Ethics & Risk

    Writing Your Firm's AI Use Policy: A Practical Template Walkthrough

    JE
    Judicio Editorial TeamLegal Technology Experts
    Jul 8, 202611 min read
    Drafting a law firm AI use policy section by section from a practical template

    TL;DR: An AI use policy does not need to be long; it needs to be specific. Six sections cover the ground: scope and definitions (what counts as AI use, who is bound); approved tools by name, in three tiers, with a request path; client-data rules (what may enter which tools, anchored to vendor commitments like no training on your data); the verification duty (no output relied on until a lawyer checks it against its cited source); client disclosure (a standing engagement-letter sentence plus case-by-case candour); and training, breach handling, and a six-month review. Write it in plain language, keep it under three pages, and name an owner.

    By mid-2026 the question inside firms is no longer whether lawyers use AI - they do, approved or otherwise - but whether the firm has written down the rules. The gap matters: unwritten norms produce shadow use on personal accounts, inconsistent client disclosure, and the worst possible position after an incident (we had no policy). The fix is neither a ban nor a fifty-page framework nobody reads. It is a short, specific policy that makes the safe path the easy path. This walkthrough builds one, section by section, with the drafting choices explained so you can adapt each to your firm.

    Why your firm needs this in writing now

    Three forces converge on the same conclusion. Regulators and bars have moved from silence to expectation: competence duties are now widely read to include understanding the AI tools used on client matters, and a growing body of bar guidance addresses confidentiality, supervision, and candour with courts about AI-assisted work. Clients have moved too - outside counsel guidelines increasingly ask what tools touch their data and under what controls, and a firm that answers with a shrug loses the panel spot. And the incidents are real: courts have sanctioned lawyers for filing fabricated AI citations, a failure mode a one-line verification rule would have prevented.

    A written policy converts each pressure into an answer: it is the artefact you show the client audit, the training baseline for new joiners, and the evidence of a system of supervision if something goes wrong despite it. For the broader governance picture around the policy, see our guide to AI governance for law firms.

    Section 1: Scope and definitions

    Open by drawing the boundary. Who is bound: everyone who touches client work - partners, associates, trainees, paralegals, staff, and contractors, on firm or personal devices. What counts as AI use: define it functionally rather than technically - any tool that generates, summarises, analyses, translates, or extracts from text or documents - so the policy covers the AI features quietly embedded in ordinary software, not just the obvious chatbots. What the policy is for: one sentence - to let the firm use AI productively while protecting client confidences, work quality, and professional obligations - so readers understand the policy enables rather than merely forbids.

    Resist the temptation to define AI by named technologies; the definitions rot in months. The functional definition plus the approved-tools appendix (next section) does the same work and survives updates.

    Section 2: Approved tools and the approval path

    This is the section that determines whether the policy governs reality or coexists with shadow use. Name tools explicitly, in three tiers, in an appendix updatable without re-approving the policy:

    TierMeaningExample criteria
    Approved for client workMay process client and matter dataNo training on firm data; encryption; role-based access; audit trail; vendor terms reviewed
    Permitted for non-client workInternal drafting, learning, admin - never client dataGeneral tools without the guarantees above
    ProhibitedNot for firm work at allConsumer tools on personal accounts; tools with training rights over inputs

    Two drafting details carry the weight. State the criteria for the approved tier, not just the names - it teaches the firm what good looks like and speeds the next approval. And give the policy a request path: a named person to whom anyone can propose a new tool, with a committed response time. Shadow use is mostly a symptom of a missing legitimate route; build the route into the policy.

    Section 3: Client data and confidentiality rules

    The confidentiality section should fit on an index card, because it must be recalled at the moment of pasting. Three rules do it. Client data only in approved-tier tools - never in consumer chatbots, never on personal accounts. The vendor guarantees are the reason: approved tools must not train on your data (Judicio commits to this), must encrypt, must control access by role, and must keep an audit trail - so the rule is anchored to verifiable commitments rather than vibes. Anonymisation is not a loophole: stripping names rarely strips identifiability from legal facts, so anonymised client scenarios in unapproved tools still need permission.

    Add the engagement-specific overlay: some clients impose their own AI terms in outside counsel guidelines, and the policy should require checking them at matter open - the firm default yields to the stricter client rule. For the underlying security analysis your approved-tier criteria should reflect, see legal AI data security and confidentiality.

    Section 4: Verification and supervision duties

    This is the section that prevents the sanctions headlines, so make it personal and unambiguous: no AI output is relied on, filed, or sent until a lawyer has verified it - and for anything citing authority, verification means opening the cited source, not admiring the citation's formatting. Assign the duty to the lawyer using the tool, and make supervision explicit for delegated work: the supervising lawyer owns verification of AI-assisted work product exactly as they own a trainee's research memo.

