AI Use Policy for Law Firms: What Every Firm Needs

Picture this: an associate at your firm needs to draft a summary of a 60-page commercial agreement before a partner meeting at noon. She opens a browser tab, pastes the entire contract including the client name, the counterparty, and the deal terms into a public AI chatbot, and generates a useful summary in under a minute. The partner is impressed. No one thinks twice about it.

Three things just happened that your firm may not be aware of. First, your client's confidential information was transmitted to a third-party service whose terms of service permit training on user inputs unless enterprise controls are specifically enabled. Second, your firm may have violated Rule 1.6 of the ABA Model Rules of Professional Conduct, which governs confidentiality of information relating to clients. Third, if a state bar inquiry ever arose, you would have no written policy to point to that establishes your firm took reasonable precautions.

This is not a horror story about AI. It is a description of a Tuesday at firms across the country right now. According to Clio's 2025 Legal Trends Report, more than half of legal professionals say their firm either has no AI policy or they are unaware of one. That same report found that 79% of legal professionals are using AI tools in their daily work. That gap between adoption and governance is where professional liability accumulates quietly.

An AI use policy does not stop your attorneys from using AI. It does the opposite: it creates the guardrails that let them use it confidently and in compliance with your professional obligations.

Why the ABA Requires Firms to Have a Policy

ABA Formal Opinion 512, issued in July 2024, is the foundational guidance document for AI use in legal practice. It addresses six ethical obligations that apply whenever a lawyer or firm uses generative AI: competence, confidentiality, communication with clients, supervision, candor toward tribunals, and reasonable fees.

On supervision specifically, Opinion 512 is direct: partners and other lawyers with managerial responsibilities must establish clear policies governing the permissible use of AI tools within the firm. This is not advisory language. Under ABA Model Rule 5.1, lawyers with managerial authority are responsible for ensuring their firm has measures in place that provide reasonable assurance all lawyers conform to the Rules of Professional Conduct.

In plain terms: if your attorneys are using AI and your firm has no policy, the managing partner is exposed.

State bar bodies have followed with their own guidance. As of 2026, more than 25 state bars have issued formal opinions or detailed guidance on AI use in legal practice. Florida Bar Opinion 24-1 requires attorneys to disclose AI use when it affects client billing. New York Formal Opinion 2025-6 addresses the use of AI to record and transcribe client meetings, emphasizing confidentiality and consent obligations. Pennsylvania now mandates explicit disclosure of AI assistance in court submissions as a filing requirement. California has proposed new rules that would require attorneys to verify every AI-generated output before filing.

The pattern is clear: state bars are accelerating, and the minimum acceptable standard is rising. A policy written today and reviewed annually will keep your firm ahead of requirements that are still tightening.

What an AI Use Policy Actually Does

There is a common misunderstanding that an AI policy is either a blanket ban ("no AI at all") or a blank check ("use whatever you want"). Neither works in practice.

A blanket ban is unenforceable and leaves your firm at a competitive disadvantage as AI tools become integrated into every major legal platform. A blank check exposes you to the exact scenario in the opening: attorneys making reasonable-seeming decisions that carry real professional risk because no guidance existed.

A well-built AI use policy does three things:

1. It defines which tools are approved and under what conditions, removing the guesswork from individual attorneys.
2. It establishes which tasks require mandatory human review before any output leaves the firm, protecting against citation failures that have led to court sanctions.
3. It sets clear disclosure obligations so your attorneys know when and how to tell clients and courts that AI was used in their work.

That is it. A policy does not need to be a 30-page compliance document. For most small and mid-size firms, a four-to-six page document covering the sections below is sufficient and will be far more likely to be read and followed than something longer.

Section 1: Approved Tools

The most practical starting point is a simple approved-tools list. This removes a decision burden from every attorney every time they encounter a new tool: instead of each person individually evaluating a vendor's data handling, the firm makes one informed decision and everyone benefits from it.

The core distinction your policy needs to capture is the difference between consumer AI and enterprise AI.

