advanta

HomeModule LibraryData

Module DAT-02 sigil: Data pillar, Strategy layer, maturity bands 1 to 3.Deterministic sigil for Module DAT-02. The Pillar geometry encodes Data (Pillar 2); the top-right marker S encodes the Strategy layer; the baseline meter encodes maturity bands 1 to 3.SDAT-02
P2· L-G· Bands FoundationalOperationalIntegratedOptimisedDefensible

· DAT-02

Data Inventory & Classification Methodology

An AI governance program cannot govern data it cannot describe. The Data Inventory and Classification Matrix produces the canonical record of every data class the legal function holds — by sensitivity, by client-attribution, by AI-touchable status, by retention obligation, and by owner. It is the inventory underneath the data governance framework: every classification rule in DAT-01 operates against this inventory. Without it, data governance is policy without scope. Methodology v2026.1.

Operational

·

Annual

·

Initial build 4–6 weeks; quarterly updates 1–2 days; annual review 3–5 days

Methodology v2026.1·Verified 23 May 2026·Reviewed 23 May 2026

Executive Summary

DAT-02 defines a structured Data Inventory and Classification Matrix for legal departments preparing for Defensible AI. It introduces a four-level classification model (Public, Internal, Client Confidential, Privileged) aligned with ABA ethics, GDPR, the EU AI Act, and the Risk Taxonomy 2026. The module prescribes discovery, assessment, legal review, and final classification steps, then links each level to concrete security controls and AI usage permissions. It embeds AI Bill of Materials (AI BoM) checks, vendor DPA requirements, and Agentic Tier controls for privileged data. Class 6 Shadow AI is tightly governed through an escalation protocol integrated with STR-07 and GOV-03. Templates and checklists support inventories, classification decisions, AI processing assessments, and ongoing quarterly/annual reviews. Outputs form a DPS-grade defensibility evidence package for regulators, clients, and internal assurance.

Defensibility Evidence Produced

All classification decision records, AI BoM alignment reports, Class 6 Shadow AI incident records, Agentic Tier Data Gate confirmations, and DPA verification records retained 7 years as DPS Defensibility lens evidence. Quarterly review findings and training completion records retained 5 years as DPS Adoption lens evidence.

Elements:

Decision traceabilityEvidence framework

Metric 0 Pre-Check

Complete all five gates before any data inventory or reclassification:

  • M0.1 — GOV-02 verified: AI Use Policy current; classification rules align with approved AI usage categories.
  • M0.2 — AI BoM verified: AI Bill of Materials entries exist for any AI tool that will process inventoried data.
  • M0.3 — GOV-03 verified: AI Vendor Risk Register current; vendor risk ratings inform processing permissions.
  • M0.4 — DAT-01 verified: Data Governance Framework in force; this Matrix implements DAT-01 rules.
  • M0.5 — STR-07 verified: AI Task Force Charter active; Class 6 Shadow AI incidents trigger immediate STR-07 notification.

All five gates must be confirmed before data inventory work begins.

1. Purpose and When to Use

The Data Inventory and Classification Matrix enables legal departments to systematically catalogue and classify data assets by sensitivity level, ensuring appropriate security controls and AI readiness. It underpins Defensible AI adoption while maintaining compliance with ABA ethics, GDPR, EU AI Act, Risk Taxonomy 2026, and related regulations.

Use this module:

  • In Blueprint Stage, Pillar 2 — Data and Infrastructure.
  • For initial inventory, quarterly updates, and annual review.
  • When preparing for AI deployment, vendor evaluation, data governance, or compliance audits.

Operational Signals

dat-02.inventory-coverage

Defensibility Posture Statement

Proportion of data domains with current classification entry — DE-1 Decision traceability record.

Quarterly

dat-02.classification-currency

Annual Legal AI OS Index

Inventory entries refreshed within annual review window feeds the Annual Legal AI OS Index data signal.

Quarterly

dat-02.reclassification-rate

Console

Class transitions per quarter (e.g. internal → client confidential) for Console intelligence substrate.

