Law Firm AI Policy Template: What to Include in 2026

A good AI policy for a UK law firm is short, specific, and mapped to the rules you're actually judged against. Here's the section-by-section template — what each part must say, and the one thing a policy can never do on its own.

By Daman Kaur

You've been asked to "sort out an AI policy" for the firm. So you searched, found a generic template written for a US tech company, swapped in your firm's name, and now there's a four-page document nobody will read that maps to none of the rules you're actually regulated under. That's the usual outcome, and it's worse than useless — because it creates the appearance of governance without any of the substance.

A law firm's AI policy is a specific thing. It has a defined audience (your fee-earners and staff), a defined purpose (safe, compliant AI use), and a defined reader who might one day ask to see it (the SRA, a PI insurer, a client). This is the template that accounts for all three — section by section, with what each part needs to say.

One caveat up front, because it's the whole game: a policy is necessary and nowhere near sufficient. Hold that thought; it's the last section.

What a law-firm AI policy is actually for

Most AI policies fail because they're written to look responsible rather than to be used. The test of a good one is simple: could a fee-earner read it in five minutes and know exactly what they can and can't do, and could you hand it to the SRA as evidence you'd set clear expectations?

That framing rules a lot in and out. In: concrete rules about tools, data, and verification. Out: paragraphs about "harnessing the transformative potential of artificial intelligence." The SRA's guidance on AI and technology doesn't ask for aspiration — it expects governance, systems and controls, and it puts responsibility for them on the COLP.

Practical rule: Write the policy for the fee-earner who's in a hurry at 5pm, not for the shelf. If it doesn't change what someone does before they paste a document into a chatbot, it isn't a control — it's decoration.

The template, section by section

Here's the structure. Each section below is a heading in the policy itself, with a note on what it must contain. Keep the whole thing to two or three pages.

1. Scope and purpose

State who it applies to (everyone — partners included, since seniority is where enforcement quietly fails) and what it covers (all generative-AI and AI-assisted tools used for firm or client work, whether firm-provided or personal). One short paragraph.

2. Approved tools (and the ban on everything else)

The single most important section. List the specific AI tools the firm has approved, and state clearly that no other tool may be used for client or confidential work. This is what converts "be careful" into an enforceable line. Name the owner who maintains the list, and record what "approved" means for each tool: which account or tier was approved, where data is processed, whether inputs are used for training, and how long they are retained. A list that says only "ChatGPT" is not a control, because a personal free account and a firm enterprise account are different tools for confidentiality purposes.

3. Confidential and personal data

The hard rule: no confidential client data or personal data goes into any tool that isn't on the approved list, and into approved tools only within the conditions under which they were approved. This maps to SRA Code of Conduct paragraph 6.3 (confidentiality) and to UK GDPR, which the ICO's AI guidance frames around security and data minimisation. Spell out what "confidential" includes (client identities, matter facts, documents received in confidence, anything privileged) so nobody has to guess, and say what to do with a document that needs to be used anyway: redact, anonymise, or use an approved tool.

4. Verification of AI output

State that AI-generated legal content — especially citations and factual claims — must be checked against primary sources before it's relied on or leaves the firm. This isn't optional caution: a Divisional Court has held lawyers have a professional duty to verify AI research against authoritative sources. Name the standard ("every cited authority confirmed in a real database").

5. Human oversight and supervision

Require a named, competent human to review AI-assisted output before use, and tie AI use to existing supervision and competence duties (SRA Code paragraphs 4.3–4.4). Make clear that using AI never transfers responsibility for the work away from the fee-earner.

6. Disclosure and record-keeping

State when AI use should be recorded or disclosed, and what record is kept: which tool, what it was used for, what was checked and against which source, and who signed off. Say where the record lives (on the matter file, not in a chat history that expires) so it can be produced later. This is the section that makes the policy provable rather than merely stated, and it's where most templates are silent.

7. Roles and accountability

Name the COLP as accountable for the policy and for AI compliance overall, name tool owners, and state the reporting line for concerns or incidents. One short paragraph.

8. Training and review

Commit to training staff to use approved tools competently (this also helps satisfy the EU AI Act's Article 4 literacy duty if the firm has EU exposure), and set a review date. A policy with no review date is a policy that's already going stale.

Policy section | Maps to | The failure it prevents
Approved tools | The SRA's governance, systems and controls expectation | Shadow AI use nobody can see
Confidential data | SRA paragraph 6.3 and UK GDPR | Client data leaking into public tools
Verification | The duty not to mislead the court | Fabricated citations reaching a filing
Oversight | SRA paragraphs 4.3–4.4 | Unchecked output from junior staff
Record-keeping | The SRA record-keeping duty | No evidence that controls operated

Where a policy stops — and governance begins

Now the caveat from the top. Everything above is worth doing, and a firm with this policy is in far better shape than one with a generic download or nothing at all. But a policy states what should happen. It does not make it happen, and it does not prove it happened.

The SRA's December 2025 thematic review found only one compliance officer in thirty-six could fully describe their obligations — and Thomson Reuters found only 22% of organisations have a visible AI strategy. The gap between firms isn't who has a policy document. It's who can show, on a specific matter, that the policy's controls actually operated.

That's the difference between a policy and governance, and it's big enough that we gave it its own article. A policy is the promise; the governance framework is the machine that keeps it and records the keeping.

Working advice: Adopt the policy this week — it's the fastest thing on the list. Then treat it as step one of a governance framework, not the finish line. The policy sets the rules; your controls and records are what you'll actually be asked for.

FAQ

Does a UK law firm need an AI policy? Effectively yes. The SRA expects firms to have governance, systems and controls around AI use, and a written policy is the baseline component. It won't satisfy the SRA on its own, but its absence is hard to defend.

What should a law firm AI policy include? Scope, an approved-tools list with a ban on others for client work, a hard rule on confidential and personal data, mandatory verification of AI output, human oversight, record-keeping, named accountability, and training with a review date.

Is a free AI policy template enough? A generic template gives you structure but rarely maps to the SRA Code or UK GDPR, and it can create false confidence. Adapt one to your firm and your actual tools — and pair it with controls that produce evidence.

Who is responsible for the AI policy in a law firm? Typically the COLP, since the SRA places responsibility for new-technology compliance there. Individual tool owners and fee-earners have roles under it too.

Does an AI policy satisfy the EU AI Act? No single document does. But a policy that includes staff training supports the EU AI Act's Article 4 AI-literacy duty, which is already in force for firms with EU exposure — see our EU AI Act guide.


Want the editable template plus the controls that make it provable? LegalAI Space pairs a firm AI policy with a governance layer that verifies AI output and records every step. Book a 30-minute call with Daman to get the template and see the rest.