AI and Professional Liability

If your professionals are using an AI tool to draft, research, model or review work, it is your work product the moment you sign off on it — and your PI policy that will respond when it goes wrong.

The question of who is liable when AI gets it wrong is a great deal less complicated than the AI policy debate makes it sound. The professional who signed off the work is liable. The professional supervisor who failed to supervise is liable. Whether the model that produced the first draft was generative AI, a junior solicitor, an offshore paraprofessional or a Word template is, from the perspective of the duty of care, an internal process question. What is changing is how that exposure is being underwritten, what firms must disclose about their AI use, and how the policy responds when an AI-assisted output is at the heart of a claim. This guide sets out what we are seeing across the PI book and what we advise.

What this means in practice

Three things are happening in parallel.

First, AI tool use has moved from experiment to embedded in most professional practices. Generative AI is used to draft contracts, summarise discovery, prepare design narratives, draft reports, model valuations, code structural analyses, prepare client communications and produce research memos. In most firms the partner or senior responsible for the matter still signs off — but the volume of partner attention per output has fallen, and the supervisor’s ability to spot a subtle hallucination or a fabricated authority is genuinely tested.

Second, claims arising from AI-assisted work are starting to land. They look very much like classic professional negligence claims. The output was wrong; the reliance was reasonable; the loss followed. The novelty is mostly in the disclosure phase, where claimants are asking for the AI prompt history, the model used, the audit trail and the firm’s AI use policy. Firms that cannot produce a coherent AI governance record are at an immediate disadvantage.

Third, underwriters are now asking AI-specific questions on PI proposal forms. They want to know which tools are in use, how they are governed, whether client data is leaving the firm’s environment, who is responsible for review of AI-assisted output, and whether the firm has an AI use policy. The disclosure obligation under section 3 of the Insurance Act 2015 means that the answers given on these questions are part of the fair presentation, and a careless or untruthful answer can produce a remedy under section 8 if a claim turns on the AI use.

The underlying legal point is straightforward: AI output that a professional signs off becomes the professional’s work product for the purposes of the duty of care. The duty owed to the client does not change because a model produced the first draft. The duty to supervise is therefore a duty to supervise the output of the model in the same way the partner would supervise a junior — with attention proportionate to risk.

How the cover usually responds

A standard professional indemnity wording responds to claims arising from a breach of professional duty in the conduct of the firm’s professional services. There is, in most wordings, nothing in the insuring clause that excludes work produced with the assistance of AI. The work is the work; the tool used to produce it is, from the policy’s perspective, irrelevant.

That said, several wording points matter. First, the “professional services” definition should be checked. If it lists specific activities and AI-assisted services are arguably outside the list, a coverage argument is available. Second, some wordings now contain specific AI-related conditions or warranties — usually requiring the insured to have an AI use policy, supervise output, and not allow client data into public models without consent. A breach of warranty has potentially severe consequences, though section 11 of the Insurance Act 2015 limits insurer reliance on terms not relevant to the actual loss. Third, cyber-style language is migrating into PI wordings: AI-related data loss, model poisoning, prompt injection and similar exposures may sit at the PI/cyber boundary, and which policy responds depends on whether the loss is characterised as a professional services failure or an information security incident. Our cyber insurance guide covers the boundary in more detail.

The UK regulatory picture remains principles-based. The AI Regulation White Paper 2023 set out a pro-innovation framework relying on existing regulators applying cross-cutting principles within their remits. The Financial Conduct Authority has signalled it will apply existing senior management and SYSC obligations to AI use in regulated firms. The Information Commissioner’s Office continues to publish AI-specific guidance under the Data Protection Act 2018 and UK GDPR, with particular focus on automated decision-making, fairness, accountability and data protection impact assessments. None of this is a substitute for the professional duty of care, but firms are expected to demonstrate they have considered the regulatory expectations relevant to their sector.

The EU AI Act has extraterritorial reach. UK firms providing services into the EU, deploying AI systems that affect EU data subjects, or supplying AI-related products into the EU market may fall within scope of specific provisions. The risk-classification approach in the Act — unacceptable, high, limited, minimal — drives the obligations. Firms should map their AI use against the Act’s scope, even if they are not EU-established.

Common mistakes

Worked example

Consider a typical commercial law firm of around 60 fee-earners. The firm has been using a generative AI tool for first-draft research, contract review and client correspondence for around 18 months under a documented AI use policy that requires partner sign-off of all client-facing output.

In a corporate transaction, a junior associate uses the tool to research a regulatory question. The tool produces an answer citing a statutory provision that does not exist and a case that is fabricated. The associate inserts the answer into a transaction memo. The supervising partner reads the memo, checks the principal authority briefly, and signs off. The client relies on the memo in deciding to proceed with the transaction on terms it would not have agreed had the actual regulatory position been understood. Six months later the client discovers the position and brings a claim for the cost difference — around £350,000 — plus consequential losses.

The PI policy in force at notification responds. The claim is a straightforward professional negligence claim: negligent research, negligent supervision, negligent reliance procured. The fact that AI produced the original error is relevant only to the firm’s defence narrative and the client’s contributory negligence argument, both of which are weak. The claim settles at around £220,000 inside the limit. The firm’s renewal sees the underwriter ask for the AI use policy, the supervision protocol, and evidence of training delivered. The premium increases moderately.

The point of the example: the wording responded because the activity was within professional services and AI use was not excluded. The next year the underwriter is paying closer attention.

What to do at renewal

  1. Inventory every AI tool in use across the firm — by tool, by use case, by data type, by user group. Underwriters will ask, and so will claimants if a claim arises.
  2. Write down the AI use policy. It does not need to be long; it needs to be specific to the firm and actually followed.
  3. Confirm the “professional services” definition in the PI wording covers AI-assisted output without ambiguity.
  4. Cross-check the cyber policy. AI-related data loss, model poisoning and prompt injection sit awkwardly between PI and cyber; resolve the boundary at placement, not at claim.
  5. Train supervisors on the failure modes of the tools the firm uses, particularly hallucination in legal and tax research and overconfidence in numerical outputs.
  6. Disclose AI use truthfully on the proposal. Section 3 of the Insurance Act 2015 governs fair presentation; section 8 governs the remedies for breach. Both matter more in this area than firms realise.
  7. Where the firm provides services into the EU, complete a high-level scoping against the EU AI Act and document the conclusion.

Apex’s view

The underwriter conversation about AI is going to get harder, not easier, over the next two renewals. The firms that come through it well are not the ones using less AI — they are the ones who can describe in a paragraph what they use, why, under what supervision, and with what audit trail. The proposal-form question is becoming a proxy for the broader question of whether the firm has its risk management in order. Treat it that way. Write the policy now, train the people now, and have the artefacts ready at renewal. We see firms tempted to soft-pedal AI use on the form. That is exactly the disclosure failure that section 8 of the Insurance Act 2015 was designed to remedy.

Sources

  1. Insurance Act 2015, sections 3, 8 and 11
  2. Data Protection Act 2018
  3. UK General Data Protection Regulation
  4. Financial Services and Markets Act 2000
  5. FCA Handbook, SYSC
  6. AI Regulation White Paper 2023 (Department for Science, Innovation and Technology)
  7. Regulation (EU) 2024/1689 (the EU AI Act)

Talk to a specialist broker

Apex Insurance Brokers serves UK professional services firms and commercial businesses. Call 0117 325 0027, email hello@apexinsurancebrokers.co.uk, or request a quotation.
