An AI policy for a law firm is a short, enforceable set of rules that says which AI tools your people may use, what firm and client information may go into them, how every output must be verified, and who is accountable. This guide is the plain-language checklist — and a free template you can adapt — built around the four obligations that matter most in a firm: confidentiality, privilege, competence, and candour to the court.
Your lawyers are already using AI — with or without a policy. The question is whether that use is governed or ad hoc. An ad-hoc firm learns its rules the hard way: a confidential matter pasted into a public chatbot, or a brief filed with a citation the tool invented. A public database of court decisions involving AI-hallucinated content had documented 1,752 cases worldwide as of July 2026 — 683 of them involving lawyers — and the count rises almost daily.[1] A written policy will not make AI safe on its own — but it is the cheapest, fastest risk control a firm can put in place, and it is the foundation every other AI initiative sits on.
Ten sections. Each one is a decision your firm should make on purpose, not by accident.
State plainly who the policy binds (partners, associates, staff, contractors) and what it governs (all generative-AI tools used for firm or client work, on any device).
Put in your policy "This policy applies to everyone doing work for the firm and to any AI tool used for that work, whether firm-provided or personal."
Maintain a short list of vetted, approved tools and the environments they may be used in. Just as important: a simple path for requesting a new tool, so people ask instead of going around the policy.
Put in your policy A named approver, a one-page request process, and the current approved list (with the data tier each tool is cleared for).
The core control. Define data tiers (public, internal, confidential/client, privileged) and state clearly which tiers may be entered into which tools. Public consumer chatbots and confidential client data do not mix.
Put in your policy "Never enter client-confidential or privileged information into a tool that is not on the approved confidential-data list."
Address when client consent or notice is required before AI touches their matter, and how engagement letters and outside-counsel guidelines are honoured. Some clients mandate or prohibit specific AI uses.
Put in your policy A rule to check outside-counsel guidelines and the engagement terms before using AI on a matter.
An AI that surfaces matter content across conflict screens is a malpractice risk, not a productivity tool. Access controls and ethical walls must be enforced at the data layer, not left to user discretion.
Put in your policy "AI tools must respect existing access controls and ethical walls; no tool may retrieve matter content a user could not otherwise access."
Treat every AI output as a draft from an unreliable junior — useful, never trusted. Require a human to verify facts, quotes, and especially every legal citation against a primary source before anything leaves the firm.
Put in your policy "No AI-assisted work product is filed or sent without a lawyer verifying every citation and factual assertion against the primary source."
Competence now includes understanding the tools you use. Require baseline responsible-AI training before use, and make a supervising lawyer accountable for AI-assisted work by others — the same duty that applies to any delegated work.
Put in your policy "Complete the firm's AI training before using AI on client work; a supervising lawyer remains responsible for the result."
Set the firm's position on disclosing AI use — to clients, and to courts or regulators where rules or standing orders require it. Track the jurisdictions and clients that have specific requirements.
Put in your policy A pointer to a maintained list of court/regulator disclosure rules and client requirements, with a default of transparency.
Specify where prompts and outputs are stored, how long they are kept, whether the vendor trains on your data (it must not, for confidential tiers), and how AI use is logged so it can be reviewed after the fact.
Put in your policy "Approved confidential-tier tools must contractually exclude training on firm data and support retention and audit-logging controls."
Name one accountable owner, set a review cadence, and give people a no-blame way to report a mistake fast. A policy nobody owns and nobody revisits is theatre.
Put in your policy "[Named owner] maintains this policy, reviews it at least twice a year, and runs the process for reporting and containing AI incidents."
A plain-language starting point built from the ten sections above. Open it, adapt it to your firm's tools and rules, and put it in front of your team. No email required.
Open the template →Print to PDF from your browser to circulate it.
A written policy sets the rules; it doesn't make your tools obey them. That's implementation work — access controls and ethical walls enforced at the data layer, approved tools wired into real workflows, and training that sticks. It's exactly what an AI Readiness Assessment scopes.
Book an AI Readiness Assessment →Where this fits
Governance is one of the five dimensions we score in the assessment. We turn a policy on paper into controls that are actually enforced — and a prioritized plan for the use cases worth building first.
Sources
[1] AI Hallucination Cases Database, maintained by legal researcher Damien Charlotin — a tracker of court decisions in which generative AI produced hallucinated content (typically fabricated citations). 1,752 documented decisions worldwide, 683 involving lawyers, as of 13 July 2026. damiencharlotin.com/hallucinations
Not legal advice. Agentic Intelligence is a technology consulting and implementation firm, not a law firm. This checklist and template are practical governance and implementation guidance, not legal advice. Adapt any policy with your own professional-responsibility counsel and the conduct rules of your jurisdiction.