Law Firm AI Policy Template for Small Firms (2026 Edition)
Published: May 5, 2026 | By: The Crossing Report
60% of mid-sized law firms have a formal AI policy in place today. Among small firms — under 25 attorneys — that number is below 20%. That gap used to be a governance nicety. In 2026, it is a liability.
Courts are sanctioning firms for AI misuse. In 2025, three Butler Snow attorneys were disqualified from a federal case for submitting hallucinated AI citations. The 5th Circuit levied a $2,500 sanction against attorneys using CoCounsel and vLex without adequate verification. Through Q4 2025, courts across the US documented 729+ incidents of AI-related misconduct in filed documents. The enforcement trend runs in one direction only.
This page gives you a ready-to-use one-page AI policy, a three-tier tool classification framework, and a 30-minute checklist to implement it. No legal research required. Copy the template below, fill in two fields, and you are done.
A note on urgency: Colorado's AI Act enforcement begins June 30, 2026. Firms in Colorado — and any firm whose clients are Colorado residents — should have documented AI governance in place before that date.
The One-Page AI Policy Template (Copy and Customize)
This is the template. Put your firm name and today's date at the top. Review the three tool tiers and adjust based on the software your firm actually uses. That is it.
[FIRM NAME] AI Usage Policy
Effective: [DATE]
1. Approved AI Tools
[GREEN TIER] General-purpose AI — no client data permitted
Permitted for internal research, drafting that does not contain client PII,
and administrative tasks.
Examples: ChatGPT (free), Claude (free), Perplexity
[YELLOW TIER] Practice management AI — firm-provisioned accounts only
Permitted for client work when accessed through firm-licensed accounts only.
Examples: Clio Duo, CoCounsel (Thomson Reuters), Harvey, Copilot for Microsoft 365
[RED TIER] Prohibited
Consumer AI with unknown data handling; any tool that trains on submitted
content without an explicit waiver; tools not reviewed and approved by
[managing partner / firm administrator].
2. Client Data Rules
No client name, matter number, financial data, or PII may be entered into any
RED TIER tool. YELLOW TIER requires firm-provisioned accounts with confirmed
data protection agreements. All AI output touching client matters must be
reviewed by a licensed professional before transmission to clients or courts.
3. Supervision Requirement
Every AI-generated document, brief, email, or analysis delivered to a client
must be reviewed and approved by a licensed professional. AI output is a
starting point, not a deliverable.
4. Disclosure
When AI materially assisted in client work, we will disclose this upon client
request and in engagement letters where applicable. For court filings, we will
comply with each jurisdiction's standing disclosure requirements.
5. Policy Review
This policy will be reviewed [annually / quarterly] or upon the adoption of
any new AI tool.
Signed: ____________________________
[Managing Partner / Firm Administrator]
Date: ____________________________
To customize this template:
- Fill in your firm name and today's date
- Replace the Yellow-tier examples with the specific tools your firm has licensed
- Set your review cadence (annually is sufficient for most small firms)
- Have the managing partner sign it and distribute it to all staff — including paralegals, legal assistants, and administrative staff who may use AI tools
Why Every Small Firm Needs This Now
Three things changed the calculus in 2025, and none of them are going away.
1. Courts are escalating sanctions — not just warnings.
The Butler Snow disqualification was not a one-off. Federal district courts across the country now have standing orders requiring AI disclosure in filed documents. State courts are adopting similar requirements. The 729+ documented AI incidents through Q4 2025 represent cases where firms were caught. The cost is not just the sanction — it is the motion practice, the malpractice exposure, and the client relationship.
A written AI policy is your evidence that the firm applied reasonable professional judgment to AI use. Without it, "we didn't know" is not a defense. With it, you can demonstrate that you established guardrails, trained your staff, and required review of all AI output.
