Operator scenario

How a Consulting Firm Documented Its AI Tool Usage Before a Client Audit

Operator scenario — professional services

Situation

A 14-person management consulting firm had been using AI tools informally for about a year — writing assistants for proposal drafts, summarization tools for research, a code assistant for one of their analysts. No formal inventory existed. No policy covered how client information could be used with these tools.

A prospective enterprise client asked during the sales process whether the firm had a documented AI usage policy and whether client data was protected from AI training data. The firm did not have a good answer.

What they did

The principals worked through the AI Readiness Workflow. The context step established the scope: 14 people, professional services, working with client strategic and financial information. The inventory step produced a structured list of every AI tool in use, who used it, what kind of information it accessed, and whether the tool's data practices were understood. The risk review step surfaced two specific gaps: one tool's default settings permitted training on user inputs (an opt-out existed but had not been applied), and one tool had no data processing agreement available.

What they produced

An AI Readiness Readout that documented current tool usage, identified the two specific gaps, and outlined the corrective actions taken (opting out of training data use, finding an alternative for the tool without a DPA). The readout served as the basis for an internal AI usage policy and was shared with the prospective client as documentation of their approach.

This is a composite scenario based on common patterns in professional services firms. It does not represent a specific client or named organization.

← Back to case studies

Do Not Sell My Data