On change

Recommended Stakeholders

Owner

  • Head of Legal Operations

Approvers

  • General Counsel
  • Risk & Compliance
  • Data Protection Officer

Contributors

  • Engineering / IT
  • AI Task Force

Informed

  • Board
  • Audit Committee

Inputs · Outputs

Inputs

  • · AI BoM (AI Bill of Materials)
  • · GOV-02 AI Use Policy (approved AI usage categories)
  • · GOV-03 AI Vendor Risk Register (vendor risk ratings)
  • · DAT-01 Data Governance Framework (classification governance rules)
  • · STR-07 AI Task Force Charter (escalation authority for Class 6 incidents)

Outputs

  • · Classified data inventory with Risk Taxonomy 2026 class assignments
  • · AI BoM alignment report (registered vs. active tools)
  • · Class 6 Shadow AI incident log with GOV-03 entries
  • · Agentic Tier Data Gate confirmations for Level 4 processing tools
  • · DPA verification records by classification level
  • · Annual classification review report for DPS Defensibility evidence package

Framework Crosswalk

ABA Model Rules of Professional Conduct

American Bar Association

Maps confidentiality, competence, and supervision duties (Rules 1.1, 1.4, 1.6, 5.1–5.3) to data classification, AI oversight, and Shadow AI controls.

GDPR

European Union

Aligns Levels 2–4 with lawful basis, data minimisation, data subject rights, and automated decision-making restrictions.

EU AI Act

European Union

Treats legal AI tools handling Levels 3–4 as potential high-risk systems, linking classification to risk management, documentation, and human oversight duties.

Risk Taxonomy 2026

Advanta

Integrates all nine risk classes into data classification, AI usage permissions, and Shadow AI escalation rules.

NIST AI Risk Management Framework

NIST

Supports mapping of data classification and AI BoM controls to govern, map, measure, and manage AI risks in legal contexts.

Operational Artefacts

  • Data Inventory and Classification Spreadsheet

    xlsx · v2026.1

    Gated
  • Classification Decision Worksheet

    docx · v2026.1

    Gated
  • AI Processing Assessment Checklist

    checklist · v2026.1

    Gated
  • Quarterly and Annual Review Template

    pdf · v2026.1

    Gated

Diagnostic Relevance

Running the Data Inventory and Classification Matrix strengthens the Defensibility lens — expected Band progression: Foundational → Operational.

Confidence: high

Key Takeaways

  • Establish a four-level data classification scheme tailored to legal risk and AI usage.

  • Run structured data discovery across all repositories and AI tools before classification.

  • Apply legal review to distinguish client confidential from privileged information.

  • Tie each classification level to specific security controls and AI permissions.

  • Use the AI BoM to govern which AI tools may process which data classes.

  • Escalate all Class 6 Shadow AI incidents via STR-07 and log them in GOV-03.

  • Retain classification and review records as DPS-grade defensibility evidence.

Run this Module

Operational artefacts available to Practitioner Membership members. Methodology v2026.1.

View Membership

Targeting

Audience

GC / CLOLegal Operations

Strengthens

Defensibility lensSophistication lens

Module Details

Format
Module
Difficulty
Foundational
Pillar
P2
Owner
Head of Legal Operations
Access
Practitioner Membership
Certification
Practitioner

Maturity Bands

FoundationalOperationalIntegratedOptimisedDefensible

Where this Module lives

The Data Inventory and Classification Matrix is the scope substrate that makes the Data Governance Architecture (DAT-01) operationally meaningful. It consumes the classification rules from DAT-01 and produces the inventory that AI BoM (DAT-06) entries are scoped against. The Module produces DE-1 (Decision traceability) and DE-3 (Evidence framework) records into the DPS. Without it, vendor evaluation and AI deployment operate over unbounded data scope.

Advisory

When this Module sits inside a Programme.

Modules are operated in-house by GC and Legal Operations teams. When the capability transformation is multi-Pillar — or when the regulator timeline tightens — Advanta operates the canonical Module sequence as a Programme.