How to Build Your Law Firm’s AI Acceptable Use Policy: A Clause-by-Clause Template

This clause-by-clause annotated template helps small-to-midsize law firms draft an AI acceptable use policy that satisfies professional responsibility duties under Model Rules 1.1, 1.6, 3.3, 5.3, and 1.5, with inline ethics citations, supporting appendices, and a 90-day implementation roadmap.

Profile summary

Primary use cases: AI governance policy creation, Model Rule compliance, supervision of AI use
Pricing tier: free
Target audience: law firm
Last reviewed: 2026-07-04

Full profile

The policy problem usually does not announce itself as a policy problem. It arrives as a brief with a case that does not exist, a client document pasted into the wrong tool, a paralegal asking whether an AI-generated chronology can go into the file, or a billing partner wondering whether ten minutes of prompt work can be charged as an hour of drafting.

By now, the warning signs are no longer theoretical. In Mata v. Avianca, lawyers were sanctioned after filing materials that included fictitious AI-generated cases; reporting at the time placed the sanction at $5,000, though any firm relying on that figure in training materials should confirm it against the court order before publication.[1] In Couvrette v. Wisnovsky, later reporting described a much larger $110,000 sanction in the District of Oregon; that figure is useful as an alarm bell, but it should also be checked against the underlying order rather than repeated from commentary alone.[2]

At the same time, use is moving faster than governance. Clio’s Legal Trends reporting found that 79% of legal professionals were using AI while 44% said their firms had no AI policy; because Clio is a legal technology vendor, the adoption number should be read as useful but vendor-shaped, not as a neutral census of the profession.[3] The operational point still holds: many firms are letting lawyers and staff discover the boundaries by trial and error.

If you need the sanctions-and-duties overview first, read AI Ethics in Legal Practice 2026. This article has a narrower job: to turn those duties into a law firm AI acceptable use policy template that someone can actually administer.

[Figure: Legal AI acceptable use policy template with clauses mapped to professional responsibility duties]

What an Acceptable Use Policy Must Do

A law firm AI acceptable use policy is not a statement that the firm “uses AI responsibly.” It is an internal operating rule for lawyers, paralegals, legal assistants, docketing staff, billing personnel, and approved outside vendors. It should answer, in plain language, what may be used, who may use it, what information may be entered, what review is required, how client and court obligations are handled, and who maintains the system.

The policy becomes defensible when each clause can be traced to a professional duty. ABA Formal Opinion 512 frames generative AI use through familiar obligations including competence, confidentiality, supervision, candor, communication, and fees.[4] Florida Bar Opinion 24-1 similarly addresses confidentiality, oversight, billing, advertising, and whether client consent may be required in particular circumstances.[5] State-level guidance and templates from Illinois, North Carolina, New Jersey, Texas, and Vermont use different formats, but they keep returning to the same practical center: lawyers remain responsible for the work product and for the people and systems used to produce it.[6][7][8][9]

| Policy area | Professional duty | Operational question |
| --- | --- | --- |
| Permitted and prohibited uses | Model Rule 1.1 competence | Does the user understand enough about the tool to use it safely? |
| Confidentiality and prompts | Model Rule 1.6 confidentiality | Can client information be entered, stored, reviewed, or used for training? |
| Human review and supervision | Model Rule 5.3 supervision | Who checks AI-assisted work before it leaves the firm? |
| Court filings and legal authorities | Model Rule 3.3 candor | Who verifies citations, quotations, record references, and procedural statements? |
| Billing and client charges | Model Rule 1.5 reasonable fees | What time may be billed, and how is AI-assisted work described? |

Clause-by-Clause Law Firm AI Acceptable Use Policy Template

The clauses below are written as adaptable policy language, followed by annotations explaining why the clause exists. A small firm can adopt a shorter version, but it should not delete the owner, review, verification, and billing mechanics unless another document supplies them.

1. Purpose and Scope

Policy clause: This policy governs the use of generative AI, machine-learning, automated drafting, automated research, document analysis, summarization, transcription, translation, and similar tools in all firm work. It applies to lawyers, paralegals, legal assistants, administrative staff, contract lawyers, temporary personnel, and vendors who perform work for the firm or its clients.

Annotation: The scope clause prevents the common dodge that “AI” only means a public chatbot. Many of the risks arise in ordinary workflow tools: document review platforms, research assistants, meeting transcription, email drafting, intake summaries, billing narratives, and practice-management features. If staff use the tool to handle firm or client information, the policy should reach it.

