AI Is Already Doing Work Inside Your Firm. The Risk Is No One Is Accountable for the Output.

AI Is Already Doing Work Inside Your Firm. The Risk Is No One Is Accountable for the Output.

This isn't about adoption anymore.

AI is already writing proposal sections, refining client emails, summarizing reports, and shaping decisions across your firm. The real issue is simpler—and more dangerous:

No one owns the output.

That's the gap.

In most 25-75 person engineering firms, AI shows up first in proposal teams and operations workflows. It's used quietly, efficiently, and without friction. Leadership assumes there are controls. IT assumes usage is limited.

Neither is true.

What you have instead is a system producing work faster than it can be verified or explained. And when a client or auditor asks questions, that's when the problem becomes visible.

Not as a technology issue.

As a credibility issue.

The AI Control Model for Engineering Firms (3 Layers)

If you want to fix this, you don't need a long policy. You need a system that matches how work actually moves through your firm.

Use this model.

1. Tool Control — What's allowed External tools (ChatGPT, Claude) → restricted for sensitive work
Embedded tools (Microsoft Copilot, Google Workspace AI) → allowed with boundaries
Internal/secure tools → approved and monitored

If a tool isn't defined, it isn't controlled.

2. Data Boundaries — What can be used Level 1: Public content
Level 2: Internal operations and financial data
Level 3: Client, contractual, regulated, engineering data

Level 3 should never enter external tools.

Not occasionally. Not "just to clean something up." Never.

3. Output Verification — What must happen AI-assisted work is flagged
Sources are verified
A named reviewer approves final output

This is where most firms fail.

Not in using AI.

In trusting it too early.

Where AI Risk Actually Lives

Stage | Risk | Control

Drafting | Fabricated or unsupported data | AI-use flag on sections
Editing | Data exposure through prompts | Tool restrictions by data level
Final QA | Missed validation | Required verification checklist

If your workflow doesn't explicitly cover all three stages, risk is already in motion.

What We're Seeing Across Firms

This pattern keeps repeating:

Most firms have no documented AI policy
Proposal teams are the first to adopt AI informally
Tools are mixed without distinction (external + embedded + internal)
Review processes haven't changed, even though the work has

No one intends to create exposure.

But when systems evolve faster than ownership, exposure is exactly what you get.

A Real Incident Timeline (How This Fails in Practice)

A proposal coordinator is under deadline.

They use ChatGPT to refine a submission and strengthen positioning. The tool inserts market benchmarking data. It reads clean. It fits the narrative.

No one questions it.

The document goes through formatting review—not source validation.

It's submitted.

Two days later, the client asks for sources.

The coordinator can't provide them.

Now it escalates:

Business development gets involved
Operations gets pulled in
A technical lead reviews the assumptions
IT is asked what tool was used

No one can reconstruct the origin.

Outcome:

Half a day of internal rework
Delayed client response
Visible loss of confidence

The proposal didn't fail because of AI.

It failed because no one owned verification.

What Enforcement Looks Like in Real Work

This is where most firms fall short. They define policy but never translate it into behavior.

Here's what actual control looks like:

Proposal coordinators flag AI-assisted sections before QA
QA reviewers verify all external data points introduced by AI
External tools are blocked or restricted on systems handling client data
AI verification is added directly into proposal QA checklists
IT reviews tool usage logs on a defined cadence
Approval responsibility is assigned before submission, not after

If these aren't happening inside your workflows, the policy doesn't matter.

Because behavior hasn't changed.

AI Control Maturity (And Where Firms Get It Wrong)

Level 1 — Unstructured
Leadership assumption: "We're not really using AI yet"
Reality: It's already embedded in daily work
What breaks: Unverified content reaches clients

Level 2 — Defined
Leadership assumption: "We have guidelines"
Reality: Inconsistent enforcement
What breaks: Gaps between policy and behavior

Level 3 — Controlled
Leadership view: Clear ownership, defined tools, embedded verification
What works: The firm can explain how work is produced and approved

Most firms believe they are closer to Level 3 than they actually are.

That gap is where risk lives.

What You Will Be Judged On

Clients, municipalities, and regulated partners are not evaluating your AI strategy.

They are evaluating your control.

They will ask:

What tools are in use
What data is allowed
How outputs are verified
Who is accountable

And they will expect consistent answers.

If those answers vary across your team, your process is not defensible.

That's when confidence drops.

What To Do in the Next 7 Days

Assign one owner in Operations and one in IT.

Have them produce a one-page AI control standard using the three layers:

Tool Control
Data Boundaries
Output Verification

If that document does not exist, your firm is already operating without alignment.

The Outcome You Actually Want

You're not trying to slow your team down.

You're removing a category of uncertainty.

So when someone asks how AI is used in your firm, the answer is clear, consistent, and calm.

That's what protects trust.

Schedule your 10 minute discovery call with 911 IT.
We'll walk through how your current AI usage would hold up under external review.
This helps you confirm whether this risk applies to your firm and where it breaks.