AI Governance Checklist for Legal Operations

Executive Summary

Click any blurb text to edit

Organization:

Check items above to generate your priority summary.

ABA Rules Professional Responsibility Obligations

ABA Rule 1.1 Competence

0 / 5

Lawyers must maintain the legal knowledge, skill, thoroughness, and preparation reasonably necessary for representation — including competence with relevant technology. Comment 8 specifically addresses the duty to keep current with technology changes.

You understand, at a functional level, how each AI tool your team uses works — including what it can and cannot reliably do. You can identify when an AI output is likely to be unreliable, hallucinated, or inappropriate to rely on without independent verification. You verify AI-generated legal research, citations, and analysis before using them in client work or filed documents. You have assessed which legal tasks AI can and cannot reliably assist with in your specific practice area. You or someone on your team actively monitors AI developments relevant to your practice and updates policies accordingly.

ABA Rule 1.6 Confidentiality of Information

0 / 5

Lawyers must make reasonable efforts to prevent the unauthorized disclosure or use of client information. AI tools that process client data create disclosure risks that did not exist with traditional software. Reasonable precautions are required.

You have a written policy defining what client information may and may not be entered into AI tools. You have reviewed the data retention and model training policies of every AI tool your team uses for legal work. You know whether your AI vendors use your inputs to train or improve future models — and have acted on that knowledge. You use enterprise or privacy-protected versions of AI tools for client matters where available, rather than consumer tiers. You have obtained client consent where your jurisdiction or engagement terms require it before using AI tools on their matters.

ABA Rule 5.3 Supervision of Nonlawyer Assistance

0 / 5

Supervising attorneys are professionally responsible for work produced with AI assistance. AI tools are treated as nonlawyer assistance under Rule 5.3, meaning lawyers must have appropriate oversight systems in place for AI-generated work product.

A licensed attorney reviews and takes professional responsibility for all AI-generated work product before it reaches clients or courts. Nonlawyer staff who use AI tools have received training on their limitations, appropriate use cases, and prohibited uses. You have written policies governing AI use by associates, paralegals, and support staff — not just informal guidance. There is a designated person with clear responsibility for AI governance and policy compliance in your office. You have a documented process for reporting, reviewing, and addressing AI errors or compliance concerns.

ABA Formal Opinion 512 Generative AI in Legal Practice

0 / 4

ABA Formal Opinion 512 (2024) applies Rules 1.1, 1.6, and 5.3 specifically to generative AI tools. It addresses competence, confidentiality, supervision, candor, and fees in the context of large language models and other generative AI systems used in legal work.

You have read ABA Formal Opinion 512 and understand how it applies to the specific AI tools your team uses. Your AI policies address the disclosure obligations discussed in Opinion 512 for court filings, client communications, and fee arrangements. You have assessed whether applicable court rules or local rules require disclosure of AI use in documents submitted to tribunals. Your billing practices account for the efficiency gains AI provides, consistent with the fee guidance in Opinion 512.

NIST AI RMF AI Risk Management Framework

Core Function — Govern Policies, Roles, and Accountability

0 / 4

The GOVERN function establishes the organizational structures, policies, and culture needed to manage AI risk on an ongoing basis. Without GOVERN, the other three functions have no foundation to operate from.

Your organization has documented AI governance policies that are actively communicated and enforced — not just drafted and filed. Roles and responsibilities for AI oversight are clearly assigned, understood by the people holding them, and reviewed regularly. Leadership is aware of your AI tools, understands the associated risks, and actively supports the governance framework. AI governance is treated as an ongoing operational practice with scheduled reviews — not a one-time compliance checkbox.

Core Function — Map Identifying and Categorizing AI Risks

0 / 4

The MAP function requires organizations to identify, categorize, and understand the AI risks specific to their context. In legal environments, this means knowing what tools are in use, what they touch, and where the stakes are highest.

You maintain a current inventory of all AI tools in use across your organization, including tools adopted informally by individual team members. You have assessed the specific risks of each AI tool relative to your legal work — not just the vendor's general risk disclosures. You have categorized AI use cases by stakes level: high-stakes (filed documents, client advice, privilege decisions) vs. low-stakes (drafting, research starting points, summarization). You understand the known limitations and failure modes of each AI tool you use — including hallucination rates, training data cutoffs, and domain weaknesses.

Core Function — Measure Assessing and Monitoring AI Performance

0 / 4

The MEASURE function requires ongoing assessment of whether AI tools are performing within acceptable parameters. In legal practice, this means tracking errors, defining performance standards, and creating mechanisms to surface problems before they become client issues.

You track AI-related errors, near-misses, or incidents in your practice — with documentation, not just informal awareness. You have defined what acceptable AI performance looks like for each use case before deploying the tool — not assessed retroactively after a failure. Staff have a clear, low-friction mechanism to flag concerns or errors related to AI outputs — and actually use it. You periodically evaluate whether AI tools are performing as expected, and review that assessment against defined standards — not just anecdotal impressions.

Core Function — Manage Responding to and Mitigating AI Risks

0 / 4

The MANAGE function addresses what happens when AI risk materializes. Legal environments require clear response protocols, the ability to quickly contain a failing tool, and a feedback loop that improves policy over time.

You have a documented response plan for scenarios where AI produces a significant error in client work — including who is responsible and what steps to take. You can quickly restrict or discontinue use of an AI tool if a risk is identified — without waiting for a policy update or leadership approval cycle. You review and update your AI governance policies at least annually, or whenever a significant change occurs in the tools, team, or regulatory environment. Lessons learned from AI errors or near-misses are documented and used to improve policies, training, and tool selection decisions.

AI Governance Checklistfor Legal Operations

Executive Summary

AI Governance Checklist
for Legal Operations