Insure Your Agent Operator Edition

Do my clients have the right to know I use AI in their work?

This is one of the most common questions SME operators are asking in 2026. The answer is more structured than most people expect. Several overlapping obligations can require disclosure: EU law, sector regulators, and contract terms. This guide explains when disclosure is legally required, what happens when it is omitted, and how non-disclosure affects your insurance position when something goes wrong.

Key takeaways

  • EU AI Act Article 50 (Regulation (EU) 2024/1689) requires operators of AI systems designed to interact with humans to disclose the AI nature of those interactions. This applies to any customer-facing AI agent you operate, from a chatbot to an AI-assisted advisory service. The disclosure must be given at the time of interaction, not buried in terms and conditions.
  • GDPR Article 22 requires separate notification and an explanation when automated systems make decisions that significantly affect individuals, along with a right to request human review. If your AI agent makes or substantially contributes to a decision that affects a client's rights or finances, both rules apply simultaneously.
  • Professional conduct rules in law, accountancy, financial services, and medicine treat undisclosed AI use as a potential breach of the duty of transparency. Sector regulators in the UK (FCA, SRA), Netherlands (AFM, NOvA), and Germany (BaFin, BRAO) have all issued guidance or signals in this direction.
  • Non-disclosure does not reduce liability when something goes wrong. The Moffatt v. Air Canada tribunal ruling (2024) confirmed that businesses are legally responsible for what their AI agents say to customers, and clients who were not told they were dealing with an AI have stronger claims, not weaker ones.
  • Your insurance may not cover a claim where undisclosed AI use violates a professional duty or contract term. Document all AI use proactively, including what the system does and what disclosure was given.

The question every service business is asking

If you run a business that provides professional services, there is a growing probability that AI tools are part of how you deliver those services. A law firm may use an AI assistant to draft first versions of contracts. A financial adviser may use an AI system to generate initial portfolio recommendations. An accountant may use AI to review documents or generate summaries. A marketing agency may use AI to write client copy. The AI outputs may be reviewed and edited by a human before delivery, or they may go to the client with minimal human intervention.

In all of these scenarios, the client typically does not know. The question this article addresses is: should they?

The answer in 2026 is increasingly yes, and in many situations the answer is a legal requirement rather than a professional preference. This changed materially with the full applicability of the EU AI Act and the simultaneous tightening of sector guidance from regulators across Europe.

What EU AI Act Article 50 requires

Article 50 of Regulation (EU) 2024/1689 sets out transparency obligations for operators deploying AI systems that interact directly with individuals. The most practically significant provision for service businesses is Article 50(1), which reads: "Deployers of AI systems referred to in Article 26(10) that are intended to interact with natural persons shall inform natural persons that they are interacting with an AI system, unless this is evident from the circumstances and the context of use."

The phrase "unless this is evident from the circumstances" is the only exception. If a client contacts your customer service line and reaches a chatbot, the AI nature of that interaction must be disclosed. If a client sends an email and receives a response that was substantially drafted by an AI system, and the client has no basis to assume AI was involved, the same disclosure logic applies. The exception covers truly obvious cases, such as a client who explicitly selected an AI chat option from your service menu. It does not cover a general assumption that AI might be used somewhere in a business.

Article 50 also covers emotion recognition systems (Article 50(3)), synthetic media and deep fake content (Article 50(4)), and providers of general-purpose AI models (Article 53). For the typical SME deploying a commercial AI tool in client work, Article 50(1) is the operative provision.

The penalty for non-compliance with Article 50 falls under Article 99(4) of the Act, which sets fines at up to EUR 15 million or 3% of global annual turnover, whichever is higher, for operators that breach transparency obligations. For an SME with EUR 2 million in annual revenue, that ceiling is EUR 60,000. This is not a theoretical exposure: national supervisory authorities are beginning to build enforcement capacity ahead of the August 2026 deadline.

GDPR Article 22: the automated decision rule

Article 22 of Regulation (EU) 2016/679 (GDPR) runs parallel to the AI Act and often applies to the same situation. It provides that individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them.

