AboutBlogBusiness First AIFounder FreedomBook a conversation

The professional indemnity line AI cannot cross

A professional reviewing a printed document at a desk with a pen, laptop open nearby
TL;DR

In law and accountancy, the regulator and the insurer draw the same line: a qualified professional must own and sign off every client-facing output. Blind reliance on AI output can void professional indemnity cover. The governance question is not which tools to use, but where in each workflow a named, qualified human is accountable for what the client receives.

Key takeaways

- The SRA and ICAEW both place full responsibility for AI outputs on the qualified professional, regardless of which tool produced the first draft. - A professional indemnity insurer can argue that no professional service was rendered if a practitioner accepted AI output without validation, which can void or limit cover. - Higher-risk workflows including contract review, legal advice memos, and accountancy opinions need a named reviewer and a completed sign-off record before any client-facing output leaves the building. - The minimum audit trail for each AI-assisted client output is four items: tool used, reviewer named, checklist completed, and corrections logged. - Feeding confidential client data into public AI tools without safeguards is a separate liability that professional indemnity cover may not extend to.

The brief landed in the new year. Roll out the AI drafting tool across the practice by the end of Q1, track adoption, report back. It seemed straightforward enough until someone on the team asked a question nobody had anticipated. What happens if one of these outputs gets to a client without a qualified person reviewing it first?

That question has a specific answer. Both the SRA and the firm’s professional indemnity insurer have given it.

What is the professional indemnity line AI cannot cross?

In law and accountancy, the qualified professional retains full responsibility for every output leaving the firm, regardless of who or what produced the first draft. An insurer can argue that no professional service was rendered if a practitioner relied on AI output without reviewing it. The line is drawn at accountability. A named, qualified person must own every piece of advice before it reaches a client.

The SRA’s 2026 compliance guidance is explicit on this. Solicitors must maintain overall responsibility for all technology outputs and keep client best interests at the centre of every technology decision. The guidance also requires that the Compliance Officer for Legal Practice (COLP) holds regulatory accountability when new technology is introduced. The SRA permits AI use. The condition it places around that permission is that the solicitor’s accountability does not transfer to the tool.

ICAEW’s 2026 guidance takes the same position for accountants. Even when an agentic AI system handles analysis and drafting, the accountant remains responsible for the output. The question the firm must answer before any tool goes live is not whether the AI can do the work, but who in the firm is signing off that it is accurate and that the professional judgement behind it is theirs.

Why does this matter if you’re rolling out AI across the firm?

A single unsupervised output carries three overlapping stakes. A regulator referral, a professional indemnity dispute, and reputational damage in a sector built on client trust. The duty of care runs alongside the AI mandate, not beneath it. Getting governance right from the start is more urgent than the brief made it sound.

The Utah Bar’s analysis of professional liability in the generative AI era makes the exposure mechanism clear. Professional liability policies typically do not exclude AI-related claims outright, but coverage depends on whether the lawyer exercised reasonable care and due diligence. A practitioner who accepted AI output without checking it gave the insurer a credible argument that no professional service was performed. That is not cover reduced. That is a claim that may not be paid.

The risk does not rest with the tool vendor. US federal courts have sanctioned attorneys for submitting AI-generated case citations that did not exist. In those cases, liability sat with the lawyers and their firms. The AI provider was not in the frame. Professional liability guidance from state bar associations and the SRA’s 2026 guidance reach the same conclusion. Where AI-generated content reaches a client and turns out to be wrong, the exposure rests with the professional. A delegate rolling out AI firm-wide needs governance in place before the first output goes anywhere.

Where in your workflows does the line actually sit?

The line sits differently depending on what the AI is doing. Extraction and summarising carry lower risk, because the professional can check accuracy against the source document before anything goes anywhere. Drafting, analysis, and any output forming the basis of advice to a client carry higher risk. These need a named reviewer before they leave the building.

A useful test is whether the output could reach a client without anyone reading it first. If that can happen by accident, the process is wrong. If the workflow requires a sign-off step to prevent it, the process is defensible.

