advanta

HomeModule LibraryData

Module DAT-01 sigil: Data pillar, Strategy layer, maturity bands 1 to 3.Deterministic sigil for Module DAT-01. The Pillar geometry encodes Data (Pillar 2); the top-right marker S encodes the Strategy layer; the baseline meter encodes maturity bands 1 to 3.SDAT-01
P2· L-G· Bands FoundationalOperationalIntegratedOptimisedDefensible

· DAT-01

Data Governance Architecture

Data Governance Architecture establishes the canonical four-level data classification, AI handling rules, and vendor data protection baseline for Legal AI. Anchored to Pillar P2 (Data & Knowledge Infrastructure) on the Governance Layer, the Module advances the function from Band 2 Operational to Band 4 Optimised on the Defensibility lens. It embeds Risk Taxonomy 2026 across all nine classes, anchors the AI Bill of Materials as canonical scope, and introduces five mandatory Agentic Tier data provisions. The output is a defensible, audit-ready data governance regime mapped to ABA, GDPR, EU AI Act, and state privacy laws. Methodology v2026.1.

Foundational

·

Lift 3 · Programme-grade

·

Annual

·

3–6 weeks for initial framework; 1–2 weeks for annual review and updates

Methodology v2026.1·Verified 23 May 2026·Reviewed 23 May 2026

Executive Summary

This module provides a complete Data Governance Framework for legal departments implementing AI. It defines a four-level data classification model, AI-specific handling rules, and mandatory vendor data protection requirements aligned with VEN-04 and DAT-03. It embeds Risk Taxonomy 2026 across nine classes, with upgraded Class 6 Shadow AI governance, immediate STR-07 escalation rules, and GOV-03 Risk Register integration. The framework integrates the AI Bill of Materials (AI BoM) as the canonical scope for data governance and monitoring, and introduces five mandatory Agentic Tier Data Provisions for Level 4 (AI as Executor) tools. It maps controls to ABA Model Rules, GDPR, EU AI Act, and key US state privacy laws, and specifies DPS-grade evidence retention for defensibility. Use this module to design, implement, and maintain a defensible, audit-ready data governance regime for legal AI, from blueprint through ongoing monitoring and incident response.

Defensibility Evidence Produced

Signed framework and amendments, data classification records, vendor DPAs, Class 6 Shadow AI incident records, Agentic Tier data provision assessments, data breach response records, and AI BoM data governance scope records are DPS Defensibility lens evidence demonstrating systematic, governed data management for legal AI. Retained for 5 years (training records, STR-07 briefings) and 7 years (framework, DPAs, incident records, breach response).

Elements:

Decision traceabilityEvidence frameworkGovernance posture

Metric 0 Pre-Check

Before establishing or updating the data governance framework, confirm all five gates are satisfied.

| Gate | Check | Status |

|—|—|—|

| M0.1 — GOV-02 Alignment | AI Use Policy (GOV-02) is current; data governance framework aligns with policy provisions | Confirm |

| M0.2 — GOV-03 Alignment | Risk Register (GOV-03) is current; data-related risk entries are up to date | Confirm |

| M0.3 — AI BoM Currency | AI BoM is available; all deployed AI tools have entries for data governance scoping | Confirm |

| M0.4 — STR-07 Authorisation | AI Task Force has reviewed the governance framework scope; high-risk classifications confirmed | Confirm |

| M0.5 — VEN-04 Alignment | VEN-04 Security and Compliance Checklist provisions are reflected in Vendor Data Protection section | Confirm |

Purpose

This Data Governance Framework establishes policies and procedures for the secure, ethical, and compliant use of data in AI applications within the Legal Department. It ensures AI initiatives enhance legal service delivery while maintaining the highest standards of client confidentiality, professional responsibility, and regulatory compliance.

Operational Signals

dat-01.classification-coverage

Defensibility Posture Statement

Percentage of legal data inventory classified to the four-level model — DE-1 evidence record.

Quarterly

dat-01.shadow-ai-incidents-resolved

Annual Legal AI OS Index

Shadow AI (RC-6) incidents resolved per quarter feeds the Annual Legal AI OS Index governance signal.

Quarterly

dat-01.agentic-provisions-attested

Console

Agentic Tier (Tier 4) data provision compliance status for Console intelligence substrate.

