advanta

HomeModule LibraryGovernance

Module GOV-02 sigil: Governance pillar, Strategy layer, maturity bands 1 to 3.Deterministic sigil for Module GOV-02. The Pillar geometry encodes Governance (Pillar 4); the top-right marker S encodes the Strategy layer; the baseline meter encodes maturity bands 1 to 3.SGOV-02
P4· L-G· Bands FoundationalOperationalIntegrated

· GOV-02

AI Use Policy

AI Use Policy codifies what AI use is permitted, prohibited, and supervised across the legal function. Anchored to Pillar P4 (Governance, Risk & Defensible AI) on the Governance Layer, the Module operationalises GOV-01’s governance framework into binding behavioural controls. It mandates AI Bill of Materials registration, restricts legal work to approved tools, codifies Shadow AI and Agentic Tier controls, and maps requirements to ABA Model Rules and ABA Formal Opinion 512. The signed Policy is primary DE-4 Governance posture evidence for the Defensibility Posture Statement. Methodology v2026.1.

Foundational

·

Lift 1 · Self-serve

·

Per-engagement

·

Initial deployment 2–4 weeks; 1 day for annual review

Methodology v2026.1·Verified 22 May 2026·Reviewed 22 May 2026

Executive Summary

This Module establishes the AI Use Policy for legal departments adopting AI tools and services. It defines what AI use is permitted, what is prohibited, how human oversight is maintained, and how compliance is monitored. Operating under the Defensible AI Governance Framework (GOV-01), it sets a three-tier governance structure, mandates use of an AI Bill of Materials (AI BoM), and restricts legal work to approved tools only. The policy codifies controls for Shadow AI and agentic AI, maps requirements to ABA Model Rules and Formal Opinion 512, and sets explicit human review standards by content type. It also defines client disclosure and opt-out rights, incident classification and response aligned to the Risk Taxonomy 2026, and role-based training requirements. Outputs from this Module feed directly into the Defensibility Posture Statement (DPS) as primary governance evidence, demonstrating that AI-enabled legal work is supervised, compliant, and defensible to regulators, courts, and clients.

Defensibility Evidence Produced

Adopted AI Use Policy document; AI Bill of Materials (AI BoM) — approved tool inventory; Shadow AI controls documentation; Agentic AI tier controls; Client disclosure procedures; Human oversight standards by content type; Incident classification matrix; Training records by role

Elements:

Methodology transparencyGovernance posture

Purpose

This Module establishes the AI Use Policy for legal departments adopting AI tools and services. It defines what AI use is permitted, what is prohibited, how human oversight is maintained, and how compliance is monitored. The policy is authorised by the Defensible AI Governance Framework (GOV-01) and feeds the Defensibility Posture Statement (DPS) as primary governance evidence.

This policy is a sub-instrument of GOV-01 and operates alongside GOV-03 (AI Risk Register) and GOV-05 (AI Incident Response Playbook).

When to use this Module

Use this Module when:

  • Deploying AI tools for the first time in a legal department
  • Responding to a regulatory inquiry or client audit of AI practices
  • Onboarding new legal personnel who will use AI tools
  • Conducting the annual AI governance review required by GOV-01
  • Addressing a Shadow AI incident identified through GOV-05

Owner: General Counsel + AI Governance Lead

Duration: Initial deployment 2–4 weeks; annual review 1 day

Operating cadence: Per engagement (initial); annual review thereafter

Scope

This policy applies to all legal department personnel — attorneys, paralegals, legal operations staff, and contract staff — using any AI tool or service in connection with legal work. It covers:

  • Generative AI tools (document drafting, summarisation, research)
  • Predictive AI tools (contract analytics, litigation prediction)
  • Agentic AI systems (autonomous multi-step task execution)
  • Third-party AI-enabled platforms used for legal workflows

This policy does not cover IT infrastructure AI (security monitoring, spam filtering) unless that infrastructure processes client or matter data.

