A UK recruitment agency added a chatbot to handle candidate questions in late 2023. Basic stuff: application steps, pay scales, working arrangements. A candidate relied on what the chatbot said about a salary band, took the role on that basis, and raised a claim when the actual offer came in significantly lower. The AI vendor’s terms ran to 34 pages and said outputs were not guaranteed accurate. The firm’s professional indemnity policy had a carve-out for AI-assisted communications. The settlement came out of the owner’s pocket.
That scenario is composite, but every element comes from patterns documented in UK legal commentary and published case law. The AI gave wrong information. The firm paid.
What counts as bad AI advice?
Bad AI advice is any output that is wrong, incomplete, or misleading on something a person actually relies on. The problem for service business owners is that it rarely reads like nonsense. AI tools produce confident, professional-sounding text even when the underlying facts are wrong. Vodafone’s SME research puts AI hallucination rates between 3% and 27% depending on the system, a wide band for any client-facing deployment.
In practice, the patterns cluster around a few types. Wrong factual information: an AI tool drafts a client email stating incorrect HMRC filing deadlines, and the email goes out unchecked. Misleading explanations: AI-generated proposal text oversimplifies a regulatory requirement in a way that sounds right but skips a legal step. Biased outputs: a hiring tool scores candidates in ways that disadvantage women or minority groups because of what the training data reflected. Advice that encourages non-compliance: an AI-drafted privacy policy that skips mandatory UK GDPR disclosures. The common thread is that the content looks authoritative enough to be passed on without a second check.
Why does the legal risk land on you, not the vendor?
UK law does not recognise AI tools as legal persons. There is no mechanism to claim against a chatbot. When AI advice causes harm under your brand, any legal or regulatory action is directed at your business. Many AI vendor contracts disclaim accuracy, and the ICO confirms that the business deploying AI is the data controller, accountable for outputs even when using a third-party provider.
The Air Canada case is the clearest illustration in published case law. In 2023, a Canadian tribunal found the airline responsible for misleading information its chatbot gave a passenger about bereavement fares. Air Canada argued the chatbot was a separate entity. The tribunal rejected the argument and ordered compensation. Press coverage ran internationally for months after the original mistake.
UK legal commentary consistently confirms the same position. The business owner is responsible for what a chatbot says on their website, regardless of who built the model underneath it. If the firm is FCA-regulated, the duty runs further. The FCA’s Consumer Duty requires firms to ensure AI outputs are fair, clear, and not misleading, and to avoid foreseeable customer harm. Choosing a third-party AI tool does not delegate that duty away.
Where does it actually show up in service firms?
The three spots where bad AI advice causes real problems in service businesses are: customer-facing chatbots answering queries about products, prices, or processes; AI-drafted proposals and client documents where a staff member reviewed the format rather than the substance; and AI-assisted decisions about candidates or customers, such as hiring tools or credit-scoring that reflect biases from the training data.
The chatbot risk is well-documented. Vodafone’s research found that 50% of consumers feel frustrated by chatbot interactions, and nearly 40% describe their experiences as negative overall. Consumer frustration is manageable. The deeper problem is when a customer acts on wrong chatbot information: a wrong cancellation policy, a deadline that no longer applies, a safety procedure that was out of date. That is the moment the claim arrives.
The proposal risk is less visible. AI-drafted documents move through approval workflows quickly because they look right. The issue arises when the content is wrong in ways that require sector-specific knowledge to catch. A small consultancy drafting a proposal for a client in a regulated sector, with AI filling the compliance sections and no one with regulatory expertise reviewing it, is an exposure waiting to happen.
Hiring is where the legal teeth are sharpest. AI tools used in recruitment can embed historic biases and produce discriminatory outcomes that breach the Equality Act 2010, even when the employer had no discriminatory intent. The ICO and the Equality and Human Rights Commission have jointly warned about exactly this pattern.
When does the risk actually bite, and when can you relax?
The risk is highest when three things coincide: the AI output informs a decision about real money or real people, the customer reasonably believes the output represents your professional opinion, and the output is materially wrong or discriminatory. When all three are present, you are in the territory of contract claims, potential ICO or FCA scrutiny, and reputational damage that can outlast the original error by some distance.
Lower-risk territory is when AI stays internal and low-stakes. Drafting meeting summaries, brainstorming marketing ideas, cleaning up internal documents: all of these carry limited client exposure, provided nothing reaches a customer without a substantive human review. A clear disclaimer on a customer-facing tool also reduces the reasonable-reliance argument, though it does not eliminate it.
One risk that is easy to overlook is internal drift. The NCSC has flagged that staff over-reliance on AI outputs can lead people to treat confident-sounding suggestions as verified fact. A UK consultancy study found that AI tools performing well 18 months ago may be delivering poorer results today without anyone noticing, if performance is not monitored. Wrong advice gets logged, sent, and relied on before anyone catches it.
What do you put in place to stay on the right side of this?
You do not need a legal team or an AI governance committee to manage this sensibly. Three things reduce your exposure quickly: a one-page internal policy that names what AI can and cannot draft for clients, a sign-off rule requiring a named person to review AI output before it touches a customer, and a conversation with your insurer about whether professional indemnity and cyber cover extends to AI-related errors.
Red-list the uses where AI should not generate client-facing content without expert review: legal advice, contract clauses, regulatory interpretations, financial or tax advice, and anything that could affect a hiring decision. These need a competent person to own the content, not just approve the layout.
Amber-list where AI can draft but a named team member must review before sending: client emails, proposals, reports, marketing copy. The review should check facts, tone, and whether the promises made are ones you can actually keep.
On data protection, keep personal data out of public AI tools where you can. If your workflow requires it, put a data-processing agreement in place with the provider and verify that data is not used for model training. The ICO is clear that where AI output has a significant effect on an individual, that person must be able to contest the decision and receive an explanation. Getting this wrong is not a minor procedural issue.
On insurance, the conversation with your broker matters. Hiscox UK’s guidance flags that professional indemnity and cyber policies may exclude losses caused by unvetted use of third-party AI tools. That gap is worth closing before something goes wrong, not after.
Firms get into trouble with AI advice across the complexity spectrum. The Air Canada chatbot was handling routine queries. The problem was a working assumption that it probably knew what it was talking about. Checking that assumption takes an afternoon. Replacing a damaged client relationship takes considerably longer.
