The ABA Just Published a Law Firm AI Checklist — Here's What It Says and Whether It's Enough
Published March 17, 2026 · By The Crossing Report
Published: March 17, 2026 | By: The Crossing Report | 6 min read
Summary
The ABA Law Practice Division published a practical checklist for using AI responsibly in law firms. The core frame: treat AI like a junior colleague — and apply the same five verification steps you'd apply to any junior associate's work before it reaches a client or a court. Nearly half of law firms using AI still have no formal review process. This article explains what the checklist covers, where it falls short, and what a small firm needs to do with it this week.
The Bar Just Gave You the Minimum Standard
For the past two years, small law firm owners have been asking the same question about AI: "What exactly am I supposed to do before this leaves my desk?"
Now the ABA Law Practice Division has answered it.
The Law Practice Division published a practitioner-facing checklist for using AI responsibly in law firms — a practical operational document that translates bar obligations into a step-by-step verification process. This is not a formal ethics opinion. It's the ABA's answer to the question attorneys are actually asking in 2026: specifically, what do I check?
The core frame is worth understanding before the checklist itself: treat AI like a junior colleague.
That framing is deliberate. It maps AI's review requirements onto a mental model every attorney already has. A junior associate drafts a brief. You don't file it without checking citations, verifying facts, and confirming the analysis applies to your jurisdiction. The same review applies to AI output. Not because the ABA says so — because those are the same professional obligations that have always governed attorney work product. AI doesn't change what's required. It adds a new source of input that requires the same scrutiny as any other.
What the Checklist Actually Covers
The ABA's AI checklist organizes attorney responsibility into five areas. For a small firm owner building or refining an internal AI process, these are the five gates every piece of AI-assisted work must pass before leaving the office.
1. Tool Selection
Before using any AI tool in client work, the checklist asks attorneys to evaluate three things: Does the tool have a documented privacy policy that governs what happens to submitted data? Has the vendor been independently audited (SOC 2 Type II is the standard)? Is the tool designed for professional use, or is it a consumer product that may have different data handling practices?
The practical upshot: most free AI tools don't pass this screen for client work. ChatGPT's free tier, Claude.ai's free tier, and consumer Gemini all have terms of service that permit training on submitted data under certain conditions. For work involving client information, a firm should be using an enterprise-tier AI tool with explicit no-training data protections. Microsoft Copilot with a Microsoft 365 Business subscription, Claude for Enterprise, or legal-specific tools like Clio Copilot or Spellbook all have explicit commitments against training on user data.
For a small firm owner: if your attorneys are using the free version of any AI tool for client work, this checklist just told you that needs to change.
2. Data Security
The checklist's security section gives attorneys three questions to answer before submitting client information:
- Does this vendor's terms of service permit training on submitted data?
- Is the tool SOC 2 Type II certified or equivalent?
- Is client data stored in the US or Canada, and what regulatory frameworks govern it?
On the third point: firms with Canadian clients or offices need particular attention. Canadian law includes additional data sovereignty obligations. The Spellbook/Canadian Bar Association partnership that launched in March 2026 specifically addressed this: all member data stored in Canada, not used for training. That's not coincidence — it's what Canadian data compliance requires.
3. Human Review Requirements — The Five Checks
This is the core of the checklist. The ABA frames it as five verification steps, in order, before any AI-assisted work product reaches a client or court:
Facts. Confirm all factual claims against primary sources. AI tools can confidently present incorrect facts. The attorney's name is on the deliverable, not the AI's.
Citations. Verify every case citation, statute reference, or regulatory citation against Westlaw, LexisNexis, or another primary legal database. AI citation hallucination — generating case citations that don't exist — has led to federal court sanctions and attorney discipline. This step is not optional.
Reasoning. Evaluate whether the AI's legal analysis reaches the correct conclusion for your client's situation. AI tools can produce technically accurate descriptions of law that apply incorrect analysis to a specific set of facts. The reasoning review is where attorney judgment is most essential.
