How to write an AI policy for a small law firm (with template)

57% of small law firms have no written AI policy. Here's what yours needs to cover, how to write it in an afternoon, and a free template mapped to ABA Opinion 512 and SRA obligations.

By The Redline Editors

The statistic that should make you uncomfortable: 71% of solo and small-firm lawyers now use AI tools regularly. Only about 43% have any written policy governing how. That means most firms are running AI in the background while the supervising partner, the COLP, and the managing attorney are all assuming someone else has thought it through.

Nobody has. That's the gap.

ABA Formal Opinion 512, issued July 2024, addressed it directly. Under Model Rules 5.1 and 5.3, managerial lawyers are required to establish clear policies on generative AI use. Not guidelines. Not a team conversation. A written policy. If you manage even one other lawyer or non-lawyer staff member, this applies to you.

In the UK the picture is similar. The SRA's AI compliance guidance holds the COLP personally responsible when new technology is introduced without adequate controls. An upcoming Good Practice Note on AI and client data, expected later in 2026, will make "we didn't have a written policy" a very hard answer at a disciplinary hearing.

So what actually goes in it?

Start with the approved-tools list

This is the spine of the document. It answers the question your paralegal or newly-qualified associate is asking before they type client details into something: "is this tool actually OK to use here?"

Keep the list short — not to restrict staff from useful tools, but so that everything on it has been checked by someone who actually read the terms. For each tool, record three things: the tier (consumer vs. business/enterprise), whether you have a signed data processing agreement, and the retention status (zero-retention, configurable, or unknown).

If a tool retains inputs by default and you don't have an enterprise agreement, it goes in the "personal use only, no client data" column. If it has a signed DPA and zero-retention, it can be approved for appropriate client work.

As of mid-2026: ChatGPT Team and Enterprise, Microsoft Azure OpenAI, Anthropic's Claude for Business, and Google Workspace AI all offer configurable retention under enterprise agreements. The consumer versions of those same tools don't. Same login screen, very different risk profile.

Define what data can and can't go in

Your approved-tools list tells staff which tools to use. This section tells them what to put in.

The test that survives regulatory scrutiny: before anything goes into an AI tool, strip out anything that identifies the client, the matter, or the opposing party. Names, dates, case numbers, financial figures that could be identifying, court details. Replace them with generic descriptions: "my client", "the counterparty", "a family law matter in a northern jurisdiction". Brief the model on the shape of the problem, not the people in it.

For some work, anonymisation isn't realistic. If you need an AI tool to work with a full document — a contract, a witness statement, a disclosure bundle — the tool needs to be on the approved list with a DPA, on a tier that retains nothing. No exceptions.

Categorically out of scope: anything covered by a protective order or confidentiality undertaking, anything relating to ongoing proceedings where your court has issued an AI disclosure order, health information, and child-related matters. Those go in the prohibited category. Not "approach with caution" — prohibited.

The supervision clause

This is the section small firms skip and then regret.

AI output is a first draft. The supervising attorney must read, check, and verify it before it goes anywhere near a client or a court. NYSBA guidance on sanctions is clear on this, and case law is catching up fast. In Noland v. Land of the Free, an attorney paid $10,000 in sanctions after AI produced 21 fabricated case citations that went into a filing unchecked. Kruse v. Karlen: $10,000, 22 fabricated citations. None of these cases involved bad intent. All of them came down to someone treating AI output as accurate by default.

Your policy needs to say — explicitly, in writing — that no AI-generated legal research, citation, or precedent goes into any filing, opinion, or client letter without the supervising attorney having personally verified it against the source. Not "checked the AI's work." Verified each citation against the actual case or statute.

That line is what separates a policy that gives you professional cover from one that just fills a drawer.

Training, and who is responsible

For UK firms: under the SRA's standards, the COLP is responsible for ensuring staff are adequately trained. If a trainee uses an unapproved tool with client data because nobody told them not to, the COLP is in a difficult position regardless of whether a policy document exists in a folder somewhere.

The practical fix is a one-page induction note on AI tools for anyone who joins the firm or gets access to a new tool. It doesn't need to be a training programme. It needs to tell them what's approved, what isn't, and who to ask when they're unsure. A name and an email — usually the COLP or senior responsible partner.

Build in a review date. Regulators, courts, and vendors are all moving fast. A policy written in January 2026 may not cover a tool that launched in September. Quarterly is reasonable for a small firm, twice a year at minimum.

The template (short version)

A starting point that covers the basics for a small firm:

[Firm name] — AI Use Policy

Approved tools: [List tools, tier, DPA status]. Personal-use consumer versions of these tools are not approved for client work.

Data rules: Client-identifying information must be anonymised before entry into any AI tool. The following categories are prohibited regardless of tool: protective-order material, health data, child matters, materials subject to court AI disclosure orders.

Output review: All AI-generated research, citations, and drafts must be verified by the supervising attorney before use. Verification means reading the source, not re-running the prompt.

Responsibility: Questions about tool approval go to [COLP / responsible partner]. This policy is reviewed [date].

One page. Twelve sentences. That won't satisfy a large-firm risk committee, but it will satisfy your regulator if something goes wrong, and it puts your staff on notice that someone has actually thought about this.

That's what a policy is for.

For a full breakdown of which tools meet the DPA and zero-retention bar, see our Best AI Tools for Lawyers page. And if you want the safe-use checklist in a printable format, the Lawyer's AI Starter Kit is free to download.

FAQ

Do I legally have to have an AI policy as a law firm?

ABA Formal Opinion 512 and Model Rules 5.1/5.3 require managerial lawyers to establish written AI governance policies. In the UK, the SRA holds COLPs responsible for ensuring AI is used with adequate controls. A written policy is the clearest way to demonstrate compliance if something goes wrong.

What should a law firm AI policy include?

At minimum: a list of approved tools with their data retention status and DPA details, a clear rule on what client data can go into those tools, a supervision requirement for all AI output, and a named person responsible for questions and policy review.

Can a solo solicitor or attorney skip having an AI policy?

Not safely. A solo lawyer is both the managerial attorney and the supervising attorney under the rules. If something goes wrong — a hallucinated citation, a confidentiality breach — the absence of any written policy makes the disciplinary position significantly harder.

Disclaimer · Educational content about software and productivity, not legal advice. AI tools and regulatory guidance change frequently, so always evaluate any tool against your own firm's obligations and your regulator's current guidance (e.g. the SRA in England & Wales, or your state bar / the ABA in the US) before using it with client data.
