Advanta is currently undergoing final system calibration ahead of launch. Selected infrastructure and experiences may still be in active refinement.

advanta

HomeModule Library

Module DAT-02 sigil: Data pillar, Strategy layer, maturity bands 1 to 3.Deterministic sigil for Module DAT-02. The Pillar geometry encodes Data (Pillar 2); the top-right marker S encodes the Strategy layer; the baseline meter encodes maturity bands 1 to 3.SDAT-02

P2

L-G

DAT-02

Data Inventory and Classification Matrix

Classify every data asset by sensitivity level, assign AI processing permissions by classification, and build the governance record that proves Defensible AI adoption.

ModuleFoundationalAnnualAdoption lensDefensibility lens

Audience

GC / CLOLegal Operations

·

Initial build 4–6 weeks; quarterly updates 1–2 days; annual review 3–5 days

Executive Summary

DAT-02 defines a structured Data Inventory and Classification Matrix for legal departments preparing for Defensible AI. It introduces a four-level classification model (Public, Internal, Client Confidential, Privileged) aligned with ABA ethics, GDPR, the EU AI Act, and the Risk Taxonomy 2026. The module prescribes discovery, assessment, legal review, and final classification steps, then links each level to concrete security controls and AI usage permissions. It embeds AI Bill of Materials (AI BoM) checks, vendor DPA requirements, and Agentic Tier controls for privileged data. Class 6 Shadow AI is tightly governed through an escalation protocol integrated with STR-07 and GOV-03. Templates and checklists support inventories, classification decisions, AI processing assessments, and ongoing quarterly/annual reviews. Outputs form a DPS-grade defensibility evidence package for regulators, clients, and internal assurance.

Metric 0 Pre-Check

Complete all five gates before any data inventory or reclassification:

  • M0.1 — GOV-02 verified: AI Use Policy current; classification rules align with approved AI usage categories.
  • M0.2 — AI BoM verified: AI Bill of Materials entries exist for any AI tool that will process inventoried data.
  • M0.3 — GOV-03 verified: AI Vendor Risk Register current; vendor risk ratings inform processing permissions.
  • M0.4 — DAT-01 verified: Data Governance Framework in force; this Matrix implements DAT-01 rules.
  • M0.5 — STR-07 verified: AI Task Force Charter active; Class 6 Shadow AI incidents trigger immediate STR-07 notification.

All five gates must be confirmed before data inventory work begins.

---

1. Purpose and When to Use

The Data Inventory and Classification Matrix enables legal departments to systematically catalogue and classify data assets by sensitivity level, ensuring appropriate security controls and AI readiness. It underpins Defensible AI adoption while maintaining compliance with ABA ethics, GDPR, EU AI Act, Risk Taxonomy 2026, and related regulations.

Use this module:

  • In Blueprint Stage, Pillar 2 — Data and Infrastructure.
  • For initial inventory, quarterly updates, and annual review.
  • When preparing for AI deployment, vendor evaluation, data governance, or compliance audits.

Defensibility Evidence

All classification decision records, AI BoM alignment reports, Class 6 Shadow AI incident records, Agentic Tier Data Gate confirmations, and DPA verification records retained 7 years as DPS Defensibility lens evidence. Quarterly review findings and training completion records retained 5 years as DPS Adoption lens evidence.

Operational Artefacts

  • Data Inventory and Classification Spreadsheet

    xlsx · v2026.1

    Gated

  • Classification Decision Worksheet

    docx · v2026.1

    Gated

  • AI Processing Assessment Checklist

    checklist · v2026.1

    Gated

  • Quarterly and Annual Review Template

    pdf · v2026.1

    Gated

Framework Crosswalk

ABA Model Rules of Professional Conduct

American Bar Association

Maps confidentiality, competence, and supervision duties (Rules 1.1, 1.4, 1.6, 5.1–5.3) to data classification, AI oversight, and Shadow AI controls.

GDPR

European Union

Aligns Levels 2–4 with lawful basis, data minimisation, data subject rights, and automated decision-making restrictions.

EU AI Act

European Union

Treats legal AI tools handling Levels 3–4 as potential high-risk systems, linking classification to risk management, documentation, and human oversight duties.

Risk Taxonomy 2026

Advanta

Integrates all nine risk classes into data classification, AI usage permissions, and Shadow AI escalation rules.

NIST AI Risk Management Framework

NIST

Supports mapping of data classification and AI BoM controls to govern, map, measure, and manage AI risks in legal contexts.

Operational Details

Inputs

  • · AI BoM (AI Bill of Materials)
  • · GOV-02 AI Use Policy (approved AI usage categories)
  • · GOV-03 AI Vendor Risk Register (vendor risk ratings)
  • · DAT-01 Data Governance Framework (classification governance rules)
  • · STR-07 AI Task Force Charter (escalation authority for Class 6 incidents)

Outputs

  • · Classified data inventory with Risk Taxonomy 2026 class assignments
  • · AI BoM alignment report (registered vs. active tools)
  • · Class 6 Shadow AI incident log with GOV-03 entries
  • · Agentic Tier Data Gate confirmations for Level 4 processing tools
  • · DPA verification records by classification level
  • · Annual classification review report for DPS Defensibility evidence package

Owner

General Counsel + Legal Operations

Telemetry & Observability

Telemetry-ready

Key Takeaways

  • Establish a four-level data classification scheme tailored to legal risk and AI usage.

  • Run structured data discovery across all repositories and AI tools before classification.

  • Apply legal review to distinguish client confidential from privileged information.

  • Tie each classification level to specific security controls and AI permissions.

  • Use the AI BoM to govern which AI tools may process which data classes.

  • Escalate all Class 6 Shadow AI incidents via STR-07 and log them in GOV-03.

  • Retain classification and review records as DPS-grade defensibility evidence.

Get This Module

This module is available as part of an Advanta Advisory engagement.

Explore Advisory

Module Details

Type

Pillar

P2

Layer

G · Governance

Duration

Initial build 4–6 weeks; quarterly updates 1–2 days; annual review 3–5 days

Advisory

Yes

Access

Member access

Certification

Practitioner

Maturity Bands

FoundationalOperationalIntegratedOptimisedDefensible

Risk Classes Mitigated

Available Through

Related Resources

P2 · DataModule Library →Take the Free Baseline Diagnostic →

Governance

Methodology
v2026.1
Last reviewed
23 May 2026
Verified
23 May 2026

ADVISORY

Need help implementing this — and the 49 modules around it?

Advanta Advisory works with legal departments to deploy the full Legal AI OS framework — governance design, implementation roadmap, and team capability — structured around your maturity baseline.

Explore Advisory →Run the Diagnostic first
← Back to Module Library