The Vendor Defence Is Dead: AI Liability for UK Professional Services in 2025–2026
For years, professional services firms have operated under a comfortable assumption: if an AI tool goes wrong, the liability sits with the vendor. That assumption is now legally untenable. Across the UK, Europe, and beyond, regulators and courts have made their position unambiguous — the organisation that deploys an AI system is responsible for what that system does. Pointing at the software provider is no longer a defence. It is barely even an argument.
This is not a future risk to monitor from a distance. Enforcement is live, penalties are severe, and the professional services sector — solicitors, accountants, HR consultancies, marketing agencies — is directly in the frame.
What Has Changed and Why It Matters Now
The regulatory landscape shifted decisively in early 2025. The EU AI Act's initial provisions came into force on 2 February 2025, immediately banning practices such as workplace emotion recognition and introducing mandatory AI literacy requirements for any staff who work with AI systems. These are not aspirational guidelines. They are enforceable obligations. By 2 August 2026, the Act's full regime for high-risk AI systems becomes enforceable, with penalties reaching €35 million or 7% of global annual turnover — whichever is higher.
UK firms should not assume that post-Brexit distance insulates them. The ICO has already demonstrated it will act. It fined Advanced Computer Software Group £3 million for security failures and hit Reddit with a £14.47 million penalty for children's privacy violations. These are data processor cases, not AI-specific rulings, but they illustrate the ICO's willingness to hold organisations directly accountable for systemic failures in how they handle data — including data processed by third-party systems. The SRA is separately investigating solicitors for inputting confidential client information into consumer-grade AI tools. That investigation is ongoing and active.
The GDPR enforcement picture across Europe reinforces the direction of travel. Clearview AI received a €30.5 million fine for biometric data scraping. LinkedIn was penalised €310 million for covert behavioural profiling. These are not outliers. They are the new baseline.
The Hidden Cost of Shadow AI
One of the most significant and least-discussed liability vectors in professional services is shadow AI: the unsanctioned use of AI tools by employees acting outside firm policy, or in the absence of any policy at all.
The numbers are stark. Research indicates that uncontrolled shadow AI usage adds an average of £670,000 to the cost of a data breach. For professional services firms, the average total cost of a data breach already sits at approximately $5.08 million. Shadow AI is not a peripheral concern — it is a material cost multiplier.
The mechanism is straightforward. An employee, under time pressure, uploads a client document to a consumer-grade generative AI platform to summarise it or draft a response. No vetting has taken place. No data processing agreement exists with that platform. Client confidentiality has potentially been breached, and depending on the nature of the matter, attorney-client privilege may have been waived.
This is not a hypothetical. In February 2026, the US ruling in United States v. Heppner established that uploading confidential client information into consumer AI constitutes a legal waiver of attorney-client privilege. UK law has not yet produced an equivalent ruling, but the SRA's active scrutiny of ChatGPT usage by solicitors signals that domestic regulators are pursuing precisely this question.
Hallucinations Are a Professional Liability Issue
If shadow AI represents the hidden risk, AI-generated hallucinations represent the visible one. Courts in the United States have now issued a series of severe sanctions against legal practitioners who submitted AI-generated case citations that did not exist. Penalties have included a $30,000 appellate fine, a $59,500 fine at trial court level, and $5,000 in sanctions against the firm Morgan & Morgan.
UK solicitors and barristers operate under equally robust professional conduct obligations. Submitting inaccurate information to a court — regardless of whether a human or a machine generated it — remains the responsibility of the practitioner. The AI tool is not your professional indemnity policy. Reliance on AI output without verification is not a mitigation. It is the conduct being sanctioned.
The same principle applies to accountants producing AI-assisted reports and to HR consultancies using automated scoring tools in recruitment. If the output is wrong, the professional bears the consequence.
Recruitment and HR: A Specific and Growing Exposure
HR teams and recruitment agencies using AI-powered screening tools face a distinct and rapidly developing area of liability. In the United States, the Department of Justice fined a firm for AI job postings that unlawfully excluded protected categories of workers. Class actions targeting algorithmic discrimination in hiring — including Mobley v. Workday and the 2026 case Kistler v. Eightfold AI — are actively testing the boundaries of employer liability when AI systems make or influence employment decisions.
The UK's Equality Act 2010 does not distinguish between a decision made by a human and one made by an algorithm that a human implemented. If an AI screening tool systematically disadvantages candidates on the basis of a protected characteristic, the organisation deploying it is liable. The fact that the tool was purchased from a vendor is, again, not a defence.
What Firms Must Do
The compliance requirements that follow from all of this are not optional enhancements to existing processes. They are the minimum standard of responsible practice for 2025 and beyond.
Ban unvetted consumer AI immediately. No employee should be permitted to input client or candidate data into any AI platform that has not been assessed, approved, and covered by appropriate contractual protections. This requires a written policy, not an assumption.
Implement mandatory human-in-the-loop verification. Every AI-generated output that will be relied upon professionally — legal research, financial analysis, recruitment scoring, marketing copy submitted to a regulated client — must be reviewed and verified by a qualified human before use. This is not optional; it is the basis on which professional liability can be defended.
Conduct an AI audit across your entire toolset. Many firms are running AI-enabled systems — in their practice management software, their email platforms, their document tools — without having formally assessed them. Each of these represents a potential liability if the system processes personal data or influences a professional output.
Secure explicit client consent for AI use. Where AI tools are used in the delivery of client services, clients should be informed and their consent obtained. The ABA's Formal Opinion 512 establishes this standard for legal practitioners in the US; equivalent obligations under UK professional conduct rules and GDPR apply domestically.
Train your staff. The EU AI Act mandates AI literacy training for employees. More practically, staff who understand the risks are substantially less likely to introduce shadow AI into your firm's workflows.
The window for treating AI compliance as a future consideration has closed. The enforcement actions, judicial sanctions, and regulatory investigations covered here are not warnings of what might happen. They are a record of what is already happening to firms that did not act in time.
Ops Intel works with UK professional services firms to build AI compliance frameworks that are practical, proportionate, and legally defensible. If your firm does not yet have a clear position on AI governance, now is the time to establish one.
Contact Ops Intel to book a compliance assessment and understand exactly where your firm's AI exposure sits.
Work with Ops Intel
Need help navigating AI compliance?
We build AI compliance frameworks and automation systems for professional services firms worldwide. Book a free 30-minute call or email us directly.