advanta

HomeModule LibraryData

Module DAT-05 sigil: Data pillar, Strategy layer, maturity bands 1 to 3.Deterministic sigil for Module DAT-05. The Pillar geometry encodes Data (Pillar 2); the top-right marker S encodes the Strategy layer; the baseline meter encodes maturity bands 1 to 3.SDAT-05
P2· L-E· Bands FoundationalOperationalIntegratedOptimisedDefensible

· DAT-05

Integration Architecture

AI tools that don't reach matter data either fail to deliver value or get bridged with shadow workflows. The Integration Architecture defines how Legal AI connects into matter-management, knowledge, and case data — with canonical integration patterns, authentication standards, data-classification handling at each boundary, and audit-log requirements at every integration point. Without disciplined integration architecture, AI tools become privilege-leaking shadow workflows or stop short of the data that would make them useful. Methodology v2026.1.

strategic

·

Per-engagement

·

6–12 months for initial rollout; 1–2 weeks for annual review and major change assessments.

Methodology v2026.1·Verified 23 May 2026·Reviewed 23 May 2026

Executive Summary

DAT-05 defines the Integration Architecture Blueprint for connecting AI capabilities to core legal technology in a secure, scalable and defensible way. It provides a three-tier reference architecture, security and compliance controls, and an implementation roadmap that align with the AI Bill of Materials (AI BoM), data governance, and the AI Task Force charter. The module is used during initial AI platform design, major system upgrades, and annual reviews to ensure that document management, CRM, eBilling, matter management, and communication systems integrate with AI tools through an API-first, event-driven, vendor-neutral architecture. It embeds Class 6 Shadow AI detection, Agentic Tier (Level 4) safeguards, and Risk Taxonomy 2026 controls into the integration layer. Outputs include integration design artefacts, testing and validation frameworks, governance processes, and DPS-grade evidence for regulators and clients. When executed, DAT-05 reduces breach and privilege risk, supports GDPR, EU AI Act and ABA compliance, and enables measurable ROAI across Protect, Comply, Grow and Transform quadrants.

Defensibility Evidence Produced

All integration architecture decision records, AI BoM alignment reports, Agentic Tier Architecture Gate confirmations, Class 6 Shadow AI incident records, security assessment reports, and vendor SLA verification records retained 7 years as DPS Defensibility lens evidence; ROAI dashboard reports and training completion records retained 5 years as DPS Adoption lens evidence.

Elements:

Decision traceabilityEvidence framework

Metric 0 Pre-Check

Complete all five gates before any integration architecture design or implementation:

  • Gate M0.1 — GOV-02 verified: AI Use Policy is current; AI usage categories define permissible integration patterns.
  • Gate M0.2 — AI BoM verified: All AI systems to be integrated are registered in the AI Bill of Materials.
  • Gate M0.3 — DAT-01 verified: Data Governance Framework is in force; integration must respect data rules per category.
  • Gate M0.4 — STR-07 verified: AI Task Force Charter is active; escalation channels open for Class 6 Shadow AI.
  • Gate M0.5 — VEN-04 verified: AI Vendor Security Checklist completed for all AI vendors in scope.

All five gates must be confirmed before integration work begins.

1. Executive Summary and Strategic Context

Integration vision: Enable secure, compliant integration between core legal systems and AI capabilities, creating a unified ecosystem that enhances legal service delivery while preserving confidentiality, security, and professional responsibility.

Business objectives include: improving operational efficiency, maintaining security and compliance, enabling scalable AI, reducing complexity, supporting resilience, and demonstrating ROAI across Protect, Comply, Grow, and Transform.

Architectural principles:

  1. Security by design
  2. API-first approach
  3. Event-driven architecture
  4. Data minimisation (DAT-04)
  5. Vendor neutrality
  6. Defensible AI governance (AI BoM, Agentic Tier, Class 6 detection)
  7. Operational excellence (monitoring and optimisation)

A ROAI alignment table maps how integration supports each quadrant.

