AI governance for a law firm means inventorying every tool in use, mapping the rules that apply to your jurisdictions, writing a policy lawyers will actually follow, training every user, and producing a defensible record at the end of every quarter.
AI governance is the set of controls a firm puts in place so that AI use by lawyers and staff stays inside the firm's professional, regulatory, and contractual obligations. It is not a single product or a single policy. It is an inventory, a rules map, a written policy, training records, and an audit cadence, all kept current and tied together by who is accountable for each piece.
Most firms already do this for conflicts, document retention, and trust accounting. AI is the same shape of problem with a new surface area. The firms that handle it well treat it as a standing operational discipline, not a one-off project.
The two most common failure modes are buying a tool before doing the inventory, and writing a policy before talking to the partners who will be subject to it. Both produce documents that look like governance but do not survive contact with how the firm actually works.
The right sequence is inventory, rules map, policy, training, audit. Skipping inventory means you write a policy against tools you do not know exist. Skipping the rules map means the policy is generic and your associates cannot tell what they are actually allowed to do with a client matter.
Start with what is real, not what is approved. Ask every practice group lead which AI tools their team uses and why. You will get a clean, plausible list. It will also be incomplete, because people forget the trial they signed up for last quarter, the personal ChatGPT account they use for drafting, and the Copilot tab that has been quietly running in the background for six months.
Pair the survey with a passive scan: a browser extension across the firm and a lightweight desktop agent on managed devices. Run both for two weeks. The delta between the survey and the scan is your shadow AI footprint, and it is almost always where the highest-risk usage lives.
Roll out CounselGuard's extension and agent in read-only mode and get a fact-based inventory across the firm in two weeks.
Every firm operates under at least three regimes at once: the bar's professional rules, statutory requirements like the EU AI Act where applicable, and client contracts that increasingly include AI clauses. ABA Opinion 512 in the US, the FLSC guidance in Canada, the SRA in England and Wales, and the EU AI Act each impose overlapping but distinct duties.
Build a single matrix: obligation on one axis, the evidence your firm can produce on the other. The point is not to chase every rule. The point is to know exactly where you stand on each, so that when a client, regulator, or insurer asks, the answer is a record and not a guess.
A good firm AI policy is one page, in plain English, with worked examples. It covers confidentiality, supervision, billing disclosure, the specific tools that are approved and not approved, and who to ask when in doubt. The test is whether a second-year associate can read it once and know what to do.
A policy nobody reads is worse than no policy at all, because it creates the illusion of governance without the substance. If your current policy is six pages of cross-references, the rewrite is the work, not the original draft.
Every lawyer and staff member with AI access completes a short training, then signs an acknowledgement. The training does not have to be long. It has to be specific to the firm's approved tools and policy. The acknowledgement has to be timestamped and stored somewhere you can pull from later.
When the question comes up, either from a regulator or from your malpractice carrier at renewal, you want to point at the record. Reconstructing training history after the fact is how firms end up with awkward gaps in the very evidence they need.
Decide now what a quarterly review looks like: who runs it, which records they pull, what triggers an escalation. A reasonable cadence is the inventory diff, a sample of flagged activity, the training completion report, and any policy exception requests, all in a sixty-minute meeting with the AI governance lead and a managing partner.
The firms that handle this well treat AI governance the way they treat conflicts checks: routine, boring, and never skipped.
CounselGuard runs the inventory, maps your obligations to the evidence you can produce, captures activity through a desktop agent and Chrome extension, manages policy approvals, and keeps the audit log a regulator would actually expect. Firms typically reach a defensible first pass in four to six weeks.
Most firms reach a defensible first pass in four to six weeks: two weeks of inventory and discovery, two weeks of policy drafting and partner review, and a final week to roll out training and capture attestations.
Not at first. Most firms assign a partner or senior associate as the AI governance lead alongside their other duties. A dedicated role becomes useful once the firm is past a few hundred users or actively defending records to a regulator.
The inventory. You cannot govern what you cannot see, and most firms find that their actual AI footprint is two to three times larger than the initial survey suggests.
Not necessarily. Most firms allow personal accounts for non-client work and require approved enterprise tools for anything touching client material. The line is the data, not the account.
Quarterly is the minimum. AI tooling changes monthly, and a list older than a quarter usually under-represents what the firm is actually using by a wide margin.