Where automated decision-making is used, the controller must inform the individual at the time of data collection (GDPR Article 13 or 14), give meaningful information about the logic involved, explain the significance and envisaged consequences, and provide the right to obtain human intervention, express their point of view, and contest the decision.

For service businesses, this rule applies when AI contributes substantially to a consequential decision about a client. Examples: an AI system that generates a credit risk score used in a lending decision; an AI tool that screens job applicants and produces a shortlist presented to a hiring manager; an AI adviser that recommends a financial product or produces a medical assessment. In each of these cases, GDPR Article 22 notification obligations exist independently of whether the EU AI Act applies.

The combination of Article 50 of the AI Act and Article 22 of GDPR creates overlapping notification requirements. A business that tells clients "we use AI" but does not give them the right to request human review of consequential decisions has satisfied the AI Act transparency rule but potentially failed the GDPR Article 22 right to contest automated decisions. Both must be addressed.

Professional conduct obligations by sector

Even where the AI Act or GDPR creates no specific notification obligation, sector professional conduct rules frequently do. Below are the main examples relevant to SME service businesses operating in Europe.

Legal services

The Bar Council of England and Wales issued AI guidance in 2024 confirming that solicitors using AI to draft, research, or review client documents must be satisfied that the output meets the required standard of care and must disclose the use of AI where it is material to the client relationship. The Dutch Bar Association (NOvA) published a similar position in 2024, reflecting the general principle that clients in a regulated legal relationship have a right to transparency about how their matter is being handled. The German Federal Bar (BRAO framework) treats non-disclosure of AI use in client work as a potential breach of the professional duty of care where the use of AI materially affects the quality or nature of the service.

The sanctions case Mata v. Avianca (S.D.N.Y., 2023) is the starkest illustration of the consequences of undisclosed AI use in legal services. Attorneys were sanctioned USD 5,000 for submitting AI-generated case citations that did not exist. The sanction was not primarily because AI was used. It was because the standard of care was violated when AI output was passed to the court without verification. For client-facing legal services, the same logic applies: AI use without appropriate disclosure and verification creates professional liability that your E&O insurer may contest.

Financial services

The Financial Conduct Authority in the UK issued a portfolio letter in 2024 reminding firms that AI use in client-facing services is subject to the Consumer Duty obligations introduced in 2023. Under Consumer Duty, firms must ensure that products and services deliver good outcomes for clients, which includes transparency about how services are delivered. The AFM in the Netherlands has taken a comparable supervisory position, noting that AI use in advice or recommendation processes is a material fact for purposes of the obligation to provide clear and accurate information to clients.

For MiFID II-regulated firms across the EU, the suitability assessment obligations under Article 25 of MiFID II already require firms to act in the best interest of clients and to be transparent about the basis for recommendations. AI-generated recommendations that are not disclosed as such create uncertainty about whether the suitability assessment was conducted correctly and by an appropriately qualified person.

Healthcare and life sciences

The EU AI Act classifies AI systems used in clinical decision support as high-risk under Annex III, point 5. This means providers deploying AI in diagnostic or treatment support contexts must meet the full set of high-risk requirements under Articles 9 to 17, including human oversight under Article 14 and transparency towards deployers under Article 13. Patients interacting with AI-supported healthcare services must be informed under Article 50(1). The Medical Device Regulation (EU) 2017/745, where it overlaps with AI system use, carries additional documentation and transparency requirements.

Contract terms and general consumer protection

Outside regulated sectors, contract law and general consumer protection rules create disclosure obligations in many situations.

If your service agreement describes services as being performed by qualified human professionals and you use AI to perform substantial parts of those services without disclosure, the description of the service may be inaccurate. A client who relied on the representation that a qualified lawyer or accountant was handling their matter personally, when in practice an AI system handled the first draft and a human reviewed it briefly, has a potential misrepresentation claim. This is not a purely hypothetical risk: in competitive markets where clients specifically value human expertise, non-disclosure of AI substitution is the kind of material fact omission that supports a claim for damages.

The EU Consumer Rights Directive and its national implementations across member states require traders to provide consumers with clear and comprehensible information about the main characteristics of the service before the consumer is bound. Where AI-driven delivery is a departure from what a consumer would reasonably expect, this can constitute a failure to provide required pre-contractual information.

