The Question on the Firm Floor
Knowing how to start an engineering consulting firm in 2026 still means forming an entity, putting a Professional Engineer in responsible charge, getting a Certificate of Authorization, and carrying professional liability insurance. It also now means answering a question your senior engineers are already asking each other in the hallway:
"Am I going to start getting in trouble for using ChatGPT on this?"
The people asking it aren't the skeptics. They're the power users — the senior, capable engineers who've quietly figured out that AI shaves hours off a spec, a calc package, a submittal narrative. They're asking because they don't know where the line is, and they suspect their principal doesn't either.
Most principals don't. The classic four-pillar startup checklist for an engineering firm is still real. It is no longer sufficient. Most firms have not answered the question their best engineers are already asking each other.
Here's the reframe — and the one-page, three-rule policy that covers most of the exposure.
The Five Pillars of Starting an Engineering Consulting Firm
An engineering consulting firm in 2026 stands on five pillars: a permitted business entity, a Professional Engineer in responsible charge, a state Certificate of Authorization, professional liability insurance, and an AI governance policy. The first four are well-documented across state boards, the NCEES, and decades of firm-formation guides. The fifth is where most firms are exposed.
| Pillar | What it is | Why it matters |
|---|---|---|
| 1. Entity | LLC, PC, LLP, or corporation, depending on what state law permits | Liability protection and tax structure |
| 2. PE in Responsible Charge | A licensed Professional Engineer signing for the firm's work | Required for the firm to legally perform engineering |
| 3. Certificate of Authorization | A state-issued, firm-level credential separate from individual licensure | Required in 34 states [1] before offering services |
| 4. Professional Liability (E&O) | Errors-and-omissions coverage at the firm level | Covers design defects, missed specs, client claims |
| 5. AI Governance Policy | A written, firm-level set of rules for how engineers may use AI on client work | NSPE has already ruled on professional responsibility for AI-generated work [2] |

Both are true: the old checklist still holds, and there is a fifth pillar most firms have not built yet. Pillars one through four first — fast, then we go deep on five.
Pillar 1 — Choose a Permitted Entity (And Yes, State Matters)
The first pillar is entity choice, and the catch is that state law dictates which structures an engineering firm is even allowed to use. California, for example, does not recognize engineering LLCs at all — the only entity options for an engineering firm there are sole proprietorship, partnership, limited liability partnership, or corporation [3].
Common options:
- LLC — flexible, common where permitted
- Professional Corporation (PC) — required in some states for licensed services
- Limited Liability Partnership (LLP) — common for multi-PE founders
- Corporation (C-corp or S-corp) — for firms anticipating outside investment
- Sole proprietorship — small, single-PE practices
Some states also restrict ownership and management to licensed professionals, or require a minimum share of equity to be PE-held [1]. State law, not founder preference, decides which entity an engineering firm is allowed to use. Action: confirm with your state engineering board before filing anything with the Secretary of State.
Entity formed. Now the credential that actually authorizes engineering work.
Pillars 2 and 3 — The PE and the Certificate of Authorization
A Professional Engineer must be in responsible charge of all engineering work the firm performs, and in 34 U.S. states the firm itself must hold a Certificate of Authorization issued by the state engineering board before it can offer services [1]. A PE license credentials the engineer. A Certificate of Authorization credentials the firm. Most states require both.
Most principals reading this have walked the PE path already; the part founders sometimes miss is the firm-level credential that comes after. The PE path itself, per NCEES [4]:
- Earn an ABET-accredited engineering degree
- Pass the Fundamentals of Engineering (FE) exam
- Complete approximately four years of qualifying experience under a licensed PE
- Pass the Principles and Practice of Engineering (PE) exam
- Apply to the state engineering board for licensure
The Certificate of Authorization is the part founders sometimes miss. It's a firm-level credential — separate paperwork, separate fees, separate renewal. In 34 states, an engineering firm cannot legally offer services until the state board issues a COA. Some states allow non-PE owners as long as a PE is named in responsible charge; others restrict ownership entirely. Harbor Compliance maintains a state-by-state matrix worth bookmarking [1].
NSPE's broader position is that the licensure standard — individual competence, accountability for stamped work — should extend to anyone designing or overseeing systems with direct impact on public safety [5]. That framing matters when we get to Pillar 5.
With the credentialing in place, the next pillar is the one your insurance broker calls about.
Pillar 4 — Professional Liability Insurance (And What It Now Asks About AI)
Professional liability insurance — also called errors & omissions, or E&O — is the fourth pillar, and underwriters in 2026 are increasingly asking about AI governance as part of the application and renewal process.
E&O covers firm-level errors in design, specifications, and engineering judgment. It's the policy that responds when a client alleges the firm's work caused a loss. It is not optional for any firm offering stamped engineering services.
What's new is the AI question on the application. Cyber and E&O carriers have started to require disclosure of AI usage policies, and the absence of governance can move premiums up or weaken claims response after an incident involving AI tools [6]. An AI policy is moving from optional governance hygiene to an underwriting question.
