The legal profession is in the middle of an AI reckoning. Tools that were experimental three years ago are now deployed across practice groups to draft motions, analyze contracts, run due diligence, and synthesize discovery. The efficiency gains are measurable. The risks are too.

The profession's response has been uneven. Some firms have banned AI outright. Others have adopted it with no formal policy at all. Both responses fail in different ways. What law firms need is a structured, sequenced governance program grounded in the Rules of Professional Conduct and the guidance of ABA Formal Opinion 512. The seven steps below are written in the order they should be executed. Each one depends on the one before it.

Step 1: Establish Executive Ownership and Governance Leadership

AI governance has to be an institutional function with a named owner. A committee that meets quarterly and produces no binding decisions is not governance. The first structural step is designating an AI Governance Lead, typically a senior attorney, managing partner, or General Counsel, with explicit authority over the firm's AI policy.

This is not a technology role. The Governance Lead's responsibility is aligning AI use with the firm's ethical obligations, risk tolerance, and practice-specific needs. In larger firms, the Lead chairs an AI Governance Committee that includes IT, risk management, and practice group representatives. In smaller firms, the Lead may wear multiple hats. The accountability has to be singular and named regardless of firm size.

Without this step, every later step becomes advisory. Governance without authority is documentation.

Step 2: Conduct a Firm-Wide AI Audit

Before the firm can govern AI use, it has to know what AI use is already happening. The actual footprint is almost always larger than leadership expects.

The audit should be firm-wide and should capture tools used formally (approved by IT or firm leadership) and informally (tools that individual attorneys or staff have adopted on their own, sometimes called shadow AI). It should identify every AI system in use, its vendor, the categories of matters or data it touches, and the people using it.

Findings often surface things leadership did not know. Associates running client documents through consumer chatbots from home. Paralegals using free translation or summarization tools. Partners who have folded AI into their personal research workflow without telling anyone. The audit is diagnostic, not punitive. Its purpose is to establish a baseline the firm can govern from.

Key Audit Question

Is any non-public client information, including facts, documents, financials, or identities, entering any AI system that lacks a contractual zero-retention guarantee? If the firm cannot answer that question with certainty for every tool in use, the firm has a Rule 1.6 problem today.

Step 3: Draft and Adopt a Firm-Wide AI Acceptable Use Policy

With audit results in hand, the firm can draft its Acceptable Use Policy: the foundational governance document defining what is permitted, what is prohibited, and what is required when using AI in legal practice.

A working AUP is operational rather than aspirational. It answers concrete questions for every person in the firm. At a minimum, it should address:

On Client Consent

ABA Formal Opinion 512 makes clear that boilerplate AI language buried in an engagement letter does not satisfy informed consent under Rule 1.6. If current engagement letters carry that kind of language, the firm should have ethics counsel review the disclosure separately.

Step 4: Conduct Vendor Due Diligence and Implement Risk Tiering

With the AUP in place, the firm has a defined standard it can evaluate vendors against. Legal and compliance need to be involved at the procurement stage, not after a contract has already been signed.

| Tier | Category | Examples | Required Controls |
|---|---|---|---|
| Tier 1 | Standard | Internal productivity tools not processing client data | Basic approval; standard AUP |
| Tier 2 | Enhanced | Legal research AI; drafting tools processing confidential matter data | Closed-system requirement; data processing agreement; audit rights |
| Tier 3 | High-Risk | High-stakes decision-support tools; tools processing PHI or regulated data | Full DPIA; zero-retention guarantee; periodic third-party audit |

Vendors handling client data must contractually guarantee a zero-retention policy. Firm data must remain siloed inside a tenant the firm controls and may not enter the vendor's external training pipeline.

Step 5: Execute an AI Literacy and Training Program

Vendors are approved and the policy is written. The firm now has to make sure every person who works there can execute that policy correctly. Holding attorneys to a standard they were never trained to meet is its own ethics problem.

Training has to go past the basics. Effective AI literacy covers how these models work, why they fail, how to recognize hallucinated content, and how to satisfy ethical obligations in day-to-day practice.

Calibrate the training by role. Partners need governance-focused sessions. Associates need scenario-based, practice-specific training. IT and compliance personnel need deeper technical training on vendor management and data security.