Section 1 — Policy authority and governance structure

The AI Use Policy operates within a three-tier governance structure:

| Tier | Body | Responsibility |

|—|—|—|

| Tier 1 — Strategic | AI Steering Committee (General Counsel, COO, CISO) | Approves policy; sets risk appetite; reviews annually |

| Tier 2 — Operational | AI Task Force (Legal Operations Lead, practice group leads) | Implements policy; manages approved tool registry; escalates incidents |

| Tier 3 — Practitioner | All legal personnel | Complies with policy; completes training; reports incidents |

The AI Task Force maintains the AI Bill of Materials (AI BoM) — the authorised inventory of all AI systems approved for legal use. No AI tool may be used for legal work unless it appears in the AI BoM.

Section 2 — Permitted AI use

The following AI use categories are permitted subject to the controls in this policy:

Category 1 — Legal research assistance: AI-assisted case law research, statutory analysis, and regulatory monitoring. All outputs require attorney review before reliance.

Category 2 — Document drafting support: AI-assisted drafting of contracts, briefs, correspondence, and legal memoranda. All drafts require attorney review and sign-off before filing, serving, or sending to clients.

Category 3 — Contract review and analytics: AI-assisted contract review, clause extraction, and risk flagging. Attorney review required before any redline or position is communicated to a counterparty.

Category 4 — Administrative automation: AI-assisted scheduling, billing narrative drafting, matter management, and document organisation where no privileged client content is processed.

Category 5 — Approved AI BoM tools only: Any AI tool not listed in the AI BoM is prohibited. Personnel seeking to add a tool must submit a vendor evaluation request to the AI Task Force.

Section 3 — Prohibited AI use and Shadow AI controls

Prohibited activities

The following are prohibited without exception:

  • Uploading privileged client communications, unpublished transaction documents, or work product to any AI tool not in the AI BoM
  • Using AI tools to generate legal advice communicated directly to clients without attorney review
  • Using personal AI accounts (consumer ChatGPT, consumer Claude, etc.) for any matter-related work
  • Disabling, circumventing, or bypassing AI oversight controls required by this policy
  • Using AI tools to process data subject to export controls, HIPAA, or other regulated data classifications without a compliant data processing agreement

Shadow AI controls

Shadow AI — the use of unapproved AI tools or the approved AI tools in unapproved ways — is a Class 6 risk under the Risk Taxonomy 2026. The following controls apply:

  • The IT function monitors network traffic for connections to AI endpoints not listed in the AI BoM
  • All legal personnel must annually attest that they have not used unapproved AI tools for matter work
  • Any Shadow AI incident must be reported to the AI Task Force within 24 hours of discovery under GOV-05
  • Shadow AI incidents involving client data are treated as potential privilege or confidentiality breaches under Class 2 risk protocols

Agentic AI tier controls

Agentic AI — autonomous AI agents that execute multi-step tasks without step-by-step human instruction — requires enhanced controls beyond standard AI tool use:

  • Agentic AI systems may only be deployed after completing the full vendor evaluation in GOV-01 Appendix B
  • Every agentic deployment must define a human checkpoint at which attorney review occurs before the agent’s output affects any external party
  • Agentic systems may not send communications to clients, courts, or counterparties without explicit attorney approval of each communication
  • Agentic AI logs must be retained for 36 months and are subject to matter file protocols
  • Any agentic system failure or unexpected action must be reported as a Tier 1 incident under GOV-05 within 4 hours

Section 4 — Professional responsibility compliance

This policy implements the following ABA Model Rules as applied to AI use:

ABA Model Rule 1.1 — Competence: Attorneys must maintain competence in the benefits and risks of relevant AI technology. This requires completing the training requirements in Section 8 of this policy and staying current with AI development relevant to their practice area.

ABA Model Rule 1.6 — Confidentiality: Attorneys must make reasonable efforts to prevent inadvertent disclosure of client information. For AI tools this means: (a) using only AI BoM-listed tools with appropriate data processing agreements; (b) not uploading identifiable client data to AI tools without client consent where required; © understanding the data retention and training practices of each approved AI tool.

ABA Model Rule 5.3 — Supervision of non-attorney assistance: The use of AI tools constitutes use of non-attorney assistance. Supervising attorneys are responsible for the accuracy and appropriateness of AI-generated work product incorporated into legal advice or filings.

ABA Formal Opinion 512 (2024): Attorneys using generative AI tools must: (a) understand the tool’s limitations; (b) verify AI-generated legal content; © ensure fee arrangements reflect actual time and work; (d) comply with confidentiality obligations when using third-party AI tools.

