Should You Tell Your Client You Used AI? (What the Law Actually Requires)

By Gabriel Tan | May 2026

An ex-colleague running an IR firm told me about a conversation that caught him off guard. His client, the CFO of a listed company in Hong Kong, asked him over lunch: "By the way, do you guys use AI when you draft our materials?"

He said yes, they use it to help with early drafts and research. The CFO nodded and said: "Good. Just make sure our board knows you have controls around it. They asked me last week."

That was the easy version of the conversation. The harder version is when the client finds out you used AI and did not tell them. Not from you. From someone else. Or from noticing that the language across three different deliverables sounds suspiciously similar. Or from a competitor who mentions it during a pitch.

The disclosure question is one that most MDs of PR, IR, and financial communications firms have thought about but few have formalised. The reason it stays informal is that the answer feels complicated. It is not, once you look at what the regulations actually say.

What the regulations say about disclosure

Three frameworks covered in the AIGP (Artificial Intelligence Governance Professional) certification are directly relevant here.

The EU AI Act, Article 52. The Act requires that users be informed when they are interacting with an AI system. This applies to chatbots, emotion recognition tools, and AI-generated content like deepfakes. Deployers must label synthetic content and tell users they are talking to a machine, not a person.

Here is the nuance for professional services firms. Article 52 targets systems that interact directly with people. It does not explicitly require a PR firm to disclose that AI helped draft a press release, because the client receives a human-reviewed document, not raw AI output. The client is reading your work, not talking to a chatbot. So the legal mandate under Article 52 does not directly apply to most of what your firm does.

But the direction is clear. The Act also introduced an AI literacy obligation that took effect on 2 February 2025. If your firm has EU-listed clients or a London office, you need documented policy and training around AI use. The regulatory direction is toward more transparency, not less.

OECD AI Principles, Principle 3: Transparency and Explainability. The OECD principles state that users should know when AI is involved and understand its decisions. This principle is broader than Article 52. It is not limited to chatbots or deepfakes. It covers any use of AI where a stakeholder has a reasonable interest in knowing.

The OECD principles are non-binding, but they have been adopted by over 40 countries including Singapore, the UK, and countries across the EU. They shaped the EU AI Act itself.

For a professional services firm, the OECD principle means this: if your client is a stakeholder in the work you produce, and AI was involved in producing it, the principle says they should know.

ISO/IEC 42001, Clause 7.4: External Communication. ISO 42001 is the first certifiable standard for AI management systems. Clause 7.4 requires organisations to maintain external communication plans for their AI use. The standard says you need to decide: what you communicate about AI, when you communicate it, to whom, in what format, and through what channel.

Clause 7.4 does not tell you what to disclose. It tells you to have a plan for disclosure and to follow it consistently. The standard treats "we have not decided" as a gap, not a position.

Three disclosure positions

The three frameworks sit on a spectrum. Article 52 sets a legal floor: disclose when AI interacts directly with people. The OECD principles set a higher bar: disclose when stakeholders have a reasonable interest. ISO 42001 says: whatever you decide, document it and apply it consistently.

From that spectrum, three positions emerge.

Position 1: Disclose proactively. You add a clause to your engagement letter or service agreement that states your firm may use approved AI tools to assist in research and content development, and that all outputs are reviewed and approved by named senior staff before delivery. The client knows from day one. There is no surprise to manage later.

This is the only position that fully satisfies all three frameworks. It meets the OECD transparency principle. It exceeds the EU AI Act's requirements. And it gives ISO 42001 auditors a clean communication plan to review.

Position 2: Disclose on request. You do not volunteer the information, but if the client asks, every team member gives the same honest answer. This requires a briefing so your team knows what to say.

This position satisfies ISO 42001's requirement for a documented communication plan, because you have decided what to say and when. It partially satisfies the OECD principle, because transparency is available but not proactive. The risk is that "on request" can feel evasive if the client later feels they should have been told earlier. It also means different clients get different levels of transparency depending on whether they think to ask.

Position 3: Disclose when AI contributed substantially. You tell the client when AI played a significant role in producing the deliverable, but not when it was used for minor tasks like formatting, spell-checking, or background research.

This position requires your team to make a judgement call on what counts as "substantial." What one consultant considers minor, another might consider significant. ISO 42001's process orientation would flag this as a control weakness, because inconsistent application is harder to audit. It partially satisfies the OECD principle but introduces a gap between what your firm intends and what your team actually does.

Which position to take

To be honest, Position 1 is the cleanest. It removes the judgement call entirely. It protects your firm from the "why didn't you tell us" conversation. It is the most defensible under all three regulatory frameworks. And in practice, most clients respond the way that CFO did: they are fine with it, as long as there are controls.

Position 2 is workable if your team is well-briefed and consistent. But it carries a latent risk: the client who does not ask is not the client who does not care. They may simply not have thought of it yet.

Position 3 is the weakest. The judgement call it requires is where mistakes happen. Two people from the same firm giving different answers to the same client is the scenario you want to avoid.

What to put in the engagement letter

One clause. Three sentences.

State that your firm may use approved AI tools to assist in research, drafting, and content development. State that all AI-assisted outputs are reviewed and approved by named senior staff before delivery to the client. State that your firm maintains an AI use policy, an approved tools list, and a data classification framework to protect client information.

That is the disclosure. It is factual, specific, and does not apologise for using AI. It positions AI use as a controlled, governed part of your process.

If your current engagement letter was written before 2023, it almost certainly says nothing about AI. That silence is the gap. Updating the letter takes 30 minutes and closes a risk that grows every month.

What to do this week

Pull up your standard engagement letter. Search for any mention of AI, AI tools, or technology-assisted work. If there is nothing, add the three-sentence clause.

Brief your team on your firm's disclosure position. Make sure everyone gives the same answer when a client asks. The worst outcome is two people from your firm giving different answers to the same client.

If you are unsure which position to take, start with Position 1. Proactive disclosure is the lowest-risk option and the easiest to maintain. You can always adjust later. You cannot undo a trust breach once the client feels they were kept in the dark.

Gabriel Tan is the founder of Mekong Bridge Advisory. He builds structured execution systems for PR and communications firms.

info@mekongbridge.com | www.mekongbridge.com
