The Ethics Floor Has Crystallized: What 47 States and the ABA Now Require
As of February 2026, 47 states have issued formal AI ethics guidance for the legal profession. This is not a patchwork of aspirational recommendations — it is a documented floor of professional obligations that every practicing lawyer must meet, regardless of jurisdiction. The unifying document is the American Bar Association's Formal Opinion 512, published in July 2024, which established six core duties that apply whenever a lawyer uses generative AI tools in practice: competence, confidentiality, communication, fees, candor toward the tribunal, and supervision.
The opinion's central holding is worth reading directly: generative AI tools, the ABA concluded, "lack the ability to understand the meaning of the text they generate or evaluate its context." This is not a technical caveat — it is the doctrinal foundation for the verification duty that now runs through every state-level opinion. If the tool cannot understand what it produces, the lawyer must.
The practical implication is straightforward: a lawyer who uses an AI tool without understanding its data-handling policies, without verifying its output, and without supervising its work as they would a junior associate or a paralegal, is operating outside the ethical floor. The floor is no longer aspirational. It is codified in 47 jurisdictions and counting.
The Four Duties Under Florida Bar Opinion 24-1: Confidentiality, Supervision, Fees, and Advertising
Florida Bar Ethics Opinion 24-1, issued in January 2024, was the first state bar opinion to walk through the ethics of generative AI use end-to-end. It remains the most cited and most structurally complete state-level framework. The opinion organizes AI-related obligations into four distinct duties, each anchored to a specific Model Rule. Understanding these four duties is the fastest way to operationalize the broader ABA framework.
| Duty | Florida Rule | Core Obligation | Practical Action Required |
|---|---|---|---|
| Confidentiality | Rule 4-1.6 | Vet AI provider data policies before sending any confidential client information | Review vendor terms for data retention, training data use, and opt-out provisions; obtain written assurance that client data is not used for model training |
| Supervision | Rule 4-5.3 | AI tools are treated as nonlawyer assistants subject to lawyer supervision | Verify all AI-generated output before filing or using; the lawyer signs the brief, the lawyer signs the memo — the AI does not |
| Fees | Rule 4-1.5 | Cannot bill for AI-saved hours as if a lawyer performed the work | Time saved by AI must be reflected in the fee; billing AI-generated work at the lawyer's hourly rate is impermissible |
| Advertising | Rules 4-7.1 to 4-7.3 | Chatbots and AI-generated client communications must be disclosed as AI-assisted | If a client-facing chatbot is powered by AI, that fact must be clearly disclosed to the client |
The confidentiality duty deserves particular attention because it is the most easily overlooked. Many lawyers assume that entering client information into a commercial AI tool is no different from entering it into a document management system. It is not. The terms of service for most general-purpose AI platforms permit the provider to use input data for model training and improvement. Sending confidential client information to such a platform without vetting the provider's data policy is a prima facie violation of Rule 1.6. Florida Opinion 24-1 requires affirmative vetting before the first query is submitted.
The Sanctions Trajectory: From $5,000 to $110,000 in Three Years
The sanctions timeline is the most compelling evidence that the ethical framework is being enforced, not merely published. In just over two years, courts moved from a $5,000 warning to a six-figure sanction. The trajectory is unambiguous: non-verification of AI output is now professionally indefensible.
| Case | Court | Date | Sanction Amount | Key Fact |
|---|---|---|---|---|
| Mata v. Avianca | S.D.N.Y. | June 2023 | $5,000 | Six fabricated ChatGPT cases cited in a single brief |
| Park v. Kim | 2nd Circuit | January 2024 | Referral to grievance panel | AI-generated citations submitted without verification |
| Lacey v. State Farm | C.D. Cal. | May 2025 | $31,000 | 9 of 27 citations were fabricated; Special Master found 'no reasonably competent attorney should outsource research and writing to this technology, particularly without any attempt to verify' |
| Couvrette v. Wisnovsky | D. Or. | December 2025 | $110,000+ | 15 nonexistent cases and eight fabricated quotations; Judge Mark D. Clarke called it 'a notorious outlier in both degree and volume' |
The language from the Special Master in Lacey v. State Farm is particularly instructive: "no reasonably competent attorney should outsource research and writing to this technology, particularly without any attempt to verify the accuracy of that material." This is not a statement about the technology's limitations — it is a statement about the standard of care. A lawyer who delegates research to an AI tool and files the output without independent verification has, by definition, failed to meet the standard of a reasonably competent attorney.
For a deeper analysis of each case, including docket numbers and procedural history, see our AI Citation Hallucination Sanctions in Federal Courts entry.
Operationalizing Compliance: The Prompt > Verify > Audit Framework
The Prompt > Verify > Audit framework is a structured compliance workflow designed to map directly onto the duties established by Florida Opinion 24-1 and ABA Opinion 512. It is not theoretical — it is a repeatable process that can be documented, audited, and defended in the event of an ethics inquiry or a sanctions motion.
