The question that costs $400 to answer
It is Tuesday afternoon. A second-year associate is closing out an engagement and needs to know whether she can email the client's draft deliverable to their personal Gmail because their corporate inbox is down. She does not know. So she pings a partner who is mid-review on a different matter. He stops, thinks for ninety seconds, says "no, use the secure portal," and goes back to work. That ninety seconds, billed at his rate and broken concentration, just cost the firm more than the answer was worth. And the same question will surface again next week from someone else.
That is the real shape of the problem in a professional services firm: policy knowledge lives in partners' heads and in a SharePoint folder nobody trusts is current. The RSM middle-market AI survey and the San Francisco Fed analysis of AI and small businesses both point to the same lesson for firms this size: AI earns its keep when it is tied to a workflow people already repeat, with someone clearly accountable for it. Policy Q&A qualifies because the repetition is constant and the interruption tax falls on your highest-cost people.
Do not start with your whole policy library. Start with the four or five questions a junior asks before they will admit they are unsure: Can I store this client file there? Do I need a conflict check before I take this referral? What gets redacted before a deliverable leaves the building? When does a fee write-off need partner sign-off? Pick the policies where the answer is unambiguous and the cost of guessing wrong is high. Then use the workflow automation screen to confirm those questions actually recur often enough to justify building anything.
The answer a partner can defend, not just a plausible one
Here is where most firms get this exactly backwards. They take the generic chatbot, feed it the policy PDFs, and ship it. Then an associate asks about client-data handling, the model blends last year's retention policy with a half-remembered training, and produces a confident answer that is wrong in a way nobody catches until a client's counsel asks why a file still existed. In a professional services firm, a confidently wrong policy answer is not a bad search result. It is a malpractice exposure.
So the assistant must be built to answer only from approved, current policy documents, and to show the partner exactly which clause it pulled from. The NIST AI Risk Management Framework gives you the language for accountability and risk controls, and the CISA AI Data Security Best Practices cover the access, logging, and output-handling discipline that matters when the underlying documents touch client confidentiality. Translated to a firm's reality, that means a short list of non-negotiables: every answer cites the exact policy section and its effective date; retrieval respects who is allowed to see what (an associate on the manufacturing team should not surface a financial-services conflict memo); superseded versions are pulled, not just deprecated; every query is logged; and ambiguous questions — the ones that start "well, technically..." — route to a named human instead of getting an answer at all.
That last rule is the one that separates a tool a firm can trust from one a managing partner will quietly kill. The assistant's job is not to answer everything. It is to answer the settled questions fast and to refuse the unsettled ones loudly. Before you build, run the candidate use case through the AI use-case scoring model to pressure-test whether your policy sources are clean enough and your confidentiality boundaries clear enough to be worth automating yet.
What "working" looks like ninety days in
You will know this succeeded not when the assistant answers a lot of questions, but when the partners stop being asked them. Watch for the second-year who used to ping a manager four times a week and now pings once — because the assistant handled the routine three, and that fourth question was genuinely novel and deserved a human. The Deloitte State of AI in the Enterprise 2026 makes the point that production value comes from changing how the work flows, not from installing software. For a firm, the operating-model change is this: policy knowledge stops being a relationship you maintain with a senior partner and becomes a resource the whole staff can reach.
Measure the things that prove it: how many internal policy questions reach partners now versus before; how long it takes a policy change to show up in the assistant's answers (if a new client-data rule takes three weeks to propagate, you have a stale-source problem, not an AI problem); how often answers get corrected; whether managers themselves use it; and — the one to never stop watching — whether any question touching live client data got an answer it should have escalated instead. The OECD report on AI adoption by small and medium-sized enterprises is blunt that firms your size win or lose on management capacity, not on the model — so the owner who keeps sources current matters more than the technology.
If you do one thing Monday, name that owner. Pick the person who will keep the policy documents current and review the escalation log, and put their name on it before you write a line of code. Then sequence the build — source cleanup first, answer review second, partner training third, production governance last — using the 90-day AI implementation plan.
