory disclosure needs verification against a primary source by a person. That source should usually be the original study, regulator page, legislation, or company report, not a secondary explainer that may itself be drawing on unverified material. The ICO’s published guidance on generative AI, the NCSC’s advice on using AI safely in your organisation, and the FCA’s position on AI governance all point in the same direction: AI use in business requires clear ownership and documented controls, not informal deployment followed by informal review.

Building a repeatable checklist takes less than an hour. Start with the AI output your firm produces most frequently, identify the claims that typically appear in it, and list the primary source you would check each one against. That is the first version of your workflow. Run it consistently and the review becomes fast. Done well, it catches the errors that matter before they reach the people who notice them.

Sources

- ICO (2024). Generative AI and data protection. ICO guidance for organisations deploying generative AI, covering transparency, accountability, and data subject rights under UK GDPR. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/generative-ai/
- ICO (2024). Penalties and fines. The ICO can issue fines of up to £17.5 million or 4% of global annual turnover under UK GDPR; the applicable benchmark for data-handling failures involving AI output. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/enforcement-and-complaints/penalties-and-fines/
- Financial Conduct Authority (2024). Artificial intelligence in UK financial services. FCA position on AI governance, systems and controls, and outsourcing obligations for regulated firms communicating with clients. https://www.fca.org.uk/firms/artificial-intelligence
- NCSC (2024). Using AI safely in your organisation. UK government operational guidance covering data sensitivity, access control, and the case for repeatable oversight workflows when deploying AI. https://www.ncsc.gov.uk/guidance/using-ai-safely-your-organisation
- European Parliament and Council (2024). EU AI Act (Regulation 2024/1689). The risk-based regulatory framework for AI adopted in 2024; relevant for UK firms with EU-facing services or workflows. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- Competition and Markets Authority (2024). AI and the CMA. CMA published analysis of AI, consumer protection, and competition; relevant where AI-generated content features in marketing or pricing claims. https://www.gov.uk/government/publications/ai-and-the-cma
- UK Research Integrity Office (2024). Research your AI research tools. UKRIO guidance on evaluating AI tool outputs, covering source verification, citation accuracy, and responsible use of AI-generated material. https://ukrio.org/ukrio-resources/research-your-ai-research-tools/
- TaleLake (2023). Trust but verify: 3 steps to properly inspect AI-generated business content. Practitioner framework covering correctness, compliance, and safety passes for structured AI content review. https://thetalake.com/blog/trust-but-verify-but-how-3-steps-to-properly-inspect-ai-generated-business-content/
- Articulate (2024). How to fact-check AI content like a pro. Verification workflow guide including primary source checks, cross-referencing methods, and claim-level review for AI-generated content. https://www.articulate.com/blog/how-to-fact-check-ai-content-like-a-pro/
- Hello Operator (2024). Best practices for AI-driven reporting workflows. Workflow design guidance covering claim-by-claim structured review for AI-generated reporting and business communications. https://www.hellooperator.ai/blog/best-practices-for-ai-driven-reporting-workflows

Frequently asked questions

How do I check if an AI fact is accurate?

Start by identifying each factual claim in the output: statistics, dates, named organisations, regulatory references, and quoted figures. For each one, locate the original source, confirm the date and context, then compare against a second independent source for anything client-facing or commercially material. The model may cite a source that does not exist, or accurately cite a real source that says something different from the claim. Never rely on the model's own confidence as evidence of accuracy.

Do I need to fact-check all AI-generated content?

No. The priority is content that is external, regulated, or commercially consequential: proposals, contract summaries, client updates, marketing claims, and anything touching pricing or legal obligations. Internal brainstorming, rough planning notes, and creative drafts are lower risk and often need only a light review. A simple rule: if the output could mislead a client, supplier, or regulator, run the structured check. If it could not, a quick read is usually enough.

Can I use AI to fact-check AI output?

You can use AI to surface likely sources or to draft a verification list, but it should not be the final authority on its own output. The model has no access to external truth and will often confirm what it wrote, making this a closed loop rather than a genuine check. Any claim that affects a client decision, a regulatory position, or a legal obligation must be verified against a primary source by a person.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.