What underwriters are starting to ask:
- Does the firm have a written AI use policy?
- Are public-tier LLMs permitted on client work?
- Who reviews AI-assisted output before it leaves the firm?
- Are AI tools logged on stamped deliverables?
This is directional, not yet uniform. Different carriers ask different questions, and the language is changing quarter by quarter. But the trend line is clear enough that E&O underwriters are starting to factor documented AI governance into pricing and claim decisions. Which brings us to the pillar your peers have not built yet.
Pillar 5 — AI Governance (The Fifth Pillar Most Firms Haven't Built)
The fifth pillar is an AI governance policy — a written, firm-level set of rules for how engineers may use AI tools on client work — and it now sits beside entity, license, COA, and insurance because NSPE's Board of Ethical Review has already ruled that AI-generated engineering work carries the same professional responsibility as human-generated work [2].
This is the part most principals have not internalized. NSPE BER Case 24-2 is direct: AI-generated technical work requires at least the same level of scrutiny as human-created work, and "engineers must not affix their signatures to documents with subject matter in which they lack competence, nor to any plan or document not prepared under their direction and control." [2] Per NSPE, an engineer who stamps AI-generated work assumes the same professional responsibility as if they had produced it manually.
The confidentiality canon is just as direct. NSPE's ruling treats uploading client information into open-source AI interfaces as "placing the client's private information in the public domain without permission." [7] That is a confidentiality breach under the existing code — not a future ethical question. AI Can Make Words, But Not Meaning. The stamp is still the engineer's, and so is everything that travels with it.
The AEC adoption picture:
- 27% of architecture, engineering, and construction professionals report using AI in their operations [8]
- 94% of those AI-using firms plan to increase usage in 2026 [8]
- 79% of AEC AI users are using chatbots like ChatGPT [9]

The takeaway is uncomfortable. A minority of firms have policies because a minority of firms describe themselves as AI-using — but among the engineers actually doing the work, chatbots are already in the mix. NSPE's Position Statement goes further, arguing the licensure standard should extend to AI-system designers and overseers whose work touches public safety [5]. If you'd like a deeper read on how this fits into broader founder strategy, our piece on AI governance strategy for founder-led firms covers the operating model.
Shadow AI on the Firm Floor
Shadow AI is what happens when employees use AI tools on the job without firm authorization — and the data says it is already happening inside firms whose principals believe "we don't really use AI here." Saying "we don't use AI here" is not a policy. It's a guess about other people's behavior.
The signal: 38% of employees acknowledge sharing sensitive work information with AI tools without employer permission, per industry research compiled by Netwrix [10]. And these are not the skeptics — they are the most curious, most productivity-pressed people on the team.
Picture it concretely: a junior engineer pastes a client's drawing set into ChatGPT to "speed up" a spec writeup the night before a submittal. No malice. No bad intent. Per NSPE's confidentiality canon, that drawing is now in the public domain. [7]
The Samsung analog is the closest cautionary tale we have on record — three Samsung semiconductor engineers leaked proprietary data by pasting source code, meeting transcripts, and chip yield sequences into ChatGPT within a single month [10]. Different industry, same mechanism. Just because it's easy doesn't mean it's good. Insurers are watching this pattern, and the AI decision framework for founders is more useful here than a panic memo.
Which raises the practical question: what does a workable policy actually contain?
The One-Page AI Policy: Three Rules That Cover 80% of Exposure
A workable AI policy for a small or mid-sized engineering firm is one page, not thirty, and three rules cover roughly 80% of the practical exposure. This is a Dan Cumberland Labs editorial position, anchored to NSPE's ethics canon and PSMJ's call that AEC firms need a written policy governing how AI is used and supervised [11]. It is a starting point, not a substitute for SME or counsel review.
- No client, project, or proprietary data may be entered into public-tier LLM interfaces. Public-tier means free or consumer ChatGPT, Claude, Gemini, etc. — interfaces where prompts may be retained for training. This anchors directly to NSPE's confidentiality canon [7].
- The PE of record reviews any AI-assisted output before applying their stamp. Reviews, not skims. This is the NSPE competence-and-responsibility canon translated into a workflow rule [2]. The stamp is still the engineer's. The policy is what makes that real.
- The firm maintains a log of which AI tools were used on stamped work. A simple project-level field — "AI tools used: [tool name + tier]" — supports E&O documentation, supports incident response, and supports the underwriter conversation when it comes.
For larger firms or firms working on regulated public-safety projects, a fourth rule is worth adding: enterprise-tier accounts only, where contracts explicitly prohibit prompt retention and model training on firm data.
A workable AI policy for a mid-sized engineering firm is one page. Three rules cover most of the exposure. Three rules don't write themselves into a firm. Implementation is the next conversation.
Implementation — Turning a Policy Into a Practice
A policy on a server matters less than a practice on the floor, so implementation means three quick moves: socialize the policy with the senior engineers first, give the team a sanctioned tool option, and revisit the policy quarterly as both AI capabilities and underwriter expectations move [6].
