Yes, a lawyer can use ChatGPT in legal practice under current ethics frameworks. The safer answer, though, is not “yes, if you are careful.” It is yes if the use is built into a controlled workflow: the lawyer understands the tool well enough to use it competently, keeps client information out of unprotected systems, reviews the output before anyone relies on it, and bills only for the human legal work and properly disclosed costs.
The four rules that do most of the work are familiar: competence, confidentiality, supervision, and fees. ABA Formal Opinion 512, issued in July 2024, says lawyers using generative AI must have a “reasonable understanding of the capabilities and limitations” of the tools they use, and it maps AI use to duties including Model Rules 1.1, 1.6, 1.4, 1.5, 3.3, and 5.3.[1] That sentence is doing more than many lawyers first notice. It means ChatGPT is not treated as magic, and it is not treated as forbidden. It is treated as a tool whose risks the lawyer must know well enough to manage.

The Four-Rule Map for ChatGPT Legal Use
A firm policy that begins with “lawyers may use AI responsibly” is not enough. The policy has to tell a lawyer, paralegal, or legal operations manager what changes at the desk level. These are the four questions the policy should answer before the tool touches client work.
| Ethics Duty | ChatGPT Compliance Question | Firm Control |
|---|---|---|
| Competence | Does the lawyer understand what the tool can and cannot do? | Approved-use training, matter-type limits, source-verification rules |
| Confidentiality | What information may be entered into the tool? | Data classification, approved platforms, prompt restrictions |
| Supervision | Who reviews the output before it is used? | Human review, citation checking, partner or attorney approval where needed |
| Fees | What time or cost may be charged to the client? | Billing narratives, cost disclosure, prohibition on billing saved AI time as lawyer time |

Competence: Rule 1.1 Is Now a Technology Management Duty
Competence does not require every lawyer to become a machine-learning engineer. It does require enough understanding to know when ChatGPT is generating fluent text rather than verified legal analysis, when it may invent or distort authorities, when a prompt may expose protected facts, and when a task needs a different tool altogether.
That is the practical force of ABA Formal Opinion 512. A lawyer who uses generative AI has to understand its capabilities and limitations before relying on it in a professional setting.[1] “I did not know it could do that” is a poor defense when the behavior is one of the tool’s known operating risks.
For ChatGPT legal work, competent use should mean at least this: the lawyer knows whether the tool is connected to current legal sources, whether the output includes citations generated by the model rather than retrieved from a database, whether prompts and responses may be retained or reviewed by the provider, and whether the firm’s version of the product is a consumer tool, enterprise arrangement, or API deployment with different data terms.
The distinction matters because the same prompt can be harmless in one environment and unacceptable in another. Asking ChatGPT to rewrite a public biography in a more concise tone is not the same act as asking a consumer chatbot to summarize a confidential acquisition chronology. The lawyer’s ethical issue is not that both involve AI. It is that one can be done without exposing client secrets, while the other may place protected facts into a system the lawyer has not vetted.
Confidentiality: Rule 1.6 Starts Before the Prompt
The confidentiality problem is not solved by telling lawyers to “be careful with prompts.” The policy has to define what may be entered, which version of the tool may be used, and who approved that environment for client information.
The San Francisco Bar Association has warned lawyers and legal staff about ChatGPT privacy concerns, including the risk that content submitted to consumer-facing systems may be reviewed or used in ways that are incompatible with legal confidentiality duties.[2] Thomson Reuters has separately described how consumer AI tools can create hidden malpractice risks for law firms when personnel paste client information into systems not designed or contracted for legal confidentiality.[3]
A usable confidentiality rule should be written in the negative first: no confidential client information, privileged communications, nonpublic deal terms, personal data, litigation strategy, witness information, or sealed material may be entered into an unapproved consumer AI tool. That rule should apply to lawyers, summer associates, paralegals, contract attorneys, administrative staff, and anyone else who can reach the tool from a browser.
If a firm wants to use ChatGPT or another generative AI system with matter information, the analysis changes from “prompt hygiene” to vendor governance. Someone has to review the governing terms, data retention, training use, access controls, logging, contractual protections, and whether the arrangement is a consumer product, enterprise service, or API with additional data-protection terms. A written policy that never makes that distinction leaves the hardest question to the person least equipped to answer it, often the associate trying to finish a draft at 8:43 p.m.