Consumer AI tools (the free or low-cost tiers of ChatGPT, Google Gemini, and similar services) typically allow the provider to use your inputs to improve their models. Client data submitted through those interfaces may be retained and used by the provider in ways that are generally incompatible with Rule 1.6.

Enterprise versions of those same tools, and legal-specific platforms such as Harvey, Paxton, and Clio Duo (built into Clio's practice management environment), typically include contractual protections: data processing agreements that prohibit training on your firm's data, SOC 2 Type II certification, and in some cases Business Associate Agreements where health information is involved.

Your approved-tools list should specify, for each tool:

• The tool name and tier or version
• The approved use cases (drafting, research, summarization, and so on)
• The data types permitted as input (redacted documents, public information, etc.)
• Whether client-identifiable information may be submitted

Review this list at least annually and whenever a major new tool is introduced or an existing vendor updates its terms of service.

Section 2: Confidentiality Protocols

Even with an approved tool, your policy needs to address how attorneys handle confidential information within that tool.

The safest default is a firm rule that client-identifiable information should be redacted or anonymized before submission to any AI tool, even an approved enterprise tool. This creates a habit that protects the firm if a vendor's terms change or if an attorney uses an unapproved tool under time pressure.

Practical redaction for legal work is not complicated. In most summarization or drafting tasks, the AI does not need to know that the contract is between Acme Corp and Baker LLC. It needs to understand the structure and the terms. Replacing names with generic labels such as "Party A" and "Party B" before submitting a document preserves almost all of the utility while significantly reducing the confidentiality exposure.

Your policy should also address the distinction between AI tools that operate within your existing practice management environment and AI tools accessed separately. When an attorney uses Clio Duo within Clio, the data handling is governed by your existing data processing agreement with Clio. That is meaningfully different from copying and pasting client data into a separate browser tab. Attorneys should understand which category each approved tool falls into.

Where your firm handles matters involving health information, financial account data, or other regulated categories, the policy should note the additional requirements that apply, including any HIPAA obligations and the need for a signed Business Associate Agreement before health-related client information is submitted to any AI tool.

Section 3: Human Review Requirements

Every output generated by an AI tool must be reviewed by a licensed attorney before it is transmitted to a client, filed with a court, or incorporated into any client-facing work product. This is not a temporary precaution. It is a direct requirement of your duty of competence under ABA Model Rule 1.1.

The cautionary benchmark is Mata v. Avianca, a 2023 case in the Southern District of New York. Attorneys submitted a brief containing six AI-generated case citations; none of those cases existed. The court sanctioned the firm $5,000 USD. The failure mode has not disappeared: legal AI tools have improved substantially, but no tool operates without error, and the attorney, not the software vendor, bears professional responsibility for the work product.

Your policy should define what "human review" means in practice for different work types. For a research memo, review means verifying each case citation in Westlaw or Lexis before the memo leaves the firm. For a drafted motion, review means reading the entire document, not only the sections the attorney prompted the AI to write. For a client-facing summary, review means confirming that factual claims accurately reflect the underlying source documents rather than AI-generated interpretation.

The policy should also make clear that supervisory responsibility flows appropriately: attorneys are responsible for AI-assisted work produced by staff and paralegals they supervise, just as they would be for traditionally produced work product. An associate or paralegal using an approved AI tool does not reduce the supervising attorney's responsibility for the output.

Section 4: Disclosure

This is the section where state-specific guidance matters most and where the ground is shifting fastest.

There are two disclosure contexts your policy needs to address: disclosure to clients and disclosure to courts.

Client disclosure. ABA Formal Opinion 512 states that lawyers must inform clients of AI use in their representation when the client asks, or when disclosure is reasonably necessary. For most firms, the clearest way to satisfy this obligation is through the engagement letter. A straightforward addition to your standard letter might read: "Our firm uses AI tools to assist with certain tasks including research, document drafting, and administrative work. All AI-assisted work product is reviewed by a licensed attorney before delivery to you."

