A practical ten-point checklist for law firms using AI in client work, internal drafting, legal research support, document review, or operational workflows.
If your law firm is using AI, these ten steps reflect the direction of recent bar guidance, court scrutiny, professional responsibility expectations, and practical AI governance standards.
1. Prohibit public, non-secure AI models for client work unless a partner-approved exception applies and the data-handling risk has been reviewed.

2. Confirm the vendor's security posture before approval: zero data retention where appropriate, contractual controls, access restrictions, and SOC 2 Type II or equivalent assurance when available.

3. Every AI-assisted output used for client work, legal analysis, correspondence, pleadings, or filing support must receive final review and sign-off by a qualified lawyer.

4. Manually verify every case citation, statute, quotation, and legal proposition against an official or trusted legal database before it becomes client-facing work product or a court filing.

5. Limit what data may be entered into prompts. Do not include client names, matter numbers, privileged facts, financial data, or sensitive personal information unless the tool and the use case have been approved.

6. Clearly identify internally when work was significantly drafted, summarized, transformed, or analyzed with AI, especially where human review, client disclosure, or file documentation is required.

7. Keep timestamped records of approved AI use cases, tools, decision points, review steps, and escalation decisions. Logs should support accountability without creating unnecessary client data exposure.

8. Ensure AI vendors provide appropriate contractual commitments on data use, retention, confidentiality, cybersecurity, GDPR, EU AI Act readiness, and support for the firm's audit obligations.

9. For high-risk legal, employment, biometric, or decision-support systems, evaluate whether a Fundamental Rights Impact Assessment or comparable risk assessment is required or advisable.

10. Notify clients where AI is a core part of the service delivery model, or where required by professional guidance, engagement terms, client instructions, or risk context.
This checklist is not a substitute for a firm-specific AI governance framework. It is a starting point for partners who want to move from informal usage to controlled, documented, and defensible AI adoption.