
LAW FIRMS AND LEGAL
Responsible AI Governance for Law Firms
Firms are using AI for research, drafting, contract review and e-discovery faster than they can govern it. We engineer the governance that keeps your AI inside the SRA conduct rules, UK GDPR and the EU AI Act, so partners can sign it off with confidence.
For managing partners, general counsel, COLPs, COFAs and Heads of Risk at law firms and in-house teams. Answer engine optimisation (AEO) and firm marketing are handled downstream, engineered to the same conduct standard rather than gamed.
THE EXPOSURE
Why AI Governance Is Now a Partner-Level Risk
Legal practice sits under duties that all reach AI use: the SRA conduct rules, UK GDPR, and the EU AI Act where AI touches the administration of justice. Use AI without governing it and the exposure is your practising certificate, not just your reputation.
$5,000
Sanction on lawyers who filed fake AI citations
In Mata v. Avianca (SDNY, June 2023), Judge Castel imposed a 5,000 US dollar penalty, jointly, on the two lawyers and their firm after they submitted a brief citing cases ChatGPT invented. Since then, US courts have sanctioned or disqualified lawyers repeatedly for the same failure. The duty to verify sits with the lawyer, not the tool.
Mata v. Avianca, 678 F.Supp.3d 443 (SDNY 2023)
20 Nov 2023
SRA Risk Outlook on AI in the legal market
The SRA states you remain responsible and accountable for the outputs of any AI you use, and cannot delegate that to an IT team or provider. It flags confidentiality loss when client data is transferred to a provider for training as a specific threat.
SRA Risk Outlook, 20 November 2023 (sra.org.uk)
Annex III.8
When legal AI becomes high-risk under the EU AI Act
Under Annex III point 8(a), an AI system is high-risk when it is intended to be used by a judicial authority, or on its behalf, to research and interpret facts and the law and apply the law to concrete facts, or to be used in a similar way in alternative dispute resolution. Most private-practice tools for research, drafting and review sit outside that category, although other Annex III categories, such as AI used in recruitment, can still catch a firm's own use. The line is administration of justice, not general legal work.
EU AI Act, Annex III point 8(a) (artificialintelligenceact.eu)
UK GDPR
The firm is controller for client data in AI tools
Put client personal data into a third-party AI tool and the firm remains the controller, accountable for lawful basis, security and a data protection impact assessment. Feeding privileged material into an external system also risks waiving legal professional privilege.
ICO guidance on AI and data protection (ico.org.uk)
THE POSITION
Govern AI Well and It Becomes an Advantage
Regulation isn't the enemy of AI in law. Govern it properly and you adopt faster than firms still arguing about who owns the risk, and you keep the trust that a legal brand is built on.
Governed AI adopts faster
Firms with a clear AI use policy and verification step let fee earners use AI with confidence. The bottleneck is rarely the tool. It is the absence of an agreed way to use it safely and sign off the risk.
Verification is your moat
The court sanctions since Mata come back to the same failure: nobody checked. A firm with a mandatory verification step captures the speed of AI without the liability that has sunk others.
Conduct expertise is your trust asset
Your risk and compliance function understands the SRA rules better than any vendor. Turned into governed AI use and into clear, accurate published guidance, that expertise is what clients and AI search engines both reward.
AEO without dark patterns protects the brand
The wider AEO industry is being penalised for manipulative tactics. Done to a Responsible AI standard, AI visibility is engineered cleanly, so accurate, non-misleading firm marketing is also what AI engines cite.
OUR APPROACH
Systems. Strategy. Execution.
The same three-level framework, recast for the AI governance, risk and conduct realities of a modern law firm.
SYSTEMS
AI Governance Operating Model
We architect the governance your managing partner, COLP and Head of Risk can stand behind. Every AI use case, from research to contract review to e-discovery, mapped to the duties it engages under the SRA rules, UK GDPR and the EU AI Act, with clear ownership.
