
AI Use Policy


Initial deployment 2–4 weeks; 1 day for annual review

Purpose

This Module establishes the AI Use Policy for legal departments adopting AI tools and services. It defines what AI use is permitted, what is prohibited, how human oversight is maintained, and how compliance is monitored. The policy is authorised by the Defensible AI Governance Framework (GOV-01) and feeds the Defensibility Posture Statement (DPS) as primary governance evidence.

This policy is a sub-instrument of GOV-01 and operates alongside GOV-03 (AI Risk Register) and GOV-05 (AI Incident Response Playbook).

When to use this Module

Use this Module when:

  • Deploying AI tools for the first time in a legal department
  • Responding to a regulatory inquiry or client audit of AI practices
  • Onboarding new legal personnel who will use AI tools
  • Conducting the annual AI governance review required by GOV-01
  • Addressing a Shadow AI incident identified through GOV-05

Owner: General Counsel + AI Governance Lead

Duration: Initial deployment 2–4 weeks; annual review 1 day

Operating cadence: Per engagement (initial); annual review thereafter

Scope

This policy applies to all legal department personnel — attorneys, paralegals, legal operations staff, and contract staff — using any AI tool or service in connection with legal work. It covers:

  • Generative AI tools (document drafting, summarisation, research)
  • Predictive AI tools (contract analytics, litigation prediction)
  • Agentic AI systems (autonomous multi-step task execution)
  • Third-party AI-enabled platforms used for legal workflows

This policy does not cover IT infrastructure AI (security monitoring, spam filtering) unless that infrastructure processes client or matter data.

Section 1 — Policy authority and governance structure

The AI Use Policy operates within a three-tier governance structure:

| Tier | Body | Responsibility |
|---|---|---|
| Tier 1 — Strategic | AI Steering Committee (General Counsel, COO, CISO) | Approves policy; sets risk appetite; reviews annually |
| Tier 2 — Operational | AI Task Force (Legal Operations Lead, practice group leads) | Implements policy; manages approved tool registry; escalates incidents |
| Tier 3 — Practitioner | All legal personnel | Complies with policy; completes training; reports incidents |

The AI Task Force maintains the AI Bill of Materials (AI BoM) — the authorised inventory of all AI systems approved for legal use. No AI tool may be used for legal work unless it appears in the AI BoM.

Section 2 — Permitted AI use

The following AI use categories are permitted subject to the controls in this policy:

Category 1 — Legal research assistance: AI-assisted case law research, statutory analysis, and regulatory monitoring. All outputs require attorney review before reliance.

Category 2 — Document drafting support: AI-assisted drafting of contracts, briefs, correspondence, and legal memoranda. All drafts require attorney review and sign-off before filing, serving, or sending to clients.

Category 3 — Contract review and analytics: AI-assisted contract review, clause extraction, and risk flagging. Attorney review required before any redline or position is communicated to a counterparty.

Category 4 — Administrative automation: AI-assisted scheduling, billing narrative drafting, matter management, and document organisation where no privileged client content is processed.

Category 5 — Approved AI BoM tools only: Any AI tool not listed in the AI BoM is prohibited. Personnel seeking to add a tool must submit a vendor evaluation request to the AI Task Force.

Section 3 — Prohibited AI use and Shadow AI controls

Prohibited activities

The following are prohibited without exception:

  • Uploading privileged client communications, unpublished transaction documents, or work product to any AI tool not in the AI BoM
  • Using AI tools to generate legal advice communicated directly to clients without attorney review
  • Using personal AI accounts (consumer ChatGPT, consumer Claude, etc.) for any matter-related work
  • Disabling, circumventing, or bypassing AI oversight controls required by this policy
  • Using AI tools to process data subject to export controls, HIPAA, or other regulated data classifications without a compliant data processing agreement

Shadow AI controls

Shadow AI — the use of unapproved AI tools, or of approved AI tools in unapproved ways — is a Class 6 risk under the Risk Taxonomy 2026. The following controls apply:

  • The IT function monitors network traffic for connections to AI endpoints not listed in the AI BoM
  • All legal personnel must annually attest that they have not used unapproved AI tools for matter work
  • Any Shadow AI incident must be reported to the AI Task Force within 24 hours of discovery under GOV-05
  • Shadow AI incidents involving client data are treated as potential privilege or confidentiality breaches under Class 2 risk protocols

Agentic AI tier controls

Agentic AI — autonomous AI agents that execute multi-step tasks without step-by-step human instruction — requires enhanced controls beyond standard AI tool use:

  • Agentic AI systems may only be deployed after completing the full vendor evaluation in GOV-01 Appendix B
  • Every agentic deployment must define a human checkpoint at which attorney review occurs before the agent’s output affects any external party
  • Agentic systems may not send communications to clients, courts, or counterparties without explicit attorney approval of each communication
  • Agentic AI logs must be retained for 36 months and are subject to matter file protocols
  • Any agentic system failure or unexpected action must be reported as a Tier 1 incident under GOV-05 within 4 hours

Section 4 — Professional responsibility compliance

This policy implements the following ABA Model Rules as applied to AI use:

ABA Model Rule 1.1 — Competence: Attorneys must maintain competence in the benefits and risks of relevant AI technology. This requires completing the training requirements in Section 8 of this policy and staying current with AI development relevant to their practice area.

