Outside Counsel Guidelines AI Requirements: What Law Firms Need Now (2026)

Published April 18, 2026 · Updated April 2026 · By The Crossing Report · 6 min read

Share on LinkedInShare on X

Summary

  • Corporate clients have standardized AI clauses in outside counsel guidelines — four requirements are now consistent across updated OCGs from major clients
  • Law firms without written AI policies are being screened out in RFP processes before the engagement letter stage
  • The compliance question shifted from "do you use AI?" to "show me your written policy, approved tool list, and review workflow documentation"
  • A 200-word AI policy covers the substantive OCG requirements — the barrier is not complexity, it is the existence of the document

What Changed in Outside Counsel Guidelines

For law firms serving corporate clients, outside counsel guidelines have always been the governing document for the relationship — setting expectations on billing, communication, staffing, and conflict management. In 2025–2026, corporate legal departments began systematically adding AI clauses to their OCGs.

The change is now widespread. Thomson Reuters' 2026 State of the Legal Market report found AI policy requirements have moved through AmLaw 100 relationships and are now standard at the mid-market corporate legal level. General counsel offices at companies of all sizes have updated their OCG templates to include AI-specific terms.

The significance: OCG compliance is a baseline vendor qualification requirement, not a negotiating point. Firms that cannot demonstrate compliance with their clients' OCG AI requirements when asked are — in an increasing number of documented cases — not invited to participate in RFPs for new matters.

The Four Standard OCG AI Requirements

Requirement 1: Disclosure Mandate

The requirement: Outside counsel must identify all AI tools used in connection with the client's matters, upon request or as part of matter intake.

What compliance requires: An approved AI tools register — a maintained list of the AI tools your firm uses, organized by purpose (research, drafting, document review, practice management). This register must be producible in response to a client request.

Common failure mode: Firms that have informal AI use (individual attorneys choosing their own tools without firm-level approval) cannot produce a consistent approved tool list. The OCG requirement is often the forcing function for firms to establish formal tool governance.

Requirement 2: Data Restriction

The requirement: Client data may not be input into AI systems that use client inputs for model training or that lack a data processing agreement with the law firm.

What compliance requires: For each tool in your approved register, document the data processing terms. Enterprise-tier tools (ChatGPT Enterprise, Claude for Business, Harvey AI, Clio Duo) typically include DPAs that prohibit training on client inputs. Free consumer tiers do not.

Common failure mode: Attorneys using personal Claude.ai or ChatGPT free accounts for client work — outside the firm's enterprise agreement. This is the data restriction violation that most firms are unknowingly committing. A one-time audit of actual AI tool use (not just the approved list) typically reveals the gap.

Requirement 3: Hallucination Liability

The requirement: The law firm's licensed attorney, not the AI, is responsible for all AI-assisted work product. The engagement letter and matter billing should reflect this — AI assistance is not a basis for reduced attorney accountability.

What compliance requires: A written review workflow that documents: which attorney reviews AI-assisted work product before delivery, how that review is conducted, and how the reviewing attorney documents that review. The workflow does not need to be complex — "all AI-assisted drafts are reviewed by the responsible attorney before delivery, and the attorney is responsible for accuracy" satisfies the substantive requirement. It needs to be written and consistently followed.

Requirement 4: Audit Rights

The requirement: The client may request documentation of AI use on specific matters — which tools were used, for which tasks, reviewed by whom.

What compliance requires: A usage log capability. This does not require sophisticated technology — a matter-level note in your practice management system noting "AI tools used: [tool name] for [task]; reviewed by [attorney name] on [date]" satisfies most clients' audit requests. What matters is the consistency of documentation, not the sophistication of the system.

The Model 200-Word AI Policy

This policy satisfies the substantive requirements of current OCG AI clauses. Adapt to your firm's specific tools and structure:

[Firm Name] AI Use Policy

Our firm uses AI-assisted tools to support legal research, document drafting, document review, and practice management. Approved AI tools are maintained in our firm's AI Tool Register, which is available to clients on request.

All approved tools operate under data processing agreements that prohibit the use of client information for AI model training. Attorneys and staff are prohibited from using consumer AI accounts for any work involving client information.

All AI-assisted work product is reviewed by the responsible attorney before delivery. The reviewing attorney is responsible for the accuracy and completeness of all deliverables, including those produced with AI assistance.

Upon client request, we will provide documentation of AI tool use on specific matters, including which tools were used, for which tasks, and which attorney reviewed the output.

Our AI Tool Register and review workflow documentation are updated quarterly and made available to clients under our outside counsel guidelines compliance program.

Questions regarding our AI use policies should be directed to [Responsible Attorney/Operations].

Effective: [Date]

Building the Compliance Stack

The policy exists on paper; the compliance stack makes it real. Three components:

1. AI Tool Register: A maintained list of approved tools with their data handling terms. Update quarterly. Make it available to clients on request.

2. Review Workflow: A written description of how AI output is reviewed before delivery. Share with attorneys and include in client-facing compliance documentation.

3. Usage Documentation: A process for noting AI use at the matter level. Practice management software note or email confirmation — the medium matters less than the consistency.

The barrier to OCG AI compliance is not complexity. The policy text is 200 words. The compliance stack takes an afternoon to set up. The firms that are being screened out of RFPs are not failing on technical capability — they are failing on the existence of the documentation.

Sources

  • Thomson Reuters Institute: State of the Legal Market 2026
  • ABA Standing Committee on Ethics and Professional Responsibility: Formal Opinion 512
  • Association of Corporate Counsel: 2026 OCG Survey Results

The Crossing Report covers the AI transition for professional services firm owners. The premium tier includes a complete OCG AI compliance kit — AI Tool Register template, review workflow documentation, and usage log system for law firms. Subscribe here →

This is the kind of intelligence premium subscribers get every week.

Deep analysis, cross-sector patterns, and the frameworks that help professional services firms make the crossing.

Subscribe freeGo premium — $190/yr (save 17%)$19/mo

Related Reading

This is a sample issue — new ones go to subscribers

New issues of The Crossing Report ship exclusively to subscribers every week. Free in your inbox.