
COLP Responsibilities for AI: What the SRA Expects in 2026

Your firm started using AI without asking you. The SRA still holds you — the COLP — responsible for governing it. Here's exactly what the regulator expects, where the enforcement is already landing, and how to prove your controls actually work.

By Daman Kaur

You didn't approve it. Somewhere in your firm, a paralegal is drafting with ChatGPT, an associate is running research through a legal AI tool, and a partner is pasting a client's confidential term sheet into a chatbot to "get a quick summary." None of it came through you. All of it is now your responsibility.

That's the position most COLPs are in as of 2026, and it isn't hyperbole. 61% of UK lawyers now use generative AI in their day-to-day work, up from 46% at the start of 2025 — while, on the same survey, two-thirds describe their firm's AI culture as slow or non-existent. Adoption raced ahead of governance. The gap between the two is where the COLP is exposed.

The reassuring myth is that AI rules are coming later, in some consultation, and you can wait. The reality is that your obligations are already live under the rules you're regulated by today, and the SRA has already said, in writing, that you own them. This is what "owning them" actually requires.

The SRA has already made this your job

There is no separate AI rulebook, and firms keep misreading that as "so nothing applies yet." It means the opposite: AI use falls under the existing Codes, so the obligations are already in force.

The SRA has been explicit about where accountability sits. In its compliance guidance on AI and technology, it states that it expects, as a minimum, the COLP to be responsible for regulatory compliance when new technology is introduced — with board-level oversight of what's purchased and how it's used on an ongoing basis. New technology includes AI. The named person already exists. It's you.

That guidance ties directly back to the Code of Conduct for Firms: paragraph 2.1's requirement for "effective governance structures, arrangements, systems and controls," and paragraph 6.3's duty to keep client information confidential. AI use engages both, immediately, without a single new rule being written.

Field note: The firms most exposed aren't the ones that banned AI or the ones that rolled it out deliberately. They're the ones where AI arrived informally, tool by tool, and the COLP found out it was in use at the same moment they realised they were accountable for it.

What "responsible" means: evidence, not a policy

Here's the distinction that decides whether a COLP is actually protected. The SRA's framework doesn't ask whether you have an AI policy. It asks whether your systems and controls operated — and whether you can produce records that demonstrate it (Code for Firms 2.2 is, in effect, the audit-trail rule).

A two-page policy saying "fee-earners must check AI output" proves nothing about whether they did. When a regulator, an insurer, or a court asks what happened on a specific matter, "we have a policy" is not an answer. The record of what was checked, by whom, and when — that is the answer.

So the practical test of your responsibility isn't documentary. It's evidential. For any AI-assisted output that left your firm, can you produce:

  1. What the AI processed — the prompt, the documents, the client data that went in.
  2. What it checked or relied on — for research and drafting, were the cited authorities real and actually retrieved, or generated?
  3. What a human reviewed before it left the firm — a named person, this specific output, not "policy says they should."
  4. When it happened and who signed off — timestamped and attributable.

If you can produce those four on demand, you're defensible. If you can't, that gap is your exposure. We go deeper on the regulator's specific questions in our post on what the SRA can actually ask about AI.

A governed AI run: a legal question passes through intake, pre-run policy checks, governed source retrieval, drafting, citation verification, and human sign-off — each gate leaving a record.

The three failure modes you're actually accountable for

AI risk in a law firm isn't abstract "algorithmic bias." It's three concrete failure modes, each of which the COLP has to have a control for.

Fabricated authorities reaching a client or court

This is the one already producing sanctions. In Ayinde v London Borough of Haringey and Al-Haroun v Qatar National Bank (Divisional Court, 6 June 2025), AI tools generated fake case citations — five in one matter, eighteen in the other — that were filed without being checked against source. The court made wasted-costs orders, referred the individuals to the SRA and the Bar Standards Board, and stated plainly that consumer AI tools "are not capable of conducting reliable legal research."

It's not a one-off. A public database of AI-hallucinated content reaching courts already runs to well over a thousand decisions, hundreds involving practising lawyers — and a fresh 2026 UK referral to the SRA, where the judge held that admonishment alone was insufficient. The uncomfortable data underneath this: Stanford researchers benchmarking purpose-built legal AI tools found they still produced incorrect information on more than one in six queries, with one major research tool wrong more than a third of the time. Retrieval reduces hallucination. It does not eliminate it.

Client confidentiality leaking into public tools

When a fee-earner pastes client data into a free, public AI tool, Code paragraph 6.3 is engaged directly. The Law Society's guidance is blunt: do not put confidential data into free public generative AI tools where you have no operational relationship with the vendor. Every free-tool user in your firm is a potential confidentiality breach the COLP is accountable for.