Jurisdiction. Confirm that the law cited applies in your client's jurisdiction. AI tools trained on broad legal data will correctly describe the law of a jurisdiction other than yours. A California statute, correctly described, is useless to a client in New York. This step is especially important for research tasks.
Ethics. Before delivery, confirm that nothing in the AI output triggers disclosure obligations, creates a conflict issue, or violates court-specific AI disclosure requirements. Several federal district courts now require AI disclosure certifications in filed documents. This step catches the compliance requirements that have no analog in traditional associate review.
The ABA frames these five as the same checks you'd run on work from a junior associate. The reframe is useful: attorneys who would never file an associate's brief unchecked now have explicit bar guidance that AI output gets the same treatment.
4. Ethical Compliance and Disclosure
This section maps the checklist to ABA Formal Opinion 512 and state bar requirements. The practical output is three questions an attorney should answer before any AI-assisted work is delivered:
- Does my engagement letter address AI use? (If not, it should.)
- Does this court or filing require an AI disclosure certification?
- Has the client asked about AI use on this matter?
On the second question: court AI disclosure requirements are proliferating. Multiple federal district courts and some state appellate courts now require certification. These requirements are judge-specific in many districts — the same courthouse may have different requirements depending on which judge a case is assigned to. The ABA checklist directs attorneys to confirm this before filing, every time.
5. The "Junior Colleague" Accountability Model
The checklist's final element is less a step than a mindset anchor. When in doubt about whether to apply a review step, the checklist asks attorneys to ask themselves: Would I accept this from a junior associate without checking?
If the answer is no, the review step is required. This is the ABA's way of closing the gap between "I know I should check" and "I actually checked." It's also the best defense against a malpractice claim: the attorney applied the same review standard to AI output that they'd apply to any other supervised work.
What the Checklist Doesn't Cover
The ABA checklist is a starting point, not a complete compliance strategy.
It doesn't address court-specific disclosure variation. The checklist directs attorneys to confirm court AI requirements but doesn't provide a jurisdiction-by-jurisdiction tracker. For firms that practice in multiple jurisdictions, that tracking has to happen at the firm level. Spellbook maintains a state-by-state AI disclosure rule tracker; the ABA's own resources at abatech.org cover federal district court requirements.
It doesn't create firm-wide documentation. The checklist tells individual attorneys what to do. It doesn't generate the written internal policy, the training log, or the engagement letter language that protects the firm — not just the individual attorney — if a claim arises. A solo practitioner applying this checklist personally is in better shape. A three-attorney firm needs the checklist embedded in a written policy that every attorney has signed.
It doesn't address shadow AI. The Clio 2026 data found that 44% of law firms have no formal AI governance policy. But the same data suggests that a much higher percentage of attorneys are using AI individually — often through personal accounts on consumer tools — without firm oversight. The checklist assumes the attorney knows what AI tools they're using. Many firms don't know what tools their attorneys are using.
What a Small Firm Does With This Checklist This Week
The checklist is most useful as the foundation of a one-page internal policy.
Take the five review steps and turn them into a firm-wide standard: every attorney, for every matter that involves AI-assisted work, completes the five-step review before delivery. Put it in writing. One page. Have everyone sign it.
Three additional items that should accompany the policy:
Update your engagement letter. Your engagement letter should state that the firm may use AI tools in client service delivery, that all AI-assisted work is reviewed by a licensed attorney before delivery, and that the firm will disclose AI use where required by bar rules or client request. If you don't have this language, you don't have coverage if a client asks.
Map your court AI disclosure requirements. If your firm practices in federal courts or state appellate courts with standing AI disclosure orders, add that to your matter intake checklist. Missing a court disclosure requirement is a separate compliance failure from the underlying quality review.
Audit your AI tools. Run the tool selection section of the ABA checklist against every AI tool currently in use at your firm. If any tool doesn't pass the privacy and security questions, stop using it for client work — or upgrade to the enterprise version that does.
