Only one in five professional services firms has anything resembling a mature AI governance framework. And yet 79% of legal professionals are already using AI tools in their work. Let those two numbers sit next to each other for a moment. Four out of five of your fee earners are using AI. One in five firms has governance around it.
That's not a gap. That's a liability in motion.
I'm not saying this to scare anyone into building a 40-page policy document and a standing committee that meets monthly. Quite the opposite. The firms that respond to this gap with bureaucracy will produce governance structures that satisfy an audit but don't protect anyone. The firms that respond with something practical - something that actually changes what happens on a Tuesday afternoon when a junior associate uses ChatGPT to draft a client memo - those are the firms that will adopt AI faster and more safely than everyone else.
"We'll deal with governance when it becomes an issue. Right now we're just trying to get a few tools working."
I hear this constantly. And I get it - governance feels like the brakes when you're trying to accelerate. But the tools your people are already using are the issue. Every unreviewed AI output that goes to a client, every piece of client data pasted into a tool without checking the data processing terms, every AI-assisted work product that nobody flagged as AI-assisted - that's risk accumulating right now. Not theoretical risk. Actual, today, already-happening risk.
So let's talk about what governance actually needs to look like. Not the academic version. The version that a managing partner can implement in two to four weeks with no dedicated team and no new hires.
Before we get to the framework, it's worth being specific about what you're governing for. Professional services firms face AI risks that are distinct from other sectors, and each one is real enough to warrant attention.
Regulatory risk first. If you're in financial services, the FCA and PRA already expect you to manage model risk, maintain audit trails, and demonstrate explainability for automated decision-making. The FCA's 2024 AI Update made clear that existing regulatory principles - including Consumer Duty obligations - apply to AI-influenced client outcomes. If you're in legal, the SRA's position is that its existing Code of Conduct applies to AI just as it applies to any other tool or process. The ICAEW has published similar guidance for accountancy. None of these regulators have created entirely new AI-specific rules. They've said: the rules you already follow? They apply here too. Which means if you're not governing your AI use, you're not meeting obligations you already have.
Then there's reputational risk. I sat with a senior partner at a mid-sized law firm earlier this year - good firm, careful people, the sort of practice that takes its obligations seriously. An associate had used an AI tool to draft a section of advice. The tool hallucinated a case reference. The advice went out to the client. They caught it because the client's in-house counsel happened to check the citation. The partner's exact words were: "If that client had been less diligent, we'd have been in front of the SRA." What struck me wasn't just the near-miss. It was that the associate wasn't being reckless - they were trying to be efficient, using a tool that had worked fine a dozen times before. Nobody had told them what to check for, or what the firm's position was on AI-assisted drafting. That's a governance failure, not a people failure.
The reputational damage from an AI error isn't proportionate to the error itself, either. It's amplified by the client's feeling that they weren't told AI was being used in the first place. That's the bit that really stings.
Client trust risk is subtler but arguably more corrosive. Your clients engage you because they trust your judgement, your expertise, and your discretion with their information. If a client discovers that their confidential data was processed by an AI system they didn't know about - even if nothing went wrong - the trust relationship shifts. Not because AI is inherently untrustworthy, but because the client wasn't given the choice. In professional services, the relationship is the product. Anything that erodes it without the client's knowledge is a problem.
And then there's internal risk - the one that's already happening in your firm, whether you know it or not. I was doing an engagement review for a consulting client last year and asked, fairly casually, which AI tools their team was using. The list that came back was... illuminating. Free-tier tools with no enterprise agreements. Consumer versions of products that explicitly use your inputs for model training. One person had built an entire workflow around a tool that had quietly changed its data processing terms three months earlier. Nobody knew. Nobody had checked. The firm had no approved list, no guidance, and no process for finding out what was actually in use. That's not unusual. That's the norm.
None of these risks is a reason to avoid AI. All of them are reasons to govern it before your first official deployment. Because unofficial deployments are already happening.
The governance framework that works in professional services has four dimensions. I've deliberately kept this simple because the moment governance becomes complicated, it stops being used. Think of these as the four questions you need to be able to answer.
The first is oversight: who decides? Before any new AI application goes live, someone needs to approve it. Not a committee - a named person or a defined process. The test is: if a partner wants to use a new AI tool for client work next Monday, who do they ask? If the answer is "nobody" or "I'm not sure," you don't have oversight.
The minimum viable version is a single named person - your AI lead - who reviews new AI tool requests against a simple checklist: data handling, client confidentiality, regulatory implications, output quality. Four fields. The approval process should take no more than a week. If it takes longer, people will skip it. And then you're back to the Wild West.
The second is accountability: who's responsible? For each AI application you deploy, someone needs to own the quality and compliance of its outputs. The principle that makes this straightforward: it should be the same person who'd be responsible if a human did the work. If a partner is responsible for the accuracy of client advice, they're responsible for that advice whether it was drafted by a trainee, a paralegal, or an AI tool. The technology changes; the accountability doesn't.
Where firms get this wrong is by creating a separate AI accountability structure - an "AI governance committee" that reviews outputs independently from the practice. That creates a gap. The person closest to the client and the matter is always the right accountability owner.
The third is transparency: who needs to know? This isn't about disclosing everything to everyone. It's about mapping out who needs to know that AI is being used, and how much they need to know.
For clients, at minimum your engagement terms should address AI use. Some firms are adding a clause along the lines of: "We may use AI-assisted tools in the preparation of work product. All AI-generated content is reviewed and approved by a qualified professional before delivery to the client." Others are going further and disclosing specific AI use on a matter-by-matter basis. The right approach depends on your client relationships, your sector, and your risk appetite - but having no position is the worst option.