Conflict-of-interest screening, routine document classification, and internal research summaries sit at the lower end. A qualified professional should still spot-check, but a missed error is recoverable before it has client impact. Contract review output, legal advice memos, accountancy opinions, and any client-facing draft sit at the higher end. These need a named reviewer, a completed check, and a record that the review happened.

The Clio 2025 Legal Trends Report found that smaller law firms are adopting generic AI tools at a higher rate than sector-specific platforms, often because of cost and ease of access. Generic tools do not prompt for sign-off. The compliance gap that creates sits precisely at this difference, and it is the gap a delegate rolling out AI firm-wide is responsible for closing.

What does a review protocol look like in practice?

A review protocol that satisfies both the SRA and a professional indemnity insurer needs four things logged against every AI-assisted output with client impact. The tool used, the name of the qualified reviewer, the checklist completed before sign-off, and any corrections made between the AI draft and the version sent. The audit trail is what the regulator and the insurer are both looking for.

The CPA.com 2025 AI in Accounting framework describes this as a human-in-the-loop model where every AI-driven decision is logged, timestamped, and attributed to a named reviewer. The value extends beyond compliance. When a client challenges advice or an insurer reviews a claim, the firm can reconstruct what the AI produced, who reviewed it, and what changed before it went.

A practical starting point is a single-page checklist attached to every client-facing AI output as a required step in the matter management workflow. The questions are narrow. Did a qualified person read the output and check it against the source material? Were corrections logged before it went? Those records are what the regulator and the insurer both look for when a complaint arrives. The AICPA’s guidelines for responsible AI use in professional services reach the same conclusion. The professional must validate findings and attest to the quality of work. The AI produces the draft; the professional owns the output.

The SRA is also explicit on a separate but connected point. Solicitors must not feed confidential client information into public cloud-based AI tools without safeguards in place. A confidentiality breach arising from a deliberate upload of client data to an unsecured platform may fall outside professional liability cover entirely, which makes the tool choice part of the governance question, not separate from it.

What else connects to the PI question?

Three related governance areas come up regularly when professional services firms formalise their AI use. Data confidentiality, senior accountability assignment, and the distinction between regulated and unregulated tasks all connect directly to the professional indemnity question. Getting the sign-off protocol right is the most urgent step, but these three areas determine whether the protocol holds under pressure.

Data confidentiality and public AI tools

The SRA is clear that client confidential information must not go into public AI tools without proper safeguards confirmed. A firm that has its sign-off protocol in place but is still allowing fee earners to paste client matter details into an unprotected model has a different problem, and one that PI cover may not address. The ACCA’s AI governance framework flags this as a distinct risk layer. Data handling controls and model vendor agreements sit upstream of the sign-off question and need to be in place first.

COLP and senior accountability

The SRA places regulatory accountability for technology use with the COLP, not with whoever chose the tool or drafted the rollout plan. If the delegate is building the governance framework, the COLP needs to be part of the design conversation from the start. A framework handed to the COLP for sign-off at the end is not the same as one built with them. The distinction matters when a complaint arrives.

Regulated versus unregulated tasks

Not every AI task in a professional services firm sits inside the regulated service. Marketing copy, internal reports, administrative drafts, and general research sit outside the chain that creates professional liability. Knowing which tasks need the sign-off requirement and which do not keeps the protocol proportionate and keeps adoption moving. Applying the full checklist to a staff newsletter is waste. Missing it on a client advice memo is exposure. The difference between the two is the governance framework the delegate builds.

