For Utah contractors carrying the AI risk
AI is already in your business. Utah law just made you liable for it.
A fixed-price AI audit and UAIPA attestation for construction firms. We inventory every AI tool — the ones you bought and the ones your team brought — map your exposure under Utah Code §13-72, and issue the attestation letter your insurance carrier will start asking for.
Twenty minutes. We'll tell you whether an audit makes sense for your firm before we quote it.
Why this matters now
UAIPA is law. Quietly active. For two years.
The Utah Artificial Intelligence Policy Act has been in force since May 1, 2024 — and amended May 7, 2025. Construction contractors are explicitly named as a regulated occupation. The defense “the AI did it” has been codified out of existence.
Penalty · §13-2-5
$2,500
Per violation. Administrative penalty, imposed by the Utah Division of Consumer Protection — no court action required.
Penalty · §13-11-17
$5,000
Per violation. Attorney General civil penalty for knowing violations — imposed in addition to the administrative one.
What compounds
DOPL + E&O + bonding
License review, E&O coverage denial, bonding capacity loss, federal contract disqualification, public listing of enforcement actions.
Sources: Utah Code §13-72 (UAIPA), §13-2-5, §13-11-17. Verify current penalty schedule at le.utah.gov.
What we audit for
Five mistakes we see every week.
Not theoretical risks. Patterns we've seen inside real Utah construction offices in the last twelve months. The audit names yours, specifically.
Mistake 01
AI-drafted bids signed as professional analysis
Estimators using ChatGPT to draft proposals — then signing them as professional analysis. The client asks “did AI write any of this?” The contractor says no. That single answer is the violation.
Mistake 02
AI giving legal advice to your clients
Lien rights, warranty terms, contract questions answered by a chatbot or copilot. Called out by name in the 2025 UAIPA amendments as a high-risk interaction.
Mistake 03
Safety reports drafted by AI, submitted as human-authored
Health and safety is a high-risk category under UAIPA — stricter rules, stiffer penalties. OSHA exposure compounds the state-level liability.
Mistake 04
Confidential data uploaded to public AI tools
Client financials, plans, sub bids, employee data. Most 2026 E&O policies now contain specific exclusions for this scenario — so the breach isn't covered and it's a UAIPA violation.
Mistake 05
AI customer service without disclosure
The chatbot on your website. The auto-responder on your phones. Every consumer-facing AI interaction without a disclosure is a counted violation — and under Moffatt v. Air Canada, the company is bound by what its chatbot says.
The bigger problem
The AI you bought is a problem when it's used wrong. The AI your employees brought is a problem the moment it exists.
The estimator pasting takeoffs into a personal ChatGPT. The PM dumping a signed contract into Claude. The super running site walks through a personal Otter account. The bookkeeper uploading QuickBooks exports for “a quick chart.” None of these run through corporate IT. All of them are happening right now in firms your size.
55%
Salesforce 2024
of workers use unauthorized AI tools at work
11%
Cyberhaven 2024
of data pasted into ChatGPT is confidential corporate data
78%
Microsoft 2024
of AI users bring their own AI tools to work
$670K
IBM 2024
added per-breach cost when shadow AI is involved
What you walk out with
Four documents. All yours.
Fixed-price engagement, scoped before kickoff. Discovery to delivery in about four weeks. You own everything we produce — including the attestation letter and the friction report.
Document 1
Written AI Risk Report
Named-and-numbered audit findings on every AI workflow we surface — the tools you bought, the tools they brought, and the dollar cost we estimate against each risk. Cited to your specific workflows.
Document 2
UAIPA Compliance Attestation Letter
A formal attestation letter, AIGP-signed, stating where you stand against Utah Code §13-72 as of the engagement date. The document your insurance carrier will start asking for. Backed by our AI-advisory E&O.
Document 3
AI Use Policy + Disclosure Pack
A drop-in AI use policy for your team, plus disclosure templates for proposals, client emails, chatbots, and signage. Construction-context language, not generic boilerplate.
Document 4
Workflow Friction Report
Every manual, repetitive workflow we surfaced during the audit — ranked by hours/month, estimated dollar cost, and fixed-price quote to automate. The audit doubles as a paid discovery for automation work, if you want it.
