Law Firm AI Policy Template
A fill-in-the-blank AI use policy built for law firms — privilege, client consent, outside counsel guidelines, and bar ethics, all in one.
A law firm AI policy is the written rulebook that says how your lawyers and staff may — and may not — use AI tools like ChatGPT, Copilot, or legal research assistants on client work. Unlike a generic company AI policy, a law firm policy has to answer questions no other business faces: Does putting client facts into an AI tool waive attorney-client privilege? Which of our clients' outside counsel guidelines (OCGs) restrict or ban AI? Do we have to tell a court when a filing was AI-assisted? Can we bill a client for time the AI saved us? A generic acceptable-use policy skips all of this, which is exactly why a firm that adopts one is still exposed on the issues that matter most to a bar regulator, a malpractice carrier, and a demanding client.
This page gives you the full policy on-screen — every section written in plain language with [bracketed] blanks you fill in for your firm. Read it, copy it, or grab the editable DOCX download and customize it with your firm name, approved tool list, and client requirements in minutes.
How to Use This Template
This template is a starting point, not finished legal advice. Work through it top to bottom, fill in every [bracketed] field, and delete anything that does not fit how your firm practices. A three-lawyer estate firm and a 400-lawyer litigation shop need different versions — the final section shows you what to change for each.
Have the partner or committee that owns risk (managing partner, general counsel, or an AI/technology committee) approve the final version before you circulate it. Then have every lawyer and staff member sign the acknowledgment so you can show a clear supervision trail under ABA Model Rules 5.1 and 5.3.
- Fill in every [bracketed] field — firm name, approved tools, policy owner, effective date.
- Match Section 4 to your actual clients — pull the AI clauses from each client's outside counsel guidelines.
- Have leadership approve it, then collect signed acknowledgments from everyone.
- Re-read it against your state bar's AI guidance and ABA Formal Opinion 512 before you adopt it.
This law firm AI policy template gets you started, but a signed PDF is not a program. Layer3 Labs helps firms turn it into working AI governance that satisfies client OCGs and bar ethics — approved tools, consent workflows, and staff training. Book a consultation to scope it.
Book a ConsultationSection 1 — Purpose & Scope
This section says why the policy exists and who it applies to. Keep the scope broad so a contract attorney or a new paralegal cannot say the rules did not cover them.
- Purpose: This policy governs how everyone at [FIRM NAME] uses artificial intelligence (AI) tools in the course of legal work, so the firm meets its duties of competence, confidentiality, supervision, and candor.
- "AI tools" means any generative or machine-learning system that creates, summarizes, drafts, analyzes, or predicts — including [ChatGPT, Microsoft Copilot, Claude, Gemini], legal-specific tools like [list approved legal AI], and any AI feature built into other software.
- This policy applies to all partners, associates, of counsel, contract lawyers, paralegals, legal assistants, and staff, and to any vendor or temp working on firm matters.
- It covers AI used on any device — firm-issued or personal — whenever the work touches a client matter or firm data.
- Where this policy conflicts with a specific client's outside counsel guidelines, the stricter rule controls.
Section 2 — Approved Tools & Approval Process
Lawyers should only use AI tools the firm has vetted for security and data handling. This section names what is approved today and how to get something new approved — so people do not quietly paste client data into whatever free tool they found.
- Only tools on the firm’s Approved AI Tools list may be used for client work. As of [DATE], the approved tools are: [list — e.g., enterprise ChatGPT with data-retention off, Copilot for M365, CoCounsel, Lexis+ AI].
- Approved "enterprise" or "legal" tools are those with a signed data agreement, a no-training-on-our-data commitment, and appropriate security — verified by [IT / POLICY OWNER].
- Consumer or free versions of AI tools may NOT be used for anything involving client information.
- To request a new tool, submit [form / email] to [POLICY OWNER / IT]; do not use it on client work until it is added to the list.
- The Approved AI Tools list is maintained by [POLICY OWNER / ROLE] and reviewed at least [quarterly].
Section 3 — Client Confidentiality & Attorney-Client Privilege
This is the heart of a law firm AI policy. Under ABA Model Rule 1.6, you must protect all information relating to a representation. Entering privileged or confidential facts into a public AI model can expose them to third parties and may risk waiving attorney-client privilege. The rules below keep client data out of any tool that is not locked down.
- Never enter client-identifying information, privileged communications, case facts, or confidential documents into any AI tool that is not on the firm’s approved, secured list.
- Never use a public or consumer AI tool (free ChatGPT, public chatbots, browser AI features) for anything relating to a client matter.
- Assume that anything typed into a non-approved tool could be seen by outsiders and could waive privilege — treat the prompt box like a public email.
