
Compliance 25 May 2026 6 min read

AI Privilege Waivers and Malpractice: What UK and US Professional Services Need to Know in 2026

The AI compliance landscape has shifted from theoretical risk to active liability. Courts are sanctioning lawyers for fabricated citations. Regulators are probing solicitors for uploading client documents to consumer chatbots. Employees are quietly using unsanctioned AI tools that add hundreds of thousands of pounds to the cost of a data breach. For UK and US professional services firms — solicitors, accountants, HR consultancies, marketing agencies — the question is no longer whether AI creates legal exposure. It is whether your firm is already exposed without knowing it.

This briefing cuts through the noise and focuses on what matters most right now: privilege waivers, malpractice risk, and the practical steps your firm needs to take before August 2026's regulatory deadlines arrive.


The Privilege Problem Nobody Is Talking About Loudly Enough

In the United States, the ruling in United States v. Heppner established a precedent that should alarm every fee earner using consumer-grade AI tools: conversations with platforms such as ChatGPT are not protected by attorney-client privilege. The logic is straightforward. Privilege requires confidentiality. Consumer AI tools are third-party services with their own data retention and training policies. Uploading a client's sensitive documents to such a platform is, in effect, disclosing those documents to a third party. The practical test is therefore the provider's terms: whether prompts and uploads are retained, reviewed by the provider's staff, or used to train models, and whether the firm holds a contract that changes those consumer defaults.

This is not a US-only concern. The Solicitors Regulation Authority in the UK is actively investigating solicitors for exactly this behaviour — breaching client confidentiality by feeding privileged material into unvetted AI tools. The SRA has been explicit: existing professional conduct obligations apply fully to AI use. There is no carve-out for convenience.

For accountants and HR consultancies, the exposure is equally real, even if the framing differs. Uploading payroll data, client financial records, or candidate information to a consumer AI tool may constitute a breach of your data processing obligations under the UK GDPR and, increasingly, the Data (Use and Access) Act 2025, whose provisions on automated decision-making are being brought into force in stages. The regulatory direction of travel is clear: confidentiality obligations follow the data, not the tool you happen to be using.


Hallucinated Citations Are a Disciplinary Matter, Not Just an Embarrassment

AI hallucination — where a model generates plausible-sounding but entirely fabricated outputs — has moved from a curiosity to a courtroom crisis. In the US, lawyers have faced fines of $59,500 at trial court level and $30,000 at federal appellate level for submitting AI-generated case citations that did not exist. In the UK, there are now 18 documented cases of AI-fabricated citations resulting in sanctions against legal professionals.

These are not edge cases involving reckless individuals. They are the predictable result of treating AI output as a finished product rather than a first draft requiring expert verification. The professional who signs the document owns the error. Courts are unsympathetic to the explanation that an AI produced the mistake. That defence has, in fact, made penalties worse in several instances.

For solicitors, barristers, and legal teams within accountancy or HR firms, the implication is unambiguous: any AI-assisted work product must be subject to mandatory human-in-the-loop review before it is used, filed, or shared with a client. This is not optional good practice. It is the minimum standard required to avoid disciplinary action.


HR and Recruitment Teams Are in the Crosshairs

The enforcement focus on algorithmic bias in hiring is intensifying on both sides of the Atlantic. In the US, the Department of Justice recently fined Elegant Enterprise for AI-generated job postings that unlawfully excluded certain workers. Two significant class actions — Mobley v. Workday and Kistler v. Eightfold AI — are testing whether AI screening tools can expose employers to discrimination claims and Fair Credit Reporting Act liability respectively.

For UK HR consultancies and in-house HR teams, the principle translates directly. Using an AI tool to screen CVs, score candidates, or generate job descriptions without human review and documented justification creates material risk under the Equality Act 2010. Automated systems can encode and amplify existing bias without anyone deliberately programming them to do so. If your firm advises clients on recruitment processes, or runs them internally, you need a clear audit trail demonstrating that human judgement was applied at every decision point.

The Data (Use and Access) Act 2025 is also relevant here, extending and clarifying individual rights in relation to automated decision-making. Firms that cannot explain how an AI-assisted decision was reached are increasingly going to find themselves unable to defend it.


Shadow AI Is Your Biggest Unmanaged Risk

The compliance conversation often focuses on the tools a firm officially adopts. The greater threat is the tools it does not know its staff are using. IBM's 2025 Cost of a Data Breach Report found that 97% of organisations that suffered an AI-related breach lacked proper AI access controls, and that shadow AI (unsanctioned tools used by employees without IT or compliance oversight) adds an average of $670,000 to breach costs. In the professional services sector, the average cost of an AI-related breach has reached $5.08 million.

The mechanism is straightforward. An employee discovers that a free consumer AI tool helps them draft reports faster. They begin uploading client data. Because the upload happens in a browser session to a third-party service, the firm's own systems hold no record of it unless web-proxy or DNS logs are being kept and reviewed. Nobody notices until a breach occurs, at which point the firm discovers it had no visibility into how client information was being processed or where it was being stored.

Addressing shadow AI requires more than a policy. It requires a combination of clear acceptable use guidelines, technical controls that block or log access to unsanctioned platforms, and a sanctioned alternative: access to vetted, professional-grade AI tools that do the job without creating compliance exposure. If staff do not have a sanctioned alternative that meets their needs, they will find their own.


The Regulatory Timetable Is Not Waiting

For firms with European clients or EU-facing operations, the EU AI Act's high-risk obligations take effect in August 2026. Mandatory AI literacy requirements for staff came into force in February 2025. Marketing agencies using AI for targeting or profiling, HR firms using AI for candidate screening, and legal teams using AI for document analysis may all be operating in scope.

In the UK, the regulatory picture is less centralised but no less serious. The SRA, ICO, and FRC are all signalling increased scrutiny. The DUAA 2025 is in active rollout. And unlike a speculative future risk, there are already firms facing investigation and sanction.


What Your Firm Should Do Now

Three actions address the majority of the risk described above. First, ban unvetted consumer AI tools and replace them with professional-grade alternatives that offer clear data processing agreements, a contractual commitment not to train on your inputs, defined retention periods, and documented security controls. Second, implement mandatory human-in-the-loop verification for any AI output before it is used in client work, filed, or communicated externally. Third, conduct an internal audit of where AI is currently being used across your firm, including by staff who may not have declared it; the firm's web-proxy or DNS logs are usually the only record of that undeclared use.
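The audit in the third step, and the shadow AI mechanism described earlier, both come down to one question: which staff are sending data to which consumer AI services, and how much? The script below is an added example, not code from Ops Intel or from this briefing. It assumes a simple space-separated web-proxy log (timestamp, client IP, method, URL, HTTP status, bytes sent by the client), a hypothetical sanctioned endpoint `ai.internal.example`, and an illustrative list of consumer AI domains; the sample log lines are constructed for the example. It aggregates requests to unsanctioned AI hosts per client and flags large uploads, which is the signal that documents, not just questions, are leaving the firm.

```python
"""Shadow AI discovery from web-proxy logs.

Added example; not code from Ops Intel or from the article. It assumes a
simple space-separated proxy log (timestamp, client IP, method, URL, HTTP
status, bytes sent by the client) and a hypothetical allow-list of the
firm's sanctioned tools. Domain lists and sample lines are illustrative.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: the firm's vetted, contracted AI endpoint (hypothetical host).
SANCTIONED_HOSTS = {"ai.internal.example"}

# Illustrative consumer AI domains to watch; maintain your own list.
CONSUMER_AI_SUFFIXES = (
    "chatgpt.com", "openai.com", "claude.ai", "anthropic.com",
    "gemini.google.com", "perplexity.ai",
)

# One line per request: ts client method url status request_bytes
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<req_bytes>\d+)$"
)

# Constructed sample traffic (not real logs). The malformed last line is
# deliberate: real logs contain junk and the parser must skip it.
SAMPLE_LOG = """\
2026-05-20T09:01:12Z 10.0.4.17 GET https://intranet.example/home 200 512
2026-05-20T09:03:45Z 10.0.4.17 POST https://chatgpt.com/backend-api/conversation 200 184320
2026-05-20T09:05:02Z 10.0.4.22 POST https://ai.internal.example/v1/chat 200 20480
2026-05-20T09:07:31Z 10.0.4.17 POST https://chatgpt.com/backend-api/files 200 2097152
2026-05-20T09:09:10Z 10.0.4.31 GET https://claude.ai/ 200 1024
2026-05-20T09:11:58Z 10.0.4.31 POST https://claude.ai/api/chat_conversations 200 65536
this line is malformed and must be skipped
"""


@dataclass
class Finding:
    client: str
    host: str
    requests: int = 0
    uploads: int = 0            # POST/PUT requests: data leaving the firm
    bytes_uploaded: int = 0
    large_upload: bool = False  # any single upload at or over the threshold


def parse_line(line):
    """Return a dict for a well-formed line, or None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["req_bytes"] = int(rec["req_bytes"])
    return rec


def is_consumer_ai(host):
    """True for an unsanctioned consumer AI host (exact or subdomain match)."""
    host = host.lower()
    if host in SANCTIONED_HOSTS:
        return False
    return any(host == s or host.endswith("." + s) for s in CONSUMER_AI_SUFFIXES)


def find_shadow_ai(log_text, upload_threshold=1_000_000):
    """Aggregate consumer-AI traffic per (client, host) from a proxy log."""
    findings = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host = (urlsplit(rec["url"]).hostname or "").lower()
        if not is_consumer_ai(host):
            continue
        key = (rec["client"], host)
        f = findings.setdefault(key, Finding(rec["client"], host))
        f.requests += 1
        if rec["method"] in ("POST", "PUT"):
            f.uploads += 1
            f.bytes_uploaded += rec["req_bytes"]
            if rec["req_bytes"] >= upload_threshold:
                f.large_upload = True
    return findings


def report(findings):
    """Human-readable summary, most bytes uploaded first."""
    rows = sorted(findings.values(), key=lambda f: -f.bytes_uploaded)
    return [
        f"{f.client} -> {f.host}: {f.requests} requests, {f.uploads} uploads, "
        f"{f.bytes_uploaded} bytes{' [LARGE UPLOAD]' if f.large_upload else ''}"
        for f in rows
    ]


if __name__ == "__main__":
    for line in report(find_shadow_ai(SAMPLE_LOG)):
        print(line)
```

Run against a real export, the output is a short list of (client, host) pairs to follow up with the individuals concerned rather than a block list: the point of the audit is to discover who needs the sanctioned alternative. The upload threshold is a tuning knob; a 2 MB POST to a consumer chatbot is far more likely to be a client document than a typed question.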

None of this requires a large budget. It requires clear policy, the right tools, and accountability.


Ops Intel Can Help

Ops Intel works with UK professional services firms to build practical, defensible AI compliance frameworks — from policy drafting and staff training to tool vetting and audit support. If your firm is using AI without a clear governance structure, now is the time to act.

[Book a compliance consultation with Ops Intel today] and find out exactly where your exposure lies and how to close it before it becomes a regulatory matter.
