Short answer: staff can use AI safely when the firm treats it as a governed work tool, not a casual shortcut.

What this helps you check

Use this as a practical starting point for a calmer internal review.

  • Approved AI tools and staff rules
  • What information must stay out of public AI tools
  • Human review before AI output is relied on

In many New Zealand professional services firms, AI use has already started. Staff may be using it to summarise notes, draft first versions of emails, tidy internal documents, research background topics, or prepare meeting material.

The issue is not whether AI can be useful. It can be. The issue is whether staff know what is safe, what is not safe, and who decides.

What does safe staff AI use mean?

Safe AI use means the firm can answer five practical questions:

  • Which AI tools are approved for work?
  • What client or firm information must never be entered?
  • Which tasks are suitable for AI support?
  • Who checks AI-generated work before it is relied on?
  • How are permissions and data access controlled?

If these answers are unclear, staff are left to make risk decisions alone. That is unfair to the person using the tool, and uncomfortable for a firm handling confidential client work.

What should staff avoid putting into AI tools?

Unless the firm has approved the tool and the data use, staff should not enter confidential client information, personal information, matter details, financial records, contracts, credentials, commercially sensitive material, or anything that could identify a client or private situation.

This rule needs to be written in plain English. Staff should not have to interpret a policy while trying to finish a piece of work.

Why approved tools matter

Not all AI tools treat information the same way. Some are consumer tools. Some are enterprise tools. Some store prompts. Some may use submitted information to improve services. Some can be managed through the firm's security settings.

A professional services firm should keep a simple approved-tools list. It should say what each tool may be used for, what information is allowed, and who owns the decision to add or remove tools.

Human review is not optional

AI output can sound confident while still being wrong, incomplete, or too generic for professional advice. Staff should treat AI as a drafting or thinking assistant, not as an authority.

Before AI-assisted work is used externally, someone with the right professional judgement should check the facts, tone, confidentiality position, and whether the output fits the client context.

Microsoft 365 permissions need attention before AI expands

AI safety is not only about prompts. It is also about what systems can be searched, summarised, or surfaced.

If the firm uses AI tools connected to Microsoft 365, old SharePoint permissions, broad Teams access, unmanaged guest users, and loose sharing links can become more visible. AI does not usually create those permission issues, but it can make them easier to find.

Before wider AI use, review:

  • SharePoint and Teams permissions.
  • External sharing and guest users.
  • OneDrive sharing settings.
  • Sensitive client folders.
  • Administrator accounts.
  • Staff training and reporting routes.

What should an AI staff policy include?

A useful AI staff policy should be short enough to use and specific enough to protect the firm. It should cover approved tools, prohibited data, acceptable use cases, human review, disclosure expectations, escalation contacts, and review dates.

The aim is not to stop sensible use. It is to make safe use easier than risky use.

FAQs

Can staff use AI safely in a professional services firm?

Yes. Staff can use AI safely when the firm approves the tools, sets clear data rules, protects client confidentiality, reviews outputs, and manages access to systems such as Microsoft 365.

What should staff never put into public AI tools?

Staff should not put confidential client information, personal information, matter details, financial records, contracts, credentials, or commercially sensitive material into public AI tools unless the firm has explicitly approved that use.

Why does Microsoft 365 access matter for AI safety?

AI tools connected to Microsoft 365 may use existing permissions to find and summarise information. If SharePoint, Teams, OneDrive, or guest access permissions are too broad, AI can make those access issues more visible.

Sources: Microsoft, Office of the Privacy Commissioner, and EQIQ local brand materials.