The legal industry has a complicated relationship with AI.


COMPLIANCE SERIES #2 of 5 —

⬡ The Compliance-Ready AI Stack Series · Issue 2 of 5 · Legal

Tuesday · June 30, 2026 · Issue #037

The legal industry has a complicated relationship with AI.

On one hand, attorneys are among the highest-value users of AI in any professional services category — the research compression alone is transformative. A task that took four hours of database work now takes forty minutes. Contract review that required a junior associate's full day now surfaces every critical clause in under an hour.

On the other hand, legal is the profession where the consequences of getting AI governance wrong are most personal. It's not just regulatory fines. It's bar sanctions, malpractice exposure, and the kind of ethical violations that end careers.

Today's issue is built for the firm that wants to use AI fully — and use it in a way that survives bar ethics review, client audits, and the increasingly common enterprise vendor questionnaire that asks "what is your AI governance policy?"

⬡ The Four Governance Risks Specific to Law Firms

RISK 1 · Confidentiality and Privilege Contamination

Every AI tool that processes client communications, case details, or privileged documents is a potential privilege breach. The question isn't whether you trust the tool — it's whether the tool's data practices, terms of service, and infrastructure design can survive a privilege challenge in court.

Free consumer tiers of ChatGPT, Gemini, and similar tools use input data for model training by default unless you opt out or use an enterprise plan. Pasting client communications into those tools — even to draft a summary or pull a key fact — may constitute a disclosure to a third party. The tool is the third party.

The rule: Any AI tool that touches client communications must be operating under a business associate agreement or equivalent data processing agreement that explicitly prohibits training on your inputs.

RISK 2 · Competence and the Non-Delegation Problem

Bar rules on competence are unambiguous: attorneys remain responsible for all work product, regardless of how it was produced. An AI-generated brief with a hallucinated citation is an attorney's problem, not the model's problem. The Mata v. Avianca case — where AI-generated citations were submitted to court without verification — has been cited in bar guidance across multiple jurisdictions as the exemplar of what not to do.

Competence in the AI era means two things: the ability to use AI effectively, and the independent judgment to verify what it produces. The former is increasingly table stakes. The latter is the governance requirement.

The rule: Every AI-assisted work product requires a documented review checkpoint before it leaves the firm. Not a policy that says "attorneys should review AI output." An actual workflow step that makes review impossible to skip.

RISK 3 · Conflict Contamination Across Matters

Any AI tool used across multiple client matters creates a potential conflict contamination vector. If the same model instance processes information from two clients with adverse interests — even inadvertently, through auto-completion, context windows, or training — you may have a conflict of interest problem that wasn't possible before AI was in the workflow.

The rule: Matter separation must be enforced at the tool level, not just the attorney level. Every AI tool used for client work must have documented data isolation between matters.

RISK 4 · Jurisdiction-Specific Ethics Rules

AI ethics guidance now exists in virtually every US jurisdiction and the EU, and they are not consistent. California, New York, Florida, and Texas have each issued formal guidance with varying requirements around disclosure, competence verification, and supervision of AI-generated work product. If your firm practices across jurisdictions, you need to build to the most restrictive common standard — not average them.

The rule: Build your AI governance policy to the most demanding jurisdiction you practice in. Then document it. The documentation is the compliance.

⬡ Jordan · AI Solutions Director · thepromptory.com

Free · No account required · No sales call after

V

I'm a partner at an 8-person litigation firm. We want to use AI for research and document review but our state bar issued ethics guidance last month and I'm not sure what we can and can't do. I also don't know if the tools we've been using are safe from a privilege standpoint.

J

Good instinct to pause on the privilege question before expanding usage. The first thing I need to know: are any of the tools your firm is currently using running on free consumer accounts — not enterprise or business plans? Because that one answer tells me most of what I need to know about your current exposure. Which tools and which tier?

Jordan · thepromptory.com →

Not sure which tools are safe for your firm? Jordan will assess your current stack → thepromptory.com

⬡ The Compliance-Ready AI Stack for Law Firms · 6 Tools
🛡️

Airia — the governance foundation (start here)

AI Governance · Free / From $50/mo · ✦ Vault Pick

Try it →

Every law firm using AI starts here. Airia sits between your team and the AI models they're using, enforcing policies in real time — which data types can be sent to which models, which team members have access to which tools, what gets logged and audited. It produces the compliance documentation your clients, your bar, and future auditors will ask for. It also stops shadow AI: the associate using personal ChatGPT for client research at 9pm because it's faster.

Covers: Confidentiality protection · Matter data isolation · Audit trail generation · AI usage policy enforcement

⚖️

Casetext CoCounsel — legal research, built for privilege

Legal Research · From $99/mo · ✦ Vault Pick

See it →

Casetext was built specifically for legal use — trained on actual case law, not the general internet — and operates under enterprise-grade data agreements that prohibit using your inputs for training. This is the distinction that makes it legally defensible for privilege-sensitive research. The tool your firm's associates use for case law in 45 minutes instead of 5 hours shouldn't create a privilege problem. Casetext doesn't.

