
May 19, 2026

A one-page AI usage policy framework for disputes practices. Five questions, one afternoon. Covers ABA, CCBE, and SRA requirements for AI for law firms.

Building Your AI Usage Policy: A One-Page Framework for AI for Law Firms

Part 4 of The Practitioner's Guide to AI in Disputes (10-post series).


Most disputes practices fall into one of two categories. They have no AI policy at all. Or they have a 40-page document that compliance drafted and nobody reads. Neither works. A usable AI policy for a law firm fits on one page. It answers five questions: who can use AI, on what matters, with what tools, under what review process, and who owns the policy. This post provides that framework. You can draft it this afternoon and circulate it by Friday.

Three takeaways before the detail. First, the regulators have already spoken. ABA Formal Opinion 512, the CCBE guide, and the SRA toolkit all say your existing professional duties apply to AI. No new law is required. Second, the biggest risk is not AI itself. It is the absence of agreed rules. That creates inconsistent exposure across your practice. Third, a policy that nobody follows is worse than no policy. Brevity is a design choice, not a compromise.


Why Most AI Policies at Law Firms Fail Before They Start

Three failure modes appear repeatedly.

The committee problem. A managing partner asks for an AI policy. A working group forms. It includes IT, compliance, risk, a partner from each practice group, and someone from HR. The group meets monthly. Scope expands. Six months later, no policy exists. The tools keep getting used without one.

The compliance-first trap. Compliance produces a 40-page document covering every conceivable risk. It reads like a regulatory filing. The document sits in a shared drive. Lawyers do not consult it before using legal AI tools. It does not answer the practical question at 11 pm on a Sunday: can I upload this document bundle to summarize it, or not?

The no-policy risk. Individual lawyers use whatever tools they find useful. One associate pastes privileged correspondence into a consumer AI chatbot. Another uses a firm-approved tool correctly. A third avoids AI entirely out of caution. The practice has three different risk profiles on the same corridor. Nearly half of legal professionals report lacking confidence in their firm's AI governance (Actionstep / PRNewsWire, 2025).

The common thread: these failures treat the policy as a compliance artifact. It is not. A policy is an operating agreement. It sits between the partners who use AI and the partners who are accountable for client work.


What the Regulators Actually Require from AI for Law Firms

The good news: regulators are broadly aligned. The obligations are not new. They are existing professional duties applied to a new category of tools.

ABA Formal Opinion 512 (July 2024) maps six Model Rules to generative AI use. Competence requires lawyers to understand the capabilities and limitations of the tools they use. Confidentiality requires evaluating whether client information is disclosed to third parties. Communication requires discussing AI use with clients when it affects their matter. Candor to the tribunal requires independent verification of AI-generated citations and facts. Supervision requires that managerial lawyers establish clear policies. Fees must remain reasonable, accounting for AI efficiencies (Debevoise Data Blog; UNC Law Library, 2025).

CCBE Guide on Generative AI for Lawyers (October 2025) echoes the same principles from a European perspective. Lawyers must understand the tools. Client data must not enter unsecured models. Human oversight must remain central. Professional independence from technology providers must be maintained. The guide specifically warns against unverified reliance on AI outputs, highlighting the fabrication risk (CCBE Guide).

SRA (UK) has not created AI-specific regulations. The SRA's position is that the existing Code of Conduct applies. Solicitors must maintain competence in the technology they use. Client confidentiality applies regardless of the tool. Quality control of AI output is the solicitor's responsibility. Firms should conduct due diligence on AI vendors and review their professional indemnity insurance (SRA LawTech Insight; Legal Futures).

The Law Society (England and Wales) has published guidance on AI risks in legal practice. It emphasizes careful fact-checking. It warns of serious consequences for submitting AI-fabricated content to courts (Global Legal Insights).

The pattern across all four bodies: existing duties of competence, confidentiality, supervision, and candor apply. Your policy does not need to invent obligations. It needs to make existing obligations actionable for legal AI tools.


The Five Questions Your AI Usage Policy Must Answer

Structure your policy around these five questions. Each one gets a section. Keep each section to two or three sentences. If a section runs longer than a paragraph, you are putting something into the policy that belongs elsewhere.

1. Who is authorized to use legal AI tools?

Options range from "all lawyers" to "only named individuals under supervision." The right answer depends on your firm's risk tolerance and the maturity of your team's AI literacy. A common starting point for disputes practices: all qualified lawyers may use approved tools. Trainees and paralegals may use approved tools under a qualified lawyer's supervision.

State the rule. Name the exceptions. Do not leave ambiguity. If your policy does not answer "can I use this tool right now?" it will not be consulted.

2. On what matters?

This question has two layers. First: are there matter types where AI use is restricted? Some firms restrict AI on matters with heightened confidentiality or where engagement letters prohibit third-party processing. Second: does client consent apply? ABA Opinion 512 indicates that lawyers may need to discuss AI use with clients. This applies particularly where it affects how information is processed. The CCBE and SRA take similar positions.

A practical default: AI may be used on all matters unless the engagement letter or client instructions restrict it. Where a tool processes client data through a third-party system, the supervising lawyer must confirm that client consent covers that processing.

3. With what tools?

Maintain a short, approved list. Distinguish between firm-approved legal AI software (evaluated for security, data handling, and professional compliance) and personal accounts on consumer AI platforms. The policy should be explicit: consumer-grade tools that have not been evaluated by the firm are not approved for client work.

Who approves new tools? Name the role or committee. Set a timeline for evaluation. Without a clear approval path, lawyers will use unapproved tools rather than wait.

