The most common mistake firms make about SRA compliance and AI is assuming there's a gap to wait out — that the rules are "coming," that some future consultation will tell them what to do. There isn't, and it won't. The SRA has been clear: AI use falls under the existing Codes of Conduct, so your obligations are already in force, and your compliance officer is already accountable for them.
That's the good news and the uncomfortable news in one sentence. Good, because you don't need to learn a new regime. Uncomfortable, because "we were waiting for guidance" is not a defence for something that's already live.
This is the complete picture: which rules apply, who owns them, what the SRA can actually ask, what the enforcement looks like, and how to get to a defensible position. It's the map; the detailed spokes are linked throughout.
There is no separate AI rulebook — and that's the point
The SRA has not created a standalone AI regulation, and it has signalled it doesn't intend to. Its position is that AI is a technology used in legal services, and legal services are already comprehensively regulated. So AI use is governed by the same Codes, Principles, and Accounts Rules as everything else a firm does.
The practical consequence: every obligation below already applies to your firm's AI use today. The novelty of the tool changes nothing about the duty. We set out the regulator's specific questions in "What the SRA can actually ask about AI"; this guide is the level above that — the whole compliance picture.
Practical rule: "The rules haven't caught up with AI yet" is the single most dangerous sentence in a law firm in 2026. The rules didn't need to catch up. They were always about outcomes — competence, confidentiality, supervision, honesty — and AI engages every one of them.
The rules that actually apply
AI use engages both SRA Codes. Getting the references right matters — citing the wrong paragraph undermines the whole conversation with a regulator.
SRA Code of Conduct for Firms (the COLP's domain):
- Paragraph 2.1 — effective governance, systems and controls. AI used without a control system engages this directly.
- Paragraph 2.2 — keep records to demonstrate compliance. This is the audit-trail rule; if you can't produce the record, you can't demonstrate compliance.
- Paragraph 6.3 — client confidentiality. If a tool sends client data to a third-party model, this is engaged.
- Paragraphs 4.3–4.4 — competence and effective supervision, which extend to how AI-assisted work is checked.
SRA Code of Conduct for Solicitors (each fee-earner's domain):
- Paragraph 1.4 — not misleading the court. A fabricated AI citation breaches this whether a human or a model produced it.
- Paragraphs 3.2–3.3 — competent service and maintaining competence, which now includes understanding AI's limits.
The SRA's own compliance guidance on AI and technology ties these together: it expects, as a minimum, that the COLP is responsible for regulatory compliance when new technology is introduced, with governance, systems and controls around its use.
Who is accountable: the COLP
Accountability for AI compliance isn't diffuse. It sits, by the SRA's own framing, with the COLP — the Compliance Officer for Legal Practice — with board or partnership oversight above. The COLP is responsible for ensuring the firm has effective systems for AI use and that serious breaches are reported.
This is not a comfortable position, because AI often arrives in a firm informally, tool by tool, without the COLP's sign-off — and yet the accountability lands there regardless. We cover the role in depth in "COLP responsibilities for AI" and the underlying role in "What is a COLP".
The SRA's December 2025 thematic review of compliance officers is the backdrop every COLP should know: of thirty-six officers interviewed, only one could describe all the material requirements of their role, and across three years they made just nine reports to the SRA from 1,377 internal reports. The regulator is signalling that compliance officers are under-supported and under-reporting — and AI is arriving on top of that.
What the SRA can ask for: four pieces of evidence
When the SRA examines AI use — in a thematic review, an inspection, or after a complaint — the questions reduce to four. For any AI-assisted output that left your firm, can you produce:
- What the AI processed — the prompt, documents, and client data that went in.
- What it checked or relied on — were cited authorities real and retrieved, or generated?
- What a human reviewed before it left the firm — a named person, this specific output.
- When it happened and who signed off — timestamped and attributable.
Produce those four and you're defensible. Can't, and that gap is your exposure. Notice none of them is satisfied by a policy document — they're satisfied by records. That's the distinction between an AI policy and AI governance.
What enforcement already looks like
This is not hypothetical. In Ayinde v Haringey and Al-Haroun v Qatar National Bank (Divisional Court, 6 June 2025), AI tools produced fabricated citations — five in one matter, eighteen in the other — filed without checking against source. The court made wasted-costs orders and referred the individuals to the SRA and the Bar Standards Board, holding that consumer AI tools "are not capable of conducting reliable legal research." In 2026 the pattern continued, with a further UK referral to the SRA where the judge held that admonishment alone was insufficient — part of a growing record of hallucination cases.
The trajectory is one-directional: regulators are more involved over time, not less, and "we didn't have a system" is the worst thing to say after the fact.
How to get to a defensible position
You don't need to solve everything at once. The route, in order of impact:
- If you're starting from nothing: find out what AI is actually in use (a quick survey usually surprises people), enforce one hard rule (no client data in free public tools), and start a human sign-off record for AI-assisted output that leaves the firm.
- If you have a policy but no evidence: shift the effort from the document to the records. The SRA asks whether controls operated, not whether they're written down — build the audit trail. Our COLP AI governance checklist is the concrete list.
- If you're scaling AI across the firm: formalise it as an AI governance framework with ownership, verification, and monitoring that produces its own evidence — because manual record-keeping fails under caseload exactly when you need it.
The destination is the same regardless of starting point: move from "we have a policy" to "we can prove, on any matter, that our controls operated."
How LegalAI Space fits
We built LegalAI Space so the evidence the SRA can ask for is produced automatically. Every AI workflow runs against an approved plan before it executes; every citation is verified against source, including UK legal databases; and every step is recorded in a signed, tamper-evident audit trail — what was processed, what was checked, what a human reviewed, and when. The output is a COLP-ready evidence pack for the SRA, a PI insurer, or a client. You don't have to choose between adopting AI and being able to prove you governed it.
FAQ
Does the SRA have specific rules for AI?
No. There's no standalone AI regulation. AI use falls under the existing SRA Code of Conduct for Firms, Code of Conduct for Solicitors, Principles, and Accounts Rules — which means the obligations are already in force.
Who is responsible for AI compliance in a law firm?
The firm, through its governance obligations, and the COLP personally for compliance systems — the SRA expects the COLP to be responsible for regulatory compliance when new technology is introduced. Individual fee-earners remain accountable for their own work.
What can the SRA ask about our AI use?
In practice, for any AI-assisted output: what the AI processed, which sources it relied on, what a human reviewed before it left the firm, and when and by whom it was signed off.
Is using AI a breach of SRA rules?
Not inherently. Breaches arise from relying on unverified output (competence, not misleading the court) or putting client data into public tools (confidentiality) — not from using AI as such.
What's the first step to SRA compliance for AI?
Find out what AI is actually being used in the firm, ban client data in free public tools, and start recording human sign-off on AI-assisted output. Build from there toward a governance framework that produces evidence.
Related reading
- What the SRA can actually ask your firm about AI — the regulator's specific questions, mapped to the rules.
- COLP responsibilities for AI — the accountable role, in depth.
- AI governance framework for law firms — the machine that produces the evidence.