The operational problem
The General Counsel is asked at every Board meeting: what AI does the function operate? The institutional answer should be a one-page list — capability by capability, classified by Lifecycle stage, with named accountable owner and current performance status. In most functions today the answer is reconstructed from procurement records, vendor contracts, and the founder’s memory.
A function that cannot answer that question at any cadence — quarterly to the Audit Committee, annually to the Board, on demand to the regulator — does not have a portfolio view of its AI capability. It has a vendor inventory dressed as governance.
The Capability Portfolio Architecture is the master register that produces the institutional answer. It distinguishes capabilities (what the function operates) from tools (what the function bought). It records the Lifecycle stage per capability (Concept / Build / Deploy / Operate / Sunset) so that the GC can see at a glance whether the portfolio is balanced or over-extended. Without it, AI investment fragments into tool-by-tool decisions and the function cannot articulate its operational stack to anyone outside the practice group that operates each tool.
Legal AI OS Relevance
The Capability Portfolio Architecture sits at the intersection of Pillar P8 (Sustaining, Optimization & Lifecycle) and the Governance Layer (Layer G). It produces evidence for two Defensibility Elements:
- DE-2 Methodology transparency — the portfolio’s structure and population discipline evidence a documented capability-management methodology
- DE-4 Governance posture — the capability list classified by Lifecycle stage is a required element of the Defensibility Posture Statement at the institutional level
Anchoring to Bands 2, 3, 4, and 5 (Operational → Integrated → Optimised → Defensible), the Module is the situational-awareness instrument at Band 2 (capability count visible), the strategic posture at Band 3 (capability classified by stage), the optimised portfolio at Band 4 (stage-balance review at quarterly cadence), and the institutional portfolio at Band 5 (integrated with Evidence Register, Delegation-Authority Register, and Materiality Calibration). Methodology v2026.1.
Pillar Alignment
Pillar 8 (Sustaining, Optimization & Lifecycle) is the institutional capability that holds AI accountable through its full Lifecycle, not only through procurement and deployment. The Capability Portfolio is the Pillar-8 instrument that makes Lifecycle visible at the institutional level.
The Pillar 8 posture this Module advances: from tool inventory at the practice-group level to capability portfolio classified by Lifecycle stage, refreshed quarterly, signed by GC.
Operating Layer Impact
The Governance Layer (Layer G) is the institutional substrate; the Capability Portfolio is the substrate’s institutional inventory. The Strategy Layer (S) writes Concept-stage capabilities into the portfolio; the Execution Layer (E) advances them through Build to Deploy to Operate; the Optimisation Layer (O) drives Sunset decisions; the Measurement Layer (M) reports performance per capability against the portfolio’s stage classification.
Without the Capability Portfolio, every other Layer operates against a fragmented capability view.
Maturity Band Relevance
The Module strengthens the Sophistication and Defensibility lenses of the Maturity Stack.
From Band
To Band
Sophistication-lens shift
Defensibility-lens shift
2 — Operational
3 — Integrated
Capability count visible → capability classified by Lifecycle stage
Capability list visible → list feeds DPS Element 4
3 — Integrated
4 — Optimised
Stage classification → quarterly stage-balance review with over-extension flags
List feeds DPS → portfolio operated at quarterly cadence with audit-readiness scoring
4 — Optimised
5 — Defensible
Stage-balance review → integrated with Evidence Register and Delegation-Authority Register
Portfolio cadence → portfolio audit-attested annually
5 — Defensible
(sustaining)
Portfolio durable across capability churn; succession-of-ownership documented
Portfolio is the institutional inventory of record
Functions at Band 2 typically operate a flat capability register. Band 3+ functions operate the stage-classified register at quarterly cadence. Band 5 functions integrate the portfolio with GOV-13, GOV-14, GOV-16, and the AI Lifecycle (LIF-01 through LIF-05) Modules.
Operational Outcomes
Operating the Architecture produces five institutional artefacts:
Artefact
Purpose
DPS evidence stream
Capability Portfolio register — current stage per capability
The institutional inventory of operational AI capability
DE-2 + DE-4 (primary)
Stage-balance review summary — over-extension / stagnation flags
The strategic posture indicator
DE-4
DPS capability list by stage
Required element of the Statement at the institutional level
DE-4 (primary)
Trigger list for GOV-14 (Tier 3+ capabilities requiring Delegation-Authority entries)
The accountability gate at the portfolio level
DE-1
Sunset candidate list for Governance Cadence agenda
The Optimisation Layer input
DE-5
Records retain for the regulatory limitation period plus the lifecycle of every capability referenced.
Defensibility and Governance Considerations
The Module produces evidence for DE-2 (Methodology transparency) and DE-4 (Governance posture). The DE-4 production is canonical — the capability list classified by Lifecycle stage is a required element of the Defensibility Posture Statement at the institutional level.