Covers: Competence (speed + accuracy) · Privilege-safe research · Citation verification layer built in

📄

Loio — AI contract review with human review built in

Contract Analysis · Free / From $49/mo · ✦ Vault Pick

See it →

Loio flags risky clauses, missing terms, and negotiation points — then presents the issues to a human reviewer before anything is acted on. This workflow structure matters for compliance: the AI is the first pass, the attorney is the decision. That's the model bar ethics guidance consistently endorses. No AI tool in a legal context should be making decisions; it should be surfacing them.

Covers: Competence (clause identification speed) · Human oversight requirement · Document confidentiality

⏱️

Toggl Track — billing integrity in the AI era

Time Tracking · Free / From $9/mo · ✦ Vault Pick

See it →

AI compresses legal work significantly. That compression creates a billing question: do you charge the same rate for work that took 40 minutes with AI as you would for work that took 4 hours without it? Some firms are renegotiating their billing models around this. All of them need accurate time tracking to have the conversation at all. Toggl captures actual time at the task level — by matter, by client, by type of work — which gives you the data to make that billing decision ethically and defensibly.

Covers: Billing transparency · Client disclosure support · Fee dispute documentation

📬

SaneBox — client communication triage, no data leakage

Email Triage · From $7/mo · ✦ Vault Pick

See it →

SaneBox processes metadata and email patterns — not email content — to learn priority signals. That architectural distinction matters for privilege: the tool is not reading your client emails; it's learning which senders you respond to first. For attorneys who need email triage without content processing, that distinction is the compliance difference.

Covers: Email triage without content processing · Client responsiveness · Urgent communication surfacing

📅

Reclaim AI — protecting the deep work AI creates room for

Productivity · Free / From $10/mo · ✦ Partner

Try it →

When AI compresses research time from 4 hours to 45 minutes, the question is what happens with the 3+ hours recovered. If those hours immediately fill with meetings and admin, the firm captured none of the benefit. Reclaim protects focus time on the calendar — automatically — so the hours AI frees up actually go to higher-value legal work instead of back into the coordination overhead that was already there.

Covers: SOC 2 Type II certified · GDPR compliant · Calendar data not used for training

⬡ The Non-Negotiable Rule for Legal AI

Client case files, privileged communications, PII, and matter-specific information never go into a general AI tool operating on a free consumer plan.

This applies to every attorney, every paralegal, every clerk, every admin in your firm. It applies at 9pm when someone is finishing a brief and ChatGPT seems faster. It applies on a personal phone when someone checks email between hearings. It applies without exception — not as a policy statement that lives in a handbook, but as a technical enforcement through Airia or equivalent governance infrastructure.

The policy that lives only in a handbook doesn't survive a bar investigation. The technical control that enforces it automatically does.

📬 Tomorrow

Wednesday: The Compliance-Ready AI Stack for Financial Services. SEC AI risk guidelines, OCC model risk management, and fiduciary duty in the age of automated recommendations — plus the stack that keeps advisors moving fast without creating regulatory exposure.

Want a governance assessment for your firm's current AI stack? Jordan walks through it free → thepromptory.com

The Promptory Daily

Stay ahead of AI .Curated AI news, tool spotlights, tips & real-world use cases — delivered every weekday morning in 5 minutes or less.

Read more from The Promptory Daily

!-- FRIDAY · VAULT DROP — ⬡ Shadow AI & Building Your Policy · Issue 5 of 5 · The Template Friday · July 10, 2026 · Issue #038 Happy Friday. We close the week where we said we would — with something concrete you can use. Today you get the one-page AI policy template. Below that, you'll find three things that make AI policies fail after they're published — because writing the policy is only half the job. Getting people to follow it is the other half, and it's the part most firms skip. One...

⬡ Shadow AI & Building Your Policy · Issue 4 of 5 Thursday · July 9, 2026 · Issue #038 Today we start building. Before I get into the framework, one thing I want to be clear about: an AI policy is not a legal document. It doesn't need to be reviewed by a lawyer before it exists. It needs to be reviewed by a lawyer before it becomes binding on employees or clients in high-stakes ways — but the version you write this week is a governance starting point, not a legal instrument. Treat it that way...

⬡ Shadow AI & Building Your Policy · Issue 3 of 5 Wednesday · July 8, 2026 · Issue #038 Before you can write a policy, you need to know what you're governing. Most firms that decide to address AI governance skip straight to the policy document — and end up writing rules around tools they think their team uses, for workflows they assume are the risky ones, based on data they've never actually collected. The policy looks fine on paper. It governs a business that doesn't quite exist. Today's...