The honest take

The audit trail gap in Copilot, ChatGPT and Claude

12 April 2026 · 3 min read · John

The audit trail problem with Copilot, ChatGPT and Claude is straightforward: most versions of these tools do not record what was asked, what was answered, or what client data was involved. For regulated professional firms, that is a compliance liability — not a minor gap.

If a regulator knocks, or a client complaint lands, you need to show what happened. Right now, most firms using these tools cannot do that.

Why does this matter more for small professional firms?

Because the enterprise-grade controls that fix this problem are priced and built for large organisations.

Microsoft's Copilot audit logging captures metadata — not the actual prompt or response. Full prompt and response monitoring requires Microsoft Purview with Azure capacity enablement. None of that comes with a standard Microsoft 365 Business plan.

ChatGPT's Audit Logs API is Enterprise and Business tier only. Free and Plus accounts have nothing equivalent. Here is the real problem: a 2025 survey found 73.8% of ChatGPT accounts in workplaces are non-corporate accounts. The person in your firm pasting a client's financial position into ChatGPT at 9pm is almost certainly doing it through their personal login, with no organisational visibility whatsoever.

Claude is arguably the most eye-opening case. In August 2025, Anthropic changed its policy so that consumer users who did not actively opt out by 28 September had their conversations used for model training — with retention jumping from 30 days to five years. Full audit log controls and custom data retention are Enterprise-only. That plan requires a minimum of 50 seats. Most small professional firms do not qualify.

What the regulator actually expects

GDPR's accountability principle under Article 5(2) requires you to demonstrate compliance, not just assert it. A written AI policy in a drawer is not evidence. Documentation showing your tools are configured, monitored and controlled is.

If an employee pastes a client's personal data into a consumer ChatGPT account, you may have no record of it, no ability to request erasure under Article 17, and no Data Processing Agreement in place with OpenAI covering that interaction. That is a genuine exposure.

The ICO has been clear: accountability means technical and organisational measures, documented and demonstrable. "We have a policy" does not meet that bar.

What Aigura does differently

The tools I build for clients are configured specifically for their business — not deployed as generic consumer products used however each employee sees fit. That means logging, access controls, and data handling parameters are built in from the start, not bolted on later.

For solicitors, accountants, IFAs and surveyors, this is not abstract. Client confidentiality and regulatory accountability are baked into your professional obligations. The AI tools you use need to reflect that. Off-the-shelf consumer tools, used informally, do not.

I do not promise a version of Copilot or ChatGPT with compliance features switched on. I build tools configured around your firm's actual processes and obligations, with the right controls in place from day one.

If you want to talk through where your current AI use sits from a compliance standpoint, I am happy to spend 20 minutes on it. Book a free discovery call or drop me a line at john@aigura.co.uk.


Common questions

Does Microsoft Copilot keep an audit trail of prompts and responses?

No. Microsoft 365's Unified Audit Log records metadata only — not the actual prompt or response text. Full prompt and response monitoring requires Microsoft Purview with Azure capacity enablement, which is not included in standard Microsoft 365 Business plans.

Can small firms access ChatGPT's audit log features?

No. ChatGPT's Audit Logs API is available to Enterprise and Business tier customers only. Free and Plus accounts have no equivalent, and a 2025 survey found 73.8% of ChatGPT accounts in workplaces are non-corporate accounts — meaning most employee use happens through personal logins with no organisational visibility.

Does Claude's Enterprise plan cover small UK professional firms?

Rarely. Anthropic's Enterprise plan includes full audit log controls and custom data retention but requires a minimum of 50 seats. Most small professional firms do not qualify, meaning proper audit controls are not accessible to them through the standard route.

What does UK GDPR require from firms using AI tools?

Under Article 5(2), firms must demonstrate compliance with GDPR, not just claim it. If staff paste client information into AI tools, you need documented technical and organisational measures showing those tools are configured, monitored and controlled. A written policy alone does not satisfy the ICO's accountability standard.