All nine Risk Taxonomy 2026 classes appear at the portfolio level; the portfolio is the institutional view from which class exposure is aggregated across capabilities.
For Tier 3+ capability the portfolio entry requires:
- The Tier classification (Tier 3 Workflow operator or Tier 4 Autonomous agent)
- The linkage to the Delegation-Authority Register (GOV-14) entry
- The linkage to the Materiality Calibration (GOV-16) register
- The Evidence Register (GOV-13) cross-reference for each Risk Class row
- The Agentic Governance Charter (GOV-08) where applicable
For Sunset-stage capability:
- The decommission record with date and rationale
- The post-mortem linked from the Capability Portfolio entry
- The Evidence Register archive entry per GOV-13
- The Delegation-Authority Register archive per GOV-14
The editorial-independence attestation applies — the Module makes no vendor-specific recommendations.
Institutional Use Cases
Use case 1 — A 14-partner firm at Band 2 standing up Portfolio. The firm has 4 AI capabilities (3 vendor tools + 1 in-house workflow). Portfolio v1.0 records 4 entries: 2 in Operate (contract review, research augmentation); 1 in Deploy (eDiscovery); 1 in Concept (transcription). Stage-balance review: appropriate for the firm’s scale; no over-extension; one Concept-stage entry approaching Build gate. The portfolio is the first institutional view of the firm’s AI capability the GC has held.
Use case 2 — A 200-lawyer in-house function at Band 3 operating Portfolio. The function has 9 capabilities. Stage-balance: 6 in Operate, 1 in Deploy, 1 in Build, 1 in Sunset. The Sunset entry triggers a post-mortem at the next Governance Cadence (GOV-15) Sunset session; the post-mortem record is linked from the portfolio entry; the Evidence Register and Delegation-Authority Register archive entries are completed. The portfolio’s quarterly refresh delta is reported to the Audit Committee.
Use case 3 — A global energy GC office at Band 5 operating Portfolio across 18 capabilities. Portfolio entries integrated with GOV-13 (Evidence Register), GOV-14 (Delegation-Authority), GOV-16 (Materiality Calibration), and GOV-08 (Agentic Governance Charter for the 3 Tier-4 capabilities). Annual external attestation samples 3 portfolio entries and verifies each against the integrated artefacts. The Audit Committee reviews the portfolio refresh delta quarterly; the Board sees the portfolio annually.
Recommended Stakeholders
RACI role
Stakeholders
Owner
General Counsel
Approvers
General Counsel · AI Task Force Chair
Contributors
Legal Operations · Finance Partner
Informed
Board · CIO / CISO · Risk and Compliance
The GC signs the quarterly portfolio refresh. The AI Task Force Chair (per STR-07) operates the quarterly stage-balance review at the standing cadence. Finance Partner contributes to the resource-intensity column for each capability.
Implementation Complexity
Dimension
Specification
First run
2 hours
Quarterly refresh
30 minutes
Cross-team dependencies
IT (system list reconciliation) · Procurement (vendor list reconciliation) · Practice Groups (capability ownership)
Self-serve viability
Yes — template-driven
Advisory recommendation
Strategic Retainer for functions operating ≥5 capabilities with Tier 3+ mix
The Module is methodology-versioned (v2026.1); each entry’s last refresh date is the operating telemetry.
Inputs
Input
Source
AI system inventory (current)
IT + Procurement
Lifecycle stage per capability
Last Governance Cadence (GOV-15) review
Agentic Tier classification per capability
STR-07 + GOV-08 where applicable
Accountable owner per capability
RACI
Evidence Register status
GOV-13
Gate evidence from Build approvals and Deploy authorisations
GOV-15 stage-gate sessions
Framework — the Portfolio
Entry structure
The canonical structure is one entry per capability. Each entry holds:
Column
Content
Source
Capability name
Canonical name (not vendor product name)
Standardised
Vendor (or in-house)
The supplier or development source
IT
Tier classification
Tier 1 / 2 / 3 / 4
STR-07
Current stage
Concept / Build / Deploy / Operate / Sunset
Governance Cadence record
Next gate evidence
What is required at the next stage gate
Stage-gate template
Accountable owner
Named individual + role
RACI
Primary Risk Class
The class with highest exposure for this capability
GOV-03 + risk assessment
Last refresh
Date of the most recent portfolio entry review
Operating
Next review
Quarterly cadence date
Operating
GOV-14 cross-reference
Delegation-Authority entry ID (Tier 3+ only)
GOV-14
GOV-13 cross-reference
Evidence Register rows
GOV-13
GOV-16 cross-reference
Materiality Calibration rows
GOV-16
GOV-08 cross-reference
Agentic Governance Charter (Tier 4 only)
GOV-08
Stage taxonomy
Stage
Definition
Typical duration
Concept
Capability proposed; Concept-stage gate decision pending
2–8 weeks
Build
Capability authorised for build; Build-stage gate pending
4–16 weeks
Deploy
Capability authorised for deployment; Deploy-stage gate pending
2–8 weeks
Operate
Capability in operational use; quarterly review cadence
18 months – 5 years typical
Sunset
Capability flagged for decommission; Sunset closure pending
1–6 months
Stage-balance review
The quarterly portfolio review flags two patterns:
Pattern
Definition
Action
Over-extension
More capabilities in Build + Deploy than the function’s operational capacity to bring through to Operate
Pause Concept-stage gate decisions until backlog clears
Stagnation
Capabilities in Concept or Build > 6 months without gate decision
Force a Concept / Build gate decision at next Cadence
Excessive Operate-stage age
Capability in Operate > 5 years without Sunset review
Trigger Sunset review at next Cadence
Tier-mix imbalance
Tier 4 capability count > Tier 3 count without proportionate Agentic Governance
Trigger AI Task Force review of Agentic posture
Quarterly refresh discipline
Activity
Output
Per-entry stage validation
Stage advanced since last quarter? Stage gate decision recorded?