If your firm uses AI in a way that materially affects billing (for example, a task that previously took four hours now takes 45 minutes because of AI assistance), Florida Bar Opinion 24-1 requires disclosure and asks firms to address how efficiency gains are reflected in the fee charged. This principle is likely to spread to other jurisdictions, and addressing it in your policy now creates a clear and defensible practice.

Court disclosure. Pennsylvania currently requires explicit disclosure of AI use in court filings. Other jurisdictions have individual judges who issue standing orders with the same requirement. Your policy should require attorneys to check the local rules and any applicable standing orders for each jurisdiction in which they file, and to make the required disclosure whenever AI assistance contributed to a submission.

A practical safeguard: draft a standard disclosure statement your attorneys can insert when required. Something factual and neutral, such as: "Counsel utilized AI tools to assist in the preparation of this filing. All content was reviewed and verified by the undersigned attorney." Having standard language ready removes friction and ensures consistency.

Section 5: Training and Annual Review

A policy that exists but is not understood does not protect your firm. Your AI use policy should specify the training all attorneys and staff receive before using approved tools, and the cadence for ongoing training.

At minimum, training should cover: how each approved tool handles data, the firm's confidentiality protocols including redaction requirements, the human review standard and what it means for different work types, and disclosure obligations for that attorney's typical jurisdictions and practice areas.

For most small firms, a focused onboarding session when the policy launches, followed by brief annual refreshers, is sufficient. The goal is not compliance theater. It is making sure every person at the firm can explain, if asked, why they made the AI-related decisions they made in their work.

Managing partners with supervisory responsibility under ABA Model Rule 5.1 should also understand that training records and policy documentation are the evidence that the firm exercised reasonable care. If a bar complaint or client grievance ever arises related to AI use, your ability to point to a written policy, a training log, and documented vendor due diligence is the difference between demonstrating competence and being unable to show that reasonable precautions were taken.

Commit to reviewing the policy at least once a year. State bar guidance is still actively developing across most jurisdictions, and your approved-tools list will shift as vendors update their terms and new tools enter the market. An annual review does not need to be extensive: a working session to check each section against current guidance and update the approved-tools list is usually enough to stay current.

How to Start This Afternoon

If your firm does not have an AI policy yet, here is a practical path that does not require outside legal counsel or a lengthy committee process.

Draft a document with five sections using the framework above: approved tools, confidentiality protocols, human review requirements, disclosure obligations, and training requirements. For each section, adapt the guidance here to reflect how your firm actually operates today.

For the approved-tools section, start by inventorying every AI tool your attorneys currently use. A quick survey of your team often surfaces tools the managing partner was not aware of. That inventory becomes the starting point for your approved list and your list of tools that need to be retired or replaced with enterprise versions.

For the confidentiality section, start stricter than you think you need to be: no client-identifiable information into any AI tool without explicit approval. You can refine this as you build confidence in specific approved tools with appropriate agreements in place.

For the disclosure section, identify the three or four jurisdictions in which your attorneys file most frequently, check the current local rules and any applicable standing orders, and build those requirements into your standard checklists and engagement letter templates.

Once the first draft exists, share it with your attorneys and ask for honest feedback on whether it reflects how they actually work and what it would change. A policy that sounds reasonable but is ignored in practice because it is impractical does not protect your firm. The goal is a document that gets used.

The Policy Is the Foundation, Not the Ceiling

An AI use policy is not a constraint on what your firm can do with AI. It is what makes it practical to deploy AI tools across the firm without every attorney navigating the ethical questions from scratch, every time, in isolation.

The firms that will get the most out of AI over the next several years are not the ones that say yes to everything or no to everything. They are the ones with clear governance that lets them evaluate new tools quickly, deploy them consistently, and demonstrate to clients and bar bodies that they are operating thoughtfully.

At Futureman Labs, we see this pattern regularly: firms that started with a clear policy made better tool decisions earlier and avoided the credential-scrubbing work that comes from a bar complaint or a client question you cannot answer cleanly. The Law Firm AI Readiness Scorecard is a quick self-assessment that maps your current tools, workflows, and governance gaps so you know exactly where to focus first.