Supervision: Rule 5.3 Does Not Let the Machine Become the Reviewer
ChatGPT can produce a first draft, a list of issues to check, a plain-English explanation, or a summary of public material. It cannot become the lawyer of record, the supervising attorney, or the person responsible for candor to a tribunal. The Illinois Supreme Court Commission on Professionalism has emphasized that lawyers must supervise technology use and cannot delegate professional obligations to ChatGPT or similar tools.[4]
Supervision has two parts. First, the firm must supervise people using the tool: who may use it, for what tasks, after what training, and with what approvals. Second, the lawyer must supervise the output: citations, quotations, factual assertions, legal standards, procedural rules, and strategic recommendations must be checked before the work product leaves the firm or is relied on internally.
This is where many casual ChatGPT legal workflows fail. The time saved in drafting reappears as an invisible verification task. If no one is assigned that task, the work has not become efficient; the risk has simply moved downstream to the next reviewer, the client, the court, or the malpractice file.
Fees: Rule 1.5 Requires Billing Discipline, Not AI Theater
The billing issue is easy to state and hard to police. A lawyer may charge for the lawyer’s time reviewing, revising, verifying, and applying AI-assisted work. A lawyer may not turn minutes of AI-assisted drafting into hours of billable time simply because the task would once have taken longer.
Florida Bar Opinion 24-1 is useful here because it translates the fee question into ordinary billing behavior: as summarized in GC AI’s 2026 synthesis, lawyers may bill for time spent supervising and verifying AI output, but they may not bill for time the AI compressed or pass AI subscription costs to a client as a charge without appropriate disclosure under the fee rules.[5]
A compliant billing entry should describe the legal work the lawyer actually performed. “Reviewed and revised AI-assisted draft of indemnity clause; verified citations to governing agreement and applicable law” tells a different story than “Draft motion” if the unspoken fact is that the first version came from a chatbot and the lawyer spent the time checking it. The point is not to perform confession in every invoice line. The point is that the bill should be defensible if the client asks what was done, by whom, and why the charge is reasonable.
A Traffic-Light Policy That Lawyers Can Actually Use
The traffic-light model is not an ethics safe harbor. It is an internal-control device. GC AI’s policy template uses red, yellow, and green categories to sort AI uses by risk, and it is a helpful starting point precisely because it turns abstract duties into choices a person can make before opening a chat window.[5]

| Category | Default Rule | Examples |
|---|---|---|
| Red | Prohibited unless separately approved by firm leadership and ethics counsel | Entering confidential client facts into unapproved consumer ChatGPT; submitting unverified AI-generated cases or quotations; asking the tool to provide jurisdiction-specific legal advice directly to a client; using AI output as final work product without attorney review |
| Yellow | Permitted only with human review, source verification, and jurisdiction checks | Drafting first-pass outlines; summarizing nonconfidential materials; brainstorming deposition topics; creating research checklists; comparing public legal concepts; generating client-friendly explanations for attorney revision |
| Green | Generally permitted if no confidential information is entered | Reformatting public biographies; drafting internal training hypotheticals; creating nonclient administrative templates; improving grammar in public-facing text; summarizing public court rules for later lawyer confirmation |
The red category should be short and enforced. If everything is red, lawyers will route around the policy. If nothing meaningful is red, the policy is decoration. The most important red line is confidential information in unprotected consumer tools. The second is unverified authority in filed or client-facing work. Those are the places where a small shortcut can become a disciplinary problem, a privilege fight, or a credibility wound.
The yellow category is where most legitimate legal work will sit. ChatGPT can be useful for getting past a blank page, creating a structure to interrogate, translating dense language into a client memo draft, or generating a checklist of issues the lawyer may have missed. But yellow uses require a named reviewer and a verification path. “I read it and it looked right” is not a verification path.
The green category should stay modest. Public-information and administrative tasks can still create embarrassment if no one reviews them, but they usually do not require the same controls as legal analysis involving client facts. The policy should let people use the tool where the ethical stakes are low, so that compliance energy is spent where it matters.
Prompt → Verify → Audit
A ChatGPT policy becomes useful only when it tells people what to do in sequence. The sequence should be simple enough to follow during ordinary work and specific enough to reconstruct later.
Prompt
Before the prompt is written, the user should classify the task as red, yellow, or green. If the task is yellow, the prompt should use only permitted inputs: public law, generic hypotheticals, anonymized facts where anonymization is genuinely sufficient, or information approved for the specific AI environment. A firm should not rely on lawyers to invent anonymization standards in the moment.
