Full profile
A useful legal AI hallucination audit checklist has to start earlier than the moment someone checks a citation. By then, the legal team may already have used the wrong tool, fed it confidential facts without an approved posture, framed the prompt to invite agreement, or accepted a draft whose most dangerous defect is not a fake case but a real case used for the wrong proposition.
That is the gap in most published guidance. The ABA’s practical checklist covers responsible use issues such as tool selection, confidentiality, verification, billing, and supervision.[1] LeanLaw’s checklist is strong on citation verification: existence, holding, context, currency, jurisdiction, and docket status.[2] Clio usefully separates output failures into hallucination, omission, and misfit.[3] The National Center for State Courts gives practitioners a typology that includes fabricated cases, distorted holdings, unsupported propositions, falsified procedural information, and blended concepts.[4] Each is useful. None, standing alone, gives a legal team a complete stop/go workflow from tool choice through post-filing response.
The operational problem is simple: different AI failure modes need different gates. A fabricated citation is caught one way. A real case cited for a holding it does not contain is caught another way. A missing contrary authority problem is not caught by proving that every cited case exists. A confidentiality problem should have stopped the work before the prompt was ever sent.

The Six-Phase Audit Protocol
This protocol is a synthesis of existing guidance, not an official standard issued by a court, bar authority, or vendor. Its purpose is narrower and more practical: give attorneys, paralegals, legal operations teams, and risk managers an ordered process that can be assigned, documented, interrupted, and escalated before AI-assisted work goes to a client, opposing party, agency, or court.
| Phase | Gate | Primary question | Stop trigger |
|---|---|---|---|
| 1 | Tool and use-case risk-tiering | Should this tool be used for this task at all? | Unapproved tool, unclear confidentiality posture, prohibited use, or no responsible reviewer |
| 2 | Prompt and input audit | Did the prompt invite a defective, biased, or overconfident answer? | Leading prompt, missing jurisdiction/date limits, client facts entered improperly, or no source instruction |
| 3 | Citation and source verification | Do the cited authorities exist and support the stated propositions? | Any unverifiable citation, wrong holding, outdated authority, wrong jurisdiction, or docket defect |
| 4 | Deeper error detection | What defects survive ordinary citation checking? | Misgrounding, omission, jurisdiction blend, unsupported procedural statement, or sycophantic agreement |
| 5 | Documentation and supervisory signoff | Can the team later prove what was checked, by whom, and against what source? | No audit trail, no reviewer identity, no source record, or unresolved exception |
| 6 | Escalation and incident response | What happens if an error is found late or after filing? | Filed or sent work contains a material AI-related defect, or uncertainty remains about client/court impact |
Why Citation Checking Alone Is Too Narrow
The legal profession’s first wave of AI verification advice understandably focused on fake cases. That was the visible failure: a brief cites cases that do not exist, a court asks for copies, and the lawyers cannot produce them. But by Q3 2026, that is no longer the only serious failure pattern.
Stanford RegLab’s benchmarking work remains important because it tested legal-specific retrieval-augmented generation tools, not just general chatbots. The study reported hallucination rates of 17% for Lexis+ AI, more than 17% for Ask Practical Law AI, and 34% for Westlaw AI-Assisted Research, while general-purpose tools ranged from 58% to 88% on the benchmarked legal queries.[5] Tool-specific rates may have changed since that May 2024 preprint, but the operational lesson has not aged out: a legal-native interface reduces some risks; it does not eliminate the need for auditing.
The more uncomfortable finding is misgrounding. Stanford documented errors where the case is real, but the proposition attributed to it is wrong or unsupported. The researchers described that category as especially dangerous because a basic existence check passes and the reviewer gets false comfort.[5] That is exactly how a 10:40 p.m. review fails: someone confirms the citation appears in a database, sees a familiar reporter, and moves on without reading the portion of the opinion that supposedly does the work.
The National Center for State Courts’ typology points in the same direction. Fabricated cases are only one category; distorted holdings, unsupported propositions, falsified procedural information, and blended legal concepts all require review beyond citation existence.[4] A checklist that stops at “find the case” is therefore a source check, not a hallucination audit.
