Vol. III · No. 128 Independent LegalTech Analysis Wednesday, June 17, 2026

The Legal Stack

Analysis · Legal Operations / AI Governance

Why Legal Departments Are Building Internal AI Playbooks — and Why Most of Them Are Already Outdated

There's a document sitting in a SharePoint folder somewhere at your organization. It was drafted in late 2024, reviewed by outside counsel, approved by the GC, and announced at an all-hands as evidence that the legal department was taking AI seriously. It covers ChatGPT. It says something vague about not inputting confidential client information into "public AI tools." It probably has a definition of "generative AI" that was already incomplete when it was written.

That document is now a liability.


The Gap Between Tool Velocity and Policy Velocity

Legal AI adoption moved fast in 2024 and 2025. Firms and in-house teams deployed everything from Harvey and CoCounsel to custom GPT wrappers built on Azure OpenAI. Many legal departments, to their credit, didn't just buy tools — they wrote policies. They established acceptable use standards, created tiered approval processes, and designated AI liaisons. That was the right instinct.

The problem is that most of those policies were written for a specific technological moment that no longer exists.

In 2024, the primary concern was single-turn text generation: a lawyer drafts a summary, runs it through a model, and checks the output. The governance frameworks built for that workflow don't translate cleanly to what's actually running in legal departments today. Multimodal models now analyze contract images, flagging handwritten amendments in scanned deal documents. Agent-based workflows — where AI systems autonomously execute multi-step tasks like pulling from a contract repository, cross-referencing a regulatory database, and drafting a variance memo — are live in production at companies like Spotify, Airbnb, and major financial institutions' legal ops teams.

None of that is in your 2024 playbook.


The Vendor Integration Problem Is Worse Than You Think

Here's what doesn't get enough attention: the third-party vendor landscape has changed materially since most policies were written, and legal departments haven't kept up with those changes contractually or operationally.

When a legal team approved a workflow tool in early 2025, that tool may have since updated its underlying model, changed its data retention practices, added a subprocessor in a new jurisdiction, or enabled a new agentic feature by default. Many enterprise agreements include terms that allow vendors to update their AI features without explicit customer notification. Under the EU AI Act, which began phasing in enforcement in 2025, some of those undisclosed changes could implicate your organization's own compliance posture — particularly for legal teams operating in regulated industries where the Act's high-risk AI provisions apply.

If your playbook doesn't include a vendor change management process — a mechanism for reviewing material updates to approved AI tools — you're not governing AI. You're governing a snapshot of AI.


What a Living Playbook Actually Looks Like

The organizations getting this right share a few structural characteristics that distinguish their approach from a static compliance document.

First, they separate principles from procedures. The principles — confidentiality, accuracy, human oversight, auditability — are durable. The procedures — which tools are approved, under what conditions, with what output review requirements — are versioned and dated. Atlassian's internal AI governance framework, which has been discussed in legal ops circles, reportedly treats tool-specific guidance as living annexes rather than embedding them in the core policy document. That architecture matters because it allows the core to remain stable while the operational layer gets updated quarterly.

Second, they assign explicit ownership with teeth. A policy without an owner is a wish. The legal departments that have functioning AI governance have named a specific person — usually a legal ops director or deputy GC — who is accountable for the quarterly review cycle. Not a committee. Not "legal and compliance jointly." One person whose performance review includes AI governance hygiene.

Third, they treat enforcement as a design problem, not a culture problem. When a lawyer uses an unapproved AI tool, the failure isn't usually defiance — it's friction. If the approved pathway is slower or more cumbersome than the alternative, the policy will be circumvented. Effective playbooks include workflow design: making the compliant path the easy path, with access controls and procurement gates that remove shadow AI adoption as a practical option.


The Organizational Failure Modes in Plain Terms

Let's be direct about what's actually happening in most legal departments right now.

Ownership is diffuse. When AI policy straddles legal, IT, compliance, and procurement, updates require cross-functional alignment that moves at the speed of the slowest stakeholder. Policies go 18 months without revision not because anyone decided they were adequate, but because nobody had clear authority to pull them off the shelf and change them.

Review cadences are wishful. A policy that says "reviewed annually" in a footnote is a policy that will be reviewed when something goes wrong. A discovery dispute over an AI-assisted document review, a privilege waiver argument involving automated legal research output, a regulatory inquiry into an algorithmic decision — these are the forcing functions that drive most policy updates. That's too late.

Enforcement is invisible. If no one tracks whether the approved tool list is being followed, and there's no reporting mechanism for AI-related incidents, the policy exists to signal seriousness rather than create it. The SEC's 2024 enforcement actions against firms that had inadequate AI oversight disclosures — despite having written policies — illustrate that documented governance without operational governance is not a defense.


Build It to Break and Fix Easily

The goal of an AI playbook in 2026 isn't comprehensiveness. Comprehensiveness is impossible when the tools evolve faster than editorial cycles. The goal is responsiveness: a document architecture that allows rapid, accountable updates; an ownership structure that doesn't require a steering committee to change an approved vendor list; and a review trigger system that responds to vendor changes, model updates, and regulatory developments — not just the calendar.

Your 2024 policy was a starting point. Treat it as one.