Rule map: Model Rule 1.1 supports a basic understanding of the technology being used; Model Rule 5.3 supports extending the policy to nonlawyer assistants and outside service providers. ABA Formal Opinion 512 expressly treats AI use as part of lawyers’ existing professional obligations rather than a separate ethics category.[4]

2. Approved Tool Requirement

Policy clause: Firm personnel may use AI tools for firm work only if the tool appears on the firm’s approved AI tool list or has received written matter-specific approval from the designated AI policy owner. Personal accounts, free public tools, browser extensions, mobile applications, or unapproved AI features embedded in other software may not be used for client or firm work.

Annotation: This is the clause that keeps the policy from becoming a poster. Someone has to know which tools are allowed, under what settings, and for which matters. The office administrator, IT lead, knowledge-management lawyer, or risk partner should not have to reconstruct that after a problem occurs.

Rule map: Model Rule 1.6 is the main driver because tool approval depends on how client information is handled. Model Rule 5.3 also matters because lawyers must supervise nonlawyer assistance, including technology vendors and staff using those vendors. Florida’s opinion and Illinois ARDC guidance both emphasize that lawyers must understand and control confidentiality and oversight issues when using generative AI tools.[5][6]

3. Permitted Uses

Policy clause: Subject to this policy, approved AI tools may be used to assist with low-risk or internally reviewed tasks, including brainstorming, first-pass outlines, nonconfidential research planning, document organization, issue spotting, internal checklists, deposition preparation questions, chronology drafting, summarization of approved materials, and comparison of documents where confidentiality and vendor requirements are satisfied.

Annotation: A useful policy says what people may do, not only what they may not do. Otherwise, staff either stop using helpful tools or use them quietly. The safer permitted uses are not “safe” because AI is reliable; they are safer because a lawyer or trained staff member can review the output before anyone relies on it.

Rule map: Model Rule 1.1 allows lawyers to use technology competently, but it does not let them outsource judgment. This clause also supports supervision under Model Rule 5.3 by identifying uses that remain subject to review rather than leaving each employee to guess.

4. Prohibited Uses

Policy clause: Firm personnel may not use AI tools to make final legal judgments, provide unsupervised legal advice, file or serve unverified work product, generate final citations without independent verification, replace required attorney review, evaluate a client’s legal position without lawyer oversight, create deceptive communications, or enter client confidential information into a tool not approved for that type of information.

Annotation: This clause is deliberately practical. It does not ban every risky idea in the abstract; it identifies the uses that create the worst professional responsibility failures: fake authorities, leaked confidences, unsupervised advice, and court-facing work that no lawyer has checked.

Rule map: Model Rules 1.1, 1.6, 3.3, and 5.3 all appear here. The Stanford HAI study reporting hallucination rates of 17% to 34% even among legal-specific AI tools is especially relevant to the ban on unverified citations and legal propositions; firms should verify the exact rates against the primary study before using them in formal training materials.[10]

5. Confidentiality and Prompting

Policy clause: Firm personnel may not input client names, opposing-party names, witness names, privileged communications, confidential documents, personally identifying information, financial information, health information, sealed materials, litigation strategy, settlement authority, or other protected information into any AI tool unless the tool is approved for that category of information and the use is consistent with the applicable engagement, protective order, client instruction, and vendor terms.

Annotation: The phrase “do not enter confidential information” sounds clear until someone has to summarize a client email, draft discovery responses, or ask a tool to compare two contracts. The better rule is category-based: what information is involved, what tool is being used, what settings apply, and whether the matter has special restrictions.

Rule map: Model Rule 1.6 is the center of this clause. ABA Formal Opinion 512 and Florida Bar Opinion 24-1 both caution that lawyers must evaluate confidentiality risks before using generative AI, including how information may be stored, reviewed, or used by the provider.[4][5]

6. Human Review and Responsibility

Policy clause: AI-generated or AI-assisted work product must be reviewed by a qualified lawyer or supervised staff member before it is used, sent to a client, sent to opposing counsel, filed with a tribunal, relied on for legal advice, or placed in a final work product file. The responsible lawyer remains accountable for the accuracy, legal sufficiency, confidentiality compliance, and strategic appropriateness of the work.

Annotation: This is the clause associates and paralegals will quote back to partners, so it needs to be unambiguous. “AI helped draft it” cannot become a reason no one owns the final product. Review responsibility should be assigned at the matter level, not discovered after the filing deadline.

