CYBERFRAD

Guide / June 2026

AI Policy for Law Firms: What You Must Cover

Most solo and small-firm attorneys using AI have no written governance at all. This guide covers what a defensible AI use policy must include — and gives you a template skeleton to adapt with your own counsel.

01 / Why a written policy matters

The regulatory backdrop

ABA Formal Opinion 512, issued in July 2024, addressed lawyers' use of generative AI directly. It confirmed that existing duties, including competence (Rule 1.1), confidentiality (Rule 1.6), communication with clients (Rule 1.4), and supervision (Rules 5.1 and 5.3), apply when attorneys use AI tools on client matters. State bars have issued their own guidance as well, some of it predating Opinion 512; some require specific disclosures, others flag particular categories of risk.

A written AI use policy does two things. It forces you to think through the decisions you have probably been making implicitly (which tools, for what, with what data). And it creates a record demonstrating that your AI use is governed rather than ad hoc — which matters if a client complaint or disciplinary inquiry ever arises.

The policy does not need to be long. A focused one-to-two page document covering the elements below is more useful than a 20-page document nobody reads.

02 / The six elements a policy must cover

What belongs in the policy

01

Approved tools list

Name every AI tool the firm uses and the specific tier or plan (consumer vs. enterprise). For each tool, state the permitted uses (e.g., "drafting, not client data input") and the prohibited uses. An unapproved tool is one not on the list — the policy should state that using an unapproved tool on client matters is prohibited without prior written authorization from the responsible attorney.

02

Client data classification

Define what counts as client data for purposes of this policy. At a minimum: any information that would identify a client or their matter, any facts related to a client's legal situation, and any work product developed for a specific client. Specify which AI tools may not receive client data at all (consumer-tier tools without a data processing agreement) versus which may receive it under what conditions (enterprise tools with DPA in place).

03

Confidentiality rules for AI use

State explicitly: no client-identifying information may be entered into a consumer-tier AI tool. No client matter details may be entered into any tool until that tool's data handling (retention, whether prompts are used for training, subprocessors, and the contract terms that govern them) has been reviewed and approved. If prompts must be anonymized before use, describe what anonymization requires: which identifiers are removed, who checks, and how. Acknowledge that anonymization reduces but does not eliminate the risk, because a sufficiently specific fact pattern can identify the client with every name removed.
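As an added illustration (not part of the original guide), the following Python script shows what an enforceable anonymization step looks like and, just as importantly, where it stops helping. It strips client-roster names, matter numbers, and common identifier formats from a prompt before the prompt may go to an approved tool, and reports what it found so the responsible attorney can decide whether to send at all. The client roster, matter numbers, contact details, and sample prompt are constructed and fictional. Watch what survives: the last sentence of the sample prompt still describes a unique local event that anyone nearby could tie to the client, which is exactly the residual risk the rule above warns about.

```python
"""Pre-submission redaction gate for AI prompts.

Added example, not part of the guide. Strips client-roster names, matter
numbers and common identifier formats from a prompt and reports what it
found. The roster and sample prompt below are constructed and fictional.
"""
import re
from dataclasses import dataclass, field

# Constructed roster; a real firm would load this from its matter system.
CLIENT_ROSTER = {
    "Halvorsen Marine LLC": "2024-CV-0413",
    "Priya Anand": "FAM-23-1187",
}

# Generic identifier formats. These match shapes, not facts: a unique
# fact pattern ("the only boatyard in X whose dock collapsed") has no regex.
PATTERNS = {
    "docket": re.compile(r"\b(?:\d{4}-[A-Z]{2}-\d{4}|[A-Z]{3}-\d{2}-\d{4})\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


@dataclass
class RedactionResult:
    text: str                                     # prompt with placeholders
    findings: list = field(default_factory=list)  # (kind, original text)

    @property
    def clean(self) -> bool:
        """True when nothing recognisable was found. False must block the
        prompt; True does not mean it is safe, only that no known identifier
        shape or roster entry appeared."""
        return not self.findings


def redact(prompt: str, roster: dict = CLIENT_ROSTER) -> RedactionResult:
    """Replace roster entries and identifier formats with placeholders."""
    findings = []
    text = prompt
    # Roster names and matter numbers first, longest name first so that a
    # shorter name contained in a longer one does not leave fragments.
    for name, matter in sorted(roster.items(), key=lambda kv: -len(kv[0])):
        for token, kind in ((name, "client"), (matter, "matter")):
            pat = re.compile(re.escape(token), re.IGNORECASE)
            if pat.search(text):
                findings.append((kind, token))
                text = pat.sub(f"[{kind.upper()}]", text)
    # Then generic formats (SSNs, phones, emails, unlisted docket numbers).
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            findings.append((kind, m.group(0)))
        text = pat.sub(f"[{kind.upper()}]", text)
    return RedactionResult(text, findings)


# Constructed sample prompt (fictional client, matter, contact details).
SAMPLE_PROMPT = (
    "Draft a demand letter for Halvorsen Marine LLC (No. 2024-CV-0413). "
    "Contact is p.anand@example.com, 555-201-7788. Their facility is the "
    "only boatyard in Port Edlin whose dry dock collapsed in the March storm."
)


def demo() -> RedactionResult:
    """Run the gate over the sample prompt and print what a reviewer sees."""
    result = redact(SAMPLE_PROMPT)
    for kind, original in result.findings:
        print(f"redacted {kind:7s} {original}")
    print("\nprompt after redaction:\n" + result.text)
    if not result.clean:
        print("\nBLOCK: identifiers found; attorney review required before sending.")
    return result


if __name__ == "__main__":
    demo()
```

Run it as a script to see the four hits and the redacted prompt. The placeholders cover the name, matter number, e-mail, and phone, and the gate reports the prompt as not clean, but the "only boatyard in Port Edlin" sentence passes through untouched. A pattern-based scrubber can enforce the "no identifiers" rule; it cannot enforce the "no re-identifying facts" rule, which is why the policy still needs a human reviewer and a flat prohibition on consumer-tier tools.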

04

Verification requirements for AI-generated work product

This is the malpractice layer. Any citation, case name, statute reference, or factual assertion generated by AI must be independently verified against primary sources before it goes into work product delivered to a client or filed with a court. The policy should name who is responsible for verification and what it consists of: not "check it" but "pull each cited authority in Westlaw or Lexis, confirm it says what the draft claims, and confirm it is still good law before filing." The sanctions cases involving fabricated AI citations have all been failures at this step.

05

Client disclosure stance

Decide in advance whether and how you disclose AI use to clients. Options: always disclose in the engagement letter; disclose only when AI substantially generated the work product; disclose on request. Document the rationale for whichever approach you choose. Your state bar ethics guidance may constrain your options here — consult your bar's ethics counsel before finalizing this section.

06

Training and review cadence

State who is covered by this policy (all attorneys, paralegals, staff with access to AI tools). Specify how and when staff will be trained on the policy. Set a review date — at minimum annual, ideally quarterly given how quickly AI tools evolve.

03 / Template

Policy skeleton — adapt with counsel

This skeleton covers the required elements. Fill in the bracketed sections for your specific firm. This is not legal advice; have your attorney or bar ethics counsel review the final document before adopting it.

AI USE POLICY TEMPLATE · Adapt with counsel before adopting

[FIRM NAME] — Artificial Intelligence Use Policy

Effective date: [DATE] · Next review: [DATE]

1. Purpose

This policy governs the use of artificial intelligence tools by [FIRM NAME] attorneys and staff. It is intended to support compliance with ABA Model Rules 1.1, 1.6, 5.1, and 5.3, and with any applicable state bar ethics guidance.

2. Approved tools

The following AI tools are approved for use on client matters at the tier indicated:

[TOOL NAME] · [TIER, e.g., Enterprise / Teams] · Permitted use: [e.g., drafting, research] · Data restriction: [e.g., no client-identifying data]

[TOOL NAME] · [TIER] · Permitted use: [describe] · Data restriction: [describe]

Add rows as needed. Any tool not listed is unapproved for client-matter use.

Consumer-tier AI tools (ChatGPT Free, Claude.ai free/Pro without a DPA, and similar) may not be used for any portion of a client matter.

3. Client data classification

“Client data” for purposes of this policy includes: any information that identifies a client or their matter by name, case number, or other identifier; any factual information related to a client's legal situation; and any work product developed for a specific client matter.

Client data may only be input into an approved tool whose data handling has been reviewed and documented in this policy. Input into any unapproved tool is prohibited. Anonymization of client data does not eliminate this requirement; highly specific fact patterns may be re-identifying.

4. Verification of AI-generated work product

Any citation, case name, statutory reference, or material factual assertion generated by or with the assistance of AI must be independently verified against primary sources before inclusion in: (a) work product delivered to a client, or (b) any document filed with a court or administrative body.

Verification means: the cited authority exists, says what it is represented to say, and is good law as of the date of the filing or delivery. The responsible attorney must confirm verification before submitting any such document. AI tools with built-in citation checking (e.g., Westlaw AI, Lexis+ AI) may reduce the effort involved but do not eliminate the obligation.

5. Client disclosure

[CHOOSE ONE AND DELETE THE OTHERS:]

Option A — Always disclose: The firm's engagement letter discloses that the firm may use AI tools in connection with client matters. A sample disclosure clause is attached as Exhibit A.

Option B — Disclose when material: The firm discloses AI use when AI substantially generated a deliverable or played a material role in a legal determination affecting the client.

Option C — Disclose on request: The firm discloses AI use when a client specifically inquires. [NOTE: verify this is permissible under your jurisdiction's guidance before selecting this option.]

6. Training and scope

This policy applies to all attorneys, paralegals, and staff who use AI tools in connection with client matters. New staff will be trained on this policy as part of onboarding. All covered persons will review this policy at each annual update.

This policy will be reviewed no less than annually, and immediately upon: adoption of a new AI tool; a material change to an approved tool's terms, tier, or data-handling practices; disclosure of a material vulnerability in a tool used by the firm; or issuance of new ethics guidance by the [STATE] State Bar that affects AI use.

7. Questions and violations

Questions about this policy should be directed to [RESPONSIBLE ATTORNEY]. Suspected violations should be reported immediately. Use of an unapproved tool on a client matter, or input of client data into a consumer-tier tool, is a material policy violation subject to review.

Adopted by: [NAME] · [TITLE] · Date: [DATE]

This template is provided for informational purposes only. It is not legal advice. Have your attorney or bar ethics counsel review before adopting.

04 / Implementation

Getting the policy off the shelf

A written policy only reduces risk if it is actually followed. Three practical implementation steps:

01

Audit your current stack first

Before writing the approved tools list, inventory every AI tool your practice already uses, including tools staff use informally and AI features switched on inside software you already license (word processors, e-mail, document management, research platforms). You cannot govern what you haven't identified.

02

Verify the tier for each tool

For each tool, confirm from the vendor's own documentation or your account settings whether you are on a consumer or enterprise tier, whether a DPA is in place, whether your prompts are excluded from model training, and how long prompts and outputs are retained. Save a dated copy (PDF or screenshot) of the terms you relied on; vendor terms change, and the record shows what you knew when you approved the tool.

03

Review annually — or sooner

Set a calendar reminder. The AI tool landscape changes faster than most compliance schedules. A major vulnerability, a vendor policy change, or new bar ethics guidance are all triggers for an off-cycle review.

If you want step one done professionally, the CyberFrad audit delivers a written inventory of your AI tools, their data handling posture, and a hardening plan — the inputs you need to complete the approved tools list in the policy template above.


// Need the approved tools list for your policy?

Get a written inventory of your AI stack.

The CyberFrad audit identifies every AI tool in your practice, evaluates each one's data handling, and delivers the written hardening plan you need to complete Section 2 of the policy above. Flat fee. Five business days.