2. Colorado's AI Act enforcement begins June 30, 2026.
Colorado SB 24-205 targets "deployers" of "high-risk AI systems" making consequential automated decisions about individuals. Most small law firms using AI to assist attorney judgment — rather than to make automated decisions — fall outside the Act's direct enforcement scope. But the Colorado AG can investigate complaints, and the standard for what counts as "high-risk" is still being defined.
Illinois HB 3773 is already in effect. More states are following. Firms with multi-state practices cannot afford to track each state's threshold for required documentation separately — a single internal AI governance policy covers the baseline.
3. 34% of law firms experienced a potential privilege breach from AI tool usage in 2025.
Shadow AI — staff using personal AI accounts, consumer apps, or unapproved tools for client work — is the most common source of privilege risk. It happens when there is no policy. People do not use unauthorized tools to be reckless. They do it because it is faster and no one told them not to.
A written policy closes that gap. It also gives you the basis to have the conversation: here are the tools we have approved, here is why the others are off-limits.
The Three-Tier Tool Classification Framework
The Green / Yellow / Red framework in the template above is designed to be practical for a small firm. Here is how to think about each tier.
Green Tier — General-purpose AI, no client data
These are consumer AI tools you or your staff might already use for personal productivity. They are useful for drafting internal memos, researching general legal concepts, generating template language for common documents, and administrative tasks. The constraint: no client names, matter numbers, case details, or PII.
Common Green-tier tools: ChatGPT (free plan), Claude (free plan), Perplexity, Gemini (free).
Yellow Tier — Practice management AI, firm accounts only
These are tools your firm has specifically licensed under a business or enterprise agreement with a data processing agreement (DPA) in place. The DPA confirms the vendor does not train on your submitted content and provides adequate data protection. These tools are cleared for client-specific work.
Common Yellow-tier tools for law firms: Clio Duo (firm account), CoCounsel by Thomson Reuters, Harvey (enterprise), Microsoft Copilot for Microsoft 365 (with enterprise agreement), Spellbook.
Red Tier — Prohibited
Any tool that has not been reviewed and approved, trains on user submissions without explicit waiver, or cannot provide a DPA on request.
The easiest rule of thumb: if your staff accessed an AI tool from a personal account or found it on their own, it is Red tier until approved.
Accounting firm adaptation
The same framework applies. Replace the legal-specific Yellow-tier tools with accounting equivalents:
- Yellow tier: Karbon AI (firm account), CCH Axcess Advisor, Basis, QuickBooks AI (ProAdvisor account), Canopy
- Green tier: ChatGPT / Claude for non-client work
- Red tier: Any tool without a DPA; any personal AI subscription used for client matters
ABA Formal Opinion 512 Compliance Checklist
For law firms, ABA Formal Opinion 512 (July 2024) specifies how the existing Model Rules apply to AI. Your written policy addresses each of the following requirements:
- Attorney understanding of AI limitations — Staff training and supervision protocol in place; all staff who use AI tools have been briefed on hallucination risk and output verification requirements
- Client confidentiality in AI tool use — Tool tiers establish which tools are cleared for client data; Red-tier prohibition prevents unauthorized submission of client information
- Non-lawyer staff supervision — Policy applies to all staff, not just licensed attorneys; review requirement covers all AI-generated content before client delivery
- Disclosure obligations — Policy includes explicit disclosure language for engagement letters and court filings
- Court filing compliance — Policy references jurisdiction-specific disclosure requirements; managing partner or designated attorney maintains current jurisdiction grid
If your jurisdiction's state bar has issued AI guidance beyond ABA 512 — New York, Texas, California, and Florida have all issued parallel guidance as of 2026 — review that guidance against this checklist and adjust accordingly.
How to Roll Out This Policy in 30 Minutes
You do not need a consultant, a policy committee, or a firm retreat. Here is the 30-minute rollout:
Step 1 (15 min): Fill in your tool tiers. Open the template. Write down every AI tool your firm uses right now. Sort them: does it have a firm-licensed enterprise account with a DPA? Yellow tier. Is it a personal or free account? Green tier until reviewed, Red if it touches client data. If you do not know, it is Red tier until you find out.