Phase 1: Tool and Use-Case Risk-Tiering
The first audit question is not whether the output is accurate. It is whether the output should exist. Before anyone prompts a model, the legal team should assign the tool and task to a risk tier.
- Low-risk internal support: formatting, non-substantive summarization, issue spotting for a supervised reviewer, or drafting a non-final internal outline without confidential facts.
- Moderate-risk legal work product support: first drafts of research memos, contract clause comparison, deposition preparation outlines, or litigation chronology building using controlled inputs.
- High-risk external or adjudicative use: briefs, pleadings, agency submissions, client advice, opinion letters, expert-facing materials, settlement communications, or anything likely to be filed, served, or relied on.
- Prohibited or special-approval use: client confidential information in an unapproved tool, privileged strategy in an uncertain retention environment, unauthorized practice risks, or use that conflicts with court orders, client instructions, or firm policy.
This is where the ABA’s responsible-use checklist is most useful. It tells firms to evaluate tools, protect confidentiality, supervise use, and verify outputs.[1] ABA Formal Opinion 512 also ties generative AI use to professional duties including competence, confidentiality, communication, fees, and supervisory responsibilities under Model Rules 5.1 and 5.3.[6] Those duties are hard to satisfy if the team cannot later identify which tool was used, what data went into it, who approved the use case, and who reviewed the result.
For a small office, this does not require a procurement committee. It can be a one-page intake record: tool name, account type, data-retention setting if known, matter number, task, intended audience, confidentiality level, responsible attorney, and whether the output may leave the office. If any field is unknown for high-risk use, the work stops until a lawyer with supervisory responsibility decides whether the tool is appropriate.
That stop is important. A tool-risk step that merely says “consider confidentiality” will be skipped under pressure. A control gate says: if the tool is not approved for this data and this use, do not prompt it.
Minimum Phase 1 Record
- Tool and version or product environment, to the extent available.
- Whether the tool is general-purpose, legal-native, firm-approved, client-approved, or unapproved.
- Whether confidential, privileged, sealed, personal, or regulated information will be entered.
- Whether the output is internal-only, client-facing, court-facing, agency-facing, or public.
- Named attorney responsible for final review.
Phase 2: Prompt and Input Audit
Prompt review sounds fussy until a bad prompt becomes the reason the model agrees with a false premise. Stanford’s study documented sycophancy failures, including agreement with a leading question that incorrectly asserted Justice Ginsburg dissented in Obergefell.[5] That matters in legal work because prompts often arrive with embedded assumptions: “Draft an argument that the statute clearly preempts the claim,” “Find cases supporting removal,” or “Explain why the complaint is time-barred.”
A prompt audit does not need to make every prompt elegant. It needs to catch instructions that reward the model for agreeing instead of testing. The reviewer should ask whether the prompt defines the jurisdiction, date range, procedural posture, governing law, source universe, and desired treatment of adverse authority. For research tasks, the prompt should require the tool to separate authorities it found from conclusions it is drawing. For drafting tasks, it should require placeholders where support is missing rather than invented citations or confident generalizations.
| Weak prompt pattern | Audit concern | Safer prompt instruction |
|---|---|---|
| “Find cases proving our position.” | Invites one-sided support and omission of contrary authority. | “Identify controlling and persuasive authority for and against this position, and mark any unresolved conflict.” |
| “Draft with citations.” | Invites citation generation without source boundaries. | “Use only authorities found in the approved database or materials I provide; use brackets where authority is missing.” |
| “Explain why the motion should be granted.” | Invites sycophantic agreement with the desired outcome. | “Evaluate whether the motion should be granted under the governing standard, including weaknesses and adverse authority.” |
| “Summarize this area of law.” | Invites jurisdiction blend and overgeneralization. | “Summarize current law in [jurisdiction] as of [date], separating binding law from persuasive authority.” |
Phase 2 should also record what was provided to the tool. If the AI analyzed uploaded cases, contracts, pleadings, transcripts, or discovery materials, the audit record should identify the source set. If the model was allowed to search externally, that should be recorded too. Later, when someone asks why a contrary case was missed, “the AI did not find it” is not an answer unless the team can explain where the AI was allowed to look.