- Do not include client names, counterparties, employees, witnesses, transaction terms, settlement positions, medical facts, financial account information, litigation strategy, or privileged communications in unapproved systems.
- Use placeholders that do not allow the matter to be reconstructed from context.
- State the permitted task clearly, such as “create a checklist of issues to research,” rather than “tell me the answer.”
- Ask for assumptions to be identified, not hidden inside a polished conclusion.
For example, a permitted yellow prompt might ask for a general checklist of issues a lawyer should research when drafting a limitation-of-liability clause in a commercial services agreement. It should not paste the client’s draft agreement into a consumer chatbot unless the firm has approved that use under its confidentiality and vendor-review process.
Verify
Verification must be independent of the output. If ChatGPT gives a case name, statute, quotation, deadline, filing requirement, or legal standard, the lawyer must confirm it through an authoritative source. If it summarizes a document, someone must compare the summary against the document. If it suggests a strategy, the lawyer must test it against the facts, forum, client objectives, and governing law.
This is also where jurisdiction enters the workflow. The lawyer should check not only the substantive law of the matter, but also local AI ethics guidance, court standing orders, judge-specific requirements, and client outside-counsel guidelines. New York has published guidance discussing ethical and technical challenges of ChatGPT, and other jurisdictions have taken their own approaches.[6] GC AI’s 2026 synthesis reports that at least 10 states have issued AI ethics opinions, but no lawyer should treat a national summary as a live fifty-state clearance memo.[5]
The verification step should be documented more heavily when the output will be filed, sent to a client, relied on in negotiations, or used to advise on legal rights. A research checklist used privately may need a lighter trail. A motion with AI-assisted citations needs a very different record.
Audit
Audit does not mean saving every experimental prompt forever. It means preserving enough information to answer later questions from a client, court, insurer, regulator, or ethics committee: what tool was used, what category of information went into it, what output was relied on, who reviewed it, what sources were checked, and how the time or cost was billed.
| Record | When to Keep It |
|---|---|
| Tool name and version or approved platform | For yellow uses tied to client work |
| Prompt category, not necessarily full prompt text | When full prompt retention would create unnecessary confidentiality or data-retention risk |
| Reviewer name and review date | For client-facing, filed, or advice-related output |
| Authorities or source materials checked | Whenever the output includes legal claims, quotations, citations, procedural requirements, or factual summaries |
| Billing treatment | When AI assistance affects time spent, cost charged, or client disclosure |
A good audit trail is not built for the perfect file. It is built for the uncomfortable email that arrives eighteen months later asking why a brief cited a case, why a fee entry looks inflated, or whether a client’s confidential fact was placed into a consumer AI system.
Disclosure: What Needs to Be Said, and to Whom
Not every use of ChatGPT requires client or court disclosure. A lawyer who uses AI to brainstorm a generic outline may not need to announce that fact any more than the lawyer would disclose use of a grammar tool. But disclosure may be required by a client agreement, a court order, a judge’s standing requirement, a state ethics opinion, the nature of the fee arrangement, or the lawyer’s duty to communicate material information about the representation.
Disclosure should come after the firm has defined the workflow. Otherwise the disclosure is too vague to help anyone. “We may use AI” does not tell the client whether confidential information will be entered, whether human lawyers will review the work, whether the client will be charged for the tool, or whether the firm is using a consumer product or a protected enterprise environment.
| Situation | Disclosure Posture |
|---|---|
| AI used only for nonconfidential administrative drafting | Usually no special disclosure unless required by client guidelines or local rule |
| AI used to assist with client-facing legal work | Consider engagement-letter or matter-level disclosure describing human review and confidentiality controls |
| Client confidential information entered into an AI environment | Use only if the environment is approved and the disclosure or consent analysis has been completed |
| AI-related cost passed through to client | Disclose the cost basis and obtain any consent required by the applicable fee rule |
| Court, judge, or jurisdiction requires AI certification | Follow the specific required wording and filing procedure |
Sample engagement language can be plain, provided it is true:
The firm may use approved technology tools, including generative artificial intelligence tools, to assist with legal research, drafting, document review, summarization, and administrative tasks. The firm will not use unapproved consumer AI tools to process confidential client information. All legal advice, filings, and client-facing work product remain subject to attorney review and professional judgment. If the firm proposes to use an AI tool in a manner that materially affects confidentiality, cost, or the scope of the representation, the firm will address that use with the client as required by applicable rules and agreements.A shorter matter-specific disclosure may be more useful when the client cares about one defined workflow:
For this matter, the firm may use an approved generative AI tool to assist with first-draft summaries and research checklists. The tool will not be used as the final source of legal advice. A firm attorney will review and verify any output before it is used in client advice, negotiations, or court submissions.These samples are not a substitute for state-specific wording. They are starting language for a policy conversation that should include the client’s guidelines, the court’s requirements, and the governing jurisdiction’s ethics rules.
