AI in UK professional services: the full liability map

~7 min read

Reviewed by Matthew Bartlett, Director · Last reviewed 01 July 2026

Artificial intelligence has moved from novelty to daily kit in most UK professional practices. Solicitors are using large-language-model tools to draft first-pass advice. Accountants deploy machine-learning classifiers to spot anomalies in ledgers. Financial advisers rely on algorithmic screens to filter product universes. Architects and engineers run generative design tools to stress-test options. Used well, these tools free professional judgement to concentrate on the questions that actually need it. Used poorly, or without the audit trail to prove they were used well, they concentrate liability instead. This entry maps how UK law and regulation treat AI-enabled professional work, what the courts and regulators are likely to expect when something goes wrong, and how professional indemnity cover is beginning to respond.

A working taxonomy of AI in professional services

Not every "AI" tool poses the same liability profile. It helps to separate four broad categories. First, generative advice tools — large language models that draft correspondence, memoranda, or client-facing explanations. Second, algorithmic decision systems — rules-based or machine-learning engines that produce a recommendation or score (credit decisions, triage tools, actuarial pricing). Third, automated document drafting — contract assembly, precedent selection, and clause-library tools that generate a working draft from structured inputs. Fourth, machine-learning-driven analysis — pattern recognition applied to disclosure, transaction ledgers, imagery, or engineering data. Each interacts differently with the professional's duty of care, but the same fundamental legal position applies to all of them.

The legal position: the reasonable care test is unchanged

Nothing in the arrival of AI has moved the standard of care in professional negligence. The Bolam test (Bolam v Friern Hospital Management Committee [1957] 1 WLR 583) still asks whether the professional acted in accordance with a practice accepted as proper by a responsible body of practitioners in the field. Bolitho v City & Hackney HA [1998] AC 232 adds that the practice must itself withstand logical analysis. The Supreme Court's decision in Manchester Building Society v Grant Thornton UK LLP [2021] UKSC 20 clarifies the scope-of-duty question — a professional is liable for losses that fall within the scope of the duty assumed, not for every downstream consequence of an error.

Applied to AI: the fact that a draft, a valuation, or a recommendation was produced by a machine does not transfer the duty. Under s.13 of the Supply of Goods and Services Act 1982 a professional supplying services in the course of business owes an implied term of reasonable care and skill. That duty is owed by the human — or by the firm — who signs off, not by the software. If a solicitor sends a letter of advice drafted by a language model without verifying its content, the position is legally identical to sending a letter drafted by a trainee without checking it.

Verification obligations

The active question, therefore, is what reasonable verification looks like. The courts have not yet drawn a bright line, and it is unlikely they will. Instead, the test is contextual: what would a responsible body of practitioners do with the output of this specific tool, applied to this specific type of work, for this specific client? A generative model producing a client-facing note of law probably needs line-by-line citation checking — the well-documented tendency of such models to hallucinate authorities makes anything less indefensible. A well-audited actuarial engine used within its documented parameters may need lighter human review, provided the parameters are checked. A machine-learning triage tool applied to a bundle of disclosure documents needs sampling and back-testing rather than exhaustive re-review, if that is the accepted practice.

UK GDPR Article 22 and automated decisions

Where an AI tool produces a decision that has legal effect on an individual, or similarly significantly affects them, Article 22 of the UK GDPR (retained in the Data Protection Act 2018) is engaged. Fully automated decisions of that kind are permitted only in narrow circumstances — contract necessity, explicit consent, or authorising law — and the data subject has the right to human review, to express a point of view, and to contest the decision. For most professional services the practical response is to ensure a meaningful human intervenes before the output leaves the firm. "Meaningful" means the human has the authority and the information to change the decision — a rubber-stamp does not qualify.

Regulator guidance: FCA, SRA, ICAEW

The FCA has published thematic work on AI in insurance and wider financial services since 2019, and continues to update its position. The consistent themes are governance, model risk management, explainability, fair outcomes under the Consumer Duty (PRIN 2A), and the accountability of senior managers under SMCR — no automation defence for SMF holders. The SRA's guidance on the use of AI (updated periodically) is short but pointed: solicitors remain responsible for the work, must protect client confidentiality when using external tools, and must not mislead the client or the court about how the output was produced. ICAEW's Technical Releases on the use of algorithms and analytics in audit and assurance set out the professional's obligation to understand, test, and document any tool relied on for a material judgement.

Across all three regulators the direction of travel is the same: the tool does not carry the duty, the professional does, and the professional must be able to show the tool was fit for the use to which it was put.

Evidence and audit trail requirements

If reasonable care is fact-sensitive, evidence becomes the currency of any later dispute. Practices that will help a firm defend itself include: recording which tool was used and its version; retaining the input prompt or data; retaining the output; recording the human reviewer and the changes made; and documenting periodic validation of the tool against known cases. None of that is exotic — it is the same audit discipline expected of any other professional workflow, applied to a new class of input. A firm that cannot show what the tool produced and what the human changed has no answer to a later allegation that the human did not really review it.

Contractual position with AI vendors

Most AI vendor terms limit the provider's liability sharply, disclaim fitness for a particular purpose, and place the burden of verification on the user. That is a commercial reality rather than a defect. It also means the firm cannot pass its professional duty back up the supply chain. Points worth negotiating where the vendor will engage are data-handling and confidentiality terms, indemnities for third-party IP infringement in generated output, and a clear statement of the model's intended use and known limitations. Where the vendor will not engage, the firm still owns the risk and needs to price and control it accordingly.

How PI policies respond

The standard UK professions-focused PI policy insures the firm against liability arising from the provision of the insured professional services. A negligent piece of advice, or a negligently drafted document, is covered whether it was produced by a partner, a junior, or a language model — because the insured act is the firm's provision of the service. The tool is not the insured. Cover typically responds to: the defence of a claim of professional negligence; damages awarded or agreed in settlement; and, subject to policy terms, mitigation costs. Where a claim alleges breach of a data-protection obligation as well as negligence, the interaction with cyber cover matters and the two policies need to be read together.

Emerging market wording on AI

Some insurers have begun to add specific language on AI use — occasionally as a positive confirmation of cover for outputs generated with AI assistance, and occasionally as a warranty that the firm has documented governance for AI-enabled work. Exclusions specifically aimed at AI are not yet common in the UK PI market for professions, but underwriters increasingly ask at renewal whether the firm uses AI tools, in what workflows, and what oversight applies. Firms that can answer those questions crisply tend to have easier renewals.

Practical safeguards for firms

A short list of measures that keep the risk in proportion: a written policy on which AI tools may be used and for what; a verification standard proportionate to the risk of the output; a confidentiality rule that prevents client information going into unapproved external tools; training for the people who use the tools; periodic sampling of AI-assisted work against expected standards; and a record-keeping habit that would survive a regulator or insurer looking over the shoulder. Firms that adopt AI thoughtfully — and can prove it — are not accumulating hidden liability. They are extending their reach.

For related material see the wiki entries on AI-generated advice and professional negligence and algorithmic decisions and PI cover. Sector-specific PI guidance is available for solicitors, accountants, independent financial advisers, architects, surveyors, engineers, IT consultants, and management consultants.

Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 724952. This entry is general information, not advice on any particular policy.

Looking at a PI policy and want a careful read of the wording?
Start a conversation