Legal information, not legal advice · Every entry verified to its primary source · Independent of any bar association

Law Firm AI Policy: What Bars Actually Require (2026)

Last updated June 10, 2026 · First published June 10, 2026 · By MHSB Solutions (Research desk)

No U.S. bar association flatly mandates that law firms adopt a written AI policy. But ABA Formal Opinion 512 requires managerial lawyers to establish clear policies on permitted AI use, Arizona's guidance calls for written, acknowledged firm AI policies, Missouri's Informal Opinion 2024-11 walks through building one, and Kentucky, New Mexico, and Vermont all direct firms toward policies and training. A written policy is how a firm evidences the supervision duties it already has. The required content is consistent: approved tools, confidentiality rules, verification workflow, billing rules, training, and accountability.

Quick answer

  1. No bar mandates a written AI policy by name.
  2. Supervision duties (Rules 5.1/5.3) effectively require one anyway.
  3. ABA 512: managerial lawyers must establish clear AI policies.
  4. Arizona: written firm AI policies, acknowledged by staff.
  5. Missouri 2024-11: a build-your-policy walkthrough.
  6. Six required sections: tools, confidentiality, verification, billing, training, accountability.

The trick question in the title

Ask “which bar requires an AI policy” and the literal answer is none. Ask “which instruments make a firm without one indefensible” and the answer is most of them. The mechanism is supervision: Rules 5.1 and 5.3 require managerial lawyers to maintain measures giving reasonable assurance that everyone in the firm, lawyer and nonlawyer, conforms to the rules. Once AI tools enter the building, those measures have to say something about AI, and a measure that is unwritten, untrained, and unacknowledged is hard to call a measure at all.

The instruments make this progressively concrete. ABA Formal Opinion 512 states that managerial lawyers must establish clear policies regarding the firm’s permissible use of generative AI. Arizona’s best-practices guidance specifies the format: written firm AI policies that staff acknowledge. Missouri’s Informal Opinion 2024-11 is literally structured as advice to a lawyer designing a firm AI policy, walking through training, platform vetting, verification, and independence. Kentucky’s E-457 directs firms to adopt AI policies and training. New Mexico requires firm policies and training under its supervision analysis. Vermont’s judiciary report recommends an office AI-use policy as part of supervision duties. And the voluntary Virginia Bar Association published a full model policy template in 2024.

The six sections every instrument converges on

1. An approved-tools register. The competence and confidentiality duties both collapse into tool vetting: who checked this tool’s terms, when, and what did they find about training on inputs, retention, and access. Florida, Oregon, New Mexico, and the ABA all frame tool understanding as a precondition of use. The register is the artifact that proves it happened, and the consumer-versus-enterprise distinction belongs here, because the same product name can carry opposite data terms across tiers.

2. Confidentiality and consent rules. What may never go into which tools; anonymization standards (New Mexico’s warning that fact patterns identify clients even without names is worth quoting in your policy); and your consent posture, which is jurisdiction-specific: from no per se duty in Virginia’s guidance and New Jersey’s guidelines, through Florida’s recommended consent, to West Virginia’s informed consent confirmed in writing. Multi-state firms should write to their strictest jurisdiction.

3. A verification workflow. Every output is a draft; a human with matter knowledge reviews before use; every citation is independently verified in a traditional database before filing; court-specific AI orders are checked per filing. This is the section that prevents the sanctions caselaw from happening to you, and it should be non-negotiable in the policy’s own words.

4. Billing rules. Bill actual time only; do not bill for time saved; learning time is overhead absent specific agreement; AI costs pass through only with advance written agreement. North Carolina’s formulation (you cannot bill three hours for a one-hour AI-assisted task) is the one staff remember.

5. Training and acknowledgment. Arizona’s guidance makes acknowledgment explicit, and it is the difference between a policy and a PDF nobody opened: training before first use, refreshed annually, with signed acknowledgment on file. Training is also where the duty extends to nonlawyer staff, who are often the heaviest AI users in a firm.

6. Ownership and review. A named owner, a review cadence (quarterly or semi-annual), and a change log. The landscape this policy depends on moved at least four times in the twelve months before this guide was published; a policy without a review mechanism is a snapshot, not a control.

What does not belong in the policy

Two common impulses to resist. First, a flat ban: prohibition policies fail in practice (usage goes underground onto personal accounts, the worst possible configuration) and forfeit real efficiency; every ethics authority permits governed use, so govern it. Second, interactive document-assembly for clients: a firm policy is internal governance, and this site’s free template is deliberately a static download you adapt with counsel, not software that generates a customized legal document.

Where to start

Download the template, read your jurisdiction’s instruments on the tracker, set your consent posture to your strictest state, name an owner, and schedule the first training. A firm can be defensibly governed in a week; most firms are simply waiting for an incident to force the same work on worse terms.

Frequently asked questions

Is a law firm AI policy legally required?

Not by name, in any U.S. jurisdiction. What is required is supervision: managerial lawyers must make reasonable efforts to ensure the firm has measures assuring everyone's conduct conforms to the rules, and ABA Formal Opinion 512 applies that duty specifically to generative AI. A written, trained, acknowledged policy is the standard way to evidence those measures; the absence of one is what looks indefensible after an incident.

What must a law firm AI policy include?

Six sections recur across every instrument that addresses the question: an approved-tools register with documented data-handling terms, confidentiality and consent rules, a verification workflow treating every output as a draft with independent citation checking, billing rules that charge only actual time, training with acknowledgment, and named ownership of the policy with review cadence.

Does a solo practitioner need an AI policy?

The supervision rationale is weaker with no one to supervise, but solos still benefit from the same artifact: a written checklist of approved tools, confidentiality rules, and verification steps is how a solo proves diligence after the fact, and engagement-letter AI language matters just as much for solos. Our solo and small firm starter guide covers the minimum viable version.

How often should the policy be reviewed?

Quarterly or semi-annually against current instruments. The landscape moves: New York's court rule took effect June 2026, Virginia's fee opinion arrived November 2025, and California's proposed rule amendments are pending. A policy citing only 2023 guidance is already stale. This site's changelog and alerts exist for exactly that review.

About the editor: MHSB Solutions, Research desk. MHSB Solutions is not a law firm. Everything on this site is legal information keyed to primary sources, not legal advice.

For licensed attorneys and firm operators. This site is legal information, not legal advice, and no attorney-client relationship is formed by using it. Rules change; verify against the primary sources linked on every page and consult a licensed attorney in your jurisdiction before acting.