🔒 Governance

Governance Controls for AI: What Firms Need Before Automating

Most conversations about AI start with speed. The first question should be: what controls are in place when something goes wrong?

Most conversations about AI in professional services start with speed. How fast can we draft proposals? How quickly can we process client documents? How many hours can we save?

Those are the right questions to ask second. The first question should be: what controls are in place when something goes wrong?

Professional services firms operate on trust. Your clients share sensitive financial data, legal documents, and proprietary business information because they believe you'll protect it. Introducing AI into those workflows without governance controls isn't innovation. It's risk.

Here are five non-negotiable controls that should be in place before any AI touches a client-facing workflow.

1. No Model Training on Client Data

This is the baseline. If an AI vendor uses your client data to improve their models, your client's proprietary information becomes training material that could influence outputs for other users — including competitors.

What to look for: a written commitment that all AI processing is inference-only. The model processes your input and returns an output. It doesn't learn from it. It doesn't retain it. Your data isn't improving their product.

Ask any vendor point-blank: "Do you train on our data?" If the answer is anything other than a clear no, keep looking.

2. Human Approval Gates on Client-Facing Output

Fully automated AI output sent directly to clients is a liability waiting to happen. The technology is good at drafting. It's not good enough to skip review.

An approval gate is simple: the AI generates output, a designated team member reviews and approves it, and only then does it reach the client. This takes 2–5 minutes per item. Design your gates based on risk classification — internal documents might need lighter review, but client-facing deliverables and anything involving financial data should always have a human in the loop.

3. Full Audit Logging

Every action the AI takes should be logged with a timestamp, the input it received, and the output it produced. When a client questions an output, you need to trace exactly what happened: what data went in, what the AI produced, who approved it, and when it was delivered. Without logs, you're reconstructing from memory.

Audit logs also serve a compliance function. If your firm operates under regulatory frameworks that require documentation of process controls, AI actions without logs create a gap in your compliance posture.

4. Documented Rollback to Manual Operation

AI workflows fail. Models degrade. API providers have outages. When your AI-assisted proposal drafting system goes down at 4 PM on a Thursday before a Friday deadline, you need a documented path back to manual operation.

A rollback plan answers three questions: Who does what? Using which tools? In what order? It should be specific enough that someone unfamiliar with the AI system can follow it. Test your rollback paths quarterly. If manual operation has atrophied because the team hasn't done it in months, the rollback plan is theoretical, not practical.

5. Least-Privilege Access with Rotation

AI integrations should receive the minimum permissions required to function. If the workflow needs to read documents, it shouldn't also have write access to your CRM. If it needs to draft emails, it shouldn't have access to send them without approval.

Least-privilege access limits the blast radius when something goes wrong. A compromised integration with read-only access to one system is a contained incident. A compromised integration with full access to everything is a breach. Rotate credentials quarterly or whenever personnel change.

The Bottom Line

These five controls aren't aspirational. They're table stakes for professional services firms that handle client data. Any AI vendor that treats governance as an add-on or an afterthought is telling you where their priorities are.

The goal isn't to slow AI adoption. It's to build the trust infrastructure that makes sustainable AI adoption possible. Speed without controls is just faster failure.

Paul Thomas

Founder & AI Consultant — TreeHouse AI, Tampa, Florida

Want to review your AI governance posture?

Our free assessment includes a review of your current controls and a clear picture of what needs to be in place before deployment.