Purpose
This Module establishes the governance infrastructure for a defensible Legal AI programme. Every legal function that deploys AI needs three things before regulators, boards, or clients can scrutinise the programme: a documented accountability structure, a classified risk register, and a working policy that practitioners follow. This Module delivers all three.
The primary output is the governance section of the Defensibility Posture Statement — the board-ready evidence that the legal function’s AI programme operates under institutional control.
Operating cadence: Once per programme setup (2–4 weeks). Annual review thereafter (1 day).
When to use this Module
- Starting a formal Legal AI programme — before any system is deployed at scale
- Preparing for regulatory scrutiny: EU AI Act audit, ABA competence assessment, client due diligence
- After acquiring a new AI system — to extend governance coverage to the new system
- Annual governance review — updating the DPS governance section, risk register, and policy suite
Section 1 — The three-tier governance structure
A defensible governance structure has three tiers. Each tier has defined authority, accountability, and cadence.
Tier 1 — Executive Governance: AI Steering Committee
The AI Steering Committee holds strategic authority. It approves AI strategy, allocates budget, and signs off on high-risk implementations.
Composition: General Counsel (Chair), Head of Legal Operations, Chief Information Officer, Chief Risk Officer, Chief Privacy Officer, and a rotating business unit representative where relevant.
Cadence: Monthly meetings; quarterly comprehensive review.
Charter requirement: A formal charter documents the Committee’s mandate, decision-making authority, and escalation paths. The charter is the first DPS evidence artefact.
Tier 2 — Operational Governance: AI Task Force
The AI Task Force handles operational implementation — vendor management, use case approval, incident response coordination, and performance monitoring.
Composition: Legal Operations Director (Chair), Legal Technology Lead, IT Security representative, Data Protection Officer, and rotating practice group representatives.
Cadence: Bi-weekly meetings; monthly comprehensive review.
Authority: Operational AI decisions, vendor selection within defined spend limits, and policy implementation.
Tier 3 — Specialist roles: AI Governance Lead and AI Champions
The AI Governance Lead (a named role, not a committee) owns day-to-day governance execution: risk assessments, vendor oversight, compliance monitoring, and DPS maintenance. This role reports to the Head of Legal Operations or General Counsel.
AI Champions are practice group representatives who bridge governance requirements and daily practice. They communicate policy requirements, surface user feedback, and support incident escalation. They are not a governance authority.
Section 2 — The minimum viable policy suite
Three policies constitute the minimum viable policy suite for a defensible AI programme.
AI Use Policy
Scope: all AI systems used in legal practice.
Approved usage includes: legal research, document review with oversight, contract drafting assistance with lawyer review, data analysis with methodology validation, and client communication support with lawyer review before sending.
Prohibited usage includes: unauthorised AI systems not approved through the governance process; processing of privileged communications without documented safeguards; automated decision-making without human review; and sharing client data with vendors for model training.
Compliance anchors: ABA Model Rule 1.6 (Confidentiality), Rule 1.1 (Competence), Rule 5.3 (Supervision of Non-Lawyer Assistance). For EU-domiciled functions: EU AI Act Article 16 (human oversight obligations).
Vendor Management Policy
Scope: all AI vendors, service providers, and technology partners.
Minimum vendor approval requirements:
- Signed Data Processing Agreement prohibiting client data use for model training