Step 1: Prompt
The prompt stage is where the lawyer exercises competence (Rule 1.1) and confidentiality (Rule 1.6). Before entering any client information into an AI tool, the lawyer must: (a) confirm the tool's data-handling policy permits confidential legal work; (b) ensure the prompt does not include privileged or confidential information unless the tool has been vetted for that purpose; and (c) structure the prompt to produce output that can be independently verified. A prompt that asks for "cases supporting X proposition" is a verification trap. A prompt that asks for "cases from the Second Circuit between 2020 and 2025 addressing Y issue, with full citations" is at least verifiable.
Step 2: Verify
The verification stage is where the supervision duty (Rule 5.3) and candor duty (Rule 3.3) are operationalized. Every citation, every legal proposition, and every factual assertion generated by an AI tool must be independently verified against primary sources before it is used in any client work product or court filing. This is not optional. The sanctions trajectory makes clear that courts will not accept "the AI made me do it" as a defense. Verification means: (a) pull the cited case from Westlaw, Lexis, or a free public source like Google Scholar or CourtListener; (b) read the relevant passage; (c) confirm the proposition is actually supported by the cited authority.
Step 3: Audit
The audit stage is where the firm or individual lawyer creates a documented record of the verification process. This is the step that most lawyers skip — and it is the step that would have protected every sanctioned lawyer in the cases above. An audit trail does not need to be elaborate. A simple log recording: (a) the date and tool used; (b) the prompt submitted; (c) the output received; (d) the verification steps taken; and (e) the final disposition (output used, output modified, output discarded) is sufficient to demonstrate compliance with the supervision duty.
One-Page Traffic-Light AI Use Policy Template
The most common question from law firms in mid-2026 is not "should we use AI?" — it is "what can we use AI for, and how do we document our decision?" The traffic-light policy template answers that question directly. It categorizes AI use into three risk tiers, each with a corresponding set of obligations.
| Tier | Category | Examples | Obligations |
|---|---|---|---|
| Red | Prohibited | Generating legal citations without verification; submitting AI-generated briefs without human review; using unvetted AI tools for confidential client data | No use permitted under any circumstances; violation is a professional responsibility matter |
| Yellow | Supervised | AI-assisted legal research (with verification); AI-generated first drafts of internal memos; AI-assisted document review | Requires documented Prompt > Verify > Audit workflow; output must be reviewed and approved by a licensed attorney before use |
| Green | Permitted | AI-assisted grammar and style checking; AI-generated summaries of public documents; AI-assisted document formatting and organization | Standard professional judgment applies; no additional documentation required beyond normal practice |
The template is designed to be adopted as a firm-wide policy and distributed to every attorney and staff member. It should be signed, dated, and maintained as part of the firm's professional responsibility records. In the event of an ethics inquiry or a sanctions motion, a documented policy that was actually enforced is the single strongest defense available.
Why the Governance Gap Creates Ethics Exposure
The 8am 2026 Legal Industry Report, based on a survey of more than 1,300 US legal professionals conducted in late 2025, found that only 9% of firms have a written, actively enforced AI policy. The North Carolina Bar Association's May 2026 synthesis of the same data confirms that 57% of solo practitioners and 55% of small firms have no AI policy at all. Across the entire profession, 43% of firms have no formal AI policy and no plans to create one.
This governance gap is not a neutral fact — it is a direct ethics exposure. A lawyer who uses an AI tool without a documented policy, without a verification workflow, and without an audit trail is operating without the procedural safeguards that the ethical framework now requires. If that lawyer's AI-generated work product contains a fabricated citation, the lawyer cannot point to a policy, a training record, or a verification log as evidence of compliance. The court will see only the fabricated citation and the absence of any documented process to prevent it.
The 9% figure is not the article's main argument — it is the evidence that most firms are operating without the documented framework they need to defend against sanctions or ethics complaints. The ethical floor exists. The question is whether your firm has built the procedural staircase to reach it.
Practical Implementation Steps for Mid-2026
The ethical framework has crystallized. The sanctions trajectory is clear. The question for Q3 2026 is not whether to act — it is what to do first. The following checklist provides a concrete starting point for any firm or individual practitioner.
- Adopt the traffic-light AI use policy. Distribute it to every attorney and staff member. Have each person sign and date it. File the signed copies in the firm's professional responsibility records.
- Implement the Prompt > Verify > Audit workflow for all AI-assisted legal work. Create a simple log template (date, tool, prompt, output, verification steps, disposition) and require its use for any Yellow-tier activity.
- Complete CLE on AI ethics. The GC AI program has already been completed by more than 6,000 lawyers and is CLE-eligible. Many state bars now require or strongly recommend AI-specific ethics training as part of the competence duty under Rule 1.1.
- Conduct a vendor due diligence review for every AI tool currently in use at the firm. Use the seven-question checklist from GC AI or a comparable framework. Document the review results and retain them with the firm's vendor records.
- Review the specific risk profile of each AI tool in use. For example, our Harvey AI Risk Profile documents known hallucination patterns and the verification paradox that arises when a tool presents confident but incorrect output.
- Schedule a quarterly review of the firm's AI policy and vendor list. The technology changes faster than any static policy can keep up with. A policy that is not reviewed is a policy that is already outdated.
Comments
Join the discussion with an anonymous comment.