All posts
SRA5 min read

What the SRA Can Actually Ask Your Firm About AI (and How to Answer)

The SRA has no separate AI rulebook — AI use falls under the existing Codes of Conduct, so your obligations are already live and your COLP is already accountable. Here is exactly what the SRA can request about your firm's AI use, mapped to the rules, with the evidence you need to produce.

By Daman Kaur

The SRA has no separate AI rulebook. That is the single most important thing for a COLP to understand — because it means your firm's AI obligations are not coming in some future consultation. They are already live, under the Codes of Conduct you are regulated by today, and your compliance officer is already personally accountable for them.

The question is no longer whether the SRA can ask how your firm governs its AI use. It is what they can ask, and whether you could answer with evidence rather than good intentions.

This post sets out exactly that.

The myth of the "AI policy"

Most firms, when asked about AI governance, point to a policy document. A policy is necessary. It is also nowhere near sufficient. The SRA's own framework is not satisfied by a statement of intent — it asks for effective systems and controls, and for records that demonstrate those controls actually operated. (We pull this distinction apart in why an AI policy is not AI governance.)

A two-page policy that says "fee-earners must check AI output" proves nothing about whether they did. When a regulator, a client, an insurer or a court asks what happened on a specific matter, "we have a policy" is not an answer. The record of what was checked, by whom, and when — that is the answer.

The rules that already apply (the right ones)

There are two SRA Codes, and AI engages both. Cite them correctly — getting the numbers wrong undermines the whole conversation.

SRA Code of Conduct for Firms (this is the COLP's domain):

  • Paragraph 2.1 — you must have "effective governance structures, arrangements, systems and controls" that ensure compliance with the SRA's regulatory arrangements. AI use without a control system engages this directly.
  • Paragraph 2.2 — you must "keep and maintain records to demonstrate compliance". This is the audit-trail rule. If you cannot produce the record, you cannot demonstrate compliance.
  • Paragraph 2.3 — you "remain accountable for compliance… where your work is carried out through others". An AI system is, functionally, "others." Delegating to a model does not delegate the accountability.
  • Paragraph 4.3 — you must ensure managers and employees are "competent to carry out their role, and keep their professional knowledge and skills… up to date."
  • Paragraph 4.4 — you must have "an effective system for supervising clients' matters."

SRA Code of Conduct for Solicitors (this is each fee-earner's domain):

  • Paragraph 1.4 — you must not "mislead… the court or others." A fabricated AI citation breaches this whether a human or a model produced it.
  • Paragraphs 3.2–3.3 — competent service, and maintaining your competence and up-to-date knowledge.
  • Paragraph 3.5 — accountability for, and effective supervision of, work done through others.
  • Paragraph 6.3 — confidentiality. If a tool sends client data to a third-party model, this is engaged.

None of these is new. None of them pauses because the tool is new.

What the SRA can actually request — the four pieces of evidence

When the SRA examines AI use — whether in a thematic review, a routine inspection, or in response to a complaint — the practical questions reduce to four. For any AI-assisted output that left your firm, can you produce:

  1. A record of what the AI processed. What prompt, what documents, what client data went in?
  2. A record of which sources it checked or relied on. For research and drafting, were the cited authorities real, current, and actually retrieved — or generated?
  3. A record of what a human reviewed before it left the firm. Not "policy says they should" — evidence that a named person reviewed this specific output.
  4. A record of when that happened and who signed off. Timestamped, attributable, tamper-evident.

If you can produce those four for any matter on demand, you are in a defensible position. If you cannot, that gap is your exposure — and it is exactly the gap the SRA's December 2025 Compliance Officers thematic review exposed, where just one in thirty-six compliance officers could fully describe their obligations.

Why this is urgent now, not later

In Ayinde v London Borough of Haringey and Al-Haroun v Qatar National Bank (Divisional Court, 6 June 2025), AI tools produced fabricated case citations — five in one matter, eighteen in the other — that were filed without being checked against source. The court made wasted-costs orders, referred the individuals to the SRA and the Bar Standards Board, and warned that consumer AI tools "are not capable of conducting reliable legal research." (These are not isolated; the pattern is now over 1,200 documented hallucination cases and counting.)

That was not a rogue junior ignoring the rules. It was the predictable result of using AI without a verification layer or a governance process. The enforcement climate is moving in one direction, and "we didn't have a system" is the worst possible thing to say to a regulator after the fact.

How LegalAI Space closes the gap

This is the problem we built LegalAI Space to solve. Every AI workflow runs against a written, approved plan before it executes (a plan → approve → run gate, not a free-running chatbot). Every citation is re-fetched and verified against source — including UK legal databases — so a fabricated authority is caught before it reaches a draft, let alone a court. And every step is recorded in a signed, tamper-evident audit record: what was processed, what was checked, what a human reviewed, and when. The output of all of this is a COLP-ready evidence pack you can hand to the SRA, your PI insurer, or a client — not an apology.

You do not have to choose between adopting AI and being able to prove you governed it. That is the entire point.

FAQ

Does the SRA have a specific AI regulation? No. AI use falls under the existing SRA Code of Conduct for Firms and Code of Conduct for Solicitors. There is also a Risk Outlook on the use of AI in the legal market, but the binding obligations are the existing Code rules.

Who is accountable for AI use in a law firm? The firm, through its governance obligations (Code for Firms 2.1–2.3), and the COLP personally for compliance systems. Individual fee-earners remain accountable for their own work and supervision under the Code for Solicitors.

What evidence should we keep for AI-assisted work? At minimum: what the AI processed, which sources it relied on, what a human reviewed before the output left the firm, and when and by whom it was signed off.

Is using ChatGPT for legal research a breach? Not inherently — but relying on it without verifying the output can breach competence (3.2–3.3), the duty not to mislead the court (1.4), and confidentiality (6.3) if client data is exposed. The Ayinde case shows the consequences.

LegalAI Space gives UK firms a provable, SRA-ready audit trail for every AI output. Book a 30-minute pilot call with Daman — bring one real matter, no pitch.