AI Compliance Checklist for Professional Services Firms: What to Do Before the June 30 Deadline

The AI Regulatory Landscape in 2026: What Professional Services Firms Need to Know

If you have been half-reading the AI compliance news and feeling a growing low-grade anxiety about what your firm is supposed to be doing, you are not alone. The regulatory environment for AI has moved fast, the headlines are often misleading, and the language in the actual rules is written for lawyers — not for the owners of 12-person firms who are just trying to use AI responsibly.

Here is the honest overview: most of the regulation that has passed so far applies either to large technology companies or to high-risk automated decision systems. The majority of professional services firms using AI for drafting, research, client communication, and administrative work are not the primary targets. But you are not entirely in the clear — because your professional associations (the ABA, AICPA, and state bars) have been issuing guidance that does apply to you, regardless of whether a statute requires it.

The map of what you need to know in 2026 breaks into four areas:

• •State AI laws — Colorado's AI Act is the most relevant. Several other states are following.
• •The EU AI Act — only matters if you have EU clients or use EU-regulated AI tools. Most small US firms: low direct impact.
• •Professional association guidance — ABA Opinion 512 for lawyers, AICPA AI Framework for accountants. These matter now and are not optional.
• •Client disclosure — what you are required or expected to tell clients about AI use in their matters.

We will go through each one specifically.

Colorado AI Act: Does It Apply to Your Firm?

Colorado's AI Act (Senate Bill 24-205) went into effect February 1, 2026, making Colorado the first US state with a comprehensive AI law. It has received outsized attention because of that first-mover status, but most professional services firms will find its direct application narrower than the headlines suggest.

The Act focuses on high-risk AI systems — defined as AI systems that make or substantially support “consequential decisions” about Colorado residents. Consequential decisions are defined to include decisions about education, employment, financial services, healthcare, housing, insurance, and legal services that have a significant effect on a person's rights, opportunities, or access to essential services.

For a small professional services firm, the practical threshold question is this: Is AI making a consequential decision about a client, or is AI assisting a professional who makes the decision? If a lawyer uses AI to draft a contract and the lawyer reviews and finalizes it, the lawyer is making the consequential decision and the Act's high-risk provisions likely do not apply. If an AI system automatically approves or denies a loan application without meaningful human review, that is high-risk.

The Act does impose obligations on “deployers” — any business that uses a high-risk AI system — including impact assessments, disclosure obligations, and anti-discrimination provisions. If your firm is Colorado-based and uses AI in any workflow that touches legal, financial, or employment decisions about clients or employees, you should have a lawyer review whether any of those tools qualify as high-risk systems under the Act's definitions. The review for most firms will be straightforward and will likely confirm that general-purpose AI writing and research tools fall outside the high-risk category.

EU AI Act: What US-Based Firms Need to Know

The EU AI Act became fully applicable in August 2026. It is the world's most comprehensive AI regulation, and it has extraterritorial reach — it applies to any organization that offers AI systems or AI-enabled services to EU users, or whose AI outputs affect people in the EU.

For most US-based professional services firms with a purely domestic client base, the EU AI Act does not apply. If your firm has no EU clients, partners, or employees, you can monitor this one rather than act on it now.

If you do have EU exposure — a client headquartered in Europe, an employee working remotely from an EU country, or services provided to an EU-based entity — the relevant questions are:

• 1.Do any of your AI tools fall into the Act's high-risk categories? Annex III of the Act lists specific high-risk uses including AI systems for legal interpretation, credit scoring, and employment decisions. Most general-purpose writing and research tools do not qualify.
• 2.Are your AI tool vendors compliant? The primary compliance burden under the EU AI Act falls on AI system providers (the companies building the tools), not on deployers using those tools for standard professional services work. Confirm with your major AI vendors that their tools are registered and compliant where required.
• 3.Do you need to update client-facing disclosures for EU clients? The Act requires transparency about AI use in certain contexts, particularly AI-generated content and AI-assisted decisions that affect individuals.

The honest assessment: for the vast majority of small US professional services firms, the EU AI Act is a “monitor and confirm vendor compliance” situation, not an immediate compliance emergency.

ABA Formal Opinion 512 and State Bar AI Guidance: The Lawyer's Compliance Checklist

ABA Formal Opinion 512, issued in July 2024, is the most consequential professional guidance for law firms using AI. It does not create new rules — it interprets how the existing Model Rules of Professional Conduct apply to generative AI use. But that interpretation has teeth, because the underlying rules are enforceable and state bars are increasingly paying attention.

The Opinion establishes four core obligations for lawyers using generative AI:

1. Competence (Rule 1.1). A lawyer must understand the AI tool they are using well enough to evaluate its output critically. You cannot submit AI-generated work product without meaningful review. The Opinion notes that this does not require technical expertise, but it does require understanding the tool's limitations — including its tendency to generate confident-sounding errors (hallucinations) in legal research.

2. Confidentiality (Rule 1.6). Do not enter client confidential information into AI tools that use input data to train their models unless you have client consent and a data processing agreement with the vendor. This is the rule most commonly violated at small firms — not out of bad faith, but because nobody checked the terms of service. Review your AI tools' data handling policies now.