Post 5 of this series covers vendor evaluation criteria in detail. Your policy does not need to duplicate that analysis. It needs to reference it.

4. Under what review process?

This is the question the regulators care most about. The minimum standard across ABA, CCBE, and SRA guidance: no AI output reaches a client, tribunal, or opposing party without human review by a qualified lawyer. State this rule plainly.

For disputes practices, add a specific provision. All AI-generated legal citations and factual assertions must be independently verified before inclusion in any filing, submission, or tribunal document. The duty of candor is absolute. AI hallucinations in court filings have already triggered sanctions proceedings (ACEDS, 2024).

Post 7 of this series expands the review process into a full supervision protocol. Your policy states the principle. Post 7 provides the checklist.

5. Who owns the policy?

Name a person, not a committee. The policy owner is responsible for three things: maintaining the approved tools list, conducting periodic reviews, and fielding questions from practitioners. A named individual creates accountability. A committee creates diffusion.

Set a review cadence. Quarterly is realistic given the pace of change. Every review should ask three questions. Are the approved tools still appropriate? Has any regulatory guidance changed? Are practitioners actually following the policy?


What Stays Out of a One-Page AI Policy

A one-page policy stays one page by excluding what belongs elsewhere. Three categories are deliberately excluded.

Data handling specifics. Where data is stored, whether tools train on client inputs, retention periods, deletion rights, GDPR processor agreements. These questions are critical. They are also vendor-specific and regulation-specific. They deserve their own treatment. Post 10 of this series covers data handling in full, including data residency, training opt-out, retention, and deletion. Do not duplicate that content here.

Vendor evaluation criteria. How to assess whether legal AI software is accurate enough, secure enough, and supported enough for your practice. This is procurement work, not policy work. Post 5 covers what to demand from a vendor and how to read the answers.

Detailed supervision protocols. The specific review checklist, escalation paths, and training requirements for lawyers reviewing AI output. The policy states the principle: human review is mandatory. The supervision protocol operationalizes it. Post 7 provides the detailed protocol.

Keeping these out is not a shortcut. It is a design decision. Every page you add reduces the probability that anyone reads the policy.


Three Things to Do This Week

1. Draft the one-page policy. Use the five-question framework above. Write one section per question, two or three sentences each. Adapt the language to your firm's conventions. It should take less than an hour.

2. Circulate to two or three partners. Start with the partners whose matters would be affected first. Do not send it firm-wide before you have buy-in from the people who will need to follow it. Their feedback improves the policy. Their involvement improves adoption.

3. Set a 90-day review date. Put it in the calendar. The first version will not be perfect. It does not need to be. It needs to exist, be read, and be revisited. Ninety days gives you enough data to know what works and what needs adjustment.


If You Read Nothing Else

A usable AI policy answers five questions on one page. Who is authorized. On what matters. With what tools. Under what review process. Who owns the policy. The regulators (ABA, CCBE, SRA, Law Society) are aligned: existing duties of competence, confidentiality, supervision, and candor apply to AI tools. No new legal framework is needed. The biggest governance risk is not AI itself but the absence of agreed rules, which creates inconsistent risk exposure across a practice. Keep the policy short enough that people read it. Keep the review cycle short enough that it stays current. Draft it this afternoon. Circulate it by Friday.


Next in the series: Post 5, "What to Demand from a Legal AI Vendor". It covers the five questions that separate serious tools from hype and how to run a structured pilot on your own data.

Previous: Post 3, "Choosing the Right First Use Case"




Sources

  1. Actionstep / PRNewsWire (2025), "78% of midsize law firms expect AI to drive demands for lower fees and faster results; nearly half aren't ready to govern it." https://www.prnewswire.com/news-releases/actionstep-report-78-of-midsize-law-firms-expect-ai-to-drive-demands-for-lower-fees-and-faster-results-nearly-half-arent-ready-to-govern-it-302774756.html

  2. Debevoise Data Blog (2024), "Guidelines on the Use of Generative AI Tools by Professionals from the American Bar Association." https://www.debevoisedatablog.com/2024/08/05/guidelines-on-the-use-of-generative-ai-tools-by-professionals-from-the-american-bar-association/

  3. UNC Law Library (2025), "ABA Formal Opinion 512: The Paradigm for Generative AI in Legal Practice." https://library.law.unc.edu/2025/02/aba-formal-opinion-512-the-paradigm-for-generative-ai-in-legal-practice/

  4. CCBE (2025), "CCBE Guide on the Use of Generative AI for Lawyers." https://www.ccbe.eu/fileadmin/speciality_distribution/public/documents/IT_LAW/ITL_Guides_recommendations/EN_ITL_20251002_CCBE-guide-on-the-use-of-the-use-of-generative-AI-for-lawyers.pdf

  5. SRA LawTech Insight (September 2025), Feature Article on AI in legal services. https://publications.sra.org.uk/lawtech-insight-september-2025/feature-article?blaid=7939978

  6. Legal Futures, "AI and the solicitor's duty of competence: time for SRA guidance." https://www.legalfutures.co.uk/blog/ai-and-the-solicitors-duty-of-competence-time-for-sra-guidance

  7. Global Legal Insights, "Law Society issues guidance on legal AI risks." https://www.globallegalinsights.com/news/law-society-issues-guidance-on-legal-ai-risks/

  8. ACEDS (2024), "Generative AI in law: understanding the latest professional guidelines." https://aceds.org/generative-ai-in-law-understanding-the-latest-professional-guidelines-aceds-blog/