Sample document. All firm data is illustrative. Findings are based only on information a firm provides during the audit.
Theia-Stack

Partner Briefing Pack

AI Risk Assessment
and Compliance Position

Firm

Redacted & Associates

Date of assessment

12 June 2026

Document reference

TS-2026-0042

How this was produced

This report was generated by the firm's managing partner or practice manager completing the Theia-Stack audit. It contains only information the firm provided during that process, combined with publicly documented risk characteristics of the identified tools. It does not involve network scanning, system access, or any form of technical investigation.

Sample only. This document uses illustrative data. A real Partner Briefing Pack reflects only your firm's actual self-reported information and the known risk profile of your identified tools.
Section 01

Overall Risk Position

The score below reflects the firm's responses to the Theia-Stack audit questionnaire, weighted against the known risk profiles of the tools identified from billing data.

62

Risk score

Moderate

Redacted & Associates identified three AI tools during the audit. The firm confirmed that two of these are used in contexts where client information may be involved, and that no formal AI usage policy currently exists.

The firm also confirmed that no structured staff training on AI use has been delivered, and that it is not certain what data retention settings apply to the tools in use.

These are the gaps driving the moderate risk rating. None represent an insurmountable position — they reflect a firm that is using AI practically but has not yet formalised how it does so.

AI usage policy: None in place — firm confirmed
Staff training: None delivered — firm confirmed
Data handling awareness: Uncertain — firm could not confirm settings
Tool oversight: Informal — no approval process in place
Section 02

AI Tools Identified

The following tools were identified from three months of transaction data provided by the firm, and confirmed during the audit review step. Risk ratings reflect publicly documented characteristics of each tool — not a technical assessment of your specific configuration.

Tool (vendor): Microsoft Copilot (Microsoft Corporation)
Confirmed use (firm-reported): Document drafting and email summarisation
Known data characteristic: Integrates with Microsoft 365 — data handling depends on tenant configuration. Default settings vary by licence type.
Monthly cost: $420
Risk: High

Tool (vendor): ChatGPT (OpenAI)
Confirmed use (firm-reported): Research and drafting assistance
Known data characteristic: Data terms differ significantly between consumer, Teams, and Enterprise tiers. The firm did not confirm which tier is in use.
Monthly cost: $60
Risk: High

Tool (vendor): Otter.ai (Otter.ai Inc.)
Confirmed use (firm-reported): Meeting transcription
Known data characteristic: Transcripts stored on US-based infrastructure under standard plan. Data processing terms publicly documented.
Monthly cost: $89
Risk: Medium

Risk ratings are based on publicly available vendor documentation and known industry risk classifications — not on any technical inspection of your firm's systems or configuration.

Section 03

Audit Responses

The following summarises the firm's responses to the structured compliance questions completed during the audit. Findings and recommendations in this report are derived directly from these responses.

Does the firm have a documented AI usage policy?
No — none in place
Have staff received training on AI use?
No — not yet delivered
Are AI tools used in contexts involving client information?
Yes — for two of the three tools identified
Is the firm aware of the data retention settings for its AI tools?
Uncertain — the firm could not confirm this for most tools
Is there a process for approving new AI tools before use?
No — tools are adopted informally
Has PI insurance renewal raised questions about AI governance?
Not yet — but renewal is within three months
Section 04

Key Findings

Each finding below is derived from the firm's audit responses above, or from publicly documented characteristics of the identified tools. Where the basis is a firm response, this is noted.

i.

No AI usage policy exists

The firm has no documented position on how AI tools may be used, what data may be submitted to them, or what oversight is required. This is the most significant gap in the firm's current position.

Basis: Firm confirmed during audit: no policy in place

ii.

No staff training on AI use has been delivered

The firm confirmed that no structured guidance has been given to staff about appropriate or inappropriate use of the tools identified. Without training, the firm cannot demonstrate that staff are using AI within boundaries the firm has set.

Basis: Firm confirmed during audit: no training delivered

iii.

ChatGPT subscription tier not confirmed

OpenAI's data handling terms differ materially between its consumer, Teams, and Enterprise tiers. The firm was unable to confirm which tier is in use. Until this is established, the applicable data terms are unknown.

Basis: Firm could not confirm during audit — publicly documented difference between OpenAI tiers

iv.

Microsoft Copilot data settings not confirmed

Microsoft Copilot's data handling behaviour varies depending on licence type and tenant configuration. The firm was unable to confirm its current settings. This is a known complexity of the product and does not imply a problem — only that the position is currently unknown.

Basis: Firm could not confirm during audit — publicly documented complexity of M365 data settings

v.

No process for approving new AI tools

The firm confirmed that AI tools are adopted informally, without a sign-off process. As the market for AI tools expands rapidly, the absence of an approval process creates ongoing exposure as staff add tools without governance review.

Basis: Firm confirmed during audit: no approval process in place
Section 05

Recommendations

Recommendations are ordered by priority. Each is actionable by the firm's managing partner or practice manager without external technical support.

Priority 1

Implement a documented AI usage policy

Establish a written policy covering which AI tools are approved for use, what types of information may and may not be submitted to them, and what the consequences of non-compliance are. Circulate to all staff and record acknowledgement.

Priority 1

Confirm the ChatGPT subscription tier in use

Identify whether staff are using personal, Teams, or Enterprise accounts and review the applicable data terms. OpenAI publishes its terms for each tier publicly. If personal accounts are in use for firm work, this warrants a decision about whether to consolidate under a firm-managed account.

Priority 1

Confirm Microsoft Copilot data configuration

Microsoft publishes documentation on data handling settings for Copilot. The managing partner or practice manager should confirm the relevant settings in the Microsoft 365 admin portal, or request confirmation from whoever manages the M365 subscription.

Priority 2

Deliver structured staff training on AI use

Provide all staff with clear guidance on the approved uses of each tool, what information should not be submitted, and what to do if they are uncertain. Keep a record of who has completed training.

Priority 2

Establish a process for approving new AI tools

Put in place a simple sign-off step before any new AI tool is used for firm or client work. This does not need to be complex — a brief review against a standard checklist is sufficient to demonstrate that governance is in place.

Section 06

What a Theia-Stack subscription includes

Moving from this report to a documented compliance position

i.

Living AI usage policy. Generated around your specific tools. Updates when tool terms or risk characteristics change.

ii.

Staff training modules. One module per identified tool, covering approved uses, prohibited uses, and a knowledge check. Completion is recorded per staff member.

iii.

Annual AI Risk Management Report. Timestamped and dated. Renewed each year to reflect the current state of the firm's AI use — not a one-off snapshot.

iv.

Quarterly automatic re-audit. The platform monitors for changes to your tool stack and alerts you when something affects your compliance position.