    Two practical notes strengthen the section. First, prefer tools that make verification cheap: where every finding, extracted date, and research answer links to the page and passage it came from - as in Judicio - the verification duty costs minutes, which is why it gets done. Second, require that verification be evidenced where the stakes demand it: a note that citations were checked, or reliance on a platform activity trail showing the review happened. The policy's credibility rests on this duty being enforced the one time it is breached - see our piece on human-in-the-loop legal AI for why the loop is the safety mechanism.

    Section 5: Client disclosure and engagement letters

    Disclosure is where firms most want a bright line and the landscape least provides one: bar positions vary and continue to evolve, and client expectations range from indifference to detailed questionnaires. Draft for that reality with a two-layer approach. The standing layer: a sentence in the engagement letter - the firm uses secure, professionally supervised AI tools to assist with document review, research, and drafting; all work product is reviewed by the responsible lawyer - which normalises routine, verified use. The specific layer: a duty of candour for uses that materially shape the representation or that a court or client has specifically asked about, escalated to the relationship partner.

    Pair the section with a billing note - AI-accelerated work should be billed honestly for the time actually spent - and a pointer to the firm's answers for outside counsel guideline questionnaires, so the disclosure story is consistent across the front door and the fine print. Track your bar's current guidance by jurisdiction; our survey of state bar AI ethics opinions is a starting map.

    Section 6: Training, breaches, and review cadence

    Close with the operational spine. Training: a short onboarding module for new joiners and an annual refresher - the verification duty and the data rules, taught on the firm's actual approved tools rather than in the abstract. Breach handling: a no-fault reporting path for near misses (the pasted document, the unapproved tool) so the firm learns before an incident, and proportionate consequences for knowing violations. Review: the policy names an owner and a six-month review cycle; each review reconciles the approved-tools appendix against observed use - platform activity records make this factual rather than anecdotal - and against whatever the bar published since.

    Keep the whole document under three pages. Every section beyond these six is a candidate for deletion: a policy lawyers read beats a framework they navigate around, every time.

    How Judicio helps: a platform your policy can point to

    A policy is easier to write - and to keep - when the approved tool already embodies its rules. Judicio gives the approved tier its criteria in practice: no training on your uploads, encryption with role-based access through projects and organisation roles, and a searchable activity trail of who ran what, on which files, and when - the supervision and review sections' evidence base. The verification duty runs on citations: every review finding, matrix cell, timeline event, and research answer links to the page and passage behind it, so checking is a click rather than a re-performance. And shared templates let the firm standardise the workflows the policy approves.

    See the law firms solution page for the platform view, and our AI governance guide for the structures around the policy.

    Getting started with Judicio

    Draft the policy this month: one partner, one afternoon, the six sections above, under three pages. Then make the approved tier real by evaluating a platform against the criteria your own policy sets - the 7-day free trial (500 credits, no credit card) lets the evaluation run on real workflows, and Professional access is $200 per month for 5,000 credits when it passes. Explore the feature set or contact us for the security details your appendix will ask about. And as your own policy will now say: verify every output - including this one - against its sources; outputs are not legal advice.

    Frequently Asked Questions

    Yes - arguably more than a large one, because there is no risk department catching problems informally. A two-page policy that names approved tools, sets the client-data rule, and states the verification duty covers most of the risk. The walkthrough in this post scales down to a solo practice without losing the load-bearing parts.

    The verification duty: no AI output is relied on, filed, or sent until a lawyer has verified it - for citations, against the cited source. Court sanctions for fabricated citations have made this the most enforced norm in legal AI, and it belongs in the policy as an unambiguous, personal obligation.

    Yes. Approved for client work, permitted for non-client work, and prohibited - by name, in an appendix that can be updated without re-approving the whole policy. Vague policies (use AI responsibly) produce shadow use; named tools with a request path for new ones produce compliance.

    It depends on the use and the jurisdiction - bar guidance increasingly expects candour about uses that materially affect the representation, and some clients now ask in outside counsel guidelines. The practical approach: a standing sentence in the engagement letter covering secure, lawyer-verified AI assistance, with specific disclosure for anything beyond it. Check your bar's current position; this area is moving.

    Every six months, with a named owner - the tools, the bar guidance, and your own use patterns all change fast enough that an annual cycle leaves the policy describing last year's practice. Each review should reconcile the approved-tools appendix against what the activity records show people actually using.

    TopicsEthics & RiskAI GovernanceLaw Firm ManagementLegal AIHow-To Guides

    Ready to Transform Your Legal Workflow?

    Try Judicio free for 7 days — no credit card required.

    Start Free Trial

    Related Articles

    Get started

    Bring cited AI to your practice

    Run your first review free in minutes — or book a demo and see Judicio on your own matters.

    Free trial · No credit card required