Sources

- SRA (2026). Compliance tips for solicitors: AI and technology use. Mandates solicitor responsibility for all AI outputs, COLP accountability, and client confidentiality requirements when using AI tools. https://www.sra.org.uk/solicitors/resources/innovate/compliance-tips-for-solicitors/ - Utah Bar (2024). Insurance coverage issues for lawyers using generative AI. Covers professional liability exposure when AI output is accepted without validation, and the "no professional service rendered" argument available to insurers. https://www.utahbar.org/insurance-coverage-issues-for-lawyers-in-the-era-of-generative-ai/ - ICAEW (2026). Generative AI guide: regulatory compliance risks with AI agents. States that accountants remain responsible for AI outputs even when delegated to agentic systems; requires testing, bias audit, and monitoring before deployment. https://www.icaew.com/technical/technology/artificial-intelligence/generative-ai-guide - AICPA-CIMA (2024). Guidelines for responsible use of AI in forensic and valuation services. Non-authoritative but signals expected practice: accountants must not delegate final professional judgement to AI. https://www.aicpa-cima.com/resources/download/guidelines-for-responsible-use-of-artificial-intelligence-ai-in-forensic-and - ACCA Global (2024). AI assessments: enhancing confidence. Governance, conformity, and performance assessment frameworks for AI systems in professional services. https://www.accaglobal.com/content/dam/ACCA_Global/professional-insights/ai-assessments/AI-assessments-enhancing-confidence-2.8.pdf - Clio (2025). Legal Trends Report 2025. Found 79% of legal professionals use AI, but smaller firms favour generic tools over sector-specific platforms, creating a compliance gap at the sign-off layer. https://www.2civility.org/2025-clio-legal-trends-report/ - CPA.com (2025). AI in Accounting Report. Describes the human-in-the-loop governance model for agentic AI in accountancy, audit trail requirements, and privacy-by-design standards for client data. https://www.cpa.com/sites/cpa/files/2025-06/2025_AI_in_Accounting_Report.pdf - American Bar Association (2025). 2024 Legal Technology Survey Report. Found AI adoption in 10-49 attorney firms rose 36% year-on-year, amplifying the governance gap between tool adoption and sign-off protocol. https://www.msba.org/site/site/content/News-and-Publications/News/General-News/ABAs_2024_Legal_Technology_Survey_Report_Trends_in_Online_Research.aspx

Frequently asked questions

Does using AI tools for client work void our professional indemnity cover?

Not automatically. Professional liability policies typically do not exclude AI-related claims outright, but cover depends on whether a qualified professional exercised reasonable care. If a practitioner accepted AI output without validation and that output reached a client, an insurer can argue that no professional service was rendered. A logged review protocol, with a named reviewer and completed checklist for every AI-assisted client output, is the most direct protection against that argument.

What is the minimum the SRA expects when AI is used in client work?

The SRA's 2026 guidance requires solicitors to maintain overall responsibility for all technology outputs and to have a governance framework covering leadership oversight, risk assessment, policies, training, and monitoring. For individual outputs, that means a named qualified reviewer, a completed check before the document goes to the client, and a record that the review happened. The COLP carries regulatory accountability for how new technology is introduced, so any governance framework needs to be built with them, not handed to them at the end.

Can fee earners use public AI tools like ChatGPT for client work?

Only with specific safeguards confirmed. The SRA is clear that client confidential information must not be fed into public cloud-based AI tools unless those safeguards are in place, meaning a data processing agreement with the vendor, confirmation that client data is not used to retrain the model, and appropriate data handling controls. Using a public model without those protections is a confidentiality risk as well as a PI risk, and professional indemnity cover may not extend to a deliberate upload of client data to an unsecured platform.

Written by Dr Dave Heath, AI consultant and business strategist.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.

Ready to talk it through?

Book a free 30 minute conversation. No pitch, no pressure, just a useful chat about where AI fits in your business.

Book a conversation

Related reading

Two people at a desk reading a short printed document together, one pointing at the page

Write an AI acceptable-use policy your team will actually follow

A sixty-page enterprise template sits unread. Here is how to write an AI acceptable-use policy that is short, default-allow, and genuinely followed.

Two colleagues at a meeting table reviewing a printed contract, one pointing to a section on the page

Who owns the AI in your agency, and what do you tell the client?

Two questions decide whether agency AI is an asset or a liability, and neither is technical.

Business owner in conversation at a boardroom table with colleagues, natural light from windows

What your board actually wants when it asks about AI

When your board raises AI, the question underneath is almost always about risk, accountability, and competitive standing. Here is how to read what they are actually asking.

If any of this sounds familiar, let's talk.

The next step is a conversation. No pitch, no pressure. Just an honest discussion about where you are and whether I can help.

Book a conversation
AboutBlogBusiness First AIFounder FreedomContactBook a conversation
Privacy PolicyTermsCookie Policy

© 2026 Larocca Consulting Ltd