Lawyers are using AI tools — for research, drafting, contract review, and document summarization. Bar associations across the United States have issued guidance making clear that existing professional responsibility obligations apply to AI use. Here's what a law firm AI acceptable use policy needs to cover.
The legal industry's relationship with AI in 2026 is somewhere between enthusiastic early adoption and careful institutional skepticism. Associates and paralegals are using AI research and drafting tools. Senior attorneys are experimenting with contract review and due diligence automation. And administrative staff are using the same consumer AI tools everyone else uses for everyday work tasks.
At most law firms, this is happening without a written policy governing it. That creates a specific problem for lawyers that doesn't exist in most other industries: professional responsibility obligations — not just organizational policy — apply to how attorneys use AI tools with client information.
Multiple state bar associations have issued formal ethics opinions or guidance on AI use, and the themes are consistent across jurisdictions:
Lawyers have an obligation to protect client information from unauthorized disclosure. Entering client information into an AI tool that lacks appropriate confidentiality protections may constitute a breach of this duty — regardless of whether the information is actually disclosed or misused. The obligation applies to any information "relating to the representation."
Competent representation requires understanding the benefits and risks of relevant technology. Using AI tools without understanding how they handle client data, how their outputs should be verified, and what their limitations are may fall below the competence standard. Several bar associations have specifically noted that competence now includes understanding AI tools used in practice.
Partners and supervising attorneys are responsible for ensuring that associates, paralegals, and other staff comply with professional responsibility rules — including rules governing AI use. A firm that has no AI policy gives supervising attorneys no framework for meeting this obligation.
Attorney-client privilege protects confidential communications between attorney and client made for the purpose of seeking or giving legal advice. Whether entering client communications or privileged work product into an AI tool constitutes a waiver of privilege is an evolving question that courts have not uniformly resolved.
The conservative and defensible position: privileged communications and work product should not be entered into AI tools that lack contractual confidentiality protections (i.e., tools where the vendor has no agreement committing to confidentiality of inputs and restricting use of that data). Enterprise-tier AI tools with appropriate data processing agreements and no-training commitments are a lower-risk environment for this content than consumer free-tier tools.
A firm's AI policy should address this explicitly — not just as a data handling principle, but as a named rule about privileged material specifically.
The policy must name which AI tools are approved for use with client information and which are not. "Confidential information" in a generic policy is not specific enough for a law firm context — the policy should explicitly address client names, matter descriptions, privileged communications, and work product as distinct categories, and specify which tools can and cannot receive each category.
Any AI-generated legal research, case citations, contract language, or legal analysis must be independently verified by a licensed attorney before it is relied upon or communicated to a client. This is not a general "review AI output" rule — it is a specific obligation tied to the competence standard, and it should be stated explicitly. AI tools have produced fabricated case citations in legal filings. This is a documented risk with documented consequences.
Some jurisdictions' ethics guidance suggests that attorneys should consider whether to disclose to clients when AI tools are used in their representation, particularly when client information is processed by those tools. The policy should address whether the firm has a standard disclosure practice, and in which circumstances client consent should be sought before using AI tools with that client's information.
Non-attorney staff — paralegals, legal assistants, administrative staff — are not bound by professional responsibility rules directly, but supervising attorneys are responsible for their compliance. The AI policy should apply to all firm personnel, not just attorneys, and the supervision obligation should be explicitly assigned to named roles.
Law firm AI tool adoption is moving fast. Most major AI vendors now offer enterprise tiers with data processing agreements, no-training commitments, and security certifications relevant to legal use. Several legal-specific AI platforms have been built specifically for law firm use with confidentiality protections built into their architecture.
The practical guidance for building your firm's tool tier list:
Beyond internal compliance, law firm clients are beginning to ask questions about AI governance as part of matter intake and outside counsel guidelines. Enterprise clients in particular — those with their own AI governance programs — are increasingly requiring that outside counsel demonstrate AI policies that protect client confidentiality.
A documented AI acceptable use policy is becoming a prerequisite for some client relationships, not just a good governance practice. Firms without one may find that gap showing up in RFPs and outside counsel questionnaires.
The firm that handles its own AI governance well is the firm clients trust to handle theirs.
Shadow AI Policy generates a tailored AI acceptable use policy, tool tier list, employee acknowledgment form, and manager FAQ — with legal industry-specific confidentiality rules and client data handling guidance built in.
Generate my law firm policy →