ABA Model Rule 1.6 — Confidentiality: Attorneys must make reasonable efforts to prevent inadvertent disclosure of client information. For AI tools this means: (a) using only AI BoM-listed tools with appropriate data processing agreements; (b) not uploading identifiable client data to AI tools without client consent where required; (c) understanding the data retention and training practices of each approved AI tool.

ABA Model Rule 5.3 — Supervision of non-attorney assistance: The use of AI tools constitutes use of non-attorney assistance. Supervising attorneys are responsible for the accuracy and appropriateness of AI-generated work product incorporated into legal advice or filings.

ABA Formal Opinion 512 (2024): Attorneys using generative AI tools must: (a) understand the tool’s limitations; (b) verify AI-generated legal content; (c) ensure fee arrangements reflect actual time and work; (d) comply with confidentiality obligations when using third-party AI tools.

Section 5 — Human oversight standards

All AI-assisted legal work requires human oversight. The following standards apply by content type:

| Content type | Minimum reviewer | Standard |
|---|---|---|
| Court filings (briefs, motions, complaints) | Supervising attorney | Full review; attorney certifies accuracy |
| Client advice (memos, opinions, recommendations) | Responsible attorney | Full review; attorney takes professional responsibility |
| Transactional documents (contracts, agreements) | Matter attorney | Substantive review of all AI-suggested provisions |
| Research memoranda | Reviewing attorney | Verify citations; confirm legal conclusions |
| Internal correspondence | Author | Review before sending |
| Administrative documents | Author | Spot-check for accuracy |

No AI output may be submitted to a court, delivered to a client, or filed with a regulator without completing the applicable review standard above.

Section 6 — Client disclosure and consent

Disclosure obligation

The firm will disclose AI use to clients in accordance with applicable professional responsibility rules and client expectations. Disclosure is required when:

  • AI tools process client-identified confidential information
  • AI-generated content is incorporated into advice or documents delivered to the client
  • The client has specifically requested disclosure of AI use

Opt-out right

Clients may opt out of AI-assisted work on their matters. Personnel must honour opt-out requests and flag opted-out matters in the matter management system.

Sample client disclosure language

“[Firm name] uses AI-assisted tools to support legal research, document review, and drafting efficiency. All AI-assisted work product is reviewed and approved by a qualified attorney before delivery. AI tools we use are subject to data protection agreements that prohibit use of your information to train AI models. If you have questions about our AI practices or wish to request that AI tools not be used on your matter, please contact [designated contact].”

Section 7 — Incident classification and response

AI incidents are classified under the Risk Taxonomy 2026. Personnel must report incidents to the AI Task Force. The AI Task Force escalates under GOV-05.

| Level | Definition | Response time | Escalation |
|---|---|---|---|
| Level 1 — Critical | Client data exposed; privilege breach; court filing error | 4 hours | General Counsel + CISO immediately |
| Level 2 — Significant | AI output error discovered post-delivery; Shadow AI use with client data | 24 hours | AI Task Force; General Counsel within 48 hours |
| Level 3 — Moderate | AI tool behaves unexpectedly; Shadow AI use without client data | 72 hours | AI Task Force |
| Level 4 — Minor | Training gap; policy clarification request; near-miss | 7 days | AI Task Force log |

Section 8 — Training requirements

All legal personnel using AI tools must complete the following training:

| Role | Initial training | Annual refresh | Competency standard |
|---|---|---|---|
| All legal personnel | 2 hours (AI Use Policy orientation) | 1 hour | Pass policy quiz (80%) |
| Attorneys | 4 hours (AI competence + Rule 1.1) | 2 hours | CLE credit where available |
| Legal operations | 4 hours (AI BoM management + oversight) | 2 hours | Operations certification |
| AI Task Force members | 8 hours (full governance curriculum) | 4 hours | Practitioner track certification |

Training records are maintained by Legal Operations and are subject to audit under GOV-01.

Section 9 — Contribution to Defensibility Posture Statement

This policy is a primary evidence artefact for the DPS Governance section. The following policy elements contribute directly to DPS scoring:

| DPS evidence element | Policy section | Evidence type |
|---|---|---|
| AI use policy exists and is current | This document + version date | Governance artefact |
| Shadow AI controls documented | Section 3 | Control documentation |
| Agentic AI tier controls documented | Section 3 | Control documentation |
| Professional responsibility compliance mapped | Section 4 | Regulatory compliance |
| Human oversight standards defined | Section 5 | Oversight evidence |
| Client disclosure procedures documented | Section 6 | Client protection evidence |
| Incident classification and response defined | Section 7 | Operational resilience |
| Training requirements and records | Section 8 | Competence evidence |

When completing the DPS, Legal Operations should attach the most recent version of this policy and confirm the annual review date.

---

Part of the Advanta Legal AI OS — Module Library, Pillar 4: Governance, Risk & Defensible AI

Key Takeaways

  • Define a three-tier AI governance structure with clear roles for strategy, operations, and practitioners.

  • Restrict legal AI use to tools listed in the AI Bill of Materials and prohibit Shadow AI.

  • Specify permitted AI use cases for research, drafting, contract analytics, and administration with mandatory attorney review.

  • Apply enhanced controls for agentic AI, including human checkpoints, logging, and rapid incident reporting.

  • Map AI practices to ABA Model Rules 1.1, 1.6, 5.3 and Formal Opinion 512 to maintain professional responsibility.

  • Set explicit human oversight standards by content type before any AI-assisted work reaches courts, clients, or regulators.

  • Document client disclosure, opt-out rights, incident response, and training as DPS-grade defensibility evidence.