What happens when something goes wrong without disclosure

The liability landscape is straightforward when disclosure was omitted. The client can argue three things simultaneously: the AI output caused harm; they were not told AI was being used; and they could not have assessed or mitigated the risk because they did not know it existed. This is a materially stronger position than a claim against a business that disclosed AI use and obtained informed consent.

The Air Canada chatbot ruling (Moffatt v. Air Canada, BC Civil Resolution Tribunal, February 2024) established the foundational principle: a business is responsible for what its AI agent says to customers, and it cannot disclaim that responsibility on the grounds that the chatbot was a separate legal entity. That case involved a disclosed AI system (Air Canada's chatbot was identifiable as such). When the AI is not disclosed at all, the operator's position is weaker, not stronger.

From an insurance perspective, undisclosed AI use creates two specific risks. First, if the non-disclosure constitutes a breach of a professional obligation, some insurers will argue that the claim arose from a breach of professional duties, which affects coverage under the professional conduct exclusions in many E&O policies. Second, non-disclosure can be characterised as a material misrepresentation in the underwriting questionnaire if the insurer asked about AI use and the answer was not accurate. Both of these positions are harder to contest if the non-disclosure was deliberate rather than inadvertent.

For a complete review of how your current insurance policies treat AI-related claims, see our guide to what business insurance covers for AI errors and the AI policy exclusions SME operators must review.

When disclosure is not required

The EU AI Act Article 50(1) exception covers situations where the AI nature of the interaction is evident from the circumstances. Four categories commonly qualify.

AI tools in internal business processes. If AI is used to process data, generate internal summaries, or assist with back-office work that does not result in a customer-facing output, no Article 50(1) disclosure is triggered. The interaction is not with a natural person in the relevant sense.

Clearly labelled AI interfaces. If a client explicitly navigates to an AI chat option in your service and the interface is labelled as AI, the disclosure obligation under Article 50(1) is satisfied. This is common in software and SaaS products where AI assistants are a named feature.

AI-assisted outputs reviewed and certified by a professional. Where a human professional reviews AI-generated content, takes responsibility for it, and delivers it under their professional signature, the disclosure position is nuanced. The GDPR Article 22 automated decision rule does not apply if a human meaningfully reviews and overrides or endorses the decision. The AI Act transparency rule may not apply if the final interaction is clearly with the human professional, not with the AI. However, if the AI substantially determined the output and the human review was perfunctory, this position may not hold at claim time.

General public knowledge. In contexts where the use of AI assistance is now common industry practice and clients have no reasonable expectation of exclusively human work (for example, proofreading, formatting, translation, or certain categories of software development), the disclosure obligation may be lower. This is a narrowing exception: as AI capabilities expand and client expectations evolve, what was considered ordinary professional judgment in 2021 may be considered AI delegation in 2026.

A practical disclosure framework for SME service businesses

The approach below provides a defensible disclosure framework for service businesses using AI tools in client work in 2026.

Categorise your AI use. List every AI tool used in client work, describe what it does, and identify which clients or client interactions it touches. This is the same list you need for an insurance renewal review and for an Agent Certified assessment. Build it once and maintain it.

Check for sector-specific obligations. If you operate in law, financial services, healthcare, or accountancy, review the current guidance from your sector regulator on AI use and disclosure. For EU-regulated sectors, the relevant national competent authority (BaFin, AFM, FCA, AMF, etc.) will have issued or is developing guidance specific to your sector.

Review your engagement letters and service agreements. Add language that accurately describes AI use in the delivery of your services. The language should be specific enough to inform the client, not so vague as to cover nothing. A single line stating "we may use AI tools to assist in the preparation of documents and analysis" is more defensible than no language at all, and less defensible than a clear description of what the AI does and what human oversight is applied.

Build a disclosure record. For each client engagement where AI tools were used, document what was used, what output it produced, what review was applied, and what disclosure was given. This record is the evidence base if a claim arises.