Training is recurring, not one-time. Programs should be reviewed and refreshed at least annually, and supplemented whenever significant new tools are approved or major new guidance is issued.

Competence Obligation

Under Rule 1.1 Comment 8, technological competence is part of the duty of competence. A firm that provides serious AI governance training is meeting its ethical obligations as an organization, not just managing risk.

Step 6: Mandate Human-in-the-Loop Verification at Every Stage

With attorneys trained, the firm can enforce the verification protocols that protect clients and the firm's standing. Generative AI systems are probabilistic. They predict plausible text based on statistical patterns; they do not reason in any meaningful legal sense. They hallucinate. They fabricate citations that sound authoritative and were never written.

A lawyer's professional judgment cannot be delegated to generative AI. It remains the lawyer's responsibility at every step.

Set task-level boundaries. Define which tasks are appropriate for AI assistance, including initial research, document summarization, first-draft generation, and clause comparison, and which tasks require human-only work, including final legal conclusions and any representation to a tribunal.

Require independent verification of all AI-generated output before it is filed with a court or shared externally. Every cited case Shepardized. Every factual assertion cross-checked against primary source materials.

Rule 5.2 means subordinate lawyers cannot defer to supervisors on ethics. The governance program should create an environment where associates can raise concerns without professional repercussion.

Step 7: Implement Continuous Monitoring, an AI Registry, and an Incident Response Plan

Governance is a standing function, not a project with a completion date. Tools change, the regulatory environment evolves, and new risks surface as the technology matures.

Maintain a centralized AI Registry: the firm's official inventory of every approved AI system, tracking vendor, risk tier, designated owner, approved use scope, and compliance status. It should be updated every time a tool is approved, retired, or modified.

Audit periodically, at least once a year. For tools that process client data, third-party security audits should be conducted at appropriate intervals.

Develop a formal AI Incident Response Plan that defines what counts as an incident, sets escalation protocols, specifies documentation requirements, and addresses notification obligations to clients or regulators where required.

Watch for model drift. Tools that perform reliably at deployment may produce materially different outputs eighteen months later as training data ages.

Where to Start

Two actions move the program forward fastest. First, run an honest audit of the AI tools currently in use across the firm, including the ones attorneys may be using informally. Second, circulate a short interim policy stating that no AI tool may be used for client matters unless it sits on an approved list. From that foundation, the remaining steps can be built incrementally over the next several quarters.

One realistic note: assembling a defensible AI governance program inside a firm requires the intersection of legal ethics knowledge, AI technical fluency, regulatory awareness, and implementation experience. Most firms do not have that combination in-house, regardless of size. The disciplinary, client-harm, and reputational cost of getting governance wrong dwarfs the cost of getting it right the first time.

Where InGlobo AI Fits

InGlobo AI was built specifically to close the gap between AI's rapid advancement and the legal profession's ethical obligations. We pair legal practice experience with AI governance and regulatory compliance work, helping law firms design, implement, and maintain governance programs that are practical, defensible, and durable.

We do not deliver off-the-shelf checklists. We work alongside the firm to assess the current environment, draft policies fitted to practice areas, evaluate vendors against the firm's actual risk profile, build the training program, and stand up the monitoring infrastructure that keeps governance current as the technology changes.

Your attorneys and staff are the firm's most valuable asset. Let them practice law, and let InGlobo AI handle the governance architecture that lets them do that with confidence.

Sources & References

  1. ABA Standing Committee on Ethics and Professional Responsibility, Formal Opinion 512: Generative Artificial Intelligence Tools (July 29, 2024).
  2. ABA Model Rules of Professional Conduct: Rules 1.1, 1.4, 1.5, 1.6, 3.1, 3.3, 5.1, 5.2, 5.3.
  3. NYCB Ethics Opinion 2024-5, Generative AI and the Rules of Professional Conduct (2024).
  4. NIST AI Risk Management Framework (NIST AI RMF 1.0), National Institute of Standards and Technology (2023).
  5. ISO/IEC 42001:2023, Information Technology: Artificial Intelligence Management System.
  6. Pennsylvania Bar Association, Committee on Legal Ethics and Professional Responsibility, Op. 2024-200.
  7. Louisiana State Bar Association, AI Ethics Guidance for Louisiana Practitioners.