- When an approved tool is used, still minimize what you enter: strip names and identifiers where the task does not need them.
- If you are unsure whether information is confidential or whether a tool is safe, do NOT enter it — ask [POLICY OWNER / ROLE] first.
- Report any suspected exposure of client data through an AI tool immediately under Section 9.
Section 4 — Client Consent, Disclosure & Outside Counsel Guidelines
Many corporate clients now write AI rules directly into their outside counsel guidelines (OCGs) — some require notice, some require written consent, and some ban AI on their matters entirely. This section makes those client rules operational so a lawyer cannot use AI on a matter where the client said no. ABA Formal Opinion 512 also advises getting informed client consent before putting client confidences into an AI tool — and says boilerplate engagement-letter language is not enough.
- Before using any AI tool on a client matter, check that client's outside counsel guidelines for AI terms. If the OCG restricts, requires consent for, or prohibits AI, follow it.
- The [BILLING / MATTER-OPENING TEAM] flags each matter's AI status at intake: (a) AI allowed, (b) AI allowed with client consent/notice, or (c) AI prohibited.
- Where a client's OCG or this firm requires it, obtain the client's written informed consent before entering their confidential information into an AI tool — do not rely on general engagement-letter boilerplate.
- Keep a record of each client's AI position and any consent obtained in [matter management system].
- When in doubt about a client’s stance, treat the matter as "AI prohibited" until [RELATIONSHIP PARTNER] confirms otherwise.
- Never represent to a client that no AI was used if it was; answer client AI questions honestly.
Section 5 — Prohibited Uses
A short, blunt list of things nobody at the firm may do. These are the actions most likely to create an ethics complaint, a malpractice claim, or a waived privilege.
- Do NOT enter privileged or confidential client information into any non-approved or public AI tool.
- Do NOT file, send, or rely on AI-generated legal work — briefs, citations, contracts, advice — without a qualified person reviewing and verifying it first.
- Do NOT let AI output stand in for a lawyer's professional judgment; AI does not practice law and cannot supervise itself.
- Do NOT use AI in a way that gives legal advice to non-clients or that could look like the unauthorized practice of law.
- Do NOT use AI on any matter where the client's OCG or this policy prohibits it.
- Do NOT use AI to create anything false, misleading, or intended to deceive a court, client, or opposing party.
- Do NOT bypass the approval process by using a personal account or unapproved tool for firm work.
Section 6 — Human Review & Competence
AI tools make things up — including fake cases and citations that look real. Lawyers have been sanctioned for filing them. ABA Model Rule 1.1 (competence) and its Comment 8 require you to understand the tools you use and to verify their output. A human always owns the final work product.
- A qualified lawyer must review and verify every piece of AI-assisted work before it is used, filed, or sent.
- Check every citation, quote, and authority the AI produces against the actual source — never assume a case or statute is real.
- Confirm the substance is correct and current: AI can be outdated, wrong on the law, or wrong on the facts.
- The reviewing lawyer is fully responsible for the work as if they had written it themselves — "the AI wrote it" is never a defense.
- Only use AI for tasks you are competent to check; if you cannot evaluate the output, do not rely on it.
- Supervising lawyers must ensure associates, paralegals, and staff follow this review step (Model Rules 5.1 and 5.3).
Section 7 — Billing for AI-Assisted Work
AI can make a task faster. Under ABA Formal Opinion 512 and Model Rule 1.5, you generally may not bill a client for hours you did not actually work just because AI saved you time, and you may not charge a client for the general time you spend learning AI tools. This section keeps billing honest.
- Bill only for time actually spent. If AI cut a 4-hour task to 1 hour, bill the 1 hour — do not bill the 4.
- Do not charge clients for time spent generally learning or setting up AI tools; that is a firm overhead cost.
- Do not add AI software costs to a client bill unless the engagement letter or OCG allows it and the client agreed.
- Follow each client's OCG billing rules on AI, which may require disclosure of AI use or bar AI-related charges.
- If a client specifically asks the firm to use a particular AI tool on their matter, time learning that specific tool may be billable only if the client agrees.
- Time descriptions must be truthful about the work performed.
Section 8 — Court Disclosure Obligations
A growing number of judges have standing orders requiring lawyers to disclose or certify AI use in filings, and Model Rules 3.1 and 3.3 require candor and non-frivolous filings. This section makes checking the court’s rules a required step.
- Before filing anything, check the assigned judge's standing orders and the local rules for any AI-disclosure or certification requirement, and comply with it.
- If a court requires an AI-use certification, the filing lawyer completes it truthfully.
