Know exactly where you stand — and what to automate first.
A fixed-price AI-exposure audit and UAIPA attestation for construction firms. We inventory every AI tool — the ones you bought and the ones your team brought — map your exposure under Utah Code §13-72, issue the attestation letter your insurance carrier will start asking for, and rank the workflow friction worth automating next. When you're ready, the build is the next step.
Twenty minutes. We'll tell you whether an audit makes sense for your firm before we quote it. Fixed price, scoped in writing before kickoff.
UAIPA is law. Quietly active. For two years.
The Utah Artificial Intelligence Policy Act has been in force since May 1, 2024 — and amended May 7, 2025. Construction contractors are explicitly named as a regulated occupation. The defense “the AI did it” has been codified out of existence.
Per violation. Administrative penalty, imposed by the Utah Division of Consumer Protection — no court action required.
Per violation. Attorney General civil penalty for knowing violations — imposed in addition to the administrative one.
License review, E&O coverage denial, bonding capacity loss, federal contract disqualification, public listing of enforcement actions.
Sources: Utah Code §13-72 (UAIPA), §13-2-5, §13-11-17. Verify current penalty schedule at le.utah.gov.
Five mistakes showing up in Utah construction offices right now.
Not theoretical risks. These are the patterns playing out across Utah construction offices as AI adoption outruns policy. The audit names yours, specifically.
AI-drafted bids signed as professional analysis
Estimators using ChatGPT to draft proposals — then signing them as professional analysis. The client asks “did AI write any of this?” The contractor says no. That single answer is the violation.
AI giving legal advice to your clients
Lien rights, warranty terms, contract questions answered by a chatbot or copilot. Called out by name in the 2025 UAIPA amendments as a high-risk interaction.
Safety reports drafted by AI, submitted as human-authored
Health and safety is a high-risk category under UAIPA — stricter rules, stiffer penalties. OSHA exposure compounds the state-level liability.
Confidential data uploaded to public AI tools
Client financials, plans, sub bids, employee data. A growing number of E&O policies now contain specific exclusions for this scenario — so the breach isn't covered and it's a UAIPA violation.
AI customer service without disclosure
The chatbot on your website. The auto-responder on your phones. Every consumer-facing AI interaction without a disclosure is a counted violation — and under Moffatt v. Air Canada, the company is bound by what its chatbot says.
The AI you bought is a problem when it's used wrong. The AI your employees brought is a problem the moment it exists.
The estimator pasting takeoffs into a personal ChatGPT. The PM dumping a signed contract into Claude. The super running site walks through a personal Otter account. The bookkeeper uploading QuickBooks exports for “a quick chart.” None of these run through corporate IT. All of them are happening right now in firms your size.
55%
Salesforce 2024
of workers use unauthorized AI tools at work
11%
Cyberhaven 2024
of data pasted into ChatGPT is confidential corporate data
78%
Microsoft 2024
of AI users bring their own AI tools to work
$670K
IBM 2024
added per-breach cost when shadow AI is involved
Four documents. All yours.
Fixed-price engagement, scoped before kickoff. Discovery to delivery in about four weeks. You own everything we produce — including the attestation letter and the friction report.
Written AI Risk Report
Named-and-numbered audit findings on every AI workflow we surface — the tools you bought, the tools they brought, and the dollar cost we estimate against each risk. Cited to your specific workflows.
UAIPA Compliance Attestation Letter
A formal attestation letter, AIGP-signed, stating where you stand against Utah Code §13-72 as of the engagement date. The document your insurance carrier will start asking for. Backed by our AI-advisory E&O.
AI Use Policy + Disclosure Pack
A drop-in AI use policy for your team, plus disclosure templates for proposals, client emails, chatbots, and signage. Construction-context language, not generic boilerplate.
Workflow Friction Report
Every manual, repetitive workflow we surfaced during the audit — ranked by hours/month, estimated dollar cost, and fixed-price quote to automate. The audit doubles as a paid discovery for automation work, if you want it.
Three credentials your IT vendor does not carry.
