Why SA Professional Firms Need an AI Use Policy in 2026

By mid-2026, almost every SA professional services firm has integrated some form of generative AI into the work they deliver to clients. Drafts are produced with AI assistance. Research is augmented by AI summary tools. Code reviews, contract reviews, design iterations, financial models, and client communications all routinely involve AI somewhere in the workflow. The productivity gains have been real. The legal, regulatory, and indemnity implications, however, are only now starting to surface in claim conversations and renewal discussions with insurers.

Three forces are converging in 2026. South Africa’s Department of Communications and Digital Technologies has signalled forthcoming AI governance requirements. The Information Regulator continues to interpret POPIA in ways that touch AI-driven processing. And EU regulators are enforcing extraterritorial AI rules that catch SA firms serving EU clients. For SA professional services firms, the question is no longer whether AI changes their liability profile. It does. The question is what they need to disclose, document, and insure to protect themselves and their clients. All cover discussed here is subject to underwriting and final policy wording.

TL;DR

  • SA professional services firms using AI in client work face emerging disclosure obligations under POPIA, sector regulators, and (for firms serving EU clients) the EU AI Act.
  • Most existing professional indemnity policies in SA do not explicitly address AI-generated content. Whether AI errors are covered depends on how the policy defines the insured’s “professional services” and what it excludes.
  • Client engagement letters issued before 2025 typically do not address AI use, AI-driven errors, or AI training data exposure. Firms still operating on those letters carry contractual ambiguity.
  • Claims trends in 2026 are already showing AI-augmented errors in legal drafting, medical advice, engineering calculations, and financial models. Insurers are responding with AI-specific exclusions and endorsements.
  • The cost of fixing this is small (engagement letter update, policy review, internal AI use policy). The cost of not fixing it shows up at the first AI-related claim.

The 2026 SA regulatory landscape for AI in professional services

South Africa does not yet have a single dedicated AI statute, but the regulatory environment in 2026 is more clearly defined than it was 18 months ago. Several developments matter for professional services firms.

POPIA enforcement is sharpening on AI processing. The Information Regulator has issued multiple enforcement notices in late 2025 and early 2026 relating to automated decision-making, AI-driven profiling, and the use of personal information as AI training data. POPIA section 71 specifically restricts automated decision-making that has legal or significant effect on a data subject, and the Regulator’s interpretation is now actively applied to AI-assisted professional advice, particularly in financial services, healthcare, and legal services.

Sector regulators are issuing AI guidance. The FSCA has issued draft principles for AI use in financial services. The Health Professions Council is consulting on AI-assisted clinical decision support. The Legal Practice Council has issued ethics circulars on AI in legal practice. Each sector’s guidance differs in detail but shares common themes: human oversight, disclosure, accuracy verification, and accountability.

Department of Communications and Digital Technologies signals. The Department has publicly committed to publishing an AI policy framework in 2026, with a consultative draft already circulated. The framework is expected to introduce AI risk categorisation, transparency requirements, and possibly mandatory disclosure for AI use in high-stakes decisions.

The cumulative effect is that SA professional services firms cannot wait for a single law to crystallise. The regulatory exposure is already present through POPIA, sector regulators, and contractual obligations.

What needs to be disclosed and to whom

“Disclosure” in the AI context covers several distinct audiences and obligations. Each matters for different reasons.

To clients

Where AI tools have materially contributed to deliverables provided to a client (legal opinion, medical report, engineering calculation, financial model, marketing copy), the prudent position is to disclose this in writing. The disclosure protects the firm in three ways. First, it prevents the client from later arguing that they assumed the work was fully human-produced. Second, it shifts the conversation about residual risk to a documented baseline. Third, where a claim arises, the disclosure establishes that the AI involvement was not concealed.

The form of disclosure varies by service. A short clause in the engagement letter setting out the firm’s AI use policy is one approach. A specific notation on each AI-assisted deliverable is another. The choice depends on the type and frequency of AI involvement.

To regulators

Where AI is used in a way that triggers sector regulatory obligations (FSCA financial advice, HPCSA clinical assessment, LPC legal advice), the firm must follow the disclosure rules of the regulator concerned. These are evolving, and the safe default is to over-disclose rather than under-disclose pending clearer guidance.

To insurers

At renewal, professional indemnity insurers are increasingly asking about AI use in the proposal form. Honest, specific disclosure protects the cover. Generic answers (“we use AI tools sometimes”) risk being interpreted as material non-disclosure if a claim later arises involving an undisclosed AI workflow.

To data subjects

POPIA requires data subjects to be informed when their personal information is being processed for automated decision-making. If your AI workflow processes client data to generate advice or decisions, the data subject (your client, or in some cases your client’s customers) needs to be informed in a manner consistent with POPIA section 18.

The five professional indemnity questions every firm should answer this quarter

Professional indemnity policies issued before 2024 generally do not address AI explicitly. Whether they respond to an AI-related claim depends on five questions that every SA professional services firm should answer this quarter.