- Never submit AI-generated content to a tribunal without verifying every fact and citation (see Section 6).
- Do not make false statements to a court about whether or how AI was used.
- Track known court AI requirements in [litigation practice group resource] and update as orders change.
- When a court's rule is unclear, disclose or ask the court rather than guess.
Section 9 — Security, Incident Reporting & Roles
This section covers how AI tools are secured, who is responsible, and what to do when something goes wrong — because an AI mistake with client data is a data incident.
- The [POLICY OWNER / ROLE] owns this policy; [IT / SECURITY LEAD] vets tools and maintains security controls.
- Approved AI tools must use firm-managed accounts with data-retention and training settings configured for confidentiality.
- Access to AI tools handling client data is limited to authorized personnel; no shared or personal logins for firm work.
- If you suspect client data was exposed to a non-approved tool, or an AI tool behaved unexpectedly with confidential data, report it to [POLICY OWNER / IT] within [24 hours].
- The firm will assess each reported incident for client-notification and privilege-protection steps, consistent with Model Rule 1.6 and applicable breach rules.
- Retaliation for good-faith reporting is prohibited.
Section 10 — Review & Update Cadence
AI tools and bar guidance change fast. This section keeps the policy from going stale.
- This policy is reviewed at least [annually] and whenever bar rules, major client OCGs, or the firm’s tools change.
- [POLICY OWNER / ROLE] is responsible for scheduling and running the review.
- Material changes are communicated to all personnel, and updated acknowledgments are collected.
- The Approved AI Tools list (Section 2) is reviewed more often — at least [quarterly].
How to Customize This Policy for Your Firm
Every firm's version of this policy looks a little different. Use these notes to tailor it before you adopt it.
Solo and small firms: keep it lean. You may be the policy owner, IT lead, and reviewer all at once — say so plainly, and lean on approved legal-specific tools rather than building heavy internal review committees. Section 4 still matters if you do any work for corporate clients with OCGs.
Midsize and BigLaw: name real roles and committees (AI/technology committee, GC, practice-group leads), tighten Section 2’s approval workflow, and build Section 4 around a real OCG-tracking process since you likely have dozens of clients with different AI terms.
Litigation-heavy firms: expand Section 6 (citation verification) and Section 8 (court standing orders) — these are where your exposure is highest.
Transactional firms: emphasize Section 3 and Section 4 — confidentiality of deal data and client consent — and be precise about which drafting tools are approved.
Whatever your size, run the final version past your state bar's AI guidance and, ideally, outside ethics counsel before adopting it.
Frequently Asked Questions
- Yes. The full policy is on this page to read and copy at no cost, and the editable DOCX download is free too. Fill in the [bracketed] fields with your firm name, approved tools, and client requirements, then have your leadership approve it. It is a starting point — have counsel review your final version.
- Because a generic policy skips the issues that create the most risk for lawyers. It does not address attorney-client privilege, client outside counsel guidelines, court AI-disclosure orders, bar ethics duties, or the no-billing-for-AI-time rule. A firm that adopts a generic policy is still exposed everywhere a regulator, malpractice carrier, or client actually looks. This template is built around those law-firm-specific concerns.
- Yes. Section 3 keeps privileged and confidential client information out of any non-approved or public AI tool, because entering it can breach ABA Model Rule 1.6 and risk waiving privilege. The template also reflects ABA Formal Opinion 512 (2024) on informed client consent, competence and verifying AI output, supervision, and reasonable fees.
- A lot. Many corporate clients now put AI rules in their outside counsel guidelines (OCGs) — some require notice, some require written consent, and some ban AI outright. Section 4 makes those client rules operational: check each client’s OCG, flag the matter’s AI status at intake, and get written consent where required. Where a client’s OCG is stricter than your policy, the OCG controls.
- Sometimes, yes. For clients, ABA Formal Opinion 512 advises getting informed consent before putting their confidential information into an AI tool, and many OCGs require notice or consent — boilerplate engagement-letter language is not enough. For courts, a growing number of judges have standing orders requiring you to disclose or certify AI use in filings. Section 4 and Section 8 of the template make checking and complying with both a required step.
- A partner or committee responsible for firm risk — a managing partner, general counsel, or an AI/technology committee. Under ABA Model Rules 5.1 and 5.3, lawyers with managerial authority must make reasonable efforts to ensure everyone at the firm follows the ethics rules, so leadership should approve the policy and collect signed acknowledgments from all lawyers and staff.
Turn this template into a real AI program for your firm
A policy on paper is step one. Layer3 Labs helps law firms stand up AI they can actually defend — approved tools, OCG compliance, staff training, and the supervision trail your bar and clients expect.
Book a Consultation