AI Workflows · Policy document workflow · Updated June 2026

Your Law Firm's One-Page AI Policy

Your associates and paralegals are already using AI. The only open question is whether your firm has written down how. A one-page policy partners can adopt at a Monday meeting closes the gap, satisfies the supervision rules, and gives you something to point to when a bar complaint or a sanctions motion comes asking who was minding the tool.

The short version: A law firm AI policy does not need to be a forty-page treatise. It needs to be one page that does five things: name what AI may and may not be used for, hard-wire the confidentiality carve-out so privileged and client material never touches an unapproved model, make verification of any AI output a non-negotiable step, set the client-disclosure trigger, and assign supervision so a named partner owns it. Those five moves map directly onto the duties you already owe under the ABA Model Rules: competence (1.1), confidentiality (1.6), candor (3.3), and the supervision of lawyers and nonlawyers (5.1 and 5.3). Below is the rule-by-rule breakdown and a fill-in-the-blanks one-pager your partners can adopt this week. This is not legal advice; confirm against your own jurisdiction's rules and your firm's policies.

Key takeaways

  • One page beats no page. The supervisory duties in Rules 5.1 and 5.3 do not wait for a perfect policy. A clear one-pager that names approved uses, the confidentiality line, and a responsible partner is worth more than a polished document that never gets adopted.
  • Confidentiality is the carve-out, not a footnote. Rule 1.6 means client confidential and privileged material may only go into an approved enterprise deployment that does not train on your inputs, or it does not go in at all. The policy must make this a bright line, not a suggestion.
  • Verification is the rule that survives bar review. Every AI output that informs advice, a filing, or a document gets checked against the source by a lawyer before it leaves the firm. The California Bar's 2026 proposed rule and recent court sanctions both point to the same thing: unverified AI output is the firm's exposure.
  • Supervision must be named. A policy with no owner is not a policy. Assign one partner to approve tools, field questions, and review compliance, which is exactly what 5.1 and 5.3 ask of the firm.

The professional's real problem

The use is already happening. Walk through any firm in mid-2026 and you will find associates drafting first-pass research memos with AI, paralegals using it to summarize deposition transcripts, and partners quietly asking it to tighten a brief at eleven at night. None of that is wrong on its face. The problem is that almost none of it is governed. There is no written line on what may go into a model, no required verification step, no one whose job it is to say yes or no to a new tool, and no record that the firm ever thought about any of it. When something goes sideways, and it will, the firm has nothing to point to except a shrug.

That is a supervision problem, and the Rules of Professional Conduct treat it as one. Rule 5.1 makes partners and managing lawyers responsible for ensuring the firm has measures giving reasonable assurance that all lawyers conform to the rules. Rule 5.3 extends the same duty to nonlawyer assistance, which now plainly includes AI tools used by paralegals and staff. You do not get to be surprised that your paralegal pasted a privileged settlement agreement into a consumer chatbot if you never told anyone not to. The policy is how you discharge the duty before the incident, not how you explain it after.

The good news is that the document does not have to be heavy to be effective. A law firm AI policy that fits on one page, that a partner can read aloud at a Monday meeting and the firm can adopt by a show of hands, does more real work than a thirty-page governance manual sitting unread on the intranet. The aim is not comprehensiveness. The aim is a clear, defensible standard everyone actually knows.

A one-page AI policy is not about restricting your lawyers. It is about being able to show, on the day someone asks, that the firm decided how the tool would be used before anyone used it.

The generic one-pager versus the law-firm version

If you have read our profession-agnostic guide to putting an AI policy on one page, you have the right frame: short, plain, adoptable. This piece is the law-firm-specific companion to that one. The boundary matters. A general business AI policy worries about brand voice, data leakage, and accuracy. A law firm policy carries all of that and then a second layer the generic version does not touch: the Rules of Professional Conduct. Privilege is not just sensitive data, it is a duty. Verification is not just quality control, it is candor to the tribunal. Disclosure to a client is not optional courtesy, it can be a competence and communication obligation. So start from the generic frame, then add the rule layer below. That layer is what makes this a law firm policy rather than a company memo with a gavel on it.

What a law-firm AI policy must cover

Five sections do the load-bearing work. Each one exists to satisfy a specific professional duty, which is what separates this from a generic acceptable-use memo. Read the table as the spine of the one-pager that follows.