2. Current State Assessment and System Inventory

  1. Core systems inventory: Catalogue DMS, CRM, eBilling/financial, matter management, and email/communications platforms, including current integration points and constraints.
  2. AI BoM registration assessment: For each system, record whether AI components exist, are BoM-registered, and operate at Agentic Tier; register any missing entries before design proceeds.
  3. Class 6 Shadow AI audit: Identify ad-hoc or unapproved AI tools processing legal data. Any unregistered AI constitutes a Class 6 incident and must be escalated via STR-07 before continuing.
  4. Gap analysis: Document legacy limitations, API quality issues, security gaps, manual processes, data silos, unregistered AI tools, and absence of Agentic Tier controls.

3. Target Architecture and Integration Design

3.1 Three-Tier Integration Architecture

  • Tier 1 — Core Legal Systems: DMS, CRM, eBilling, matter management, email and other data sources. Integrate via standardised, authenticated, monitored APIs. All data classified per DAT-02 before entering Tier 2.
  • Tier 2 — Integration Layer (Middleware): API gateway, message broker, data integration platform, service mesh, and AI BoM registry hook that validates all AI-to-system calls.
  • Tier 3 — AI Processing Infrastructure: GPAI platforms, legal-specific AI, enterprise AI services, and Agentic AI layer, all registered in the AI BoM.

3.2 API-First Integration Strategy

Design REST/GraphQL APIs with OpenAPI specs, versioning, and standard error handling. Use OAuth 2.0/OIDC, JWT, scoped API keys, certificate-based auth where required, and MFA for admin access. Implement rate limiting, circuit breakers, load balancing, and caching.

3.3 Event-Driven Architecture

Adopt publish-subscribe, request-reply, and queuing patterns. Define event categories: system, data, business, AI, and Class 6 events (unauthorised AI attempts). Use Kafka or cloud-native brokers for streaming and routing.

3.4 Data Synchronisation and Consistency

Apply real-time, near real-time, or scheduled sync based on criticality. Use strong consistency for financial/compliance data and eventual consistency for analytics. Enforce DAT-02 classification checks and enhanced controls for Level 3–4 data.

3.5 Agentic Tier Architecture Provisions

For any Level 4 (AI as Executor) tool:

  1. Scope-limited API access: Only the minimum systems and objects needed.
  2. Kill-switch API endpoint: Standardised endpoint that halts processing and revokes access within 60 seconds.
  3. Audit API: Complete, privilege-protected logs of actions, data accessed, and decisions.
  4. Intervention callback: Mechanism for attorneys to pause, review, and override actions.
  5. Cross-system data isolation: Matter-level partitioning to prevent cross-matter access.

No Agentic Tier integration goes live until all five provisions are documented and verified; exceptions require STR-07 approval.

4. Security and Compliance Framework

4.1 Data Protection and Encryption

Use AES-256 and TDE for data at rest, encrypted backups, and HSM-backed key management. Enforce TLS 1.3, end-to-end encryption for Level 3–4 data, VPN tunnels, and message-level encryption for streams.

4.2 Access Controls and Identity Management

Require MFA for admin access, integrate with corporate IdPs, and apply RBAC aligned to legal roles with just-in-time elevation. Validate all AI API access against AI BoM entries.

4.3 Network Security and Segmentation

Implement DMZs, internal segmentation, a dedicated AI processing segment, micro-segmentation, IDS/IPS, DDoS protection, and zero-trust principles for remote access.

4.4 Regulatory Compliance

Map controls to ABA Model Rules (1.1, 1.4, 1.6, 5.3), GDPR (data minimisation, rights, DPIAs), EU AI Act (high-risk documentation, oversight, monitoring), and Risk Taxonomy 2026 classes.

4.5 Class 6 Shadow AI Detection

Operational Signals

dat-05.integration-coverage

Defensibility Posture Statement

Proportion of AI tools deployed via canonical integration pattern — DE-1 Decision traceability record.

Quarterly

dat-05.audit-log-completeness

Annual Legal AI OS Index

Audit log coverage across active integrations feeds the Annual Legal AI OS Index data-lineage signal.

monthly

dat-05.boundary-incidents

Console

Data-boundary incidents per quarter for Console intelligence substrate.

