An AI-use policy for law firms (and why "don't" isn't one)

13 June 2026 · 5 min read

We've written before about how using a public AI tool with client material can put legal professional privilege at risk. That's the danger. This is the practical other half: what a firm actually does about it. And the honest starting point is that a blanket "don't use AI" is not a policy — it's a wish that fee-earners under deadline pressure will quietly ignore.

A workable AI-use policy for a firm is short, and its job is to replace silence and prohibition with a clear, followable rule. Here's what it covers.

1. Scope — who and what

All fee-earners and support staff, all generative AI tools, all client and matter data. One sentence, so no one can say "I didn't think it applied to my matter."

2. The confidentiality rule (the line that protects privilege)

No client-identifiable or matter-confidential information goes into any tool that isn't on the approved list. The reason this matters for privilege specifically: privilege binds you, not a third party — if confidential material passes to a provider that can be compelled to disclose it, you've created a route around the protection. Keep the rule blunt and early.

3. Approved tools — assessed, not assumed

Name the tool(s) the firm has actually assessed: where the data is processed, who operates the hardware, which jurisdiction can compel it, and whether it trains on inputs. A US-owned tool with a "UK region" answers the geography question but not the jurisdiction one — see our free CLOUD Act exposure checker and the seven questions to ask any supplier. An empty approved list is a valid start: it simply means no confidential data goes into any AI until one is approved.

4. Mandatory review — AI drafts, a lawyer decides

Every AI output is checked by the responsible fee-earner before it's used, sent or filed. AI is a drafting assistant for correspondence, research memos and file notes — not a source of legal advice, and never the final word. This also handles the accuracy risk: AI can produce confident, fabricated case citations, and the duty to verify sits with the lawyer.

5. Reporting and an owner

A route to flag a bad or unsafe output, a named partner who owns the policy, and a review date. That's what turns "we have a policy" into "we can show we manage this" if the SRA, a client or your PII insurer ever asks.

Make the compliant route the easy route

Prohibition fails because the time pressure is real. Pair the rules with one approved tool that keeps matter data on infrastructure you can name, and the safe path becomes the convenient one — which is the only kind of policy that actually gets followed.

AI drafting that keeps matter data in the UK

Hush AI drafts correspondence, research memos and file notes under fee-earner review, on hardware a UK company owns in England — outside US CLOUD Act jurisdiction, never used for training, with an audit trail you own. Confidential material stays on UK-owned infrastructure under UK law.

Hush AI (hush-ai.uk) is a UK-sovereign AI assistant for regulated professionals. It drafts under fee-earner review — not a source of legal advice. This article is general information, not legal or regulatory advice; check the SRA's current guidance and your firm's own obligations.