The five sections every law-firm AI policy needs

| Section | What it says | Which rule it satisfies |
|---|---|---|
| Approved uses and tools | Names which AI tools are approved, for which tasks, and which uses are prohibited. Lists the firm's approved enterprise deployment by name. | Competence (1.1) and supervision (5.1, 5.3): the firm has decided, in advance, what good use looks like. |
| Confidentiality carve-out | States the bright line: no client confidential or privileged material in any tool except the approved deployment that does not train on inputs. Redact or abstain otherwise. | Confidentiality (1.6): protects information relating to the representation. |
| Verification of record | Requires a lawyer to verify every AI output against the source before it informs advice, a filing, or a client document. No citation, fact, or clause goes out unchecked. | Competence (1.1) and candor (3.3): the duty to be right and not to mislead a tribunal stays with the lawyer. |
| Client disclosure trigger | Defines when and how the firm tells a client AI was used, and respects any client or matter that requires consent or prohibits it. | Communication and competence (1.1, 1.4): the client's informed expectations about how their matter is handled. |
| Supervision and ownership | Names the partner responsible for the policy, tool approval, training, and review, and the channel for questions. | Supervision (5.1, 5.3): a named human owns reasonable assurance of compliance. |

Notice that none of these is exotic. Each one is a duty your firm already owes; the policy simply writes down how AI changes the way you meet it. That is why a one-pager is enough. You are not inventing new obligations, you are extending old ones to a new tool.

The rule layer, in plain language

Before the template, it is worth seeing exactly how the Model Rules attach, because that is what a reviewing bar will look at if it ever comes to it.

Supervision: Rules 5.1 and 5.3

These are the rules that make the policy mandatory rather than nice to have. Rule 5.1 puts the duty on partners and lawyers with managerial authority to put measures in place giving reasonable assurance that everyone conforms to the rules. Rule 5.3 carries the identical duty over to nonlawyer assistance, and an AI tool a paralegal uses is squarely nonlawyer assistance. A written policy with a named owner is the cleanest way to show you took that duty seriously.

Confidentiality: Rule 1.6

Rule 1.6 protects information relating to the representation, and the comments have long required reasonable efforts to prevent unauthorized disclosure. Pasting a client's confidential or privileged material into a tool whose terms let the vendor use your inputs to train models is exactly the unauthorized disclosure the rule is built to prevent. The carve-out in the policy is how you keep the firm on the right side of it. For the full set of deployment questions to settle before any matter touches a model, our confidentiality guide for attorneys is the deep dive.

Competence and candor: Rules 1.1 and 3.3

Rule 1.1 and its technology comment require competence with the tools you use, and the duty to be right does not bend because a model sounded confident. Rule 3.3 forbids making false statements to a tribunal, which is the rule that fabricated AI citations violate. The verification step in the policy is the operational answer to both. For the individual lawyer's side of competence, our AI competence duty checklist for lawyers turns the duty into a personal habit that sits underneath the firm policy.

The context: the CA Bar verify rule and recent sanctions

None of this is abstract. The California State Bar moved through 2026, with its Committee on Professional Responsibility and Conduct (COPRAC) advancing proposed guidance and rule amendments that center on verifying AI output before it reaches a client or a court. In parallel, federal courts have continued to sanction lawyers who filed briefs with fabricated, AI-generated citations they never checked, including candor sanctions at the appellate level. Both currents point at the same control: verification of record, owned by a human. The firms writing it into a policy now are the ones who will not be explaining themselves later. We track the regulatory side as it moves on our AI regulation news hub.

The fill-in-the-blanks one-page AI policy

Copy this onto firm letterhead, fill the bracketed fields, and adopt it at your next partners' meeting. Eight short sections, one page. Edit to your jurisdiction and practice; this is a starting skeleton, not legal advice.

1. Purpose

This policy governs the use of artificial intelligence tools at [Firm Name] so that our use of AI is consistent with our duties of competence, confidentiality, candor, and supervision under the [State] Rules of Professional Conduct.

2. Approved tools and uses

The only AI tool approved for client- or matter-related work is [approved enterprise deployment]. Approved uses include [e.g. first-draft research memos, document summarization, clause comparison, plain-language explanations]. AI may not be used to [e.g. make final legal judgments, generate citations relied on without verification, communicate directly with clients or courts].

3. Confidentiality carve-out

No client confidential or privileged information may be entered into any AI tool other than [approved deployment], which contractually does not train on our inputs. For any other tool, staff must redact all client-identifying and sensitive information, or not use AI at all. When in doubt, the material stays out.