Section 5 — Human oversight standards

All AI-assisted legal work requires human oversight. The following standards apply by content type:

| Content type | Minimum reviewer | Standard |

|—|—|—|

| Court filings (briefs, motions, complaints) | Supervising attorney | Full review; attorney certifies accuracy |

| Client advice (memos, opinions, recommendations) | Responsible attorney | Full review; attorney takes professional responsibility |

| Transactional documents (contracts, agreements) | Matter attorney | Substantive review of all AI-suggested provisions |

| Research memoranda | Reviewing attorney | Verify citations; confirm legal conclusions |

| Internal correspondence | Author | Review before sending |

| Administrative documents | Author | Spot-check for accuracy |

No AI output may be submitted to a court, delivered to a client, or filed with a regulator without completing the applicable review standard above.

Section 6 — Client disclosure and consent

Disclosure obligation

The firm will disclose AI use to clients in accordance with applicable professional responsibility rules and client expectations. Disclosure is required when:

  • AI tools process client-identified confidential information
  • AI-generated content is incorporated into advice or documents delivered to the client
  • The client has specifically requested disclosure of AI use

Opt-out right

Clients may opt out of AI-assisted work on their matters. Personnel must honour opt-out requests and flag opted-out matters in the matter management system.

Sample client disclosure language

“[Firm name] uses AI-assisted tools to support legal research, document review, and drafting efficiency. All AI-assisted work product is reviewed and approved by a qualified attorney before delivery. AI tools we use are subject to data protection agreements that prohibit use of your information to train AI models. If you have questions about our AI practices or wish to request that AI tools not be used on your matter, please contact [designated contact].”

Section 7 — Incident classification and response

AI incidents are classified under the Risk Taxonomy 2026. Personnel must report incidents to the AI Task Force. The AI Task Force escalates under GOV-05.

| Level | Definition | Response time | Escalation |

|—|—|—|—|

| Level 1 — Critical | Client data exposed; privilege breach; court filing error | 4 hours | General Counsel + CISO immediately |

| Level 2 — Significant | AI output error discovered post-delivery; Shadow AI use with client data | 24 hours | AI Task Force; General Counsel within 48 hours |

| Level 3 — Moderate | AI tool behaves unexpectedly; Shadow AI use without client data | 72 hours | AI Task Force |

| Level 4 — Minor | Training gap; policy clarification request; near-miss | 7 days | AI Task Force log |

Section 8 — Training requirements

All legal personnel using AI tools must complete the following training:

| Role | Initial training | Annual refresh | Competency standard |

|—|—|—|—|

| All legal personnel | 2 hours (AI Use Policy orientation) | 1 hour | Pass policy quiz (80%) |

| Attorneys | 4 hours (AI competence + Rule 1.1) | 2 hours | CLE credit where available |

| Legal operations | 4 hours (AI BoM management + oversight) | 2 hours | Operations certification |

| AI Task Force members | 8 hours (full governance curriculum) | 4 hours | Practitioner track certification |

Training records are maintained by Legal Operations and are subject to audit under GOV-01.

Section 9 — Contribution to Defensibility Posture Statement

This policy is a primary evidence artefact for the DPS Governance section. The following policy elements contribute directly to DPS scoring:

| DPS evidence element | Policy section | Evidence type |

|—|—|—|

| AI use policy exists and is current | This document + version date | Governance artefact |

| Shadow AI controls documented | Section 3 | Control documentation |

| Agentic AI tier controls documented | Section 3 | Control documentation |

| Professional responsibility compliance mapped | Section 4 | Regulatory compliance |

| Human oversight standards defined | Section 5 | Oversight evidence |

| Client disclosure procedures documented | Section 6 | Client protection evidence |

| Incident classification and response defined | Section 7 | Operational resilience |

| Training requirements and records | Section 8 | Competence evidence |

When completing the DPS, Legal Operations should attach the most recent version of this policy and confirm the annual review date.

Part of the Advanta Legal AI OS — Module Library, Pillar 4: Governance, Risk & Defensible AI

Operational Signals

gov-02.use-policy-version

Defensibility Posture Statement

Signed AI Use Policy version writes a DE-4 evidence record.

