The Defensibility Posture Statement (DPS) is the one-page artefact that captures a legal function’s AI governance posture. It is maintained at the General Counsel level, signed by the GC, and producible within twenty-four hours of any external request that could plausibly result in adversarial scrutiny.
The DPS is the institutional artefact most directly tested by the stress moments Defensibility is designed for. When a regulator asks the function to demonstrate its AI governance posture, the DPS is the document the function produces. When a plaintiff’s counsel seeks discovery on AI-influenced work product, the DPS is the discovery target. When a board member asks for the function’s position on AI, the DPS is the briefing.
What the DPS contains
The Statement names what AI systems are in use (the AI BoM in summary form), what governance framework applies, where the Evidence Register lives, who the named accountable owners are, and what the escalation path is when AI behaviour exceeds expected bounds. It includes the function’s Maturity Band placement (typically Optimised or Defensible at the point of publication), the methodology version against which the Band was assessed, and the date of the most recent governance committee review.
It is not a long document. The most institutional versions are tight: one page of substance with hyperlinks to the supporting evidence cache, the governance committee charter, the Risk Register mapped to Risk Taxonomy 2026, the Vendor Index of approved systems, and the most recent incident review. The brevity is the point. Length signals defensiveness; structure signals readiness.
Why the form binds
Length signals defensiveness; structure signals readiness. A forty-slide AI strategy deck does not survive the test the DPS is designed for. The brevity is the point. Boards that receive a forty-slide AI strategy deck but no one-page DPS should ask why. The discipline of one page forces the function to identify what is essential: who is accountable, what systems are in use, where the evidence lives, how the function responds when something goes wrong.
Cadence
The DPS is reviewed quarterly by the governance committee. Out-of-cycle review is triggered by any material AI system change (a new capability moving through Build to Deploy), any regulatory development (a new sectoral guidance, an EU AI Act enforcement action), or any incident that engages a Risk Taxonomy class (a hallucination that reached the file, a data leakage event, a vendor security disclosure). Functions that maintain the DPS at quarterly cadence pass the stress test of regulator inquiry, plaintiff discovery, board challenge, client audit, and professional conduct review.
Relationship to certification
Only the Advanta Executive Diagnostic, with evidence attestation, certifies a function as Defensible. The Free Baseline Diagnostic caps at Optimised; it surfaces Defensibility aspirants but cannot certify Defensible because self-assessment of Defensibility defeats the standard. The DPS itself is not the certification; it is the artefact the certification process attests to. A function may maintain a DPS at Optimised band without being certifiable Defensible; the gap is independent evidence attestation, not the artefact itself.
The DPS is the deployer-side counterpart to the Vendor Index entry. Where the Vendor Index documents vendor-side defensibility (what the vendor maintains), the DPS documents deployer-side defensibility (what the function maintains around the vendor’s tooling). Both are required for institutional AI use; neither substitutes for the other.