4. Verification of record

A licensed lawyer must verify every AI output against the underlying source before it is used in advice, a filing, or a client document. No citation, quotation, fact, or contract clause produced by AI may be relied upon unverified. The verifying lawyer owns the result.

5. Client disclosure

The firm will disclose its use of AI to a client when [trigger, e.g. the engagement letter requires it, the client requests it, or the use is material to the representation]. Where a client or matter prohibits or conditions AI use, that instruction controls.

6. Supervision and responsible partner

The partner responsible for this policy is [Name]. They approve tools, answer questions, oversee training, and review compliance, satisfying the firm's duties under Rules 5.1 and 5.3. Questions go to [channel].

7. Training and acknowledgment

All lawyers and staff must complete [training] before using AI on client work and acknowledge this policy annually.

8. Review and effective date

This policy is effective [date] and will be reviewed at least [every 6 / 12 months] as tools and rules evolve. Adopted by [Firm Name] on [date].

How to adopt it, step by step

The document is the easy part. Getting it adopted and lived is the work. Here is the short path from blank page to a policy your firm actually follows.

  1. Pick the responsible partner first. Before you write a word, decide who owns this. A policy without a named owner fails the supervision test on day one. This person does not need to be the most technical partner, just the one who will actually field the questions.
  2. Choose and name the approved deployment. Settle which enterprise AI tool the firm sanctions, confirm in writing that it does not train on your inputs and meets your security requirements, then name it in the policy. Everything in section 2 and section 3 depends on this being decided, not assumed.
  3. Fill the bracketed fields with the partner. Walk the eight sections, fill each blank to your practice and jurisdiction, and resolve the disclosure trigger deliberately rather than leaving it vague. This is the half hour that turns a template into your policy.
  4. Adopt it at a partners' meeting. Read it aloud, take questions, adopt it by vote, and record the date. The record that the firm decided this, together, on a date, is itself part of the supervision defense.
  5. Train and collect acknowledgments. Brief everyone who touches client work, give a short demonstration of the approved tool and the verification step, and collect signed or recorded acknowledgments. Now the policy is a practice, not a PDF.
  6. Calendar the review. Set a recurring date to revisit the tool list and the rule landscape. Tools and bar guidance both move fast in 2026, and a policy that names a tool that no longer exists undermines the whole exercise.

Surviving the bar complaint: confidentiality and supervision

This is the part of the policy that earns its place the day something goes wrong, and the part a thin acceptable-use memo skips.

The confidentiality breach is the one that ends careers

The fastest route from helpful AI tool to bar complaint is a privileged document pasted into a consumer model whose terms let the vendor train on it. That is an unauthorized disclosure of information relating to the representation, full stop. The carve-out in section 3 exists so that on the day a client asks where their settlement terms went, the firm can show a written bright line that everyone was trained on. An approved enterprise deployment that contractually commits not to train on your inputs is the safe lane; everything else gets redacted or stays out.

Supervision is what a regulator looks for

When a bar examines an AI incident, the question is rarely whether a tool made a mistake. It is whether the firm had reasonable measures in place and a responsible person overseeing them. A one-page policy with a named partner, an approved tool, a verification rule, and a record of adoption is precisely the reasonable assurance that Rules 5.1 and 5.3 ask for. The firms that get hurt are the ones who had nothing written and no one in charge.

Verify, or the candor problem finds you

The fabricated-citation sanctions making headlines all share one root cause: an AI output that went to a court without a human checking it against the source. Section 4 is the firewall. It is also the single line of the policy most likely to be tested, so make it unambiguous and make a named lawyer own each verification.

How we built this policy

This one-pager and the rule mapping reflect hands-on use of leading general-purpose AI tools in real legal workflows and a plain reading of the ABA Model Rules of Professional Conduct as they stood in June 2026, cross-referenced with the California State Bar's COPRAC activity on AI guidance and the line of court decisions sanctioning unverified AI citations. The Leveraged Years does not publish invented statistics, survey data we did not run, or client results we do not have. The template is a practitioner starting point, not a product and not a compliance certification. The Model Rules are a model; your jurisdiction's adopted rules and your firm's policies control. AI tools and bar guidance both change quickly, so we date this guide and refresh it. None of this is legal advice, and none of it changes your professional duties. Confirm any approach against your jurisdiction's rules and your firm's counsel before adopting it on live matters.