Use Cases That Fit the Controls
The best early ChatGPT legal use cases are not the most glamorous ones. They are tasks where the output is useful precisely because a lawyer will interrogate it: issue spotting, outline creation, plain-language translation, first-pass summaries of nonconfidential materials, training hypotheticals, and drafting alternatives for lawyer revision. ABA Law Practice Division materials have described practical legal uses of ChatGPT, including drafting support, research assistance, and prompt-based workflows, but those materials should be read as use-case discussions rather than ethics clearance.[7][8]
A lawyer might ask ChatGPT for a checklist of provisions commonly reviewed in a vendor services agreement, then compare that checklist against the client’s actual contract, industry requirements, and governing law. A litigation team might ask for categories of deposition questions for a hypothetical employment dispute, then revise them for the actual pleadings and jurisdiction. A legal operations team might use it to convert a public policy into a shorter internal training draft. In each example, the tool helps create something to review; it does not become the authority.
Adoption data should not be overread. Vendor-published surveys have reported that generative AI adoption among law firms rose from 24% in 2024 to 31% in 2025, but those figures are indicative benchmarks rather than audited measures of ethical readiness. A firm can be late to experimentation and still be safer than an early adopter with no prompt rules, no confidentiality review, and no billing discipline.
The Jurisdiction Check Is Not Optional
ABA Formal Opinion 512 gives a national spine, not the last word. State bars, courts, and clients can add requirements. Some courts have required certifications about AI use. Some clients now regulate AI in outside-counsel guidelines. State ethics opinions may differ in emphasis on consent, supervision, fees, or court disclosure.
California deserves particular caution because AI-specific amendments to its Rules of Professional Conduct were under active consideration as of Q2 2026. That does not mean California lawyers cannot use ChatGPT. It means a policy written in 2024 or 2025 may need revision before the next training cycle if the rules change.
Two frontier issues should stay on the risk committee’s radar without swallowing the whole policy. First, the line between permissible AI assistance and unauthorized practice of law remains unsettled at the margins, especially where tools interact directly with consumers or produce legal conclusions without lawyer supervision. Second, privilege and work-product questions can become difficult when prompts, outputs, or tool logs are retained by third parties. GC AI’s 2026 synthesis flags recent litigation and privilege disputes in this developing area, including the Nippon Life v. OpenAI filing in March 2026 and the Heppner-Warner privilege split in February 2026.[5]
Those unresolved issues do not make every ChatGPT use reckless. They do make undocumented experimentation hard to defend. The question for a firm is not whether someone can imagine a safe use. The question is whether the firm can prove, after the fact, that the actual use was safe enough for the task, the client, the court, and the jurisdiction.
The Defensible Position
ChatGPT use is not categorically forbidden for lawyers. Under the current ethics framework, the defensible version looks ordinary in the way good law-firm controls often look ordinary: a written policy, approved tools, protected data handling, trained users, human verification, clear billing rules, and a jurisdiction check before deployment. The lawyer who can explain what went into the tool, what came out, who reviewed it, what rule was checked, and what was billed is in a much better position than the lawyer who merely says the technology was efficient.
References
- ABA issues first ethics guidance on a lawyer's use of AI tools (Formal Opinion 512), American Bar Association, July 2024.
- Heads Up: New ChatGPT Privacy Concerns for Lawyers and Legal Staff, San Francisco Bar Association.
- How consumer AI tools create hidden malpractice risks for law firms, Thomson Reuters.
- Ethical Considerations for Chat GPT for Legal Professionals, Illinois Supreme Court Commission on Professionalism.
- AI Legal Ethics in 2026: 6 Cases, 4 Rules, 1 Policy Template, GC AI.
- Navigating the Ethical and Technical Challenges of ChatGPT, New York State Bar Association.
- Practical Uses of ChatGPT in Your Legal Practice, American Bar Association, 2026.
- Legal ChatGPT: Tips, Prompts, and Use Cases, American Bar Association, 2025.
Comments
Join the discussion with an anonymous comment.