Building an AI Policy for Your Law Firm: A Practical Template
Most law firm AI policies I've reviewed fall into one of two categories: a three-paragraph memo that says "use AI carefully," or a 40-page document that nobody reads past the table of contents. Neither protects your clients, your attorneys, or your firm. What follows is a working framework — opinionated, specific, and immediately deployable.
The urgency here is real. The ABA's Formal Opinion 512 (2024) made clear that competent use of generative AI is now an ethical obligation, not a bonus skill. State bars from California to Florida are issuing their own guidance. Courts such as Judge P. Kevin Castel's in Mata v. Avianca, where attorneys cited ChatGPT-hallucinated cases, have made the consequences of negligent AI use brutally public. Your policy needs to exist before the incident, not after.
Section 1: Acceptable Use — Draw Hard Lines
Start with what attorneys can do with AI tools, then define the perimeter firmly. Acceptable uses typically include drafting and editing correspondence, summarizing long documents, generating research starting points, and creating first drafts of routine motions or contracts.
What deserves an explicit prohibition: submitting any AI-generated content to a court or client without human verification, inputting client-identifying information into non-approved consumer tools (more on this below), and using AI for final legal conclusions without attorney review.
Your policy should name the approved platforms specifically. Vague language like "use appropriate tools" creates drift. If your firm has licensed Thomson Reuters' CoCounsel Legal, Harvey, or a Microsoft 365 Copilot enterprise deployment, list them. If an attorney wants to use something not on the list, there's an approval process — not a free pass.
Section 2: Confidentiality Is Non-Negotiable
This is where most firms get into trouble fastest. Under Model Rule 1.6, attorneys have a duty to make reasonable efforts to prevent the unauthorized disclosure of client information. Entering a client's name, matter details, or privileged communications into a consumer-facing AI tool — one that may use inputs for model training — is a potential Rule 1.6 violation.
Your policy must require that attorneys only input client data into tools operating under a signed Data Processing Agreement (DPA) that explicitly prohibits training on firm data. OpenAI, Google, and Microsoft all offer enterprise tiers with these protections. The free or standard tiers of these products generally do not carry sufficient protections for confidential client information.
Consider also addressing metadata. A file uploaded to an AI tool for summarization carries document metadata. Your policy should address whether documents need to be sanitized before upload and designate who makes that call.
One workable rule: treat any non-enterprise AI tool the same way you'd treat a non-encrypted email. You wouldn't send privileged communications over it. Don't feed client data into it.
Section 3: Verification Is the Attorney's Responsibility
The hallucination problem isn't going away. Large language models confidently produce false citations, invent statutes, and summarize cases in ways that invert their holdings. Your policy needs to treat verification not as a suggestion but as a mandatory workflow step.
Require attorneys to independently verify every case citation, statute reference, and factual claim generated by AI before it appears in any client-facing or court-filed document. "I relied on the AI" is not a defense — and courts are making that explicit. In addition to Mata v. Avianca, judges in the Southern District of New York and the Northern District of California have issued show-cause orders and monetary sanctions in similar situations.
Build the verification step into your workflow documentation. Some firms are using checklists attached to matter files. Others require a verification notation in the document history. Either approach works, but passive reliance on attorney memory does not.
Section 4: Client Disclosure — Get Ahead of It
Whether attorneys must disclose AI use to clients remains jurisdiction-specific, but the trend is clearly toward more disclosure, not less. Several state bars have signaled that material AI use in representation may require informed consent. Even where it isn't yet required, the better practice is transparency.
Your policy should establish a default disclosure standard: if AI tools contributed materially to work product billed to a client, the engagement letter or a matter-specific notice should reflect that. Draft standard language for engagement letters now. Something like: "The firm may use AI-assisted tools as part of document drafting, research, and review processes. All work product is reviewed and approved by licensed attorneys before delivery."
Some clients — particularly in financial services, healthcare, and government sectors — will have their own AI use restrictions in outside counsel guidelines. Your intake process should flag this and your policy should require compliance with client-imposed restrictions, full stop.
Section 5: Training Is Mandatory, Not Optional
A policy without training is a liability document. Every attorney and paralegal who uses AI tools needs baseline competency in three areas: how the tools work (at a functional level), what the firm's specific protocols require, and how to identify AI output that needs deeper scrutiny.
Build a training requirement into your policy: annual completion at minimum, with new-hire onboarding before AI tool access is granted. Track completion. If a sanctions situation arises and you can demonstrate that your firm trained attorneys and had written protocols, you're in a materially better position than the firm that didn't.
The Bottom Line
An AI policy isn't a bureaucratic formality — it's how your firm demonstrates that it takes competence seriously in the era of generative AI. The framework above isn't exhaustive, but it covers the ground where liability actually accumulates: inappropriate data sharing, unverified citations, inadequate disclosure, and undertrained staff.
Draft it now. Review it quarterly. The tools are changing faster than the rules, which means your policy will need to keep up. Start with a living document, not a laminated one.