Professional indemnity insurers have started asking accounting firms specific questions about AI use at renewal. The questions are not yet uniform across the market, but the direction is clear - insurers want to know which AI tools are being used, what categories of data are processed through them, what governance controls are in place, and what happens when AI output enters a client file. A firm that cannot answer these questions in writing is increasingly likely to face either a loaded premium or an exclusion in the policy wording.
This guide is for partners and risk leads who need to draft, or refresh, an AI use policy that will hold up to insurer, regulator, and partner board scrutiny. It is not a template - every firm's position will differ - but it covers the structure, the clauses that matter, and the procedural disciplines that turn the policy from a piece of paper into an operating control.
Why insurers care about AI policies
From an insurer's perspective, AI in a professional services firm is a new and not yet well-priced source of claims exposure. The plausible loss scenarios - incorrect advice based on a hallucinated authority, breach of confidentiality from a consumer chatbot, GDPR enforcement action from an undocumented processing arrangement, audit failure traced to AI-generated working papers - are all real, and the underwriter's response is to ask for evidence of control.
A firm with a written policy, a clear approved tool list, evidence of training, and a documented incident response will be treated differently from a firm that ticks "we use AI" on the proposal form and leaves it there. The premium differential is real and growing.
The structure that works
A policy that satisfies most insurer questions and is workable inside the firm tends to follow this structure:
- Scope - what counts as AI for the purpose of the policy, and which staff it applies to
- Approved tools - the named list of AI tools the firm permits, by tier (e.g. enterprise OpenAI, Microsoft Copilot, the firm's docs-only platform)
- Prohibited tools - explicit prohibition of personal consumer accounts for client work
- Data classification - which categories of data may be processed in which tools
- Use cases - the approved and prohibited use cases, with examples
- Human review - the standard of review applied to AI output before it enters a client file
- Documentation - what is recorded in the working papers about AI use
- Training and acknowledgement - onboarding and annual sign-off requirements
- Incident response - what happens if AI use causes an error, breach, or complaint
- Review cycle - who owns the policy and when it is updated
Defining the approved tool list
The single most concrete part of the policy is the approved tool list. Insurers want a list of named tools, with the contractual basis on which each is used, and the data categories that may flow through each. Vagueness here is treated as absence of control.
The practical position for most UK firms in 2026 is a short list - a docs-only AI tool inside the practice management platform for client work, an enterprise tier of a general AI vendor for non-client research and drafting, a Microsoft 365 Copilot deployment for general productivity within the firm's tenancy, and an explicit statement that no other AI tool may be used for client work without partner approval. For UAE firms the structure is similar, with attention to the data localisation positions of each supplier.
The prohibited list matters as much as the approved list
A policy that only says what is allowed is weaker than one that also says what is not. The prohibited list should explicitly cover personal consumer accounts of any AI vendor for client work, browser-extension AI tools that capture page content, voice-to-text services that send recordings to a third party without a processor contract in place, AI-powered email plugins that process client correspondence outside the firm's tenancy, and any tool not on the approved list.
This list does the work of catching the shadow AI use that insurers and regulators are most concerned about. It also gives the partner board a clear conversation to have with any team member found using something they should not be.
Data classification - the four-tier model
A workable approach is to define four data tiers and to specify which tools may process each tier:
- Tier 1 - public information (general tax law, accounting standards, no firm or client identifiers): processable in any approved tool
- Tier 2 - internal information (firm templates, internal notes, no client identifiers): processable in any approved business-tier tool
- Tier 3 - client-identified information (client names, contracts, accounts, correspondence): processable only in the docs-only platform or other tools with explicit processor agreements
- Tier 4 - special category personal data, AML/KYC source data, or anything subject to a non-disclosure agreement: processable only in tools with written approval from the risk lead and an appropriate contractual basis
Human review standards
The policy should set out the standard of human review applied to AI output before it enters a client file. The minimum position for most firms is that no AI output is sent to a client, filed with HMRC or the FTA, or placed in a working paper file without review by a qualified team member who has checked the citations and confirmed the substance against source documents. For higher-risk outputs - tax computations, audit conclusions, formal advice - the reviewer should be a manager or partner.
This is also the right place to make clear that the firm's opinion is the firm's opinion, not the AI's, and that the partner signing a piece of work cannot rely on "the AI said so" as a defence to a claim. That principle is easier to embed if it is in the policy from day one.
Documentation that satisfies regulators and insurers
For each piece of work where AI has been used in a material way, the working paper file should contain: the approved tool used, the prompt or question put to the AI, the documents made available to it, the AI's output, the reviewer's verification, and the firm's final conclusion. This is the artefact a regulator inspection or an insurer claim investigation will ask for, and a record that names the tool is what ties the working paper back to the approved tool list in the policy.
A practice management platform that captures this automatically is much easier to defend than a free-text note that the team has to remember to write. The documentation discipline should be embedded in the workflow, not bolted on at the end.
Training, acknowledgement, and culture
A policy that is signed on joining and never read again is worth very little. A working approach is a 30-minute training session on joining covering the policy, the approved tools, and the prohibited uses; an annual refresher session with updates from the previous year's experience; a written acknowledgement at each renewal; and a clear named owner inside the firm who is the first point of contact for any AI question.
The culture point matters as much as the documentation. If senior people in the firm are seen using consumer chatbots for client work, the policy is a fiction regardless of what it says on paper.
Incident response
The policy should set out what happens when something goes wrong. A workable incident response covers: who is notified internally (partner board, risk lead, the firm's compliance officer or COLP equivalent), what is documented, when the insurer is notified, when the client is notified, when the ICO or relevant data protection regulator is notified, and what corrective action is taken. Two deadlines belong in the document rather than in someone's memory: professional indemnity policies typically require notification of circumstances that may give rise to a claim, not only of claims actually made, and under UK GDPR a reportable personal data breach must reach the ICO within 72 hours of the firm becoming aware of it. The discipline of having this written down before an incident is the difference between a contained event and a regulatory escalation.
Review cycle and ownership
AI is moving fast enough that an annual review of the policy is not enough. A workable cycle is a quarterly review by the named owner, with substantive amendments brought to the partner board, and a full annual refresh signed off by the partner board and acknowledged by every team member. The policy should carry a version number and an effective date on every page.
How Accupe helps
Accupe gives firms an approved-tool position they can put directly into the policy. The AI document analysis operates in a docs-only mode, with source citation on every statement, three modes (Fast, Planning, Ultra-Detailed) for different work types, and a data handling commitment that the firm can show its insurer. AI use sits inside the practice management workflow alongside Smart Boards, AML/KYC screening via OpenSanctions, the encrypted client portal, and built-in e-signatures - so the documentation discipline the policy requires is captured automatically. Per-firm pricing from £20/month.