Annual

gov-02.approved-tool-coverage

Console

Proportion of AI BoM tools with completed Use Policy authorisation — Console intelligence substrate.

On change

gov-02.shadow-ai-violations

Annual Legal AI OS Index

Shadow AI (RC-8) violations logged per quarter feeds the Annual Legal AI OS Index.

Quarterly

Recommended Stakeholders

Owner

  • General Counsel

Approvers

  • General Counsel
  • CIO / CISO
  • Risk & Compliance

Contributors

  • Head of Legal Operations
  • Learning & Development

Informed

  • Board
  • All legal practitioners

Inputs · Outputs

Inputs

  • · Existing or proposed AI tools in legal department use
  • · GOV-01 Governance Charter authorising this policy
  • · Regulatory requirements (ABA Rules 1.1, 1.6, 5.3; ABA Op 512; EU AI Act)
  • · Client data handling agreements and confidentiality obligations
  • · Incident history and Shadow AI risk signals

Outputs

  • · Adopted AI Use Policy document (DPS governance evidence)
  • · AI Bill of Materials (AI BoM) — approved tool registry
  • · Client disclosure language for AI use
  • · Incident classification matrix linked to GOV-05
  • · Training requirements by role

Framework Crosswalk

NIST AI Risk Management Framework

NIST

Aligns with governance, risk identification, and control implementation for AI use in legal workflows.

ISO/IEC 42001 Artificial Intelligence Management System

ISO

Supports establishment of AI use policies, roles, controls, and continuous improvement for AI-enabled legal services.

ABA Model Rules of Professional Conduct

ABA

Operationalises Rules 1.1, 1.6, and 5.3 for AI use, including competence, confidentiality, and supervision of non-lawyer assistance.

ABA Formal Opinion 512 (2024)

ABA

Implements guidance on generative AI use, verification of outputs, confidentiality, and billing practices in legal work.

EU AI Act (governance and high-risk obligations)

European Union

Provides governance, oversight, and documentation practices relevant to AI systems used in legal services, especially for high-risk use cases.

Operational Artefacts

  • AI Use Policy template for legal departments (GOV-02)

    docx · v2026.1

    Gated
  • AI Bill of Materials (AI BoM) registry workbook

    xlsx · v2026.1

    Gated
  • Untitled artefact

    checklist · v2026.1

    Gated

Diagnostic Relevance

Publishing the AI Use Policy strengthens the Defensibility lens — expected Band progression: Foundational → Integrated.

Confidence: high

Key Takeaways

  • Define a three-tier AI governance structure with clear roles for strategy, operations, and practitioners.

  • Restrict legal AI use to tools listed in the AI Bill of Materials and prohibit Shadow AI.

  • Specify permitted AI use cases for research, drafting, contract analytics, and administration with mandatory attorney review.

  • Apply enhanced controls for agentic AI, including human checkpoints, logging, and rapid incident reporting.

  • Map AI practices to ABA Model Rules 1.1, 1.6, 5.3 and Formal Opinion 512 to maintain professional responsibility.

  • Set explicit human oversight standards by content type before any AI-assisted work reaches courts, clients, or regulators.

  • Document client disclosure, opt-out rights, incident response, and training as DPS-grade defensibility evidence.

Run this Module

Operational artefacts available to Practitioner Membership members. Methodology v2026.1.

View Membership

Targeting

Audience

GC / CLOLegal OperationsRisk & Compliance

Strengthens

Defensibility lensAdoption lens

Module Details

Format
Module
Difficulty
Foundational
Pillar
P4
Owner
General Counsel
Access
Practitioner Membership
Certification
Practitioner

Maturity Bands

FoundationalOperationalIntegrated

Where this Module lives

AI Use Policy produces the Defensibility Element 4 (Governance posture) behavioural evidence stream that anchors the Defensibility Posture Statement’s use-control section. Approved tool registration, incident classification, and training attestations feed the Annual Legal AI OS Index. Without this Module, GOV-01’s Framework exists on paper but practitioners operate without enforceable rules and Shadow AI proliferates uncontrolled.

Advisory

When this Module sits inside a Programme.

Modules are operated in-house by GC and Legal Operations teams. When the capability transformation is multi-Pillar — or when the regulator timeline tightens — Advanta operates the canonical Module sequence as a Programme.