Step 2 (5 min): Fill in the template. Firm name. Today's date. Your actual Yellow-tier tools (replace the generic examples). Sign it.
Step 3 (5 min): Send it to your team. Email it to every attorney, paralegal, and staff member. One sentence in the subject line: "Here is our AI tools policy — please read before using any AI tools for client work." No presentation needed.
Step 4: Add the AI disclosure to your engagement letter. Your engagement letter is where the client-facing disclosure lives. Add a sentence: "We may use AI-assisted tools for research and drafting. All AI-generated work product is reviewed by a licensed attorney before use or delivery." Run it by your malpractice carrier at next renewal.
Step 5: Calendar a 90-day review. Set a reminder for 90 days out. Review the tool list, update the tier classifications if you have added or removed tools, and re-distribute the updated policy. After the first review, annual cadence is sufficient for most small firms.
That is it. You now have the documented AI governance framework that malpractice carriers are starting to ask about, the state bar expects you to have, and that courts will look for if an AI-related filing error ever comes before a judge.
Frequently Asked Questions
Does the ABA require law firms to have a written AI policy?
ABA Formal Opinion 512 (July 2024) does not mandate a written policy by name, but it requires attorneys to understand AI tool limitations, protect client confidentiality, supervise non-lawyer AI use, and disclose material AI assistance. A written policy is the practical way to demonstrate compliance. Bar associations in New York, Texas, Florida, and California have issued parallel guidance making written AI policies the de facto standard of reasonable care for law firms.
What should a small law firm's AI policy include?
At minimum: (1) a list of approved and prohibited AI tools, (2) rules about what client information can and cannot be entered into AI tools, (3) a requirement that a licensed attorney review all AI-generated work before it reaches clients, and (4) a disclosure statement. A one-page policy covering these four elements satisfies ABA Formal Opinion 512 and most current state bar AI guidance.
How do I know if an AI tool is safe for client data?
Check the vendor's data processing agreement (DPA) and terms of service for three things: (1) Does the vendor train on your submitted content? (2) Is a Business Associate Agreement (BAA) or DPA available? (3) Can you get a dedicated instance or is your data pooled? Consumer-tier products — free ChatGPT, free Claude — typically train on submissions. Enterprise agreements typically do not. When in doubt, never submit client names, matter numbers, or PII.
Does the Colorado AI Act require small law firms to have an AI policy?
For most small law firms, the Colorado AI Act (SB 24-205, enforcement begins June 30, 2026) does not directly require an AI policy. The Act targets "deployers" of "high-risk AI systems" making consequential automated decisions about individuals. If your firm uses AI to assist attorney judgment rather than to automatically make consequential decisions, you likely fall outside enforcement scope. However, documenting your AI governance approach is best practice regardless — and the Colorado AG can investigate complaints.
Can I use this template for an accounting firm?
Yes, with modifications. Replace legal-specific references (ABA, attorney review) with accounting equivalents (AICPA, CPA review). Approved tools will differ: Karbon AI, CCH Axcess Advisor, Basis, and QuickBooks AI are common accounting firm Yellow-tier tools. The AICPA's AI guidance mirrors ABA requirements: professional oversight, confidentiality protection, and disclosure where material. The same three-tier tool framework applies.
Related Reading
- ABA Formal Opinion 512: What Small Law Firms Need to Do This Week
- State Court AI Sanctions: The Verification Protocol Small Law Firms Need
- The Colorado AI Act Small Business Exemption: Does Your Firm Qualify?
- AI Tool Security and Shadow AI Risk for Law Firms
- AI Regulation Compliance Hub for Professional Services Firms
The Crossing Report covers the AI transition for professional services firm owners — accounting, law, consulting, staffing, and marketing agencies.