A consultancy sends a client report with several AI-assisted sections. The account manager reads through it, improves a few sentences, and sends it across. Three weeks later the client queries a statistic. The year attributed to the dataset is wrong. The AI had drawn on two editions of the same source and combined them: the figures were plausible, the dates were not. The correction took ten minutes. Recovering the client’s confidence took considerably longer.
This kind of incident is not rare. A 2023 Microsoft and YouGov survey found that 48 per cent of businesses in the UK were already using AI tools in their operations. Only 32 per cent had formal policies governing how those outputs were reviewed before use. The gap between adoption and oversight is where the exposure sits.
What does checking AI output actually involve?
A quality check on AI output is a three-stage discipline: verify the facts against original sources, review the tone against how your firm actually communicates, and screen for legal, data protection, and reputational risk before the content leaves your building. Reading through once and approving on instinct covers none of those three reliably. Each stage requires a deliberate pass.
The ICO has confirmed under UK GDPR that organisations deploying generative AI remain responsible for the accuracy of their outputs, particularly where those outputs affect individuals or inform decisions. The NCSC takes a parallel position: AI outputs should be treated as untrusted by default and reviewed by competent staff before operational or client-facing use. These are not aspirational standards. They are the baseline every UK firm using these tools is already expected to meet.
Why do the stakes go up for regulated and client-facing work?
The consequences of skipping output checks cluster into three categories: accuracy failures that damage credibility, tone failures that create misunderstandings or legal risk, and data or confidentiality failures that create regulatory exposure. In an owner-managed business of 5 to 50 people, one significant incident in any of those categories can outweigh months of productivity gains from using the tools at all.
The accuracy risk is the most documented. In 2023, two US lawyers were sanctioned in the Mata v. Avianca case after submitting court filings containing AI-fabricated case citations. They had not checked the cited cases against primary legal databases before filing. The court found they had made consciously false statements of fact. That is an extreme version of a pattern that appears at lower stakes in owner-managed businesses regularly: AI produces confident-sounding output, no one verifies the underlying claims, and the error travels outward.
For UK firms in regulated sectors, the FCA has been clear that accountability for client communications cannot be transferred to an AI vendor. Senior management remains responsible for ensuring communications are fair, clear, and not misleading, including tone and overall impression. A BCG field experiment published in 2023 found that professionals using AI completed tasks 25 per cent faster and produced 40 per cent higher-quality outputs when tasks matched model strengths. Outside those domains, performance deteriorated, which is why task-appropriate oversight matters.
Where in your workflows does checking matter most?
A proportionate checking approach maps review intensity to the stakes of the output. Client proposals, legal and compliance-related copy, pricing documents, and HR communications all sit in the higher-risk tier and need a full three-stage check. Internal brainstorming notes, first drafts of blog content, and internal meeting summaries carry lower risk but still need a human to approve before any onward use.
The NCSC adds a specific caution about technical outputs. AI-generated code or configuration advice can be plausible-sounding but operationally insecure. For any owner-managed business using AI to assist with systems, integrations, or data handling, technical outputs need review by someone with the domain knowledge to spot the problem, not just acceptance because the explanation seemed coherent.
A separate data protection risk arises when staff use third-party AI tools for tasks that involve client or staff personal data. The ICO has confirmed that entering personal data into a third-party AI tool constitutes a transfer of that data to the provider, requiring a lawful basis and an appropriate contract. For firms that handle client personal information as a routine part of their work, the data handling implications of which tools staff use, and for which tasks, deserve explicit attention in the firm’s AI use policy.
What does a practical three-pass check look like?
The accuracy pass checks every factual claim against an original source: a regulator’s guidance, the applicable legislation, or your client’s actual data. The tone pass compares the output to approved examples from your firm. The risk pass screens for personal data, confidentiality exposures, and unverified statements about third parties. Each pass takes a few minutes once your team has the reference materials ready.
For the accuracy pass, the NCSC specifically advises against using a second AI tool to verify the first. Similar models tend to reproduce each other’s errors because they share training patterns and often share training data. Go to the original source rather than asking a different AI to confirm what the first one said.
For the tone pass, three to five tone archetypes stored in a shared document give your team something concrete to check against: a formal client advisory, a marketing communication, an internal staff update. AI tools frequently default to a confident register that can come across as over-certain or slightly impersonal. A brief comparison with an approved example from your firm catches the most common misalignments before they reach a client.
The risk pass runs a short screen before any external content goes out. Does the output name individuals? Has it included client-identifiable or confidential details? Does it make statements about competitors or third parties that have not been verified? UK defamation law applies equally to AI-generated content, and the firm that publishes the output carries the liability.
What needs to be in place for checks to become a habit?
The UK Government’s AI Playbook recommends naming one person in your firm accountable for the AI review process, responsible for maintaining the approach, approving new use cases, and keeping the checklist current. In a firm of 5 to 50 people, that is typically the founder, an operations lead, or whoever manages compliance. The title matters less than the accountability being explicit.
Alongside the named lead, a simple AI use register supports the process. A spreadsheet or Notion table listing which tools are in use, for which tasks, what types of data they involve, and who is responsible for reviewing the output takes a few hours to build. It provides the audit trail that makes oversight real rather than assumed, and it lets you scale quickly if use cases expand. The NCSC also recommends configuring AI tools to limit data retention where the platform allows it, disabling training-on-content settings as a baseline precaution.
The last element is a feedback loop. Log errors and near-misses when they occur. If AI outputs consistently produce a particular pattern of failure, jurisdiction errors in regulatory copy, predictions offered as established facts, or tone that reads as dismissive, work that learning back into your prompt instructions and review checklist. A checking system that improves from what it catches is more reliable than one that treats every review as a fresh start.
If you’d like to think through what a proportionate AI review process looks like for your specific operation, book a conversation.
