Law Firm AI Governance Has a Documentation Problem — AllRize's GRC Module on Microsoft Purview Is One Answer

Every law firm using AI now has a bar compliance obligation to supervise it. Most have no system to document that supervision. AllRize just released a GRC module built on Microsoft Purview that addresses the governance documentation gap from inside a firm's existing Microsoft 365 environment.

---

Summary

AllRize announced a Governance, Risk, and Compliance module on March 4, 2026, built on Microsoft Purview and designed specifically for law firm AI governance. For small and mid-size firms using Microsoft 365, it may be the lowest-friction path to defensible AI governance documentation — the audit trail that demonstrates supervised AI use when bar counsel, clients, or insurers come asking. The catch: it only works inside the Microsoft Dynamics 365 ecosystem.

---

The Problem AllRize Is Solving

Here's the documentation problem facing every law firm that uses AI:

ABA Formal Opinion 512, issued in 2024, established that lawyers have a professional responsibility to supervise AI used in client matters — including the work product AI generates. The partner who reviews a brief the associate drafted is responsible for that brief. The same logic applies when AI drafts the clause, summarizes the deposition transcript, or pulls the precedents. If something goes wrong, "the AI did it" is not a defense.

Meanwhile, state bars are moving. New Hampshire SB 640, which passed the Senate in March 2026, requires "meaningful oversight" of AI providing licensed professional services — and the standard remains undefined, meaning the first enforcement cases will define what it means. Oregon HB 4154 already requires disclosure when AI interacts with clients. The regulatory environment is building toward documentation requirements even if no rule yet mandates a specific format.

The result: law firm owners are caught between adopting AI (because the efficiency gains are real and competitors aren't waiting) and meeting a supervision obligation that has no clear documentation standard. Most firms' current answer is either a one-page policy document sitting in a shared folder or nothing at all.

That's not defensible. Not against bar counsel. Not against a client who claims their matter was AI-handled without proper supervision. Not against a malpractice insurer who wants to see your AI governance controls.

The gap is not just having a policy. It's documenting that the policy was actually followed — at the matter level, for every matter, over time.

---

What AllRize GRC Actually Does

AllRize GRC is an add-on to the AllRize Practice Management Platform, a legal practice management system built on Microsoft Dynamics 365. On March 4, 2026, AllRize announced the GRC module built on Microsoft Purview — Microsoft's enterprise data governance and compliance platform.

First, what Microsoft Purview is: it's the compliance infrastructure already inside many Microsoft 365 subscriptions. It handles data classification, audit logging, access controls, and compliance visibility across Microsoft applications like Outlook, Teams, SharePoint, and Word. Large enterprises use it to meet data governance requirements. For law firms, it's the infrastructure most of them already have but haven't connected to their AI governance problem.

AllRize GRC extends Purview with law-firm-specific intelligence:

AI usage policy definition and enforcement. Firms can define acceptable AI use across the practice — which tools are approved, which data can be processed by which tools, and what oversight is required before AI output reaches a client. This is the policy layer. It defines the rules.

Matter-level governance. This is the distinguishing feature. AllRize GRC doesn't just set firmwide settings — it applies governance at the matter level. Who used AI on this matter? What tools? What oversight was applied before the output was delivered? Each matter gets its own governance record, which is what you need if a specific client matter becomes the subject of a complaint or dispute.

Auditable oversight documentation. The system generates an audit trail: a timestamped record of AI tool usage, the human review applied, and the sign-off chain. This is the documentation layer. When bar counsel asks "show me how this brief was supervised," you have a record — not a policy statement.

Confidentiality protection via Purview. Because it's built on Purview, client data classification and access controls are part of the same system. The AI governance documentation and the underlying matter data are both inside Microsoft's compliance infrastructure — reducing the risk that AI tools are feeding client-confidential data outside the firm's control perimeter.

---

Who This Is For

This is a practical fit if your firm meets most of these conditions:

You're already on Microsoft 365. AllRize is built on Microsoft Dynamics 365, so the integration value multiplies if your email, documents, and calendar are already in the Microsoft ecosystem. Firms using Google Workspace or other systems would need to evaluate the migration cost as part of the decision.

You've been asked about your AI governance practices. If a client, insurer, or bar association has already raised the question — "what's your AI policy?" or "how do you supervise AI use?" — you're behind. AllRize GRC is a structured answer to that question, not a verbal one.

You're using AI across multiple practice areas or matters. A solo who uses ChatGPT occasionally to draft emails probably doesn't need enterprise GRC infrastructure. A 10–30 attorney firm with paralegals and associates using AI across dozens of active matters — that's where the audit trail starts to matter. Governance documentation becomes valuable when you have enough AI use that "I supervise everything personally" stops being credible.