The ABA has given you the standard. The firms that act on it this week are in a different risk position than the ones still operating without a documented process.
Sources: ABA Law Technology Today — Checklist for Using AI Responsibly in Your Law Firm (2026) | North Carolina Bar — Beyond the Ban: Why Your Law Firm Needs a Realistic AI Policy in 2026 | Clio 2026 Legal Trends Report
The Crossing Report is a weekly intelligence newsletter for owners of professional services firms. Subscribe here.
Frequently Asked Questions
What does the ABA's AI checklist for law firms cover?
The ABA Law Practice Division's 2026 checklist covers five areas: (1) tool selection — how to evaluate whether an AI tool is appropriate for law firm use; (2) data security — what to check before submitting client information to an AI system; (3) human review requirements — the verification steps an attorney must complete before AI-assisted work reaches a client or court; (4) ethical compliance — how to meet bar disclosure obligations and conflict-check requirements when using AI; and (5) the 'treat AI like a junior colleague' framework, which requires attorneys to verify facts, citations, legal reasoning, jurisdictional accuracy, and ethical compliance in any AI-generated output.
How is the ABA Law Practice Division checklist different from ABA Formal Opinion 512?
ABA Formal Opinion 512 is a formal ethics ruling that specifies how existing professional conduct rules apply to AI — it creates binding ethical obligations. The ABA Law Practice Division checklist is operational guidance: a practical document that tells attorneys specifically what to check, in what order, before AI-assisted work leaves the office. The checklist is not binding in the same way as a formal opinion, but it represents the bar's official guidance on what 'responsible use' of AI looks like in practice. Small firms should treat it as the standard against which their internal process will be measured if a complaint or claim arises.
Which small law firms most need this checklist?
Any law firm that uses AI tools for any part of client work needs a documented review process. That includes using AI for research, drafting, document review, contract redlining, or client communications. The Clio 2026 Legal Trends data found that 44% of law firms have no formal AI governance policy — meaning nearly half of firms using AI are operating without a documented review framework. For those firms, the ABA checklist is the fastest path to a baseline compliance posture.
What does 'treat AI like a junior colleague' actually mean for attorney review?
The ABA frames it as five verification steps that must happen before AI-assisted work reaches a client or court: (1) Fact verification — confirm all factual claims against primary sources; (2) Citation verification — check every case, statute, or regulation citation against Westlaw or LexisNexis; (3) Reasoning review — evaluate whether the AI's legal analysis is sound and reaches the correct conclusion for your jurisdiction; (4) Jurisdictional accuracy — confirm that the law cited applies in your client's jurisdiction, not another state or a different era; (5) Ethical check — confirm that nothing in the output violates disclosure obligations, conflict rules, or court requirements. A junior associate would get the same five checks. So does AI output.
Does the ABA checklist address data security for small firms?
Yes. The checklist's security section focuses on three questions every attorney should answer before submitting client information to an AI tool: (1) Does this vendor's terms of service permit training on user-submitted data? If yes, client information submitted to this tool may become training data — a confidentiality risk under Rule 1.6. (2) Is this tool SOC 2 Type II certified or equivalent? This indicates a verified security audit. (3) Does this tool store data in the US or Canada, and is it subject to GDPR or other regulatory frameworks that may affect client data? Most consumer AI tools (ChatGPT free, Claude.ai free tier, Gemini consumer) do not meet the bar's data security standard for client work.
Is the ABA checklist enough by itself?
No. The ABA checklist is a starting point, not a compliance strategy. Several gaps remain: (1) It doesn't address court-specific AI disclosure requirements, which vary by district and individual judge. (2) It doesn't address state bar rules that go beyond ABA guidance — some state bars have more specific requirements. (3) It doesn't address firm-wide documentation: the checklist tells individual attorneys what to do, but doesn't create the internal policy, training log, and engagement letter language that protects the firm if a claim arises. Treat the ABA checklist as the foundation, then layer on your court disclosure tracking, state bar rules, and firm documentation.