Rule map: Model Rule 5.3 supports supervision of nonlawyer work and technology-assisted processes. Model Rule 1.1 supports competent review. The New Jersey Courts starter policy and Texas Bar Practice template materials are useful here because they treat review and approval as workflow requirements, not as ethics decoration.[8][9]

Policy clause: No AI-generated citation, quotation, legal standard, procedural rule, record reference, factual assertion, or characterization of authority may be included in a filing, client advice, demand letter, opinion letter, mediation statement, discovery response, or other substantive legal work unless it has been independently verified against an authoritative source by a lawyer or trained legal professional.

Annotation: This clause is where the policy earns its place in a litigation file. A research tool can speed triage; it cannot be the final source of truth. Verification should mean opening the case, statute, rule, regulation, transcript, exhibit, or docket entry and confirming that the cited proposition is there.

Rule map: Model Rule 3.3 is the obvious duty for court-facing work, but Model Rule 1.1 is also involved because competent representation includes knowing whether the authority actually supports the proposition. The Mata sanctions and later reported sanctions in Couvrette are not proof that hallucinated filings are common, but they show the consequence when verification fails in public.[1][2]

Policy clause: The responsible lawyer must determine whether a client must be informed of, or consent to, AI use in a particular matter. Client notice or consent is required when AI use is material to the representation, when confidential information will be disclosed to or processed by a third-party AI provider in a way not already authorized, when the engagement agreement requires disclosure, when the client has restricted technology use, or when applicable law, court order, protective order, or ethics guidance requires it.

Annotation: A blanket rule requiring consent for every spell-check-like use will be ignored. A blanket rule requiring no communication will miss the matters where the client reasonably cares. The policy should push the question to the responsible lawyer and give that lawyer triggers to evaluate.

Rule map: This clause draws from Model Rules 1.4 and 1.6, even though the core acceptable-use framework often centers on Rules 1.1, 1.6, 5.3, 3.3, and 1.5. Florida Bar Opinion 24-1 is especially useful on the question of when consent or communication may be needed.[5]

9. Billing and Fees

Policy clause: Time entries for AI-assisted work must reflect the actual time reasonably spent by firm personnel performing, reviewing, revising, verifying, and applying the work. The firm may not bill a client for time not actually spent merely because an AI tool produced work more quickly than a lawyer or staff member would have produced it manually. Any separate technology charge, subscription recovery, or expense allocation must be authorized by the engagement agreement or otherwise permitted by applicable law and ethics rules.

Annotation: This clause belongs in the AI policy, not only in the billing manual, because billing pressure is one of the places AI use becomes distorted. The billing lawyer needs a rule before the invoice is drafted, not after the client asks why a first draft generated in minutes was billed as if it were written from scratch.

Rule map: Model Rule 1.5 requires reasonable fees. ABA Formal Opinion 512 addresses fees in the AI context, including the need to charge for actual work rather than capture an unearned windfall from technology-assisted efficiency.[4]

10. Training Requirement

Policy clause: Before using approved AI tools for firm work, personnel must complete firm-approved training covering permitted uses, prohibited uses, confidentiality, prompt handling, verification, filing review, billing, and incident reporting. Practice groups may require additional training for litigation, transactional, probate, family law, criminal, immigration, or regulated-industry matters.

Annotation: Training should not be a recorded webinar everyone clicks through once. The probate paralegal, the litigation associate, and the billing partner do not face identical risks. They need enough common language to follow the policy and enough role-specific instruction to recognize the problem while there is still time to fix it.

Rule map: Model Rule 1.1 supports technological competence, and Model Rule 5.3 supports training and supervision of nonlawyer personnel. The NC Bar Association’s January 2026 analysis is useful because it treats AI governance as an applied professional responsibility issue rather than a one-time technology purchase.[7]

11. Records, Logs, and Matter File Notes

Policy clause: The firm will maintain records sufficient to identify approved AI tools, approval dates, permitted use categories, material vendor terms, training completion, and policy exceptions. For matter-specific AI uses that affect substantive work product, the responsible lawyer must ensure the matter file reflects the nature of the use and the review performed, unless a practice group or risk committee has approved a different recordkeeping protocol.

Annotation: Do not build a logging system so burdensome that no one uses it. A firm does not need a diary entry for every grammar suggestion. It does need enough recordkeeping to answer basic questions: Was this tool approved? Was confidential information allowed? Who reviewed the final work? Was an exception granted?

Rule map: This clause supports Model Rules 1.1, 1.6, and 5.3. It also makes later internal review possible if a filing, disclosure, invoice, or confidentiality issue is questioned.

12. Exceptions and Escalation

Policy clause: Requests to use an unapproved AI tool, enter restricted information, depart from this policy, or use AI in a matter subject to special confidentiality, privilege, court, government, or client restrictions must be submitted to the AI policy owner or risk committee before use. Emergency exceptions must be documented as soon as practicable and reviewed after the fact.