Review your insurance position with disclosure in mind. When you next speak to your broker, explain what AI tools you use and what your disclosure practice is. Confirm that your professional liability policy covers AI-assisted work and that there is no exclusion for non-disclosed AI use. For deeper context on how insurers are approaching AI-related professional liability claims, the agentinsured.eu coverage platform tracks the European insurance market for AI agent liability. For the certification framework that builds your governance evidence file, see agentcertified.eu.

Frequently asked questions

Do I have to tell my clients I am using AI in their work?

In many situations, yes. The EU AI Act Article 50 requires operators of AI systems that interact with humans to disclose that the interaction is AI-generated. GDPR Article 22 requires notification and an explanation when automated systems make decisions that significantly affect individuals. Many professional conduct rules in law, accountancy, medicine, and financial services also treat AI use as a material fact that clients have a right to know. Outside regulated sectors, contract terms, client expectations, and general consumer protection law create an obligation in most cases. The safest position is to disclose and document that disclosure.

What does EU AI Act Article 50 require?

Article 50 of Regulation (EU) 2024/1689 requires operators of AI systems designed to interact with natural persons to disclose that the interaction is AI-generated, unless the context makes it obvious. The penalty for breach is up to EUR 15 million or 3% of global turnover. The Article applies to any customer-facing AI system: a chatbot, an AI adviser, an AI-assisted customer service agent. Disclosure must be given at the time of interaction.

What happens if I do not disclose AI use and something goes wrong?

Non-disclosure when disclosure was required strengthens the client's claim in two ways: they can argue they did not consent to AI handling and could not assess the output. Your insurer may also dispute coverage if the non-disclosure constitutes a breach of professional duty or a material omission in your underwriting questionnaire. Moffatt v. Air Canada (2024) confirmed that businesses are bound by their AI agent's statements to clients.

Do professional service firms have specific AI disclosure obligations?

Yes. The Bar Council of England and Wales (2024 guidance), the Dutch NOvA, the FCA (UK Consumer Duty), and the AFM in the Netherlands have all issued guidance that treats AI use in client-facing services as a material fact requiring transparency. In healthcare, the EU AI Act's high-risk classification for clinical decision support AI under Annex III creates additional documentation and disclosure requirements.

If a client has not complained, do I still need to disclose past AI use?

Yes, where the obligation existed at the time of the work. A client who later discovers undisclosed AI use can bring a claim based on the non-disclosure itself, not just the quality of the output. From an insurance perspective, undisclosed AI use at the time of a claim may be treated as a prior circumstance affecting coverage under claims-made policies.

References

  1. European Parliament and Council. Regulation (EU) 2024/1689 on Artificial Intelligence (EU AI Act). Official Journal of the European Union, 12 July 2024. Article 50 (transparency obligations for operators), Article 99(4) (penalties for transparency breaches).
  2. European Parliament and Council. Regulation (EU) 2016/679 (GDPR). Article 22, automated individual decision-making including profiling. Articles 13 and 14, information to be provided.
  3. Bar Council of England and Wales. AI Guidance for Barristers. 2024. Available at barcouncil.org.uk.
  4. Nederlandse Orde van Advocaten (NOvA). Statement on AI Use in Legal Practice. 2024.
  5. Financial Conduct Authority. Portfolio letter on AI in financial services and Consumer Duty. 2024. Available at fca.org.uk.
  6. Autoriteit Financiële Markten (AFM). Supervisory expectations on AI use in financial services. 2024.
  7. European Parliament and Council. Directive 2014/65/EU (MiFID II). Article 25, assessment of suitability and appropriateness.
  8. British Columbia Civil Resolution Tribunal. Moffatt v. Air Canada. Decision issued 14 February 2024. Tribunal member Christopher Rivers. CAD 812.02 damages awarded.
  9. US District Court, Southern District of New York. Mata v. Avianca, Inc., No. 1:2022cv01461. Judge P. Kevin Castel. USD 5,000 sanction. June 2023.
  10. European Parliament and Council. Regulation (EU) 2017/745 on Medical Devices. Classification and disclosure requirements for AI-assisted clinical tools.
  11. European Parliament and Council. Directive 2011/83/EU on Consumer Rights. Articles 5 and 6, pre-contractual information requirements.