AI Compliance for UK Professional Services: Three Regulatory Shifts That Change Your Liability
The regulatory environment around artificial intelligence has moved from aspiration to enforcement. For UK professional services firms — accountants, solicitors, HR consultancies, marketing agencies — that shift carries direct consequences for how you deploy AI tools, who bears responsibility when things go wrong, and what your clients can legally demand from you.
This briefing covers three developments that matter most right now, and what each one requires you to do.
1. Personal Liability Is No Longer Theoretical
The most significant change in AI enforcement is not the size of the fines. It is who is being held responsible for paying them.
In a landmark GDPR action, the Dutch Data Protection Authority pursued Clearview AI's directors for personal liability alongside a €30.5 million corporate fine for illegal biometric data scraping. The message was deliberate: regulators are no longer content to fine a legal entity and move on. They are looking at the individuals who made the decisions.
Courts are doing the same. In early 2026, appellate courts in the UK (UKUT 81), Singapore, and Argentina each ruled independently that supervising professionals face direct personal sanctions when junior staff submit AI-generated content — including hallucinated case citations or fabricated data — without adequate verification. Critically, the judgments found that supervisors bear greater culpability than the junior staff who produced the error, precisely because they failed to check the output before it went out the door.
For a senior solicitor, a partner at an accountancy practice, or a director at an HR consultancy, this is not abstract. If a member of your team uses an AI tool to draft advice, prepare a report, or generate a candidate assessment, and that output contains a material error that harms a client, you may face personal sanctions if you cannot demonstrate that you reviewed and verified what was submitted.
UKUT 81 went further still. The ruling found that uploading client data to open-source or consumer-facing AI systems legally constitutes a breach of client confidentiality and a waiver of legal privilege. This effectively rules out using publicly available AI tools for any work involving sensitive client information.
What this requires of you: Invest in closed, privilege-safe AI environments that do not expose client data to third-party training pipelines. Establish mandatory human verification workflows for any AI-assisted output before it reaches a client or a court. Document those workflows. The question regulators and judges will ask is not whether you used AI — it is whether you had adequate controls in place when you did.
2. Algorithmic Decisions Now Require Plain-Language Explanations
If your firm uses automated decision-making in any meaningful capacity — credit assessments, hiring filters, client risk scoring, pricing models — a recent ruling from the Court of Justice of the European Union has changed what affected individuals are entitled to know.
In the Dun & Bradstreet case, the CJEU ruled that organisations cannot use trade secrets as a blanket refusal when individuals request meaningful explanations of how an automated system reached a decision about them. The operative word is meaningful. A generic description of your model architecture will not satisfy the obligation. Affected individuals are entitled to a concise, plain-language account of the logic involved and why it produced the outcome it did in their specific case.
This ruling has immediate relevance for professional services firms. Accountancy and advisory firms using AI to assess client creditworthiness or financial risk, HR consultancies running AI-assisted screening, and marketing agencies using behavioural profiling tools are all within scope. The obligation to explain exists whether or not you consider the underlying logic to be commercially sensitive.
Where genuine trade secrets are at stake, the ruling does not require you to publish proprietary detail publicly. However, it does require that you establish protocols to share that logic securely with regulators when requested, so that a proper balancing test can be conducted. "We cannot tell you" is no longer an acceptable answer on its own.
What this requires of you: Audit every automated decision-making system in use across your firm. For each one, build a clear explanation protocol — a process by which affected individuals can receive a plain-language account of the decision within a defined timeframe. If trade secrets are a genuine concern, take legal advice on how to structure secure disclosure to regulators. Do not wait for a complaint before designing this process.
3. Incoming EU Rules Will Extend Your Compliance Obligations and Liability Exposure
Even for firms operating primarily in the UK, the EU's regulatory trajectory matters. Many UK professional services businesses have EU clients, EU staff data, or EU-facing operations. The following changes are incoming and will affect you directly or through your supply chain.
The proposed Digital Omnibus on AI establishes fixed compliance deadlines for high-risk AI systems under the EU AI Act: December 2027 for employment and credit scoring systems, and August 2028 for AI embedded in regulated products. More immediately, the deadline for machine-readable watermarking on AI-generated content has been brought forward to November 2026. If your firm produces or distributes AI-generated material — marketing content, client reports, drafted communications — you need to understand how these transparency requirements will apply and whether your current tooling can support compliant marking.
Alongside this, the revised Product Liability Directive, which EU member states must transpose by December 2026, classifies AI software as a product and introduces strict, no-fault civil liability for defective AI systems. Victims are no longer required to prove negligence. If the AI system caused harm and the provider failed to disclose relevant system evidence, a presumption of defectiveness applies. This fundamentally changes the risk calculus for any firm deploying AI in client-facing or decision-making contexts.
Finally, guidance from Spain's data protection authority, the AEPD, on agentic AI — autonomous tools that take actions across systems without step-by-step human instruction — makes clear that delegating decisions to an AI agent does not reduce a firm's liability as data controller. If you are exploring or already using agentic AI tools, you must rigorously map third-party API data flows, enforce strict retention policies on agent memory, and maintain active human oversight of what those agents are doing and why.
What this requires of you: Begin scoping your AI systems against the EU AI Act's Annex III categories now, even if your deadlines feel distant. Review supplier contracts to understand how liability flows if an AI product causes harm. Treat agentic AI deployments as a distinct governance challenge requiring their own controls.
The Direction of Travel Is Clear
Regulators and courts are not waiting for the technology to mature before they assign responsibility. Personal liability for AI errors is already being enforced. Explainability obligations are already being litigated. Liability for defective AI systems will be strict within 18 months.
Professional services firms that treat AI governance as an operational afterthought are accumulating risk. Those that build structured, documented compliance frameworks now will be better protected — and better positioned to demonstrate responsible practice to clients who are increasingly asking for exactly that.
Ops Intel works with UK professional services firms to assess AI risk, design compliance frameworks, and implement practical governance that holds up under regulatory scrutiny.
If you want to understand where your current AI deployments create liability exposure, contact the Ops Intel team to arrange a compliance review. We will give you a clear picture of where you stand and what needs to change.