Annotation: Exceptions are going to happen. The policy should make them visible. A partner who wants to test a new deposition-summary tool should not have to pretend the policy does not apply; the firm should have a path for approving or rejecting the request.

Rule map: Exceptions implicate confidentiality, competence, supervision, and sometimes candor. A written escalation route is what turns those duties into something administrable.

13. Incident Reporting

Policy clause: Firm personnel must promptly report suspected AI-related errors, unauthorized disclosures, hallucinated authorities, inaccurate summaries, improper tool use, vendor security concerns, or billing issues to the responsible lawyer and the AI policy owner. The firm will evaluate whether corrective action, client notice, court notice, vendor action, billing adjustment, or additional training is required.

Annotation: The first person to notice the problem may be a legal assistant, a docketing clerk, or a junior associate. If reporting feels like an admission of incompetence, the firm will learn about the issue from the client, the court, or opposing counsel instead.

Rule map: Model Rules 1.6 and 3.3 may drive corrective action depending on the incident. Model Rule 5.3 supports a reporting channel for staff and vendors. The clause should connect directly to the firm’s existing incident-response, malpractice, and client-communication procedures.

14. Ownership and Review Cycle

Policy clause: The firm designates [role or committee] as the AI policy owner. The policy owner will maintain the approved tool list, coordinate training, track ethics and court-rule developments, review vendor changes, approve or deny exceptions, and present the policy for review at least every [six or twelve] months or sooner if material tool, rule, court, vendor, or ethics guidance changes occur.

Annotation: A policy without an owner becomes stale quickly. AI vendors change terms. Courts issue standing orders. Bars publish new guidance. Practice groups discover uses that the original drafter did not anticipate. Someone has to be responsible for turning those changes into a revised document.

Rule map: This clause supports all five core duties. Justia’s 50-state survey is useful as a monitoring source because it reflects the continuing spread of state AI ethics guidance; firms should confirm the current count of state bars converging around a shared duty framework as guidance changes.[11]

Appendix A: Approved AI Tool List

The approved tool list is the document people will actually look for on Tuesday afternoon. Keep it short enough to maintain and specific enough to prevent guesswork.

| Field | What to record |
| --- | --- |
| Tool name | Product name and version or plan level, if relevant |
| Approved users | Lawyers only, all staff, specific practice group, or named users |
| Approved uses | Drafting support, summarization, document review, research triage, transcription, translation, or other defined uses |
| Information allowed | No client information, de-identified information only, approved confidential information, or matter-specific approval required |
| Restrictions | No court filings, no privileged documents, no client names, no regulated data, or other limits |
| Vendor review date | Date the firm last reviewed terms, privacy, retention, training, and security materials |
| Approver | Risk partner, managing partner, IT lead, knowledge-management lawyer, or committee |
| Next review | Scheduled review date or trigger |

For a small firm, this can be a spreadsheet. For a midsize firm, it may belong in the intranet or document-management system. The important point is that the list has an owner and a review date. The Texas Bar Practice template materials and the Vermont Bar Association model policy descriptions are helpful starting points for firms that want a policy-plus-appendix structure rather than a single narrative memo.[9][12]

Appendix B: Safe-Prompting Guide

A safe-prompting guide should be written for the person using the tool, not for the lawyer who drafted the policy. It should separate three categories.

| Prompt category | Default treatment | Example |
| --- | --- | --- |
| Public or nonconfidential information | Allowed in approved tools if the use is permitted | Draft a general checklist for preparing a witness outline |
| De-identified matter information | Allowed only if re-identification risk is low and the tool is approved for that use | Summarize these generic contract provisions without names, dates, amounts, or party identifiers |
| Client confidential or privileged information | Allowed only in tools approved for that information category and only when matter restrictions permit | Summarize an uploaded client email chain in an approved closed system |

The guide should also give users prompt habits that reduce risk: remove names unless needed, avoid settlement authority, avoid privileged legal strategy in unapproved tools, do not paste full pleadings into public systems, and ask for a structure rather than a final answer when the task involves law. These are not substitutes for tool approval, but they reduce the chance that a routine drafting task becomes a confidentiality event.

Appendix C: Court-Filing Verification Checklist

This checklist should sit where filings are finalized, not buried in the AI policy. It applies whenever AI assisted with research, drafting, summarizing, citation generation, record review, or argument framing.

