Governance tends to get discussed at altitude: principles, frameworks, commitments, the occasional policy paper. At some point it has to come down and touch the system, living in a document that someone can open, review, and act on. That is the job of AI documentation cards.
A documentation card is a structured, single-page artifact that records the governance-essential facts about one component of an AI system. It captures what a system does and where its limits sit. Four card types cover the layers of a deployment: the data, the model, the interfaces, and the agents. Together they form the technical documentation layer of any serious governance program.
For legal work, the stakes raise these cards from good practice to necessity. A wrong AI output can produce a malpractice claim, a sanction, or harm to a client who trusted the firm to get it right. The four cards are the working evidence that a firm knows what its AI is doing and can answer for it.
The Dataset Card: Knowing Where the Data Came From
Every AI system learns from data. A Dataset Card documents the data that flows into and through the system: where it came from, how it was processed, what it contains, and the constraints that govern its use.
The core elements are consistent across systems: lineage and provenance (the chain of custody from original source to training set), quality characteristics such as completeness, accuracy, and representativeness, privacy and sensitivity classifications, usage permissions and jurisdictional restrictions, and the mechanism by which the dataset gets refreshed over time.
In Legal Practice
When a firm or a legal technology vendor deploys an AI tool for contract review, e-discovery, or legal research, the Dataset Card answers the questions that decide whether the tool is safe to rely on. Was the model trained on data that included protected client information? Do jurisdictional restrictions limit how that data may be used? Does the training corpus cover the range of legal contexts the tool will meet, or is it narrow enough to fail quietly on the edge cases?
These map directly onto a supervising attorney's obligations. Before certifying work product produced with AI assistance, a lawyer has to be able to account for the inputs behind it. Model Rule 1.1 treats competence as including the technology a lawyer relies on, and a Dataset Card is what turns that competence into something documented rather than assumed.
The Model Card: What the System Does and Does Not Do
A Model Card is a short, structured report that travels with an AI model. It sets out the intended use, the data the model was trained on, how it performs across different groups and conditions, and, most importantly, its known limitations.
The Model Card began as a transparency tool, built so that developers, users, and regulators could understand how a model should and should not be used. In practice it tells a practitioner where the vendor's marketing claim ends and the model's reliable behavior begins.
In Legal Practice
Predictive litigation analytics, AI-assisted research platforms, and automated contract analysis all generate outputs that lawyers and clients act on. A Model Card tells the practitioner whether performance drops on certain document types, whether the model was tested for uneven results across demographic groups (a live concern in any matter touching employment, housing, or public benefits), and what sits outside the model's intended scope.
Several jurisdictions now require this kind of disclosure. New York City's Local Law 144 mandates bias audits for automated tools used in employment decisions. The EU AI Act imposes technical documentation duties on high-risk AI systems, a category that reaches many legal applications. Where those regimes apply, a Model Card stops being good hygiene and becomes a compliance record the firm may have to produce.
The Interface Card: Securing the Point of Contact
An Interface Card documents the surfaces through which an AI system is reached. That includes human-facing surfaces such as dashboards, chatbots, and client portals, and machine-facing surfaces such as APIs, service endpoints, and integrations with other platforms.
Of the four, the Interface Card is the most security-focused. It captures authentication and authorization controls, input validation, the privacy implications of whatever the interface exposes or transmits, and the human usability factors that determine whether practitioners use the system correctly under pressure.
In Legal Practice
Legal AI sits where high-value data meets high-stakes decisions. A document management system wired to an AI analysis tool can expose privileged communications, and a client-facing chatbot can quietly collect sensitive personal information. Connect a litigation support platform to a court filing system through an API, and you have opened an attack surface that, if exploited, could produce unauthorized filings, a data breach, or the disclosure of confidential settlement terms.
The Interface Card surfaces these risks before they become incidents. It feeds the threat-modeling session and gives a security review its starting checklist. When a firm later has to account for how client data was protected, that same card is the record of due diligence.
The Agent Card: Governing AI That Acts
The Agent Card is the newest of the four and the one gaining importance fastest. It documents AI agents, the components of a system that take action on their own: searching, drafting, filing, communicating, or triggering other processes without step-by-step human direction.
An Agent Card captures five governance-essential elements: the agent's scope of authority (what it can and cannot do without human approval), its impact radius (how far its actions reach), its failure modes and fallbacks (how it degrades when something breaks), its resource-consumption limits, and the oversight mechanisms that keep human control meaningful.
In Legal Practice
AI agents are starting to appear in legal workflows: scheduling systems that negotiate directly with court calendars, research agents that retrieve and synthesize case law on their own, contract agents that flag and redline terms across large document sets. The professional responsibility stakes are real. A lawyer cannot delegate supervisory judgment to a machine. Model Rule 5.3 requires lawyers to supervise nonlawyer assistance, and an agent operating without defined authority limits and oversight is precisely the unsupervised conduct that rule exists to prevent.
The Agent Card makes that scope of authority explicit and auditable. It lets a firm demonstrate, rather than simply assert, that meaningful human oversight stayed in place while the agent was working.
From Principles to Records
Principles and commitments matter, but on their own they do not produce accountability. Accountability shows up in documentation that reaches the system itself: the data it learned from, the model behind its outputs, the interfaces it is reached through, and the agents it puts to work on a client's behalf.
These four cards are working artifacts, used today by organizations building governance that can hold up under legal scrutiny, regulatory review, and a client's reasonable demand to know how AI was used on their matter. InGlobo AI helps legal organizations build governance at that level of operational detail, so the program lives in the system and not only on paper.
The four-card documentation model described here, including the field structures shown in the diagrams above, is adapted from the AI governance curriculum and writing of James Kavanagh and AI Career Pro. The diagrams are original InGlobo AI renderings.
Ready to bring responsible AI to your firm? Let's start with a conversation.
Book a Discovery CallLegal Disclaimer
InGlobo AI, LLC is an AI governance consultancy and not a law firm. This article is provided for general informational and educational purposes only and does not constitute legal advice. Reading or sharing this article does not create an attorney-client relationship with InGlobo AI or its personnel. Law firms, lawyers, and organizations evaluating AI governance or compliance questions should consult independent legal counsel licensed in the applicable jurisdiction.