Why Australian Law Firms Are Ahead of the U.S. on AI Governance — and What American Firms Can Actually Steal From Them

American law firms spent much of 2024 and 2025 arguing about whether generative AI was a billing problem, a malpractice problem, or someone else's problem entirely. Meanwhile, Australian firms quietly built governance infrastructure that actually works. The gap is now wide enough to be embarrassing — and instructive.

This isn't a story about technology adoption rates. It's a story about institutional seriousness. Australian firms moved faster on AI governance not because they had better tools, but because they had better frameworks to build from. U.S. managing partners and legal ops leads should stop treating this as a curiosity and start treating it as a playbook.

The Foundation Australia Already Had

The speed advantage starts with existing law. The Privacy Act 1988, substantially strengthened through the 2022 Privacy Legislation Amendment, created specific accountability obligations around automated decision-making that American firms — operating under a patchwork of state privacy statutes and no federal equivalent — simply don't face at the same level. When your baseline compliance infrastructure already requires you to document how systems process personal information and make consequential decisions, building an AI governance layer on top is an extension of existing practice, not a reinvention.

The Australian Privacy Principles, specifically APP 1 (open and transparent management of personal information) and APP 12 (access to information), created a documentation culture that translated directly into AI audit trails. U.S. firms operating under CCPA in California or the new Texas and Virginia frameworks face weaker, more fragmented obligations — and the documentation habits reflect that.

Professional conduct rules mattered too. The Law Council of Australia's Australian Solicitors' Conduct Rules emphasize supervision obligations in ways that mapped cleanly onto AI output review requirements. When the Law Council released its AI guidance in late 2023 — well before most U.S. state bars had done anything meaningful — it wasn't writing from scratch. It was codifying practices that existing rules already implied.

What Herbert Smith Freehills and Allens Actually Built

Herbert Smith Freehills deserves specific credit for moving first and moving seriously. By mid-2024, HSF had implemented a tiered AI governance structure that distinguishes between three categories of AI use: administrative (drafting internal communications, scheduling, research summarization), supervised legal work (first-draft pleadings, contract analysis, due diligence output), and high-stakes advisory (AI-assisted analysis informing substantive client advice). Each tier carries different sign-off requirements, different disclosure obligations, and different documentation standards.

That tiering framework is the single most stealable piece of architecture in this entire story. It resolves the false binary that still dominates U.S. firm conversations — "AI-assisted or not AI-assisted" — and replaces it with a risk-proportionate system that lawyers actually understand and can apply.

Allens went further on the oversight committee side. Their AI Governance Committee includes the Chief Risk Officer, the Managing Partner of Knowledge & Innovation, a rotating senior associate representative, and — critically — an external privacy advisor. The external seat matters. It's the structural acknowledgment that firms have conflicts of interest when self-assessing their own AI use, particularly when that use is generating efficiency gains that feed directly into profitability. Most U.S. firms that have formed AI committees have staffed them entirely internally, which produces governance that is better described as governance theater.

Allens also built client disclosure language into its engagement letters by the first quarter of 2025. The language is neither apologetic nor buried. It specifies that AI tools may be used in matter delivery, identifies the categories of tools approved for use, and confirms that lawyer review requirements apply to all AI-assisted work product. Clients can opt out of specific tool categories. This is not a disclaimer. It is a disclosure protocol — and the distinction matters enormously when you're thinking about informed consent and future liability.

The U.S. Approach, Charitably Described

The American Bar Association's 2024 guidance on AI — Formal Opinion 512 — is thoughtful and largely correct. It is also effectively unenforceable and has produced almost no observable standardization at the firm level. State bars have moved at wildly different speeds. The New York City Bar's AI task force has done serious work. Most state bars have produced webinars.

At the firm level, the pattern is depressingly consistent: a technology committee reviews AI tools, a handful of approved tools get listed in an internal FAQ, associates are told to "use judgment," and the firm's professional liability insurer quietly adjusts its questionnaire. That is not governance. That is managed ambiguity.

The firms that have done real work — Cleary Gottlieb's documented AI review protocols, Orrick's investment in legal AI infrastructure — are exceptions notable precisely because they're exceptions.

What to Steal, Specifically

Managing partners and legal ops leads, here is your actionable list.

Take the tiered use framework. Classify every AI use case your firm has today into administrative, supervised legal, and high-stakes advisory categories. Build different approval and documentation requirements for each. This can be done in 90 days.

Build an oversight committee with an external seat. It does not have to be permanent. Bring in outside privacy counsel or a legal technology ethicist on a consulting basis for quarterly reviews. The external voice changes the conversation.

Adopt disclosure language in engagement letters now. Don't wait for your state bar to tell you what to say. The Allens model — specific, affirmative, opt-out capable — is available to adapt. Your clients are already asking about AI. Meet them with a protocol, not a conversation.

Create an audit trail requirement for supervised and high-stakes AI work. Document which tool generated which output, who reviewed it, and what modifications were made. This is table stakes for malpractice defense in five years.

The Conclusion Worth Sitting With

Australian firms aren't smarter. They had better conditions for moving fast — stronger privacy law, coherent professional conduct rules, and a regulatory culture that treats documentation as discipline rather than burden. Those conditions produced governance frameworks that U.S. firms are now two years behind on.

The good news is that frameworks, unlike culture, can be imported. The tiered structure, the committee design, the disclosure language — none of it requires legislation. It requires a managing partner who decides that "we'll figure it out as we go" is no longer a defensible position.

You have the playbook. The question is whether you're serious enough to use it.