On change

Recommended Stakeholders

Owner

  • General Counsel

Approvers

  • General Counsel
  • CIO / CISO
  • Risk & Compliance

Contributors

  • Head of Legal Operations
  • Engineering / IT
  • Procurement

Informed

  • Board
  • Data Protection Officer

Inputs · Outputs

Inputs

  • · Current AI Use Policy (GOV-02)
  • · Risk Register with data-related entries (GOV-03)
  • · AI Bill of Materials (AI BoM) with all deployed AI tools
  • · DAT-02 Data Inventory and Classification Matrix
  • · VEN-04 Security and Compliance Checklist
  • · DAT-03 Vendor DPA Checklist
  • · Applicable regulatory requirements (ABA Model Rules, GDPR, EU AI Act, US state privacy laws)
  • · Existing enterprise data governance and privacy policies

Outputs

  • · Approved Data Governance Framework for legal AI
  • · Documented four-level data classification scheme and handling rules
  • · Completed vendor DPAs and VEN-04-aligned safeguards for AI vendors
  • · Shadow AI (Class 6) governance policy and escalation procedures
  • · Agentic Tier Data Provisions assessment records for Level 4 tools
  • · Updated AI BoM with data governance scope annotations
  • · GOV-03 Risk Register entries for data and Class 6 incidents
  • · DPS Defensibility evidence pack for data governance and incidents

Framework Crosswalk

NIST AI Risk Management Framework

NIST

Aligns data governance, monitoring, and incident response controls with NIST AI RMF functions (Map, Measure, Manage, Govern).

EU AI Act

European Union

Maps AI BoM, risk classification, data governance, and high-risk controls to EU AI Act obligations, including registration and oversight.

GDPR

European Union

Implements GDPR principles of processing, DPIA requirements, and data subject rights for AI-related processing.

ABA Model Rules of Professional Conduct

American Bar Association

Connects AI data governance to Rules 1.1, 1.6, and 5.3 on competence, confidentiality, and supervision.

Operational Artefacts

  • DAT-01 Data Governance Framework Template (Policy Document)

    docx · v2026.1

    Gated
  • DAT-01 Data Governance Implementation Checklist

    checklist · v2026.1

    Gated
  • DAT-01 DPS Evidence Register for Data Governance

    xlsx · v2026.1

    Gated

Diagnostic Relevance

Running Data Governance Architecture strengthens the Defensibility lens — expected Band progression: Operational → Optimised.

Confidence: high

Key Takeaways

  • Define and enforce a four-level data classification scheme tailored to legal AI workloads.

  • Use the AI BoM as the authoritative scope for all AI-related data governance and monitoring.

  • Apply strict vendor data protection controls, including no-training clauses and DPAs, before any data access.

  • Treat Shadow AI as Risk Taxonomy 2026 Class 6 with immediate STR-07 escalation and GOV-03 logging.

  • Implement the five Agentic Tier Data Provisions before allowing Level 4 tools to touch Level 3–4 data.

  • Map data governance controls to ABA Model Rules, GDPR, EU AI Act, and US state privacy laws.

  • Retain framework artefacts as DPS Defensibility evidence to withstand regulatory and client scrutiny.

Run this Module

Operational artefacts available to Practitioner Membership members. Methodology v2026.1.

View Membership

Targeting

Audience

GC / CLOLegal Operations

Strengthens

Defensibility lensSophistication lens

Module Details

Format
Module
Difficulty
Operational
Pillar
P2
Owner
General Counsel
Access
Practitioner Membership
Certification
Practitioner

Maturity Bands

FoundationalOperationalIntegratedOptimisedDefensible

Where this Module lives

Data Governance Architecture produces the Defensibility Element 1 (Decision traceability) and DE-3 (Evidence framework) records that anchor the Defensibility Posture Statement’s data section. Vendor DPAs, Shadow AI incident logs, and Agentic Tier provisioning records feed the Annual Legal AI OS Index. Without this Module, the DPS sits without data-lineage evidence and downstream Modules (Vendor Evaluation, AI BoM, Risk Register) operate without canonical classification.

Advisory

When this Module sits inside a Programme.

Modules are operated in-house by GC and Legal Operations teams. When the capability transformation is multi-Pillar — or when the regulator timeline tightens — Advanta operates the canonical Module sequence as a Programme.