1. Does the policy define “professional services” broadly enough to include AI-assisted work? If the definition references specific services or activities, AI-augmented versions of those services should fall within the definition. If the definition is silent or ambiguous, this needs clarification at renewal.

2. Does the policy exclude “automated processes” or “algorithmic decision-making”? Some older PI wordings have exclusions written in a pre-AI context that could be read to exclude AI-assisted work. Where this exclusion exists, an explicit AI carve-back is needed.

3. Does the policy cover liability arising from third-party AI tools? Where the firm’s AI workflow uses third-party AI APIs (OpenAI, Anthropic, Google, Microsoft Copilot), the firm may face liability for outputs that originated from those tools. The policy needs to respond to errors that arise even where the firm itself used the tool properly.

4. Are intellectual property claims arising from AI-generated content covered? AI-generated text, images, code, and designs can inadvertently reproduce training data, creating copyright or trademark claims. Where the firm delivers such content to a client, the firm may face indemnity claims from the client if a third party sues for infringement. PI policies vary in how they address this; explicit AI-specific IP cover is becoming a recommended endorsement.

5. Does the policy address regulatory investigations triggered by AI use? POPIA investigations, FSCA inquiries, HPCSA proceedings, and LPC reviews can all be triggered by AI-related complaints. Whether the PI policy responds to defence costs in regulatory matters depends on the wording. Many SA PI policies have regulatory defence extensions; check whether AI-related regulatory matters fall within the scope.

See our existing guidance on professional indemnity for engineers and consultants and PI for allied health and telemedicine for related limit and retro-date considerations.

Engagement letter clauses for AI-assisted work

Most SA professional firms are still using engagement letters drafted before 2024. These letters typically do not address AI in any form. The addition of a short AI clause closes a gap that may matter at claim time.

A balanced AI clause typically addresses:

  • Disclosure of AI use. “The firm may use artificial intelligence tools to assist in the preparation, review, or delivery of services. The firm remains responsible for the work product and maintains human oversight of AI-generated content.”
  • Client consent or acknowledgement. Where the client’s data may be processed through AI tools, a specific acknowledgement is appropriate.
  • Third-party AI tools. A statement that the firm may use third-party AI services and that the firm’s responsibility relates to the integrated work product, not to defects in the underlying tools.
  • Confidentiality and data handling. A statement on what client data may be entered into AI tools, what data is excluded, and the firm’s approach to AI provider terms.
  • Limitation of liability. Where the engagement permits, a clause limiting liability for losses arising from AI tool failures or errors, subject to professional standards and applicable law.

The exact wording must reflect the firm’s regulatory environment (legal, medical, engineering, financial advice). A generic AI clause will not satisfy sector-specific obligations.

Sector-specific AI liability scenarios

Different professions face different AI exposures. Common 2026 examples by sector:

Legal services

AI-drafted contracts containing references to non-existent case law (a documented failure mode of generative AI). AI-generated due diligence reports missing material adverse information. AI-summarised expert reports omitting critical findings. The Legal Practice Council’s 2026 ethics guidance specifically addresses the duty of independent verification of AI output.

Medical and healthcare

AI-augmented diagnosis tools missing differential diagnoses. AI-generated clinical notes mischaracterising patient histories. AI-supported triage misclassifying urgency. The HPCSA’s draft AI guidance emphasises the requirement for documented human clinical judgement on AI-supported decisions, particularly in high-acuity contexts.

Engineering and design

AI-generated structural calculations omitting load cases. AI-generated geotechnical reports using inappropriate analogues. AI-augmented design tools producing outputs that breach building code requirements. ECSA’s professional conduct guidance now expects independent verification of AI-augmented engineering output, particularly on safety-critical work.

Financial advice and accounting

AI-generated financial planning advice using outdated tax rules. AI-augmented audit procedures missing material misstatements. AI-summarised regulatory filings missing required disclosures. The FSCA’s draft AI principles emphasise the fiduciary duty to verify AI-driven advice before delivery.

Cybersecurity and IT consulting

AI-generated security assessments missing known vulnerabilities. AI-augmented penetration test reports including false positives or false negatives. AI-driven incident response advice that does not reflect the specific environment. See related cyber insurance considerations for IT consultancies.

The EU AI Act and SA firms serving EU clients

The EU AI Act has extraterritorial reach. SA firms providing AI-driven services to EU clients, or whose AI-driven outputs are placed on the EU market, fall within scope. The Act categorises AI systems into risk tiers (unacceptable, high-risk, limited risk, minimal risk), each with different obligations.

For SA professional services firms, the most relevant categories typically include:

  • Limited-risk AI, where transparency obligations apply (the user must know they are interacting with AI). This catches most AI-augmented client communications.
  • High-risk AI, where significant compliance obligations apply (risk management, data governance, technical documentation, human oversight, accuracy). This may catch AI use in credit decisions, employment screening, education, healthcare, and critical infrastructure work.