Why us, not your IT vendor
Three credentials your IT vendor does not carry.
Networks and hardware are your IT vendor's craft. AI governance is a different discipline — with different credentials, different insurance, and different liability.
Credential
AIGP
AI Governance Professional, issued by the IAPP — the recognized standard for AI governance practitioners. We carry it. Most IT firms do not.
Insurance
AI-Advisory E&O
Required to issue attestation letters that hold up. Standard IT E&O policies are starting to exclude AI advisory entirely. Our rider is explicit.
Framework
CARF
The Construction AI Risk Framework — our internal methodology, mapped to UAIPA, NIST AI RMF, and ISO 42001. Built for construction workflows specifically.
The process
Four weeks. Fixed price. Scoped in writing.
Discovery to attestation in about four weeks. No T&M. No discovery sprint. The senior engineer on the project is the one writing the report.
Stage 1
Discovery Call
Twenty minutes. We map where your AI risk is concentrated and whether an audit is the right call. No quote until we know.
Day 1
Stage 2
Engagement & Inventory
Engagement letter signed. We interview leadership, operators, and field staff. We map every AI tool, every workflow, every disclosure gap.
Deposit due
Week 1
Stage 3
Risk Assessment & Workpapers
We classify each AI use against UAIPA, NIST AI RMF, and ISO 42001. We build the workpapers that will support the attestation letter. Documented to audit standards.
Weeks 2–3
Stage 4
Attestation + Walkthrough
We deliver the four documents and walk leadership through the findings. The attestation letter is signed by the AIGP-certified principal. The Friction Report becomes your automation roadmap.
Week 4
Pricing
Three tiers. Fixed price. Quoted at scope.
Discovery first, quote second. We never quote without seeing the shape of your firm — and we tell you which tier you sit in, not the other way around.
Foundation
$15,000
Small GC · under $10M revenue · <25 employees
- AI inventory + risk assessment
- UAIPA attestation letter
- Policy & disclosure templates
- Leadership briefing (1 hour)
Structural
$25,000
Mid GC · $10–50M revenue · 25–100 employees
- Everything in Foundation
- Vendor risk reviews for top 5 AI tools
- Subcontractor AI risk template
- Team training session (1 session)
- Insurance carrier evidence pack
- Workflow Friction Report
Enterprise
From $50,000
Large GC · $50M+ revenue · 100+ employees
- Everything in Structural
- Multi-project risk assessment
- Custom CARF mapping to your stack
- Quarterly retainer included (year 1)
- DOPL incident response preparation
Common questions
What we're asked most often.
Is UAIPA actually being enforced?
Yes. The Utah Division of Consumer Protection has authority under §13-2-5 to impose administrative penalties without court action, and the Attorney General can layer civil penalties on top under §13-11-17. Enforcement actions are public record. The first construction-specific case is a matter of when, not if.
What if our IT vendor says they cover this?
Ask them three things: Do they hold the AIGP credential? Do they carry AI-advisory E&O coverage? Have they proactively implemented enterprise AI tools (Copilot, ChatGPT Enterprise, Anthropic API) with no-training agreements and blocked public AI on company devices? If any answer is no, they have not caught up on AI governance — and an audit by an implementer is conflicted on its face.
We're a small firm. Do we still need this?
UAIPA applies to any business interacting with consumers via AI. There's no revenue carve-out. A 12-person GC running a website chatbot has the same disclosure obligation as a 1,200-person firm. The math gets worse for small firms — one $30,000 penalty hurts a $5M firm more than a $50M one.
Will my data leave my systems during the audit?
No. We interview, observe, and review documents in place. Nothing is hosted on our side. The audit itself is conducted under an engagement letter with confidentiality language and a documented AI-use disclosure — we apply the same standards we audit you against.
What does the attestation letter actually do?
It's a formal opinion letter, AIGP-signed, stating where your firm stood against UAIPA on the engagement date. Insurance carriers, GC subcontractor agreements, and government RFPs are starting to ask for documentation like this. It's also what you hand your attorney if a complaint ever lands.
Book the audit call
Twenty minutes. No pitch.
We'll ask where your AI risk is concentrated, surface the workflows most exposed, and tell you whether an audit makes sense before we quote it.
team@confluxionpoint.com · (801) 931-7887