Governance · free template

AI policies for law firms: a practical 2026 checklist.

An AI policy for a law firm is a short, enforceable set of rules that says which AI tools your people may use, what firm and client information may go into them, how every output must be verified, and who is accountable. This guide is the plain-language checklist — and a free template you can adapt — built around the four obligations that matter most in a firm: confidentiality, privilege, competence, and candour to the court.

Your lawyers are already using AI — with or without a policy. The question is whether that use is governed or ad hoc. An ad-hoc firm learns its rules the hard way: a confidential matter pasted into a public chatbot, or a brief filed with a citation the tool invented. A public database of court decisions involving AI-hallucinated content had documented 1,752 cases worldwide as of July 2026 — 683 of them involving lawyers — and the count rises almost daily.[1] A written policy will not make AI safe on its own — but it is the cheapest, fastest risk control a firm can put in place, and it is the foundation every other AI initiative sits on.

Answer-first: the shortest useful law-firm AI policy answers five questions — Which tools? What data? How is output verified? Who is trained and supervising? Who owns this and when is it reviewed? Everything below expands those five.
The checklist

What a law-firm AI policy must cover.

Ten sections. Each one is a decision your firm should make on purpose, not by accident.

1

Scope — who and what it covers

State plainly who the policy binds (partners, associates, staff, contractors) and what it governs (all generative-AI tools used for firm or client work, on any device).

Put in your policy  "This policy applies to everyone doing work for the firm and to any AI tool used for that work, whether firm-provided or personal."

2

Approved tools — and how a tool gets approved

Maintain a short list of vetted, approved tools and the environments they may be used in. Just as important: a simple path for requesting a new tool, so people ask instead of going around the policy.

Put in your policy  A named approver, a one-page request process, and the current approved list (with the data tier each tool is cleared for).

3

Data rules — what may and may not go in

The core control. Define data tiers (public, internal, confidential/client, privileged) and state clearly which tiers may be entered into which tools. Public consumer chatbots and confidential client data do not mix.

Put in your policy  "Never enter client-confidential or privileged information into a tool that is not on the approved confidential-data list."

4

Client confidentiality & consent

Address when client consent or notice is required before AI touches their matter, and how engagement letters and outside-counsel guidelines are honoured. Some clients mandate or prohibit specific AI uses.

Put in your policy  A rule to check outside-counsel guidelines and the engagement terms before using AI on a matter.

5

Privilege & ethical walls

An AI that surfaces matter content across conflict screens is a malpractice risk, not a productivity tool. Access controls and ethical walls must be enforced at the data layer, not left to user discretion.

Put in your policy  "AI tools must respect existing access controls and ethical walls; no tool may retrieve matter content a user could not otherwise access."

6

Accuracy, verification & candour to the court

Treat every AI output as a draft from an unreliable junior — useful, never trusted. Require a human to verify facts, quotes, and especially every legal citation against a primary source before anything leaves the firm.

Put in your policy  "No AI-assisted work product is filed or sent without a lawyer verifying every citation and factual assertion against the primary source."

7

Supervision & competence (training)

Competence now includes understanding the tools you use. Require baseline responsible-AI training before use, and make a supervising lawyer accountable for AI-assisted work by others — the same duty that applies to any delegated work.

Put in your policy  "Complete the firm's AI training before using AI on client work; a supervising lawyer remains responsible for the result."

8

Disclosure

Set the firm's position on disclosing AI use — to clients, and to courts or regulators where rules or standing orders require it. Track the jurisdictions and clients that have specific requirements.

Put in your policy  A pointer to a maintained list of court/regulator disclosure rules and client requirements, with a default of transparency.

9

Data handling, retention & audit logging

Specify where prompts and outputs are stored, how long they are kept, whether the vendor trains on your data (it must not, for confidential tiers), and how AI use is logged so it can be reviewed after the fact.

Put in your policy  "Approved confidential-tier tools must contractually exclude training on firm data and support retention and audit-logging controls."

10

Ownership, review & incidents

Name one accountable owner, set a review cadence, and give people a no-blame way to report a mistake fast. A policy nobody owns and nobody revisits is theatre.

Put in your policy  "[Named owner] maintains this policy, reviews it at least twice a year, and runs the process for reporting and containing AI incidents."

Free · ungated · yours to adapt

The one-page AI policy template.

A plain-language starting point built from the ten sections above. Open it, adapt it to your firm's tools and rules, and put it in front of your team. No email required.

Open the template

Print to PDF from your browser to circulate it.

FAQ

AI policies for law firms — common questions.

What should an AI policy for a law firm include? +
At minimum: which AI tools are approved and how a new one gets approved; what firm and client data may and may not go into which tools; a mandatory verification step for every output; supervision and competence requirements; disclosure obligations; data retention, security, and audit logging; and a named owner with a review cadence.
Do small law firms need an AI policy? +
Yes. A one-page policy is often enough for a small firm, but the obligations — confidentiality, privilege, competence, candour — apply regardless of size, and lawyers are already using AI whether or not a policy exists. A short written policy is the cheapest risk control available.
Who should own and approve the policy? +
A named partner or committee — often the managing partner, general counsel, or an innovation/risk lead — with input from IT/security and professional-responsibility counsel. One accountable owner and a clear tool-approval path matter more than a long document.
How often should it be reviewed? +
At least twice a year, and whenever a major tool, model, or regulatory guidance changes. The AI landscape moves faster than an annual policy cycle.
Is a template enough, or does it need customizing? +
A template gets you started, but an enforceable policy has to reflect your actual tools, data systems, practice areas, and applicable conduct rules. The template above is a starting point to adapt — not a finished policy.
From policy to practice

A policy is the floor. The next step is building AI that follows it.

A written policy sets the rules; it doesn't make your tools obey them. That's implementation work — access controls and ethical walls enforced at the data layer, approved tools wired into real workflows, and training that sticks. It's exactly what an AI Readiness Assessment scopes.

Book an AI Readiness Assessment

Where this fits

Governance is one of the five dimensions we score in the assessment. We turn a policy on paper into controls that are actually enforced — and a prioritized plan for the use cases worth building first.

Sources

[1] AI Hallucination Cases Database, maintained by legal researcher Damien Charlotin — a tracker of court decisions in which generative AI produced hallucinated content (typically fabricated citations). 1,752 documented decisions worldwide, 683 involving lawyers, as of 13 July 2026. damiencharlotin.com/hallucinations

Not legal advice. Agentic Intelligence is a technology consulting and implementation firm, not a law firm. This checklist and template are practical governance and implementation guidance, not legal advice. Adapt any policy with your own professional-responsibility counsel and the conduct rules of your jurisdiction.