Prompt-Level Stop Triggers
- The prompt contains client confidential information before Phase 1 approval.
- The prompt asks only for supportive authority where contrary authority would be material.
- The prompt omits jurisdiction, date, procedural posture, or governing source limits for substantive legal research.
- The prompt asks the tool to generate citations without requiring source verification or placeholders for unsupported claims.
- The prompt frames a disputed premise as true and asks the model to justify it.
Phase 3: Citation and Source Verification
Citation verification remains necessary. It is just not sufficient. LeanLaw’s six-part structure is a practical way to keep this phase from collapsing into a quick database search.[2] Every cited authority that supports a legal proposition should be checked for existence, holding, context, currency, jurisdiction, and docket status.
- Existence: Confirm the case, statute, regulation, rule, order, or secondary source exists in an authoritative database or official source.
- Holding: Read the relevant portion and confirm it supports the proposition in the draft.
- Context: Confirm the procedural posture, facts, standard of review, and quoted language are not being stretched beyond their use.
- Currency: Shepardize, KeyCite, or otherwise update the authority for reversal, abrogation, supersession, negative treatment, or statutory amendment.
- Jurisdiction: Confirm whether the authority is binding, persuasive, distinguishable, or irrelevant for the forum and issue.
- Docket or procedural status: For pending matters, trial court orders, agency actions, or unpublished decisions, confirm filing status, disposition, and any later developments.
The reviewer should not rely on the AI output as the verification source. If the AI gives a quote, pull the opinion. If it gives a pincite, read around the pincite. If it summarizes a regulation, open the current official version. If it cites a docket entry, check the docket rather than the model’s description of the docket.
For high-risk work, the audit record should identify the source checked and the reviewer. A simple notation is enough: “Case exists; proposition confirmed at page X; current through KeyCite on [date]; reviewed by [name].” The point is not paperwork for its own sake. The point is that “verified” without a source, date, and reviewer becomes nearly useless when an error surfaces.

Phase 4: Deeper Error Detection
This is the phase most ordinary checklists underbuild. Once every cited source exists, the dangerous question begins: what is still wrong?
Misgrounding
Misgrounding occurs when the authority is real but the statement attached to it is unsupported, overstated, or wrong. This defect survives an existence check. It may also survive a quick scan if the cited case is in the right legal neighborhood. The audit method is proposition-by-proposition review: isolate each legal claim, identify the cited support, and ask whether the authority actually establishes that claim at the required level of generality.
A useful test is to rewrite the proposition more narrowly until it is exactly supported. If the draft says “courts routinely dismiss these claims at the pleading stage,” but the cited case dismissed after discovery under materially different facts, the proposition is misgrounded even though the case exists. The fix is not to keep the citation and soften the sentence casually; the reviewer must decide whether the argument still works after the authority is stated accurately.
Omission Scanning
Clio’s framework is helpful because it treats omission as a separate output failure, not a less dramatic version of hallucination.[3] In legal work, an answer can be citation-perfect and still be materially defective because it leaves out controlling contrary authority, a statutory exception, a local rule, a preservation issue, or an adverse procedural fact.
The omission scan should not ask the AI to grade itself. It should use independent search paths: controlling jurisdiction search, adverse treatment search, statutory and rule cross-reference review, local rule review, and, where appropriate, a secondary source or treatise check to identify issues the prompt did not surface. If the work product will go to a court, the reviewer should also check whether the judge has an AI disclosure or certification requirement. Ropes & Gray’s tracker reported more than 300 judges with AI disclosure orders.[7]
Jurisdiction Blend
Jurisdiction blend is not always obvious. A generated draft may mix federal and state standards, import a rule from a neighboring state, rely on persuasive authority as though it is binding, or combine majority and minority rules into a sentence that sounds plausible but applies nowhere. The NCSC’s category of blended legal concepts captures this risk.[4]
The audit step is to mark each rule statement with its jurisdictional status: controlling, persuasive, distinguishable, background only, or unsupported. If the draft cannot survive that marking exercise, it is not ready for style editing. It needs legal repair.