3. Supervision (Rule 5.3). If non-lawyer staff or contract workers are using AI to produce work product on client matters, a supervising lawyer is responsible for the output. You cannot delegate quality control to the AI tool itself. The supervising lawyer must review AI-assisted work before it goes to the client.

4. Disclosure. The Opinion says disclosure of AI use is required when a reasonable client would want to know — which the ABA interprets as situations where AI substantially generates work product the client relies on, or where AI is used in ways that implicate confidentiality. The practical approach: update your engagement letter to describe how your firm uses AI tools. This converts a potential disclosure obligation into a transparent upfront conversation.

AICPA AI Guidelines for Accountants: What's Required, What's Recommended

The AICPA has taken a more principles-based approach to AI guidance than the ABA, releasing its AI Framework for CPA firms in late 2024 and updating it in early 2026. Unlike the ABA Opinion, the AICPA guidance does not attach to a specific enforceable rule — but it reflects the direction state CPA boards are moving in, and it is the framework that peer reviewers and disciplinary bodies will reference when questions arise.

The AICPA Framework focuses on five areas:

Professional skepticism. Accountants must apply the same critical evaluation to AI-generated output that they would apply to any other source of information. AI outputs should be treated as a starting point, not a conclusion. This is especially important in audit — AI that analyzes 100% of transactions can surface anomalies humans would miss, but the interpretation and professional judgment remain the accountant's responsibility.

Data privacy and client confidentiality. The Framework requires firms to establish and document policies for what client data may be entered into AI systems, under what conditions, and with what vendor data protections in place. For firms handling tax returns, financial statements, and payroll data, this is not optional — it is a basic fiduciary responsibility.

Transparency with clients. The AICPA recommends — and state boards are beginning to require — that engagement letters disclose the firm's use of AI tools and describe how client data is protected when AI is involved in service delivery.

Quality control. Firms should have documented policies for reviewing AI-generated work product before delivery. The standard of review should be no less rigorous than for work produced by a junior staff member.

Ongoing education. The Framework expects CPAs to maintain competency in the AI tools they use — both technically (understanding what the tool does and does not do) and ethically (staying current with evolving guidance from the AICPA and state boards).

AI Client Disclosure: What You Must Tell Clients (and What's Best Practice)

The disclosure question is the one that makes most firm owners uncomfortable — not because they are hiding anything, but because nobody knows exactly where the line is. Here is the practical breakdown.

What is currently required: For lawyers in states that follow ABA Opinion 512, disclosure is required when AI substantially generates work product the client will rely on, or when AI use implicates confidentiality. For accountants, disclosure is required when AI tools process personal financial data, and the AICPA recommends it for any material AI use in service delivery. In Colorado (and likely soon in other states), disclosure may be required by statute when high-risk AI systems are involved in decisions affecting clients.

What is best practice (and increasingly standard): Add a clear AI use disclosure to your engagement letter. The leading language firms are using in 2026 covers three things: (1) a description of how AI tools are used in service delivery; (2) a statement that all AI-generated work product is reviewed by a licensed professional before delivery; and (3) a description of how client data is protected when processed by AI systems. Firms that have added this language report that clients receive it positively — it reads as a sign of modernity and rigor, not as a red flag.

Your 5-Step AI Compliance Checklist for Professional Services Firms

Most small professional services firms can complete this checklist in a single afternoon. It covers the minimum required actions for 2026 compliance — not a comprehensive risk management program, but the floor that any firm using AI tools should have in place.

1. 1. Inventory your AI tools

   Make a list of every AI tool your firm uses, who uses it, what tasks it is used for, and what data it touches. Include tools your team uses informally (ChatGPT, Copilot, Gemini) as well as tools embedded in your practice management, tax prep, or document management software. You cannot manage compliance for tools you do not know about.

2. 2. Review data handling policies for each tool

   For each AI tool that touches client data, confirm: (a) does the tool use input data for model training? (b) is there a data processing agreement (DPA) available? (c) does the tool meet your jurisdiction's data protection requirements? Tools that use inputs for training without client consent are a professional responsibility risk. Most major AI providers now offer enterprise tiers that disable training on user inputs — confirm this before entering client data.

3. 3. Update your engagement letter

   Add an AI disclosure clause to your standard engagement letter that describes how your firm uses AI tools, confirms that AI-generated work is reviewed by a licensed professional, and describes your client data protection practices. This is the single highest-leverage compliance action available to small firms — it converts a potential obligation into proactive transparency that most clients appreciate.

4. 4. Establish a review-before-delivery policy

   Document a firm-wide policy that AI-generated work product requires professional review before it is delivered to clients. The policy does not need to be long — one paragraph is enough. What matters is that it is written down, communicated to staff, and consistently followed. This is what your professional liability carrier will ask about if an AI-related error reaches a claim.

5. 5. Assign someone to track regulatory updates quarterly

   AI regulation is moving fast. Assign one person at your firm — an owner, partner, or office manager — to check for updates from your professional association (ABA, AICPA, state bar or CPA board) every quarter. This does not require hours of reading; most associations now publish AI guidance summaries. Add it to your calendar as a 30-minute quarterly review. The firms that get caught flat-footed by new requirements are usually the ones with nobody assigned to watch for them.

FAQ: AI Regulation Questions from Professional Services Firm Owners