For regulators, if you're FCA-regulated, you'll need to demonstrate how AI-influenced decisions are monitored for fairness and accuracy. If you're SRA-regulated, you'll need to show that client confidentiality obligations are being met by any AI tool processing client data.
For internal teams, fee earners need to know what tools are approved, what's not, and who to ask when they're unsure. Ambiguity here is your enemy.
The fourth is monitoring: who checks? Someone specific, at defined intervals, with a record. AI tools change - they update their models, alter their terms, change how they process data. The regulatory landscape evolves. Your own use cases expand. A governance decision that was sound in January might not hold in July.
The minimum viable version is a quarterly review of every deployed AI application. Has the tool changed? Have the regulations changed? Has the way you're using it changed? If yes to any of those, the governance decision gets revisited. Keep a record - even a simple spreadsheet - and you have an audit trail that will serve you well if a regulator or a client ever asks.
The four dimensions apply across professional services, but each sector has specific considerations worth calling out.
For legal firms, client confidentiality obligations under the SRA Code of Conduct apply to data processed by AI tools. Full stop. Any AI tool that touches client data must operate within the same confidentiality framework as a fee earner. This means checking where data is processed, whether it's used for model training, how long inputs and outputs are retained, and whether they can be accessed by the provider. Legal professional privilege implications for AI-assisted work product are still being worked through by the courts and the SRA - which is exactly why your governance framework needs to be designed for evolution rather than permanence.
For financial services firms, the FCA and PRA expectations around model risk management, explainability, and audit trails apply to AI systems. Consumer Duty obligations require that AI-influenced client outcomes are monitored for fairness. The regulatory picture here is moving quickly - the FCA's approach to AI supervision is developing in real time. Your governance framework needs enough flexibility to accommodate changes without requiring a full rebuild every time new guidance lands.
For consulting firms, here's one that catches people off guard: client IP protection. I was reviewing engagement terms for a consulting client last year and realised that nothing in their standard contract addressed what happened to client data processed by AI tools. If you're using AI tools that learn from or are calibrated by client data, you need to be certain that insights or patterns from one client's data aren't benefiting another client - or your firm's own knowledge base. Most standard consulting engagement terms don't address this adequately. It requires specific contractual and operational protections. The clause we typically recommend is short - two or three sentences - but it needs to be there. If you haven't reviewed your engagement terms with AI data processing in mind, put that on the list.
I keep coming back to this test: does your governance change what happens on a normal working day? Because if it doesn't, it's not governance. It's documentation.
Practical governance for AI in professional services looks like four things.
A one-page AI use policy - not a thirty-page document. One page, written in plain language that a fee earner can read in five minutes. It covers what you can use AI for, what you can't, and who to ask when you're not sure. I've seen firms overthink this spectacularly, producing policy documents so comprehensive that nobody reads them. The one-page version gets pinned to the intranet and actually gets consulted. The one we helped a mid-sized accountancy firm put together last year had three sections: approved tools, prohibited uses, and escalation. That's it. Fits on one side of A4. Their compliance officer told me six months later that it was the most-read document on their intranet. Make of that what you will.
A named AI lead. One person, not a committee. This is the first point of contact for governance questions and the person who approves new AI applications. In most mid-sized firms, this is a role that sits alongside someone's existing responsibilities - your head of IT, your compliance officer, your COO. It doesn't need to be a new hire.
A simple approval process. When someone wants to use a new AI tool for client work, what happens? The process should take no more than a week and produce a record. A form that captures: what the tool does, what data it processes, who's accountable for its outputs, and what the client transparency approach is. Four fields. If your approval process is more complex than that, simplify it.
A quarterly review. Every three months, your AI lead reviews every deployed AI application. Has the tool changed? Has the regulatory environment changed? Has the way it's being used changed? This takes a couple of hours per quarter for most firms. It keeps your governance current rather than fossilised.
These four elements can be in place within two to four weeks. We've seen firms do it faster. The point is that you don't need months of preparation before your first AI deployment. You need these four things.
There's a particular flavour of perfectionism in professional services that I find genuinely frustrating sometimes. It manifests as: "We can't start the AI programme until the governance is perfect." Which is just another way of saying "We can't start."
The governance doesn't need to be perfect. It needs to exist. A one-page policy, a named owner, a week-long approval process, and a quarterly review. That's your minimum viable governance. It protects your firm, it protects your clients, and it gives your fee earners the clarity they need to actually start using AI with confidence rather than using it in secret.
And here's what happens once that framework is in place: the governance evolves naturally. Your first quarterly review reveals things you hadn't considered. Your AI lead develops expertise through doing the job. Your policy gets refined based on real situations rather than hypothetical ones. The framework grows with the programme.
If you're thinking about how governance fits into a broader operating rhythm - how it connects to your strategic planning and quarterly prioritisation rather than living as a separate workstream - that's exactly what WHNN® is designed for. It builds governance into the quarterly cycle rather than treating it as a standalone exercise.
If you want the minimum viable governance framework - AI use policy, accountability structure, approval process, and quarterly review format - as a template you can adapt for your firm in a day, download it here. Each element is ready to customise, not blank. A firm that completes and adopts this template has taken the most important governance step before its first AI deployment.
And if you'd rather design the governance framework in a structured workshop that produces a firm-ready output by the end of the day, book an AI governance workshop. We'll bring the framework, you bring the context, and you'll leave with something you can implement the following week.