You're thinking about NH SB 640 or ABA Opinion 512 compliance. If you've read ABA Opinion 512 and started wondering how you'd demonstrate supervision in a bar inquiry, AllRize GRC is building the documentation infrastructure to answer that question. The module was clearly designed with ABA Opinion 512's supervision standard in mind.

---

Who This Is NOT For

Be direct about this, because a bad-fit purchase wastes money and creates configuration overhead that doesn't actually solve the problem.

Clio, MyCase, or PracticePanther users. AllRize GRC is an add-on to AllRize Practice Management, which is a different platform. If your core practice management system is not AllRize (or you're not willing to migrate), this module is not currently available to you. Switching practice management platforms is a significant undertaking and is not a reasonable decision to make in order to get the GRC module alone.

Solos or very small firms without a complex AI footprint. If you're a one-attorney shop using a single AI tool for a well-defined workflow, enterprise-grade compliance infrastructure is overhead without proportionate benefit. A documented policy, a supervision log in your case management system, and disciplined review habits may be sufficient for your actual compliance exposure.

Firms not in the Microsoft ecosystem who don't want to be. The value of Purview-based governance depends on being inside Microsoft's environment. Firms committed to non-Microsoft tools won't get the full integration benefit.

---

The Governance Documentation Test

Here's a practical diagnostic. Imagine bar disciplinary counsel calls tomorrow and asks: "For Matter 4421, show me how AI was used and what human supervision was applied before the output reached the client."

What do you pull up?

Most small law firms would have: nothing specific to that matter. Maybe a general AI policy document. Maybe a memory that "we always review AI output." None of that is documentation.

Defensible documentation looks like: a timestamped record showing which AI tools touched which matter, what output was generated, who reviewed it, and when sign-off happened. The kind of thing you'd find in a compliance audit at a large regulated financial institution — but applied to a law matter.

AllRize GRC generates that record. Manual supervision logs could generate it too, if someone builds and maintains them. The choice is whether you automate the audit trail or create it by hand.

A useful self-assessment checklist:

• Do you know which AI tools each member of your firm is using on active matters?
• Can you produce a matter-specific AI usage log if asked?
• Is your AI supervision process documented anywhere other than your own memory?
• Have you defined which AI tools are approved, which data can go into them, and who is responsible for reviewing output?

If the answer to any of these is no, you have a governance documentation gap. AllRize GRC addresses that gap for firms in the Microsoft ecosystem. For firms outside that ecosystem, the same questions apply — the answer just looks different.

---

Alternatives Worth Knowing

Governance documentation doesn't require AllRize GRC. Here's the honest comparison:

Manual policy + supervision log (lowest cost, lowest defensibility). Write an AI policy. Create a supervision log template in your case management system or a shared spreadsheet. Require attorneys to log AI use and sign off before delivery. This costs almost nothing but depends entirely on consistent human behavior — which is why it tends to fail under workload pressure.

Clio-native AI settings (limited scope). If you're on Clio, Clio's built-in settings let you manage access to Clio's own AI features. This doesn't extend to AI tools outside Clio — ChatGPT, Claude, Microsoft Copilot, or document review tools your firm uses independently. It's a start but not a complete governance layer.

Microsoft Purview standalone (enterprise tool without legal context). Purview alone can log access and data activity. It doesn't understand matters, clients, or legal workflow context. You'd get data governance infrastructure without the law-firm–specific layer that makes the documentation legally meaningful.

AllRize GRC (highest integration, Microsoft ecosystem required). The most complete solution for firms in the Microsoft stack. Built-in legal workflow context. Matter-level governance. Auditable documentation designed for the ABA Opinion 512 supervision standard. Cost: AllRize Practice Management subscription + GRC add-on pricing (check directly with AllRize for current pricing as of 2026).

The right answer depends on your platform, your firm size, and your actual compliance exposure. Enterprise-grade GRC infrastructure isn't right for every firm. But the underlying problem — documenting AI governance in a way that's defensible, not just declarative — applies to every firm using AI on client matters.

---

The Bottom Line

The governance documentation problem is not hypothetical. Bar associations are issuing opinions. State legislatures are passing bills. Malpractice insurers are starting to ask questions. Clients in regulated industries — financial services, healthcare, government — are beginning to require vendor AI governance disclosures.

A one-page AI policy isn't documentation. It's intent. Documentation is the audit trail that shows intent was followed, at the matter level, consistently over time.

AllRize GRC is one structural answer to that problem for law firms in the Microsoft ecosystem. Whether it's the right answer for your firm depends on your existing stack, your firm size, and how quickly your compliance exposure is growing.

The question worth asking right now is not "do I need AllRize GRC?" The question is: "If bar counsel called tomorrow about a specific matter, what would I show them?"

If the answer is "I don't know," that's the governance gap. Start there — with or without AllRize.

---

The Crossing Report covers AI adoption, regulation, and compliance for professional services firm owners every week. Subscribe here for intelligence on what's changing and what to do about it.