- AI inventory: which tools, on which matters, owned by whom
- Governance operating model: roles, supervision, sign-off
- SRA, BSB, UK GDPR and EU AI Act obligation mapping
- Partner and board reporting on AI risk posture
STRATEGY
AI Risk and Compliance Roadmap
We build a prioritised AI risk register and remediation roadmap tied to your real duties, with confidentiality, privilege and the verify-before-filing risks first. Where AI touches client work or firm marketing, we set the guardrails before the work runs.
- AI risk register scored by likelihood and conduct exposure
- Confidentiality, privilege and data protection gap analysis
- EU AI Act classification of each AI use case
- AEO guardrails so firm marketing stays accurate and honest
EXECUTION
Policies, Controls and Compliant AEO
When execution is needed, we engineer the evidence. AI use policies, supervision and verification workflows, vendor and tool assessments, a data protection impact assessment, and answer engine optimisation built to conduct standard so your firm's AI visibility holds up.
- AI use policy and verification workflow for fee earners
- Vendor and tool assessments: data handling, training, retention
- Data protection impact assessment for AI in client work
- AEO and content engineering without dark patterns, conduct-clean
WHERE WE CREATE VALUE
Typical Legal Engagements
Illustrative scenarios reflecting the types of firms we work with. Specific scope depends on your AI use, practice areas and risk appetite.
LEGAL RESEARCH AND DRAFTING
Firm Using AI for Research and First Drafts
Fee earners use general AI tools to research points and draft documents. There is no verification step and no record of which tools touched which matter. One hallucinated authority reaching a court is a wasted-costs and regulatory risk.
Systems-level engagement: an AI use policy, a mandatory verification step before any AI output is filed or sent, and an inventory that records tool use per matter so supervision is real, not assumed.
CONFIDENTIALITY AND PRIVILEGE
In-House Team Governing Client Data in AI
Lawyers paste client and matter detail into consumer AI tools to speed up work. Under UK GDPR the organisation is the controller, and privileged material in an external system risks waiving privilege.
Strategy-level engagement: a data protection impact assessment, enterprise tool arrangements that keep inputs out of model training, and clear rules on what data can go into which tool.
CONTRACT REVIEW AND E-DISCOVERY
Firm Buying AI for Review at Scale
AI contract review and e-discovery tools are bought from vendors. The firm stays accountable for accuracy and for how client data is processed, but the tools are assessed inconsistently or not at all.
Vendor and tool assessment programme: due diligence on data handling, training and retention, accuracy and human-review controls, and a register the COLP and Head of Risk can rely on.
FIRM MARKETING
Firm Engineering AI Visibility Safely
Marketing uses AI to generate content and wants the firm cited in AI search. Solicitor advertising must not be misleading under the SRA rules, and the wider AEO industry is being penalised for dark patterns.
Governance-led AEO: guardrails for AI-generated marketing, claim substantiation, and answer engine optimisation engineered to conduct standard rather than gamed.
WHY US
We Understand Regulated Professions
Sotiris has 27 years across regulated markets where mistakes cost licences, not just rankings, and is the author of Ethical AI, AI Moats and TRANSFORM. VerityAI is a Responsible AI advisory, not a software platform. We govern your AI and your AI visibility from the same principle: build it so it holds up under scrutiny.
Governance partners can defend
We architect AI governance mapped to the SRA rules, UK GDPR and the EU AI Act, with ownership and an audit trail a regulator can follow. Not a policy PDF. A working operating model with a verification step.
Responsible AI applied to AI search
AI engines reward authoritative, well-structured, expert-attributed content. We engineer that visibility without the dark patterns the AEO industry is being penalised for, so firm marketing stays accurate and not misleading.
Partner language, not jargon
We speak to managing partners, general counsel and Heads of Risk. Reporting connects AI to conduct exposure, confidentiality and client outcomes, not vanity metrics.
FROM THE PUBLIC RECORD
What Ungoverned Legal AI Actually Costs
Named cases here are drawn from the public record, with sources. Composites are built from several engagements and flagged as such. No client is identified.
PUBLIC RECORD
Mata v. Avianca: fake cases, real sanctions
In this SDNY personal-injury case, plaintiff lawyers filed a brief citing several decisions that ChatGPT had invented, complete with fabricated quotes. When challenged, the tool assured them the cases were real. In June 2023, Judge Castel found the two lawyers had acted in bad faith and imposed a 5,000 US dollar penalty, jointly, on them and their firm under Rule 11.
