Many professional services firms are no longer asking whether AI will affect their work.
What this helps you check
Use this as a practical starting point for a calmer internal review.
- AI tool approval and governance
- Confidentiality and client-data rules
- Microsoft 365 permissions and human review
It already has.
Staff may be using AI to summarise notes, draft emails, analyse documents, prepare research, tidy spreadsheets, or speed up internal admin. Some of that use may be helpful. Some of it may be risky. Much of it may be happening before the firm has agreed on the rules.
For legal, financial, and advisory firms, that is the tension.
AI can save time. But client confidentiality, privacy, professional judgement, and reputation cannot be treated as afterthoughts.
The market is moving, but governance is lagging
Recent research points in the same direction.
KPMG New Zealand's 2025 AI trust research notes that AI adoption is rising while AI literacy and governance remain weak. It also found that only 36% of New Zealanders believe they have the skills to use AI tools appropriately, compared with 60% globally.
Thomson Reuters' 2025 Generative AI in Professional Services Report found that organisational GenAI usage nearly doubled from 12% in 2024 to 22% in 2025. In the legal sector, usage nearly doubled from 14% to 26%, while 48% of law firm professionals still lacked formal GenAI policies.
That combination should get attention.
AI use is increasing. Confidence is uneven. Formal rules are often missing.
For professional services firms, that is not a comfortable mix.
Safe AI starts with confidentiality
The first rule is simple:
Do not put confidential client information into tools unless the firm has approved the tool, the data use, and the controls.
That sounds obvious, but it is where many risks begin. Staff may not know which tools are public, which tools store prompts, which tools train on submitted data, or which tools are covered by enterprise protections.
A safe AI policy should make this plain. It should explain:
- Which AI tools are approved.
- Which information must never be entered.
- Which use cases are acceptable.
- When human review is required.
- How AI-generated material should be checked.
- Who staff should ask when they are unsure.
This does not need to be a 40-page document. It needs to be clear enough that people can follow it during a normal working day.
Microsoft 365 and identity settings matter too
Safe AI adoption is not only about prompts and policies.
It is also about the systems AI can access.
If a firm is using Microsoft Copilot or other AI tools connected to internal systems, permissions become even more important. AI may surface information based on existing access. If those permissions are too broad, old, or poorly managed, AI can make an existing governance problem more visible.
Before adopting AI more widely, firms should review:
- SharePoint permissions.
- Teams and channel access.
- External sharing.
- Guest users.
- Sensitive folders.
- Document labelling.
- Identity and access controls.
- Administrator privileges.
AI does not remove the need for good information governance. It increases the value of getting it right.
Matt Allwood's practical view on AI adoption
Matt Allwood, EQIQ's Managing Director, brings experience across IT services, infrastructure, and business technology strategy in the New Zealand SME market. His view is pragmatic: AI should help firms work better, but not at the expense of confidentiality or control.
That is why EQIQ's approach to AI is not built around hype.
It starts with the firm's real operating environment: how people work, where information sits, what clients expect, and what level of risk is acceptable.
For professional services firms, AI adoption should feel measured, useful, and controlled. If it feels like a leap of faith, the governance work is not finished.
A practical AI governance checklist
Before encouraging wider AI use, a firm should be able to answer:
- Which AI tools are approved for staff use?
- Which tools are blocked or not recommended?
- What data can and cannot be entered?
- Are staff trained on safe AI use?
- Are AI outputs reviewed before client or external use?
- Are Microsoft 365 permissions clean enough for AI-connected tools?
- Is there a process for testing new AI use cases?
- Who owns the AI policy?
- How often will the policy be reviewed?
- How will the firm handle mistakes or inappropriate use?
If the answer is "we are not sure", that is a sensible place to start.
The opportunity is real, but so is the responsibility
AI can help professional services firms reduce admin, improve drafting, support research, and make internal processes more efficient.
But the firms that benefit most will not be the ones that simply turn tools on and hope for the best.
They will be the firms that use AI deliberately.
They will protect confidentiality first. They will set clear rules. They will train staff. They will clean up permissions. They will choose tools carefully. They will keep human judgement in the loop.
That is how AI becomes useful without becoming reckless.
FAQs
What is safe AI adoption for professional services firms?
Safe AI adoption means using AI tools in a way that protects client confidentiality, privacy, professional judgement, and firm reputation. It includes approved tools, clear data rules, staff guidance, human review, and strong information governance.
Why does Microsoft 365 governance matter for AI?
AI tools connected to Microsoft 365 may surface information based on existing permissions. If SharePoint, Teams, guest access, or file-sharing settings are too broad, AI can expose information governance problems that already existed.
What should a professional services AI policy include?
An AI policy should explain approved tools, prohibited data, acceptable use cases, review requirements, staff responsibilities, escalation points, and how the policy will be reviewed as tools and risks change.
Sources: KPMG New Zealand, Thomson Reuters, and EQIQ local brand materials.
Book a Conversation