Unsupervised use by people who can't judge the output

Code paragraphs 4.3 and 4.4 require competence and effective supervision. An associate who can't yet tell a plausible-but-fake citation from a real one, using a tool that produces both fluently, is a supervision gap. The tool doesn't remove the need for a competent human check — it raises it.

What the SRA expects you to put in place

The SRA's guidance doesn't leave "governance" as a vague aspiration. It enumerates what it expects, as a minimum, around AI use:

  • Leadership and oversight — someone accountable (you), with board visibility of what's bought and how it's used.
  • Risk and impact assessments — before deployment, not after an incident.
  • Policies and procedures — necessary, but the floor, not the ceiling.
  • Training — so people using AI can actually judge its output.
  • Monitoring and evaluation — ongoing, with a record that it happened.

Read that list again and notice what four of the five have in common: they only count if you can show they happened. Monitoring you can't evidence is monitoring the SRA will treat as absent.

Practical rule: Treat every AI control as something you'll one day have to prove operated on a specific matter. If a control leaves no record, it isn't a control — it's a hope with a policy attached.

The obligation you might not know is already live

If your firm serves EU clients or its AI output is used in the EU, there's a second regime in play — and one piece of it is already binding. Under the EU AI Act, the AI-literacy obligation (Article 4) has applied since February 2025, requiring that staff using AI systems have sufficient understanding to use them responsibly.

The headline "2 August 2026" deadline everyone's bracing for is more nuanced than the panic suggests — the high-risk obligations were deferred to December 2027 under the EU's Digital Omnibus package. But the literacy duty isn't deferred. It's in force now, and it maps almost exactly onto the SRA's training expectation. One training programme, built properly, discharges both.

What a defensible COLP setup looks like

The right approach depends on your firm, but the destination is the same: move from "we have a policy" to "we can prove our controls operated."

  • If you're a small-firm COLP with no AI budget and informal adoption: start by finding out what's actually in use — a five-minute survey usually surprises people — then get one non-negotiable rule enforced (no client data in free public tools) and one habit recorded (a human sign-off log for AI-assisted output that leaves the firm). Coverage beats sophistication.
  • If you're a mid-size firm COLP with tools rolled out across departments: your problem is visibility across work you can't personally see. You need systems that capture the four evidence points automatically, because relying on busy fee-earners to log their own AI use by hand will fail exactly when you need the record most.
  • If you're a COLP under an insurer or client asking for AI assurances: you need an evidence pack you can hand over — matter-level records of what was processed, checked, and reviewed — not a policy PDF. The COLP AI governance checklist is the concrete version of this.

The direction of travel is unambiguous: the SRA is shifting from asking whether firms have policies to asking whether they can evidence that controls worked. Its December 2025 review already found that only one compliance officer in thirty-six could fully describe their obligations — before AI made those obligations harder. The firms that struggle will be the ones that confused a document with a control.

How LegalAI Space closes the gap

This is the problem we built LegalAI Space to solve, and it maps directly onto the four evidence points above. Every AI workflow runs against a written, approved plan before it executes — a plan → approve → run gate, not a free-running chatbot. Every citation is re-fetched and verified against source, including UK legal databases, so a fabricated authority is caught before it reaches a draft. And every step is recorded in a signed, tamper-evident audit trail: what was processed, what was checked, what a human reviewed, and when. The output is a COLP-ready evidence pack — for the SRA, your PI insurer, or a client — instead of an apology.

You don't have to choose between letting your firm use AI and being able to prove you governed it. That's the entire point.

FAQ

Is the COLP responsible for the firm's AI use? Yes. The SRA expects, as a minimum, that the COLP is responsible for regulatory compliance when new technology including AI is introduced. There's no separate AI regime — it falls under the existing Codes, which the COLP already owns.

Does the SRA require an AI policy? The SRA expects governance, systems and controls — policies are part of that, but not sufficient on their own. What it ultimately asks for is evidence that your controls operated, which a policy alone can't provide.

What AI records should a firm keep? At minimum, for AI-assisted work that leaves the firm: what the AI processed, which sources it relied on, what a human reviewed before output left the firm, and when and by whom it was signed off.

Can fee-earners use ChatGPT for legal work? Not with client confidential data in free public tools — that risks breaching confidentiality (Code 6.3). And any AI-assisted output must be checked against source, because relying on unverified output can breach competence and the duty not to mislead the court, as the Ayinde case showed.

Is the EU AI Act relevant to a UK firm? It can be, if the firm serves EU clients or its AI output is used in the EU. The AI-literacy obligation has applied since February 2025; the high-risk obligations were deferred to December 2027. We cover the detail in our EU AI Act guide for UK firms.

If you're a COLP who needs to prove — not just assert — that your firm's AI use is governed, that's exactly what LegalAI Space produces: a signed, matter-level audit trail the SRA can inspect. Book a 30-minute call with Daman and bring one real workflow.