Takeaway: the duty to verify every authority sits with the lawyer, not the tool. AI is a starting point for research, never a substitute for checking each citation against a real source.
PUBLIC RECORD
Butler Snow: hallucinations get lawyers thrown off a case
In July 2025, a US federal judge disqualified three lawyers from a national firm after they filed motions containing five completely made-up case citations produced by ChatGPT. The judge publicly reprimanded them, referred them to the state bar, and ordered disclosure of the sanctions order to clients and other courts.
Takeaway: this is not a one-off. Two years after Mata, courts are escalating from small fines to disqualification and bar referrals. A single unverified AI citation can pull a whole firm into scrutiny.
COMPOSITE
The tool nobody logged
Composite, built from several engagements. Fee earners across a firm use AI tools nobody signed off: a research assistant here, a drafting tool there, client detail pasted into a consumer chatbot by a junior. No inventory, no verification step, no record of what went where. Nothing has gone wrong yet, which is exactly why it keeps getting deprioritised.
Takeaway: the first control is not a policy PDF. It is an inventory with a named owner for each AI use and a verification step before output leaves the building, so a problem is visible before a court or the SRA makes it visible for you.
Composite lesson, no client identified
ASSESS YOUR READINESS
Start with a Self-Assessment
Free resources built for legal leaders. No signup required. Use them to scope your AI risk before we talk.
AI Risk Register Template
A starting AI risk register for legal teams. Map AI use cases to SRA conduct duties, UK GDPR and EU AI Act exposure. Built for managing partners, COLPs and Heads of Risk.
AI Search Readiness Grader
Score how well AI engines can find, understand and cite your firm, and whether your AI content stays accurate and not misleading.
AEO vs SEO Budget Allocator
Model the split between traditional organic and AI search investment for a law firm, with conduct guardrails in view.
START HERE
Wherever You Are in the Decision
Three routes in, depending on where you've got to. Learn the rules, compare the approaches, or move to a decision.
LEARN THE RULES
Getting oriented
New to how AI rules land on legal practice? Start with what the SRA expects of solicitors using AI, and where accountability and liability actually sit when the tool gets it wrong.
COMPARE YOUR OPTIONS
Weighing approaches
Already scoping the problem? Look at the legal risks buried in how AI models are trained, and how discrimination exposure creeps into AI-assisted decisions before you commit to a tool.
READY TO ACT
Moving to a decision
Ready to govern it properly? Start with the risk register template, then book a conversation about how your firm uses AI and where governance reduces the most risk.
GO DEEPER
Responsible AI Knowledge Base
Briefings and guides on governing AI in legal practice, from SRA duties and professional liability to copyright and AI model training risk.
BY JURISDICTION
UK, US and EU: The Rules Are Not the Same
The same AI use case sits under different rulebooks depending on where you practise. We advise UK-first, and serve US and EU clients in English.
UK
Lead market. We advise UK-first.
- SRA Standards and Regulations: competence, confidentiality and the duty to the client apply whatever tool drafts the work
- Bar Standards Board Handbook: the equivalent conduct duties for barristers
- ICO and UK GDPR: lawful basis, DPIA and security when client data enters an AI tool
US
Served in English.
- State bar ethics rules on competence and candour to the court, engaged when AI output is filed
- ABA guidance on the use of generative AI in legal practice
- Court standing orders requiring disclosure or certification of AI use in filings
EU
Served in English.
- EU AI Act: high-risk under Annex III point 8(a) for AI used by or on behalf of a judicial authority, or in a similar way in alternative dispute resolution
- GDPR: lawful basis, DPIA and rights around client and matter data
- Most private-practice legal AI sits outside the high-risk category, though other Annex III categories can still apply to a firm's own use
FAQ
Legal AI Compliance: Questions Partners Ask
Straight answers on the duties that bite first, from using ChatGPT for research to client confidentiality and where the EU AI Act actually applies.
Can lawyers use ChatGPT for legal research?
