AI Policy vs AI Governance: Why Your Two-Page Policy Won't Survive an SRA Inspection

A policy is a promise; governance is the evidence — and the SRA asks for evidence. Here's the difference, the six things a policy can't prove, where the major legal-AI tools actually sit on the trust spectrum, and the ten questions to ask any vendor before you buy.

By Daman Kaur

A policy is a promise. Governance is the evidence. The SRA asks for evidence.

That one distinction is why so many firms that feel "covered" on AI are not. They have written a policy, circulated it, and ticked a box. But when a regulator, an insurer, or a court asks what actually happened on a specific matter, a policy cannot answer. Only a record can. (If you want the long-form version of this argument, start with why an AI policy is not AI governance.)

The six things a policy can't prove

Your AI policy says the right things. It also cannot, on its own, demonstrate any of the following — each of which is exactly what an inspection or a claim turns on:

  1. That a human actually reviewed a given output before it left the firm (not that they were supposed to).
  2. That the citations in a research memo were real and verified against source.
  3. What client or personal data was sent to a model, and where that model is hosted.
  4. Who approved the work, and when — attributably and tamper-evidently.
  5. That supervision actually happened on the matters where it mattered most.
  6. A consistent, retrievable record across the whole firm, not a folder one partner happens to keep.

Under the SRA Code of Conduct for Firms, paragraph 2.1 requires effective systems and controls, and paragraph 2.2 requires records to demonstrate compliance. A policy is neither a system nor a record. It is a statement of intent about both.

The three tiers of trust

Not all "trust" claims in legal AI mean the same thing. It helps to separate them into three tiers:

  • Security-grade — the data is encrypted, access-controlled, and held securely. Necessary, table-stakes, and where most enterprise tools compete.
  • Content-grade — the output is accurate, and citations are checked to exist. Increasingly common; some research tools now verify that a cited authority is real and retrievable.
  • Governance-grade — the process itself is provable: a documented plan, a record of what was checked, evidence of human oversight, and a signed audit trail an SRA inspector or PI insurer can read.

Security-grade protects the data. Content-grade improves the output. Only governance-grade lets your COLP prove the work was done properly. Most of the market sells the first two. Governance-grade is the gap.

Where the major tools sit (fairly)

The leading legal-AI platforms are excellent at what they do — and what they do is mostly tiers one and two. Tools like Harvey and Legora compete on capability, speed and enterprise security; Legora has gone furthest on formal AI-management certification. Research platforms such as CoCounsel and Lexis+ AI have added citation verification — a genuine content-grade advance that checks whether a cited authority exists. These are real improvements.

But citation verification inside a research tool is a feature, not a compliance system. It does not, by itself, produce the COLP-facing evidence pack — the plan, the human-review record, the signed audit trail across every workflow — that a governance obligation requires. That is a different job, and it is the one a firm's compliance function actually has to discharge.

Before you adopt any AI tool, ask the vendor these. The answers separate governance-grade from the rest:

  1. Can you produce, for any output, a record of what the AI processed?
  2. Are citations re-fetched and verified against source — and what happens when one fails?
  3. Is there a human-approval step before a workflow runs, and is it recorded?
  4. Is the audit trail tamper-evident and exportable as evidence?
  5. Can I generate a COLP-/insurer-ready report for a specific matter on demand?
  6. Where is client and personal data hosted — and is EU-hosting or self-hosting available?
  7. Which SRA Code obligations does the audit record actually map to?
  8. Does the system record who signed off and when?
  9. Can I see where AI is used across the firm (an inventory), not just per-user?
  10. If the SRA asked tomorrow, what could I hand them — generated by the tool, not assembled by hand?

If a vendor cannot answer 1, 4, 5, and 10 cleanly, you are buying capability, not compliance. (Question 6 matters more than it looks: for firms that cannot send client data off-premises at all, a self-hosted deployment is the only clean answer.) And the same evidence pack is increasingly what your PI insurer wants to see at renewal.

How LegalAI Space is built

LegalAI Space is designed from the ground up at the governance tier. Every workflow runs against a written, approved plan before it executes. Citations are re-fetched and verified against source, including UK legal databases, so fabricated authorities are caught before they reach a draft. Every step is captured in a signed, tamper-evident audit record, and that record exports as a COLP-ready evidence pack mapped to your SRA obligations. The platform is designed for EU-hosted and self-hosted deployment so the data question has a clean answer. The point is not to make your lawyers a little faster. It is to let your compliance function prove the work was governed.

FAQ

Is an AI policy enough for SRA compliance? No. The Code for Firms requires effective systems and controls (2.1) and records that demonstrate compliance (2.2). A policy states intent; it does not evidence that controls operated.

What's the difference between AI policy and AI governance? A policy is the documented intention. Governance is the operating system plus the evidence — plans, human-oversight records, citation verification, and an audit trail you can produce on demand.

Do tools like CoCounsel or Lexis cover governance? They offer content-grade features such as citation verification, which is valuable, but not a COLP-facing governance and audit system across all workflows. That is a separate requirement.

What should I ask a legal-AI vendor before buying? Use the ten-question checklist above — focus on whether the tool can produce a matter-specific, exportable, tamper-evident record mapped to SRA obligations.

See what a governance-grade audit trail looks like on your own work. Book a 30-minute pilot call with Daman — bring one real matter, no pitch.