A lawyer uses an AI tool to draft a motion in two hours instead of six. But the prompt included the client's name, the opposing party, and key facts from a confidential memo. The tool's terms of service allow it to use inputs for model improvement. The motion cites three cases. One doesn't exist.
That scenario plays out more often than most firms want to admit. A database tracking AI hallucinations in legal proceedings has identified over 1,400 cases worldwide, with roughly 90% occurring in 2025 alone. And 44% of law firms still have no formal AI governance policy, even as adoption accelerates.
Generative AI can genuinely help legal teams work faster and write better. But the benefits only hold if the firm has clear, enforceable policies that protect clients, preserve professional duties, and keep lawyers accountable. Here's what those policies should cover.
Why AI Use Needs a Law Firm Policy, Not Just Common Sense
Lawyers already operate under strict professional obligations. AI doesn't change those obligations, but it creates new ways to violate them. Confidentiality, privilege, accuracy, supervision, billing, and data security all carry real risk when AI tools enter the workflow without guardrails.
ABA Formal Opinion 512 makes this concrete. It ties AI use to six Model Rules: competence, confidentiality, communication, candor toward tribunals, supervisory responsibilities, and fees. Every one of those rules can be implicated by a single careless prompt.
Individual good judgment isn't a substitute for firm-level governance. As we've written in our practical guide to AI ethics, responsible AI use starts with clear policies that document how your firm uses AI, what safeguards you've implemented, and how you verify outputs. That protects both clients and your practice.
Policy 1: Define Approved and Prohibited Uses
Start with a clear taxonomy of what's allowed, what requires approval, and what's off-limits. Lower-risk uses include brainstorming outlines, summarizing publicly available materials, improving internal drafts, and generating first-pass templates for non-client work. Higher-risk uses include entering confidential client facts into any tool, relying on AI-generated legal research without independent verification, or using AI to draft court filings without full human review.
Clarify Which Tools Are Approved
Firms should maintain a written list of approved AI tools and designate who has authority to add new ones. Lawyers should not use unsanctioned platforms for client work, full stop. Only 40% of legal professionals are using legal-specific AI solutions, which means a significant share are using general-purpose consumer tools that may lack the confidentiality protections legal work requires. Legal-specific tools with clear security practices are generally more appropriate than general-purpose alternatives for client-facing work.
Separate Internal Use From Client-Matter Use
Using AI to draft an internal memo or improve a training document carries different risk than using it to draft a brief, review a contract, or advise a client. Firms should apply stricter approval requirements to any AI-assisted output that reaches a client, a court, or a counterparty.
Policy 2: Protect Client Confidentiality and Privilege
This is the non-negotiable core of any law firm AI policy. Lawyers and staff should not input confidential, privileged, or personally identifying information into AI systems unless the firm has vetted and approved the tool and confirmed that appropriate protections are in place. Attorney-client privilege and work-product protection don't automatically follow data into a third-party AI system.
Set Rules for Client Data Entry
Require lawyers to anonymize prompts where possible, avoid unnecessary detail, limit document uploads, and treat prompts as potentially sensitive records. A question like "Draft an argument that a non-compete is unenforceable in Texas for a software engineer who signed the agreement under duress" can often be reframed without naming the client, the employer, or the specific facts. That habit reduces exposure significantly.
Require Vendor Security Review
Your AI policy should require a security review before any tool is approved for client work. Key questions: Does the vendor retain data? Does it train models on user inputs? What encryption standards apply? What are the breach notification procedures? Are there audit rights?
As we explain in our guide to choosing the right AI for lawyers, any tool handling client data should have SOC 2 Type II certification at minimum, AES-256 encryption for data at rest, and TLS 1.3 for data in transit. Get data-handling commitments in writing. Our own Trust Center documents these practices and can serve as a reference point for what to look for when evaluating any legal technology vendor.
Policy 3: Require Human Review of All AI Outputs
Every AI-generated draft, summary, argument, citation, or research answer should be reviewed by a qualified human before use. Leading legal AI tools hallucinate frequently, with some producing incorrect information more than 34% of the time. That's not a reason to avoid AI. It's a reason to treat every output as a draft, not a final product.
Assign Responsibility to the Lawyer, Not the Tool
Policies should name who is responsible for reviewing AI-assisted work. Under ABA Formal Opinion 512, lawyers remain fully responsible for all work product regardless of how it was generated. Professional judgment cannot be delegated to software. AI output is a starting point, not a finished answer.
Create Review Standards by Task Type
Different tasks warrant different review expectations. Research output should be checked against primary sources. Factual summaries should be verified against the underlying documents. Writing suggestions should be reviewed for accuracy, tone, and strategy. Citation checking requires independent confirmation of every authority. Making these expectations task-specific makes them easier to follow and enforce.
Policy 4: Govern Legal Research, Citations, and Court Filings
AI-generated citations are a documented, growing problem. Courts have already sanctioned dozens of attorneys for filing briefs with fabricated case citations, and a federal court in Alabama noted in July 2025 that sanctions have been too lenient to deter this misconduct. Firms need explicit rules for any AI-assisted work that goes to a court or a client.
Ban Unverified Authorities
No AI-generated citation, quotation, or parenthetical should appear in any filing or client document unless independently confirmed. That means checking that the case exists, that it says what the AI claims, that the quotation is accurate, and that the case hasn't been overruled. As we explain in our piece on hallucinated case law, this step is mandatory, not optional.
Address Court Disclosure Obligations
Disclosure rules vary significantly across federal and state courts and continue to evolve. Some judges require affirmative disclosure of AI use and certification that citations have been verified. Others have no specific requirement. Firms should assign someone to monitor applicable court rules and standing orders, and require lawyers to check before filing any AI-assisted work.
