The AI Lifecycle is the temporal frame for institutional AI use in legal functions. Every AI capability the function deploys moves through five canonical stages: Concept, Build, Deploy, Operate, Sunset. Each stage applies distinct governance disciplines, exposes distinct Risk Taxonomy classes, requires distinct Defensibility evidence, and produces distinct ROAI return.
The Lifecycle frame rejects the procurement-event model that dominates first-generation legal AI conversations. AI capabilities are not procurement events; they are operating disciplines that have stages. The function that recognises the stages and applies the correct governance at each compounds posture over time. The function that treats AI as procurement repeats the same governance failures on every new tool.
The five stages
Concept: the function identifies a candidate AI use case, specifies success criteria including which ROAI quadrants matter most, maps the candidate against the Risk Taxonomy to surface classes the use case will introduce or amplify, and the governance committee decides pursue or do not pursue. Exit gate G1 is committee approval to enter Build. Risk classes most exposed at Concept: hallucination (when the use case requires AI output the lawyer will rely on), Shadow AI proliferation (when the candidate is being driven by existing informal use), accountability dilution (when the named owner is not clearly assigned).
Build: vendor selection scored against the six Vendor Index dimensions, contracting that includes data isolation and exit-assistance and notice SLAs on model upgrades, configuration against the function’s data handling standards, pilot design with cohort-controlled methodology so the post-pilot evaluation produces credible numbers, training programme design, Risk Register update with the new capability’s entries. Exit gate G2 is committee approval of pilot results. Risk classes most exposed: vendor lock-in (in contract negotiation), data leakage (in configuration), regulatory non-compliance (when the use case meets EU AI Act high-risk criteria).
Deploy: cutover from baseline to AI-assisted workflow, user training rollout, audit trail operationalisation, monitoring for early-stage issues. Committee receives weekly status reports during the first month and shifts to monthly. Any material exception in the first month is reviewed by the committee directly. Exit gate G3 is the steady-state declaration. Risk classes most exposed: professional conduct exposure (as lawyers adapt to AI-assisted work), Shadow AI proliferation in the opposite direction (if the official tool fails to meet user needs early, informal alternatives proliferate), hallucination as production volume surfaces edge cases the pilot did not.
Operate: the longest stage; quarterly Evidence Register refresh, Risk Register review, ROAI performance review against the original Concept-stage hypothesis, annual vendor relationship review, incident logging and root-cause analysis when failures occur, model upgrade impact assessment whenever the vendor ships a new version. Exit gate G4 is the annual deep-dive against the original Concept memo. Risk classes most exposed: model drift (the dominant Operate concern; it only surfaces in production over time), data leakage continuing through ongoing vendor contact and configuration drift, accountability dilution when the original named owner moves on without explicit succession.
Sunset: structured retirement triggered by vendor failure, capability replacement, use case obsolescence, or regulatory change. Data egress in portable format, Evidence Register archive (Defensibility evidence retains relevance post-retirement), lessons captured for the Continuous Learning loop, vendor closeout per contract exit terms. Exit gate G5 is the final ROAI report comparing realised return against the Concept-stage hypothesis. Risk classes most exposed: vendor lock-in (acute at exit), client confidentiality breach (around data egress).
Three operational artefacts
The Lifecycle becomes operational through three artefacts: the Capability Portfolio registers every AI capability with its current stage, surfacing portfolio-balance signals (a function with all capabilities in Operate is not renewing; a function over-extended in Build is over-extending governance attention). The Governance Cadence maps committee attention to stage-appropriate cadences (Concept-stage candidates at the standing intake meeting; Operate-stage capabilities at the quarterly review). The Defensibility Posture Statement lists capabilities by Lifecycle stage so readers see at a glance which capabilities are in production, which are being built, and which are being retired.