Legal information, not legal advice · Every entry verified to its primary source · Independent of any bar association

Solo and Small Firm AI Compliance: The One-Afternoon Starter

Last updated June 10, 2026 · First published June 10, 2026 · By MHSB Solutions (Research desk)

A solo or small firm reaches defensible AI compliance with five artifacts, buildable in one afternoon: a one-page approved-tools list with each tool's data terms, a confidentiality rule (what never goes into open models, and your state's consent threshold), a verification rule (every citation independently checked before filing), two billing sentences (actual time only; costs only by advance agreement), and an engagement-letter AI clause. That covers the duties in ABA Formal Opinion 512 and every state instrument at small-firm scale, without enterprise process theater.

Quick answer

Five artifacts, one afternoon, defensible posture:

  1. Approved-tools list with documented data terms.
  2. Confidentiality rule + your state's consent threshold.
  3. Verification rule: every citation checked in a real database.
  4. Billing rules: actual time only; costs by advance agreement.
  5. Engagement-letter AI clause.

Compliance sized for a firm without a compliance department

The AI ethics instruments were mostly written with firms in mind: supervision structures, training programs, acknowledgment files. Solos and small firms face the same underlying duties (competence, confidentiality, verification, honest billing, candor) without the apparatus, and the temptation is to conclude the whole topic is big-firm theater. The opposite is true: small firms adopt AI faster, with less friction and more exposure per matter, and they are likelier to be using consumer tiers. What scales down is the paperwork, not the duties. Here is the paperwork at its honest minimum.

Artifact 1: the approved-tools list

One page. Each AI tool you actually use, its tier (consumer or enterprise or legal-specific), whether that tier trains on inputs, what it retains, and the date you checked. The screening questions come straight from the instruments (Florida, Oregon, New Mexico, ABA 512 all require understanding tools before use); the page is your proof you asked them. Rule one written at the bottom: nothing on a matter touches a tool not on this list, including on personal accounts. Update when you add tools or when a vendor changes terms, which they do.

Artifact 2: the confidentiality rule

Two parts. The line: confidential or client-identifying information never enters a tool whose tier trains on or retains inputs; anonymization counts only if someone with public information could not re-identify the matter (New Mexico’s standard, which is the honest one). The threshold: your state’s consent position from the comparison table, written into the rule, with West Virginia practitioners building written consent into the engagement letter from day one. If you practice in multiple states, write to the strictest.

Artifact 3: the verification rule

One sentence, zero exceptions: every citation, quotation, and statement of law in AI-assisted work gets independently confirmed in a traditional research database before it is filed or sent, and the same AI never verifies itself. This is the rule whose absence produced the sanctions caselaw, and at small-firm scale it is pure self-protection: there is no associate to blame, and the signature on the filing is yours. Pair it with the per-filing habit of checking the assigned judge’s standing orders, which takes two minutes via the court’s site or the free Ropes & Gray tracker linked from the court orders guide.

Artifact 4: the billing rules

Two sentences cover what every instrument requires: bill the time actually spent prompting, reviewing, and verifying, never the time AI saved (North Carolina’s three-hours-for-a-one-hour-task framing is the memorable version); AI costs are charged to a client only when matter-specific, reasonable, and agreed in advance in writing. If AI is making you meaningfully faster, the durable answer is fee design rather than hourly attrition; Virginia’s LEO 1901 blesses flat and value-based arrangements that capture efficiency gains, covered in the billing guide.

Artifact 5: the engagement-letter clause

The clause that turns four internal artifacts into client-facing transparency: the firm uses AI tools under a written policy; client information is protected from training and disclosure; every AI-assisted work product is reviewed by the responsible attorney; the client may discuss or restrict AI use at any time. Where your state requires consent, the letter is where consent mechanics live. This pre-empts the awkward mid-matter conversation and satisfies the communication duty on the terms most authorities frame it, per the client disclosure guide.

The afternoon, scheduled

Hour one: inventory what you actually use (include the tools you forgot you use: the meeting transcriber, the email drafter) and write the tools list. Hour two: set the confidentiality and verification rules, checking your state on the tracker. Hour three: billing sentences and the engagement-letter clause, adapted from sections 5 and 7 of the free template. Then quarterly: fifteen minutes with the changelog to catch what changed. That is the whole system. It is also, reduced to essentials, the same system the instruments expect of a two-hundred-lawyer firm; the difference is you can be done by dinner.

Frequently asked questions

Do solo practitioners really need an AI policy?

Not for supervision of others, but for evidence. After a confidentiality incident or a citation challenge, the question is what measures existed. A solo's one-page policy is that answer, and it doubles as the checklist that prevents the incident. Vermont's report and Missouri's opinion both frame office AI policies as the practical implementation of existing duties at any scale.

Which AI tools are safe for a small firm?

This site does not endorse tools; safety lives in tiers and settings, not product names. The screening test from the instruments: does the tier you are buying train on inputs, what does it retain, who can access it, and will the vendor put that in writing? Enterprise and legal-specific tiers usually pass; free consumer tiers usually fail for confidential information. Document whatever you choose; the documentation is the compliance.

What goes in an engagement-letter AI clause?

Three sentences: the firm uses AI tools under a written policy with client information protected from training and disclosure; all AI-assisted work is reviewed by the responsible attorney; the client may discuss or restrict AI use at any time. Add your state's consent mechanics where required, and in West Virginia, build written consent into the letter itself.

How do I keep up with rule changes without a compliance department?

Subscribe to one tracker and check it quarterly. This site exists for exactly that: every instrument verified against primary sources, a changelog of every update, email alerts, RSS, and a downloadable dataset. Fifteen minutes per quarter is the realistic small-firm cadence.

About the editor: MHSB Solutions, Research desk. MHSB Solutions is not a law firm. Everything on this site is legal information keyed to primary sources, not legal advice.

For licensed attorneys and firm operators. This site is legal information, not legal advice, and no attorney-client relationship is formed by using it. Rules change; verify against the primary sources linked on every page and consult a licensed attorney in your jurisdiction before acting.