Sycophancy Testing
Sycophancy testing is the habit of asking whether the tool agreed because the prompt wanted agreement. For material legal conclusions, run a counter-prompt or independent review that asks for weaknesses, contrary authority, and reasons the proposed conclusion may be wrong. This is not a request for the AI to make the final call. It is a way to expose whether the first output was shaped by the user’s desired answer.
A simple pattern works: after receiving an AI-assisted draft, ask a separate reviewer or approved tool workflow to identify the three strongest objections, any missing elements, and any authority that would embarrass the filing if omitted. The result must still be checked by a lawyer. The point is to break the one-directional path from preferred conclusion to polished draft.
Procedural and Factual Claims
Some AI errors are not doctrinal. They are procedural: wrong filing deadline, wrong page limit, wrong judge, wrong local rule, wrong docket history, wrong party name, wrong disposition, or a confident statement that a motion remains pending when it has been denied. The NCSC includes falsified procedural information among hallucination categories.[4] These claims should be checked against dockets, court rules, standing orders, scheduling orders, and client file materials, not against the generated draft.
Phase 5: Documentation and Supervisory Signoff
Documentation is where an AI checklist becomes a control system. A firm may have a policy. A team may have training. Neither proves that this output, in this matter, was checked against reliable sources by someone competent before it left the office.
ABA Formal Opinion 512’s discussion of supervisory duties matters here because generative AI use is rarely a purely individual act in legal practice.[6] A partner may assign research to an associate. An associate may use a tool for a first draft. A paralegal may check docket information. Local counsel may file. If the process fails, the person downstream may be the first one asked to explain a decision made upstream.
The audit trail should be proportionate to risk. A low-risk internal brainstorming use may need only a notation that AI was used and no external reliance occurred. A court filing, client advice memo, agency submission, or settlement position should have a review record.
| Record item | Why it matters |
|---|---|
| Tool and task | Shows whether the use matched approved risk tier and purpose. |
| Prompt or prompt summary | Shows whether the user invited one-sided, leading, or unsupported output. |
| Inputs or source set | Shows what the tool could and could not have considered. |
| Generated output retained or versioned | Allows later reconstruction of what the reviewer saw. |
| Authorities checked | Shows existence, holding, context, currency, jurisdiction, and docket review. |
| Omission and misgrounding review | Shows that the team looked beyond fake citations. |
| Reviewer and signoff | Assigns responsibility and confirms supervisory review. |
| Exceptions and corrections | Prevents unresolved defects from disappearing into a final draft. |
For team workflows, the signoff should be interruptible. If an associate finds that a cited case does not support the proposition, the next step is not to leave a comment and hope the drafter handles it. The audit record should mark the item as failed, assign correction, and prevent external use until the defect is resolved or a supervising lawyer approves a documented alternative.
Phase 6: Escalation and Incident Response
Escalation belongs in the checklist before the emergency happens. If a hallucination or serious AI-related defect is discovered after a filing, client delivery, service on opposing counsel, or agency submission, the legal team should not improvise through hallway conversations and private edits.
The need for escalation is no longer theoretical. Damien Charlotin’s AI hallucination cases database tracked 1,696 hallucination matters as of July 3, 2026.[8] The exact consequences vary by court, jurisdiction, conduct, and timing, but the pattern is clear enough for workflow design: late discovery of a false citation or unsupported legal proposition can trigger questions about competence, candor, supervision, correction, and whether the lawyer tried to minimize the problem rather than fix it.
The first escalation decision is containment. Stop further reliance on the affected work product. Preserve the prompt, output, drafts, filed version, verification notes, correspondence, and source materials. Identify who has received or relied on the work. Determine whether the defect is immaterial, correctable without prejudice, material to a client decision, material to a court or agency submission, or potentially misleading to another party.