On change

Recommended Stakeholders

Owner

  • CIO / CISO

Approvers

  • General Counsel
  • CIO / CISO
  • Risk & Compliance

Contributors

  • Engineering / IT
  • Head of Legal Operations
  • AI Task Force

Informed

  • Board
  • Audit Committee
  • Data Protection Officer

Inputs · Outputs

Inputs

  • · GOV-02 approved AI tools list
  • · AI BoM registered tool inventory
  • · DAT-01 Data Governance Framework
  • · STR-07 AI Task Force security requirements
  • · VEN-04 vendor security requirements and SLA specifications
  • · Current system inventory (DMS, CRM, eBilling, Matter Management, Email)
  • · Regulatory compliance requirements (GDPR, EU AI Act, ABA Model Rules, state bar rules)

Outputs

  • · Integration architecture documentation (three-tier design with Agentic Tier provisions)
  • · AI BoM alignment report confirming all integrated AI tools registered
  • · Class 6 Shadow AI Detection Architecture with 5-step STR-07 alerting pipeline
  • · Agentic Tier Architecture Gate confirmations for Level 4 AI-as-Executor tools
  • · ROAI implementation dashboard (Protect, Comply, Grow, Transform quadrants)
  • · System integration map with API patterns and data flow documentation
  • · Security and compliance framework documentation
  • · Phased implementation roadmap (4 phases)

Framework Crosswalk

NIST AI Risk Management Framework

NIST

Maps integration controls to AI RMF functions for governance, data management, and technical robustness.

ISO/IEC 42001 AI Management System

ISO

Supports AI management system requirements for lifecycle control, risk, and technical integration safeguards.

EU AI Act

European Union

Implements technical hooks for high-risk AI oversight, logging, and post-market monitoring via the integration layer.

GDPR

European Union

Enforces data minimisation, purpose limitation, security, and data subject rights at integration points.

ABA Model Rules of Professional Conduct

American Bar Association

Supports duties of competence, confidentiality, supervision, and client communication in AI-enabled workflows.

Operational Artefacts

  • DAT-05 Integration Architecture Blueprint Workbook

    xlsx · v2026.1

    Gated
  • DAT-05 Integration Design and Testing Template

    docx · v2026.1

    Gated
  • DAT-05 Implementation and Governance Checklist

    checklist · v2026.1

Diagnostic Relevance

Running the Integration Architecture Blueprint strengthens the Sophistication lens — expected Band progression: Integrated → Optimised.

Confidence: high

Key Takeaways

  • Establish a three-tier integration architecture linking core legal systems, middleware, and AI services.

  • Require AI BoM registration and Metric 0 gate checks before any integration work begins.

  • Use an API-first, event-driven approach with strong authentication, rate limiting, and monitoring.

  • Embed Class 6 Shadow AI detection and blocking at the API gateway, DNS, and DLP layers.

  • Apply five mandatory Agentic Tier controls before granting Level 4 AI tools execution access.

  • Align integration design with Risk Taxonomy 2026, GDPR, EU AI Act, and ABA Model Rules.

  • Retain integration artefacts and logs as DPS Defensibility evidence for at least seven years.

Run this Module

Operational artefacts available to Practitioner Membership members. Methodology v2026.1.

View Membership

Targeting

Audience

GC / CLOLegal Operations

Strengthens

Adoption lensDefensibility lens

Module Details

Format
Module
Difficulty
Advanced
Pillar
P2
Owner
CIO / CISO
Access
Practitioner Membership
Certification
Practitioner

Maturity Bands

FoundationalOperationalIntegratedOptimisedDefensible

Where this Module lives

Integration Architecture is the technical spine of operational AI deployment. It implements the data-classification rules from DAT-01, supports the AI BoM (DAT-06) integration inventory, and produces DE-1 (Decision traceability) records into the DPS at every data-boundary crossing. Without this Module, integration patterns drift per project and the firm loses the auditable data lineage that regulators expect.

Advisory

When this Module sits inside a Programme.

Modules are operated in-house by GC and Legal Operations teams. When the capability transformation is multi-Pillar — or when the regulator timeline tightens — Advanta operates the canonical Module sequence as a Programme.