Yes, but the output has to be checked before it goes anywhere near a court or a client. The SRA takes a principles-based approach: you can use whatever technology you think fit, provided you still meet the SRA Principles and the Code of Conduct. Its Risk Outlook on AI, published 20 November 2023, is explicit that you remain responsible and accountable for the outputs, and cannot delegate that to an IT team or an external provider. General AI tools hallucinate case law that looks real. In Mata v. Avianca (SDNY, 2023), two lawyers and their firm were jointly penalised 5,000 US dollars after filing a brief with fake ChatGPT-generated citations. The tool is fine for a first draft or a starting point. It is not a substitute for verifying every authority against a real source.
Does using AI breach client confidentiality or privilege?
It can, if you feed client information into a third-party tool without controlling where that data goes. The SRA Risk Outlook warns that confidential data can be exposed when it is transferred to an AI provider for training, and that a system can replicate confidential details from one matter in its answer on another. Under UK GDPR the firm is the controller and stays accountable for that processing. There is a separate risk that putting privileged material into an external system waives legal professional privilege. The fix is governance, not a ban: know which tools staff use, keep client and privileged data out of consumer tools, use enterprise arrangements that stop your inputs training the model, and run a data protection impact assessment before you deploy. We build that framework so AI helps without putting your duty of confidentiality at risk.
Is legal AI high-risk under the EU AI Act?
Most private-practice legal AI is not automatically high-risk. Annex III point 8(a) makes an AI system high-risk when it is intended to be used by a judicial authority, or on its behalf, to help research and interpret facts and the law and apply the law to a concrete set of facts, or to be used in a similar way in alternative dispute resolution. That targets AI used in the administration of justice by or for a court or an ADR body, not a law firm using AI to draft or review documents. A tool a solicitor uses to speed up research or first-draft a contract generally sits outside the high-risk category, unless it feeds a judicial or arbitral decision. Other Annex III categories, general-purpose AI obligations and GDPR still apply. We classify each of your AI use cases against the Act so you can tell, with evidence, which sit in scope and which do not, rather than assuming the worst or ignoring it.
What are the professional-liability risks of AI in a law firm?
The exposure runs through the conduct rules you already hold. Under the SRA Standards and Regulations you owe duties of competence, confidentiality and acting in the client's best interests, and those duties do not change because a tool wrote the first draft. Filing hallucinated authorities can bring wasted-costs orders, court sanctions and a referral to the regulator, as US courts have shown repeatedly since 2023. Barristers sit under the equivalent Bar Standards Board Handbook. The practical liabilities are unchecked hallucinations reaching a court, confidential or privileged data leaking into a third-party model, and no record of which tools were used on which matter. We map those risks to your conduct obligations and build the controls, supervision and audit trail that keep AI use defensible.
Does copyright law create exposure when a firm uses AI?
It can, on two fronts. Inputs: many AI models are trained on copyrighted material scraped without a licence, and that has driven active litigation over how models are built. Outputs: AI-generated text or images can reproduce protected work closely enough to infringe, and UK law is unsettled on who, if anyone, owns purely AI-generated output. For a firm the risk is advising a client on an AI product built on questionable training data, or publishing AI-generated marketing that lifts someone else's work. We assess where copyright exposure sits in how you use AI and in what you advise on, and set guardrails that keep your firm and your clients on defensible ground.
Do UK law firms need a separate AI governance framework?
Not a separate framework bolted on the side. The SRA is technology-neutral: AI is governed through duties you already hold under the SRA Principles and Code of Conduct, with the COLP and COFA accountable for compliance and the firm's board expected to oversee how new technology is bought and used. What most firms lack is the connective tissue: a single inventory of which AI tools are in use on which matters, a clear owner for each, a data protection impact assessment, and a supervision and verification step before AI output leaves the building. We build that operating model so AI is governed through the conduct rules partners already understand, not in a parallel silo.
START HERE
Let's Discuss Responsible AI for Your Firm
A conversation about how your firm uses AI, your conduct duties, and where governance will reduce the most risk. No pitch decks. No proposals on the first call.
Request a Consultation