- Escalate to supervising attorney when any cited authority cannot be verified or does not support the proposition.
- Escalate to risk management or ethics counsel when the work has left the office or may affect a tribunal, client decision, or opposing party.
- Escalate immediately when a filed document contains a fabricated citation, misquoted authority, false procedural statement, or omitted controlling adverse authority.
- Preserve the audit trail before revising prompts, deleting chats, replacing drafts, or editing source notes.
- Do not ask the same tool to certify that its own defective work is harmless.
The correction path depends on duties that are outside the scope of a general workflow article and may require jurisdiction-specific ethics advice. But the checklist can still define the operational trigger: once a material AI-related error is found in external work, the matter leaves ordinary drafting workflow and enters incident response.
A Working Checklist for Legal Teams
For actual use, the six phases should fit on a matter-level form. The form should not ask reviewers to certify vague confidence. It should ask for completed actions, exceptions, and signoff.
- Classify the tool and use case: approved tool, confidentiality posture, intended audience, risk tier, and responsible attorney.
- Audit the prompt and inputs: jurisdiction, time frame, source limits, procedural posture, adverse authority instruction, and no unapproved confidential information.
- Verify citations and sources: existence, holding, context, currency, jurisdiction, and docket or procedural status.
- Test for deeper defects: misgrounding, omission, jurisdiction blend, unsupported procedural claims, factual mismatch, and sycophantic agreement.
- Document the review: tool, prompt or summary, inputs, output version, sources checked, reviewer, date, exceptions, and corrections.
- Escalate when required: unresolved defect, external reliance, filed error, client impact, tribunal impact, or uncertainty about correction duties.
That list is deliberately ordered. If Phase 1 fails, there should be no prompt. If Phase 2 fails, there should be no output used for legal work. If Phase 3 or Phase 4 fails, there should be no external draft. If Phase 5 fails, the team may not be able to prove what it did. If Phase 6 is missing, the first serious mistake becomes a scramble.
What Changes in Practice
A phase-gated audit changes the work allocation. Junior lawyers and paralegals can still use AI tools to reduce blank-page work, organize materials, and surface issues. But the workflow makes clear which tasks belong to the tool, which tasks belong to the human reviewer, and where supervisory judgment is required.
It also changes the meaning of “verified.” In a defensible workflow, verified does not mean someone glanced at the citations. It means the use case was approved, the prompt did not invite a distorted answer, the authorities were checked against reliable sources, hidden error modes were tested, the review was documented, and escalation was available if something failed.
No single published checklist currently covers that full lifecycle. The ABA materials give responsible-use and supervisory framing.[1][6] LeanLaw supplies a practical citation verification sequence.[2] Clio and the NCSC broaden the error categories beyond fake authorities.[3][4] Stanford explains why legal-native tools and existence checks still leave serious risk.[5] Court-order tracking and hallucination case databases show why the issue now belongs in ordinary matter workflow, not just annual AI governance training.[7][8]
The result is not a promise that AI-assisted legal work will be error-free. It is a process that can stop the work at the point where the risk appears. In Q3 2026, that is the practical baseline: hallucinations can enter through tool choice, prompt framing, generated citations, misgrounded authorities, omitted law, weak documentation, and delayed escalation. A single-point citation check cannot carry all of that weight.
References
- A Practical Checklist for Using AI Responsibly in Your Law Firm, American Bar Association, 2026.
- The Hallucination Problem: A Checklist for Verifying AI-Generated Legal Citations, LeanLaw.
- How to Verify Legal AI Output: A Framework for Legal Professionals, Clio.
- Legal Practitioner’s Guide to AI & Hallucinations, National Center for State Courts.
- AI on Trial: Legal Models Hallucinate in 1 out of 6 (or More) Benchmarking Queries, Stanford HAI.
- Formal Opinion 512, American Bar Association.
- Artificial Intelligence Court Order Tracker, Ropes & Gray.
- AI Hallucination Cases Database, Damien Charlotin.
Comments
Join the discussion with an anonymous comment.