Based on conversations with dozens of firms, I estimate 60-70% of professional services firms still don't have a documented AI policy beyond "ChatGPT is on the approved list" or "ChatGPT is banned." That's a significant gap, especially now that AI is moving from experimental to production.
The good news: an effective AI policy for professional services isn't that complicated. The bad news: most firms don't have one.
What You're Missing Without a Policy
Without a clear policy, you have:
- Inconsistent usage across the firm
- Risk that someone uses AI inappropriately with client data
- No guidance for associates on what's safe and what's not
- No audit trail if something goes wrong
- Exposure if regulators ask "what's your policy?"
A good policy prevents most of this.
What an Effective AI Policy Should Cover
1. Approved Tools and Models
"We permit: Claude, GPT-4, internal implementations of Haiku. We prohibit: unauthorized models, open source models run on unsecured infrastructure, tools without data agreements."
Be specific. Don't just say "AI is OK." Say which tools and under what conditions.
2. Data Governance
"No client confidential data can be sent to external APIs unless the client has consented. Public information, redacted information, and internally developed content can be used with any approved tool."
This is the core issue. People want to use AI for confidential work, but they can't without consent or contractual indemnification.
3. Approval Workflows
"Routine tasks (research, document generation, summarization) require no pre-approval. New applications or use of AI for generating legal advice requires approval from practice group leadership and AI steering committee."
Not everything needs bureaucracy. But high-stakes decisions should.
4. Quality Assurance
"AI-generated content must be reviewed by a qualified person before use. AI cannot generate legal opinions, financial advice, or client communications without human review and approval."
This is your liability protection. Be explicit that humans verify AI work.
5. Training and Awareness
"All staff must complete annual AI awareness training covering what AI can and cannot do, appropriate use cases, and risk areas. Practice group leads must complete advanced training."
Policies only work if people know them. Training is not optional.
6. Monitoring and Audit
"We will monitor AI usage (redacted logs). Unauthorized use of prohibited tools will trigger investigation and potential disciplinary action. Violating data governance rules will result in immediate suspension of AI access."
Enforcement matters. A policy with no consequences is just a suggestion.
How to Build This in 30 Days
Week 1: Audit and Inventory
What AI tools are people currently using? Approved? Unauthorized? Get a baseline.
Week 2: Draft Policy
Use the framework above. Involve practice leaders and your tech/risk teams. Draft something 80% perfect that you can refine later.
Week 3: Feedback and Refinement
Get input from key stakeholders. Make it real. Get buy-in from practice leadership.
Week 4: Launch and Training
Announce policy. Provide training. Answer questions. Make compliance clear.
This is a month of work for someone, not years. Don't over-engineer it.
What Changed From a Year Ago
A year ago, the policy question was: "Should we even allow AI?" Now it's: "How do we allow AI safely?" This is progress. It means you're past the "is this allowed?" question and into the "how do we do this well?" question.
Your policy should reflect this. It shouldn't be prohibitive. It should be enabling—encouraging use while managing risk.
The Competitive Signal
When your team has clarity on what they can and can't do with AI, they adopt it faster. When they're confused, they use it less (too cautious) or recklessly (too permissive). A clear policy creates the Goldilocks zone: not too much, not too little, just right.
Your competitors who don't have a policy yet are losing productivity and creating risk. Don't be that firm.