- Socialize with the power users first. The senior engineers who are already using AI will either champion the policy or quietly ignore it. Bring them in. PSMJ's line on this is plain — firms need an organizational policy and supervised use [11]. Asking the power users to help shape the rules turns them into compliance allies.
- Give a sanctioned tool path. A blanket ban with no alternative pushes use further into the shadows. An enterprise-tier account, an internal RAG setup, or a vetted vendor list gives engineers somewhere to go. This is also where building an AI culture across the team starts to matter.
- Quarterly review cadence. Both the tools and the underwriting questions are moving. A quarterly fifteen-minute review keeps the policy alive instead of stale.
If sorting out the right AI policy and the right sanctioned tool stack for a firm of your size feels like one more thing on the principal's desk, that's the kind of mapping work Dan Cumberland Labs does with founder-led firms — peer-to-peer, not a 90-day engagement nobody asked for. A fractional AI officer arrangement is one way firms have brought this work in without adding a permanent seat.
FAQ
Quick answers to the questions principals and senior engineers ask most often when starting or running an engineering consulting firm in 2026.
Do I need a PE license to start an engineering consulting firm?
A Professional Engineer must be in responsible charge of all engineering work the firm performs. Many states allow non-PE ownership as long as a PE is named in that role; ownership rules vary state by state [1].
What is a Certificate of Authorization?
A Certificate of Authorization is a state-issued license that authorizes a business entity — not an individual — to offer engineering services. It is required in 34 U.S. states and is separate from individual PE licensure [1].
Can my engineers use ChatGPT on client work?
Only with controls. Per NSPE's Board of Ethical Review, the engineer who stamps AI-assisted work assumes full professional responsibility, and uploading client information into public AI tools is treated as placing private information in the public domain [2][7].
What should an AEC firm's AI policy cover?
At minimum: no client or proprietary data into public LLMs; the PE of record verifies any AI-assisted output before stamping; and the firm logs which AI tools were used on stamped work [2][11].
Does professional liability insurance cover AI errors?
Coverage is evolving. Cyber and E&O underwriters are increasingly asking about documented AI governance as part of pricing and claims decisions, so the absence of a written policy is becoming a coverage variable [6].
Don't Be the First Case
The classic four pillars of starting an engineering consulting firm — entity, PE, COA, insurance — still hold. The fifth one, AI governance, is the pillar most firms have not built and the one their best engineers are already standing on without authorization. Both are true. All of it matters.
The first AEC liability case involving AI hasn't been written. It is being underwritten right now. Write the one-pager this week. And if you're a founder running a professional services firm, make it the next thing on the calendar, not the next thing on the list.
References
1. Harbor Compliance, "Engineering Firm License Requirements (50-State Guide)" (2025) — https://www.harborcompliance.com/engineering-firm-license-certificate-of-authorization
2. National Society of Professional Engineers, "Use of Artificial Intelligence in Engineering Practice (BER Case 24-2)" (2024) — https://www.nspe.org/career-growth/ethics/board-ethical-review-cases/use-artificial-intelligence-engineering-practice
3. Wolters Kluwer, "Engineering firm business licensing and other legal requirements" (2024) — https://www.wolterskluwer.com/en/expert-insights/engineering-firm-business-licensing-and-other-legal-requirements
4. NCEES, "Licensure" (2025) — https://ncees.org/licensure/
5. National Society of Professional Engineers, "Artificial Intelligence — Position Statement" (2024) — https://www.nspe.org/nspe-advocacy/explore-issues/professional-policies-and-position-statements/artificial-intelligence
6. Vouch, "The Liability Risks of Shadow AI Tools in the Workplace" (2025) — https://www.vouch.us/blog/shadow-ai-workplace-liability-risks
7. National Society of Professional Engineers, "Use of Artificial Intelligence in Engineering Practice (BER Case 24-2)" — confidentiality canon (2024) — https://www.nspe.org/career-growth/ethics/board-ethical-review-cases/use-artificial-intelligence-engineering-practice
8. American Society of Civil Engineers, "Architecture, engineering, construction sector slow to adopt AI, survey shows" (2025-12-18) — https://www.asce.org/publications-and-news/civil-engineering-source/article/2025/12/18/architecture-engineering-construction-sector-slow-to-adapt-ai-survey-shows
9. Chaos, "The state of AI in architecture: how AI is reshaping architectural design & visualization in 2026" (2026) — https://blog.chaos.com/the-state-of-ai-in-architecture-survey-insights
10. Netwrix, "12 Critical Shadow AI Security Risks Your Organization Needs to Monitor in 2026" (2026) — https://netwrix.com/en/resources/blog/shadow-ai-security-risks/
11. PSMJ Resources, "Establish a Solid AI Policy. Ensure Your People Aren't Putting Your Firm at Risk." (2024) — https://go.psmj.com/blog/establish-a-solid-a.i.-policy.-ensure-your-people-arent-putting-your-firm-at-risk