Most firms that get into difficulty with AI do so because nobody set rules the team can follow. A policy does not need to be long. It needs to be clear enough that a new paralegal reads it on a Monday and knows by lunchtime what they may and may not do.
Say what is allowed, and what is not
List the approved tools by name, and the tasks they may be used for, such as research support, first drafts and summaries. Then list what they may not do, such as producing final advice without review, or handling anything that carries client identifiers in a tool the firm has not cleared. The instruction to use your judgement is not a policy.
Protect client information
State plainly that client data goes only into approved tools, that free consumer chatbots are off limits for client matters, and that privileged or special category material needs extra care. The detail behind this sits in client confidentiality when using AI tools.
Keep a human in charge
Require that a person checks every output before it reaches a client or a court, and that the check is recorded. The responsibility stays with the fee earner, and the policy should say so in those words.
Give it an owner and a review date
The tools move quickly, so name someone to own the policy and set a date to revisit it. A policy nobody returns to goes stale within a year.
A page or two, written in plain terms, signed off by the partners and known to the staff, is worth more than a thick manual nobody reads.
Anchor the policy to the SRA Principles, which are short enough to read alongside it.
If your firm's AI policy is still a blank page, we write them with partners in a day, in plain language staff follow: start with a conversation.
