Heuristic

Audit client agreements for AI silence

Most firms' client agreements were drafted before AI became a live question and are silent on both the firm's AI use in delivering work and the client's permitted AI use on the firm's output; that silence inherits defaults by omission and leaves the firm exposed under privacy regulation and professional guidance.

Last updated 24 April 2026. First captured 24 April 2026.

ai-governance, professional-services, organisational-readiness

Most mid-tier firms’ client agreements were drafted before AI was a live question, and they address neither of the two questions that now need to be answered: whether and how the firm uses AI in delivering the engagement, and whether and how the client is permitted to use AI on what the firm delivers. The silence is not neutral. It inherits defaults from the tools and from assumed industry practice — and the inherited defaults often fall short of where the firm would choose to stand if it examined the question.

Why the silence matters

Two live risks sit in the gap.

Confidentiality and privacy regulation. Australian Privacy Principle 6 (use and disclosure), APP 8 (cross-border disclosure, relevant because most frontier AI services are hosted outside Australia) and APP 11 (security of personal information) all apply in ways the template agreements were not drafted to handle. If a partner feeds client material into a consumer-grade AI without client consent, the firm is now the party that has to answer for it. The agreement offers no cover either way; worse, its silence can be read as non-disclosure.

Professional regulation. For legal, accounting and financial-advice firms, industry bodies are beginning to publish guidance on AI use in client work. Some of it will read against current defaults. A firm whose client agreement does not position the firm on the record will be reacting to the guidance, not anticipating it.

Two questions are usually enough to gauge exposure. Has any client raised AI use in the last six months? Have any of your own people been found feeding confidential client material into a consumer-grade AI tool? In most firms that look, the answer to at least one is yes — and the agreement template covers neither.

How to apply the heuristic

The remediation is not complicated, but it is not zero-effort either. Revise the agreement template to take explicit positions on firm-side AI use in delivery, on client-side AI use on output, on the handling of material sent to AI services and its retention, and on consent and attestation mechanics where required. Audit the firm’s own use to identify where staff practice is ahead of the agreement and bring both into alignment. Publish a position clients can rely on.

This is the specific instance, for professional services, of the broader principle set out in "Passive AI adoption is an implicit policy choice", and it responds to "Start AI governance imperfect; iterate rather than wait": a provisional position taken now beats a perfect position taken later, because later the default has already become the policy.