  • Every cited case, statute, rule, regulation, and secondary source has been opened in an authoritative database or official source.
  • Every quoted passage has been checked against the source text.
  • Every parenthetical accurately describes the holding or proposition.
  • Every record citation, exhibit reference, transcript page, and docket reference has been checked.
  • The filing complies with any judge-specific, court-specific, or standing order disclosure requirement concerning AI use.
  • The responsible lawyer has reviewed the final version and accepts responsibility for the filing.

The checklist should not ask, “Was AI used?” and stop there. The filing risk is not the mere fact of assistance; it is unverified authority, inaccurate record references, or a disclosure obligation that no one noticed until after filing.

Appendix D: Vendor Due Diligence Checklist

Vendor due diligence is where a confidentiality clause either becomes real or collapses. A firm does not need to turn every lawyer into a security engineer, but it does need a repeatable review before client information goes into a system.

| Question | Why it matters |
| --- | --- |
| Will the vendor use firm or client inputs to train models? | Training use may affect confidentiality and client consent analysis. |
| Where is data stored and processed? | Location may matter for client commitments, regulation, or protective orders. |
| Who can review user inputs and outputs? | Human review by the vendor may be a disclosure issue. |
| How long are prompts, uploads, outputs, and logs retained? | Retention affects confidentiality, discovery, deletion, and breach response. |
| Can the firm disable training, sharing, or retention features? | Settings may determine whether a tool is approved for confidential information. |
| What security documentation is available? | The firm needs enough information to evaluate vendor safeguards. |
| Does the contract address confidentiality, breach notice, subcontractors, and data return or deletion? | Contract terms should match the level of information the tool will receive. |
| Does the tool produce citations, summaries, translations, or legal conclusions? | Output type affects the required human review. |

Vendor disclosures should not be treated as independent proof that a tool is safe. They are inputs to the firm’s analysis. The policy owner should preserve the version reviewed, because vendor terms and product settings can change.

[Figure: Five-part legal AI governance framework connecting competence, confidentiality, supervision, candor, and fees]

A 90-Day Rollout Plan

The policy should not arrive as a PDF attached to a Friday afternoon email. Rollout is part of the control system.

| Timing | Action | Owner |
| --- | --- | --- |
| Days 1-15 | Inventory AI tools already in use, including embedded features in research, document, transcription, email, and practice-management systems. | AI policy owner with IT and practice group leaders |
| Days 16-30 | Review vendor terms, classify tools by permitted information type, and create the first approved tool list. | Risk committee or designated approver |
| Days 31-45 | Adopt the policy clauses, appendices, exception process, and incident-reporting route. | Managing partner or executive committee |
| Days 46-60 | Train lawyers and staff by role, using practical examples from the firm’s actual workflows. | Policy owner and practice group leaders |
| Days 61-75 | Pilot the filing checklist, safe-prompting guide, billing rule, and matter-file notation process in selected practice groups. | Practice group leaders |
| Days 76-90 | Revise the policy based on pilot issues, publish the approved tool list, and schedule the next review. | Policy owner |

The first review should ask unglamorous questions. Did anyone know where the approved tool list was? Did staff understand what counted as client information? Did the filing checklist add a review step that actually happened, or just another signature line? Did billing lawyers change time entries when AI shortened a task? Did anyone request an exception instead of working around the policy?

A defensible law firm AI acceptable use policy is not the one with the most polished opening paragraph. It is the one mapped to identifiable duties, supported by usable appendices, assigned to real owners, and maintained as tools, court expectations, vendor terms, and ethics guidance change.

References

  1. Lawyers submitted bogus case law created by ChatGPT. A judge fined them $5K, ABA Journal, June 22, 2023.
  2. Couvrette v. Wisnovsky: Court Imposes $110,000 Sanction for AI-Hallucinated Filing, GC AI, 2025.
  3. Legal Trends Report, Clio.
  4. Formal Opinion 512: Generative Artificial Intelligence Tools, American Bar Association, July 29, 2024.
  5. Ethics Opinion 24-1, The Florida Bar, January 19, 2024.
  6. Generative AI and the Rules of Professional Conduct, Illinois Attorney Registration and Disciplinary Commission.
  7. AI and the Practice of Law: Ethical Considerations, North Carolina Bar Association, January 2026.
  8. Artificial Intelligence Policy for the New Jersey Judiciary, New Jersey Courts, March 2026.
  9. AI Acceptable Use Policy Template, Texas Bar Practice.
  10. Hallucination-Free? Assessing the Reliability of Leading AI Legal Research Tools, Stanford HAI, 2024.
  11. 50-State Survey of AI and Attorney Ethics Rules, Justia.
  12. Model AI Policy, Vermont Bar Association.