SA firms unsure whether their EU-facing work falls within scope should obtain specific legal advice. The fines for non-compliance are substantial, and the regulatory reach is being actively tested by EU authorities.

Internal AI use policies that reduce indemnity risk

From an insurance perspective, the firms with the lowest claim exposure are the ones with documented internal AI use policies. The policies need not be elaborate, but they need to exist and be followed. Key elements:

  1. Approved AI tools list. A specific set of AI tools approved for use, with documented decisions about why each was selected. This protects against employees using unapproved tools that may not meet confidentiality or accuracy standards.
  2. Prohibited data list. A specific list of data types that may not be entered into AI tools (client confidential information, personal information of third parties, attorney-client privileged material, medical records, financial information). This addresses the confidentiality and POPIA exposure.
  3. Verification standards. A documented standard for the human review applied to AI-generated content before delivery. Different work types require different review depth; the policy should specify.
  4. Disclosure standards. A documented standard for when AI use is disclosed to clients and how that disclosure is framed.
  5. Audit trail. A record of which AI tools were used on which client matter, when, and by whom. This is critical evidence in any subsequent claim or regulatory review.
  6. Training and updates. Regular training on the AI policy, with updates as tools and regulations evolve.

For SA firms requesting professional indemnity insurance renewals in 2026, having a documented AI use policy is increasingly expected by underwriters and may favourably affect terms.

Frequently asked questions

Does my existing professional indemnity policy cover AI-related errors?

It depends on the specific wording. Most SA PI policies issued before 2024 do not address AI explicitly. Whether an AI-related claim is covered depends on how “professional services” is defined, whether exclusions for “automated processes” appear, and how third-party tool errors are treated. A targeted policy review by a broker can identify any AI-related gaps in your current cover.

Do I need to disclose AI use to my clients?

In most professional contexts, yes. The form and detail of disclosure varies by profession and by how material the AI use is to the deliverable. A short clause in the engagement letter is typically sufficient for routine AI assistance. More prominent disclosure is appropriate where AI is central to the deliverable. Where personal information is processed through AI, POPIA disclosure obligations apply separately.

What is the EU AI Act and does it apply to my SA firm?

The EU AI Act is a regulatory framework for AI systems placed on the EU market or affecting persons in the EU. It has extraterritorial reach, meaning SA firms providing AI-driven services to EU clients or whose AI outputs reach the EU can fall within scope. The Act categorises AI use into risk tiers with different compliance obligations. SA firms with EU-facing AI use should obtain specific legal advice about applicability.

Can AI generate work that breaches copyright, and am I liable?

Yes, AI-generated content can reproduce training data, raising copyright concerns. Where the firm delivers AI-generated content to a client, the firm may face indemnity claims from the client if a third party sues for infringement. Most SA PI policies do not address this exposure explicitly. An AI-specific IP cover endorsement is becoming a recommended addition to PI programmes for firms whose AI use produces client deliverables.

What is the most common AI-related professional liability claim in 2026?

Claims involving AI-augmented research or drafting where the AI tool produced an inaccuracy that the human reviewer did not catch. Examples include legal opinions citing non-existent cases, financial models using outdated assumptions, engineering calculations with embedded errors, and medical reports with mischaracterised history. The defence to these claims is documented human verification, which underscores the importance of an internal AI use policy and audit trail.

Should I refuse to use AI to avoid the liability risk?

No. The productivity advantages of AI in professional services are large and growing, and firms that refuse to use AI will lose competitiveness. The correct response is to use AI thoughtfully with documented controls, disclose appropriately, structure engagement letters to address AI, and ensure professional indemnity cover is updated to respond to AI-related exposures. The combination delivers the productivity gain while managing the liability profile.

What does an AI-aware professional indemnity policy include?

Key features include an explicit definition of “professional services” that captures AI-assisted work; carve-back from “automated process” exclusions; explicit cover for liability arising from third-party AI tools; AI-specific IP infringement cover; regulatory defence cover extending to AI-related investigations; and reasonable claims handling provisions for novel claim types. A broker review identifies which of these features your current policy includes and which need to be negotiated at renewal.

Review your PI programme before the next AI-related claim

AI is now embedded in how SA professional firms do work. The legal, regulatory, and insurance implications are still catching up, and the firms that act now will be ahead of the curve when the first major AI-related claims start to test policy wordings in 2026 and beyond. Contact Berkley Risk or call 011-702-8250 to arrange a professional indemnity review that addresses your AI use, engagement letter alignment, and regulatory exposure, subject to underwriting and insurer appetite.

Berkley Risk (Pty) Ltd arranges/places/co-ordinates insurance with licensed insurers. FSP #54407. This article is general information only and does not constitute legal, financial, or regulatory advice. All cover is subject to underwriting acceptance and final policy wording.