Per-entry accountable-owner validation
Owner in role? Transition documented?
New-capability entries added (Concept stage)
New entries with Concept-stage gate scheduled
Stage-advanced entries updated
Stage moved; gate evidence recorded; next gate listed
Sunset entries closed
Decommission record completed; cross-references archived
Stage-balance summary compiled
Over-extension / stagnation / age flags for Cadence agenda
Portfolio published to AI Task Force + Audit Committee
Quarterly summary distribution
Worked Example
A 200-lawyer in-house function at Band 3 stands up the portfolio in the canonical 2-hour first run.
Activity
Output
Step 1 — IT + Procurement reconcile system list against the AI BoM
Reconciled inventory: 9 capabilities
Step 2 — Per-capability entry: name, vendor, Tier, current stage, accountable owner
9 portfolio entries v0.1
Step 3 — Per-capability Risk Class assessment; primary Risk Class column populated
Risk Class per entry
Step 4 — Cross-references populated (GOV-13, GOV-14, GOV-16 for Tier 3+ entries)
Integrated portfolio v1.0
Step 5 — Stage-balance review at first Governance Cadence: 6 Operate, 1 Deploy, 1 Build, 1 Concept, 0 Sunset
Stage-balance summary v1.0
Step 6 — Portfolio signed by GC; distributed to AI Task Force and Audit Committee
Portfolio v1.0 ratified
Quarterly refresh at quarter +1: 7 Operate (Deploy capability moved through Deploy gate); 1 Build (Concept entry passed Concept gate); 1 Sunset (one Operate capability flagged for decommission after 4 years). Stage-balance: appropriate; one Sunset to close at next quarter.
Common Failure Modes
Failure mode
Detection signal
Recovery
Capability deployed without portfolio entry
AI BoM has system n+1; portfolio has n entries
Bind portfolio update to AI BoM cadence
Stage classification stale
Entry shows “Build” but capability has been operational for two quarters
Bind stage advancement to GOV-15 stage-gate session
Accountable owner named but not in role
Role turnover loses owner trace
Bind portfolio updates to HR change-notice cadence
Cross-references absent for Tier 3+ entries
Entry shows Tier 3+ but no GOV-14 / GOV-16 cross-ref
Treat as deployment block until populated
Stage-balance review skipped
Quarterly refresh logged but no balance summary produced
Standing Cadence agenda item; produce or document non-production
Sunset entries lingering
Capability flagged Sunset > 6 months ago; no closure
Bind to next Sunset session per GOV-15
Portfolio not published to Audit Committee
Quarterly refresh complete; no distribution
Standing distribution list; quarterly publication verified
Tier-mix imbalance unaddressed
Tier 4 count grows without Agentic Governance proportionate response
Trigger AI Task Force review at next quarterly
Edge Cases
The Module does not apply when:
- The function operates no AI capability — no portfolio to maintain; the portfolio activates with the first capability
- The function operates under a parent organisation’s enterprise-wide capability portfolio — the Module produces sub-entries that roll up to the parent’s portfolio
- The function is at Band 1 — establish GOV-01 + STR-07 first; the portfolio activates at Band 2
- The function operates a federated structure with sub-portfolios per entity — the Module operates at the entity level with a federated quarterly roll-up
- The function uses a vendor-provided portfolio register that does not honour the five-stage Lifecycle — adapt the vendor register to the canonical structure or maintain the portfolio in parallel until the vendor catches up