Policy 5: Set Client Consent and Communication Rules
Not every AI use requires a client conversation. But some do, particularly when confidential information may be processed by a third-party system, when a client's outside counsel guidelines restrict AI use, or when the nature of the matter makes AI involvement material to the representation. Firms should address AI in engagement letters and review client-specific instructions before using AI tools on any matter.
Review Outside Counsel Guidelines
Major clients are already developing their own AI requirements for outside counsel. Some restrict which tools may be used. Others prohibit entering client data into third-party systems entirely. Firms should document and honor those restrictions, and build a process for flagging them at matter intake.
Create a Client-Friendly Explanation of AI Use
Prepare a plain-language explanation of how approved tools may support efficiency, drafting, editing, or research while lawyers remain responsible for the work. Keep it honest and simple. Don't promise outcomes or suggest that AI replaces lawyer judgment, because it doesn't.
Policy 6: Address Billing, Timekeeping, and Cost Allocation
AI creates real billing questions that firms should resolve before disputes arise. North Carolina's 2024 Formal Ethics Opinion 1 is direct: if AI completes a task in one hour that previously took three, billing for three hours is not permissible. Fees must remain reasonable and time entries must accurately reflect how work was performed.
Define How AI-Assisted Work Should Be Recorded
Firms should give guidance on whether and how lawyers describe AI-assisted drafting, editing, or research in time entries. Practices should align with client guidelines and professional responsibility obligations. Consistency matters here, both for ethics and for client trust.
Decide Whether AI Costs Are Overhead or Client Charges
Firms should decide up front whether AI subscriptions are treated as general overhead or as matter-specific expenses that may be passed through to clients when permitted. That decision should be reflected clearly in engagement terms and client communications before any charges are applied.
Policy 7: Train Lawyers and Staff Before Granting Access
A written policy only works if people understand it. Training should cover confidentiality rules, prompting basics, verification requirements, approved tools, prohibited uses, client restrictions, and how to report mistakes. That applies to attorneys, paralegals, legal assistants, summer associates, and administrative staff.
Use Role-Based Training
Partners, associates, paralegals, IT teams, and knowledge-management professionals have different responsibilities and different risk profiles. Training should reflect that. A supervising partner needs to understand how to review AI-assisted work from junior lawyers. An IT professional needs to understand vendor vetting. A paralegal needs to know what they can and cannot do without attorney review.
Require Periodic Refreshers
AI tools change fast. Court rules change. Ethics opinions get issued. Approved-tool lists get updated. Training shouldn't be a one-time event at onboarding. Build in an annual or semiannual review cycle and update training materials when significant changes occur.
Policy 8: Monitor Compliance and Update the Policy Over Time
AI governance is not a one-time document. Firms should designate an AI governance committee or responsible leader, conduct periodic audits, maintain reporting channels for AI-related mistakes, and review the policy at least annually. As we've noted in our work on AI hallucination detection, detection has to be built into your process, not bolted on at the end.
Create an Incident Response Process
Firms need a clear process for when things go wrong. If confidential information is entered into an unapproved tool, if an AI-generated error reaches a client, or if a court filing contains unverified material, the firm should have a defined escalation path. That means knowing who to notify, how to assess whether client notification is required, how to remediate the error, and how to document what happened.
Keep the Policy Practical and Accessible
A policy buried in a handbook doesn't protect anyone. Use plain language, short checklists, clear approval paths, and easy access to approved-tool lists. Build the policy into daily workflows rather than treating it as a compliance document that lawyers only read once.
How Legal Writing Tools Fit Into a Responsible AI Framework
There's a meaningful difference between tools that generate legal content from scratch and tools that help lawyers improve, edit, check, and refine work they remain responsible for. Both categories require vetting, but the risk profile is different. Editing and review tools that operate within a lawyer's existing drafting workflow generally carry less risk than generative tools that produce content independently.
BriefCatch is designed for that editing and review role. It integrates directly into Microsoft Word, providing real-time writing guidance drawn from thousands of elite legal documents and judicial opinions. It helps lawyers sharpen arguments, improve clarity, and catch writing problems without replacing the lawyer's judgment or generating content autonomously. As we describe in our Legal Writing With AI webinar, the focus is on editing, analysis, and quality control, where AI can add value while lawyers remain fully in control of the final work product.
Evaluate Writing Tools for Security, Accuracy, and Workflow Fit
When evaluating any legal writing tool, look at security posture first. Does the vendor have SOC 2 certification? Does it retain your data? Does it train on client inputs? BriefCatch's answer to all three is documented in our AI Disclosure and Trust Center: SOC 2 certified, zero data retention, no model training on client content, and AI features that are off by default and require firm-level activation.
Beyond security, look at whether the tool fits how lawyers actually work. Word integration, citation support, editorial guidance grounded in real legal writing, and controls that keep lawyers in charge of the output all matter. If you're evaluating tools for your firm, you can explore BriefCatch's features or book a demo to see how it fits within a policy-driven workflow.
Build Guardrails Before the Next Prompt
The bigger ethical risk facing the legal profession isn't using generative AI. It's using it carelessly. That's a line we stand behind, and it applies directly to policy design.
Firms that have clear rules on approved uses, confidentiality, human review, citation verification, client communication, billing, training, vendor review, and compliance monitoring are in a fundamentally different position than firms relying on individual judgment alone. The policies described here aren't bureaucratic overhead. They're the infrastructure that makes AI use defensible, ethical, and actually useful.
If your firm hasn't reviewed its current AI practices recently, now is the right time. Start with the policies that carry the most immediate risk: confidentiality, citation verification, and human review. Then build out from there. And if you're looking for a legal writing tool that fits within that framework from day one, try BriefCatch free or book a demo to see how it works in practice.