What this means for your Monday meeting

You do not need a committee, a vendor, or a quarter to govern AI at your firm. You need one page that says what AI may be used for, draws the confidentiality line, requires verification, sets the disclosure trigger, and names the partner who owns it. Fill the brackets, read it aloud, adopt it, and train everyone who touches client work. That is the difference between a firm that decided how the tool would be used and one that will be explaining, after the fact, why nobody did. The rule layer is not a burden bolted on; it is the same competence, confidentiality, candor, and supervision you already practice, written down for a new tool. This policy is one room in the larger map of how law firms run on AI.

That is the whole premise of how we train senior lawyers to work with AI: not faster, looser work, but the same standard of practice reached with far less of the toil, with the guardrails built in. The Leveraged Attorney course installs this policy, the verification discipline, and the rest of the system as habits a partner can defend.


Frequently asked questions

Does a small law firm really need a written AI policy?

Yes, and the size of the firm does not change the duty. Rules 5.1 and 5.3 put supervisory obligations on partners and managing lawyers regardless of headcount, and those duties now plainly reach AI tools used by lawyers and staff. A solo or small firm needs the policy as much as a large one, arguably more, because there is no compliance department to catch the gap. The advantage of the one-page format is that a small firm can actually adopt it. You do not need a governance program; you need one page, a named owner, and a verification rule everyone follows.

What is the most important section of a law firm AI policy?

Two compete for first place: the confidentiality carve-out and the verification rule. The carve-out, keeping client confidential and privileged material out of any tool except an approved deployment that does not train on inputs, prevents the breach that most directly threatens a license under Rule 1.6. The verification rule, requiring a lawyer to check every AI output against the source, prevents the fabricated-citation candor problem under Rules 1.1 and 3.3. If you only get two sentences right in the whole document, make them those. The supervision and ownership section is what makes the other two enforceable.

Do I have to tell clients my firm uses AI?

It depends on the matter and your jurisdiction, which is why the policy sets a disclosure trigger rather than a blanket rule. Disclosure can be required or advisable when your engagement terms call for it, when the client asks, when a court or matter conditions or prohibits AI use, or when the use is material enough to the representation that a reasonable client would want to know. Many firms address it in the engagement letter so expectations are set up front. The safe posture is to decide the trigger deliberately in the policy and to honor any client instruction that conditions or forbids AI use on their matter.

How does this differ from a generic company AI policy?

A generic business AI policy covers acceptable use, data security, and accuracy, which a law firm needs too. The law-firm version adds a second layer the generic one does not have: the Rules of Professional Conduct. Confidentiality is a duty, not just data hygiene; verification is candor to a tribunal, not just quality control; client disclosure can be a communication and competence obligation. Our generic one-page AI policy guide is the right starting frame, and this page is the law-firm-specific instrument that layers the bar rules and a partner-owned supervision structure on top of it.

What happens if a lawyer at my firm breaks the policy?

The policy itself should say, and most firms tie violations to existing professional conduct and personnel processes rather than inventing a new regime. The more important point is preventive: a policy with a named responsible partner, mandatory training, and annual acknowledgments demonstrates the reasonable supervision that Rules 5.1 and 5.3 require, which protects the firm even if an individual lawyer errs. The goal is not to punish, it is to be able to show a regulator that the firm put real measures in place and a real person in charge before anything went wrong.

Adopt the policy, then build the practice

A one-page policy is the start. Making it lived, with the verification habit, the confidentiality reflex, and the supervision structure actually working, is the skill that protects the firm. We teach the policy, the prompts, the verification discipline, and the guardrails as one repeatable system a senior lawyer can defend to a partner, a client, and a bar.


Sources: ABA Model Rules of Professional Conduct on competence (1.1), communication (1.4), confidentiality (1.6), candor toward the tribunal (3.3), and responsibilities of partners, managers, and supervisory lawyers and nonlawyer assistance (5.1, 5.3); California State Bar Committee on Professional Responsibility and Conduct (COPRAC) guidance and proposed rule amendments on AI, 2026; Anthropic Claude enterprise and commercial data usage policies (Anthropic, 2026); TLY hands-on use of leading general-purpose AI tools in legal workflows containing no real client confidential information (June 2026). Rules, bar guidance, and vendor policies as published as of June 2026 and subject to change. The Model Rules are a model; your jurisdiction's adopted rules control. This guide is not legal advice.