Networks and hardware are your IT vendor's craft. AI governance is a different discipline — with different credentials, different insurance, and different liability.
AI Governance Professional, issued by the IAPP — the recognized standard for AI governance practitioners. We carry it. Most IT firms do not.
Required to issue attestation letters that hold up. Standard IT E&O policies are starting to exclude AI advisory entirely. Our rider is explicit.
The Construction AI Risk Framework — our internal methodology, mapped to UAIPA, NIST AI RMF, and ISO 42001. Built for construction workflows specifically.
Four weeks. Fixed price. Scoped in writing.
Discovery to attestation in about four weeks. No T&M. No discovery sprint. The senior engineer on the project is the one writing the report.
Discovery Call
Twenty minutes. We map where your AI risk is concentrated and whether an audit is the right call. No quote until we know.
Day 1
Engagement & Inventory
Engagement letter signed. We interview leadership, operators, and field staff. We map every AI tool, every workflow, every disclosure gap.
Deposit dueWeek 1
Risk Assessment & Workpapers
We classify each AI use against UAIPA, NIST AI RMF, and ISO 42001. We build the workpapers that will support the attestation letter. Documented to audit standards.
Weeks 2–3
Attestation + Walkthrough
We deliver the four documents and walk leadership through the findings. The attestation letter is signed by the AIGP-certified principal. The Friction Report becomes your automation roadmap.
Week 4
Three tiers. Fixed price. Quoted at scope.
Discovery first, quote second. Every tier is one fixed price, scoped in writing before kickoff — we never quote without seeing the shape of your firm, and we tell you which tier you sit in, not the other way around.
Small GC · $20M–$50M revenue · <25 employees
- AI inventory + risk assessment
- UAIPA attestation letter
- Policy & disclosure templates
- Leadership briefing (1 hour)
Mid GC · $50M–$100M revenue · 25–100 employees
- Everything in Foundation
- Vendor risk reviews for top 5 AI tools
- Subcontractor AI risk template
- Team training session (1 session)
- Insurance carrier evidence pack
- Workflow Friction Report
Large GC · $100M+ revenue · 100+ employees
- Everything in Structural
- Multi-project risk assessment
- Custom CARF mapping to your stack
- Quarterly retainer included (year 1)
- DOPL incident response preparation
What we're asked most often.
Is UAIPA actually being enforced?
Yes. The Utah Division of Consumer Protection has authority under §13-2-5 to impose administrative penalties without court action, and the Attorney General can layer civil penalties on top under §13-11-17. Enforcement actions are public record. The first construction-specific case is a matter of when, not if.
What if our IT vendor says they cover this?
Ask them three things: Do they hold the AIGP credential? Do they carry AI-advisory E&O coverage? Have they proactively implemented enterprise AI tools (Copilot, ChatGPT Enterprise, Anthropic API) with no-training agreements and blocked public AI on company devices? If any answer is no, they have not caught up on AI governance — and an audit by an implementer is conflicted on its face.
We're a small firm. Do we still need this?
UAIPA applies to any business interacting with consumers via AI. There's no revenue carve-out. A 12-person GC running a website chatbot has the same disclosure obligation as a 1,200-person firm. The math gets worse for small firms — an aggregated penalty hurts a $5M firm far more than a $50M one.
Will my data leave my systems during the audit?
No. We interview, observe, and review documents in place. Nothing is hosted on our side. The audit itself is conducted under an engagement letter with confidentiality language and a documented AI-use disclosure — we apply the same standards we audit you against.
What does the attestation letter actually do?
It's a formal opinion letter, AIGP-signed, stating where your firm stood against UAIPA on the engagement date. Insurance carriers, GC subcontractor agreements, and government RFPs are starting to ask for documentation like this. It's also what you hand your attorney if a complaint ever lands.
Twenty minutes. No pitch.
We'll ask where your AI risk is concentrated, surface the workflows most exposed, and tell you whether the audit or an automation build is the right first move — before we quote anything.
team@confluxionpoint.com · (801) 931-7887