Law Firm AI Policy Template: A Free Framework Aligned With ABA Opinion 512 (2026)

Yes — any firm using AI tools should have a written AI policy, and below is a free template mapped to ABA Formal Opinion 512. If your firm has lawyers or staff using ChatGPT, Claude, CoCounsel, Lexis+ AI, or any other generative tool — even informally — you have an obligation under the Model Rules of Professional Conduct to manage that use, and a written policy is the cleanest way to discharge it.

This is not a hypothetical concern. According to the ABA's 2024 Legal Technology Survey and AI TechReport, overall AI adoption among lawyers reached 30% in 2024, up from 11% in 2023. The same data shows that roughly three-quarters of respondents cite hallucinations — confidently wrong, fabricated outputs — as a barrier to adoption. In other words, most of the profession is now using a technology that the profession itself knows can invent fake case citations. That gap between use and control is exactly what a written AI policy closes.

This guide does two things. First, it walks through what ABA Formal Opinion 512 actually requires, rule by rule. Then it gives you a complete, copy-and-adapt law firm AI policy template you can put in front of your partners this week. One caveat to set the record straight up front: there is no official "ABA Model AI Policy" template. The ABA tells lawyers what duties apply; it does not publish a fill-in-the-blanks policy. The template here is ours — derived directly from the duties in Opinion 512 — and you should treat it as a drafting head start, not as ABA-endorsed boilerplate.

What ABA Formal Opinion 512 Actually Says

ABA Formal Opinion 512, titled "Generative Artificial Intelligence Tools," was issued on July 29, 2024, by the ABA Standing Committee on Ethics and Professional Responsibility. It is the first formal ethics opinion the ABA has published on lawyers' use of generative AI. The single most important thing to understand about it is what it is not: it is not a new rulebook. Opinion 512 creates no new obligations. It takes the Model Rules of Professional Conduct that already govern your practice and explains how they apply when a lawyer uses a generative AI tool.

That framing matters because it means you cannot treat AI as an unregulated frontier. The duties of competence, confidentiality, communication, honest billing, supervision, and candor to the tribunal apply to AI-assisted work exactly as they apply to everything else. Here is how the opinion breaks down, duty by duty.

Competence (Model Rule 1.1)

A lawyer must have "a reasonable understanding of the capabilities and limitations" of the AI tools they use. You do not have to become a machine-learning expert. But you do have to understand enough to use the tool responsibly — and you cannot place uncritical reliance on its output. The opinion's language here is unusually blunt: uncritical reliance on a generative AI output is "almost certainly malpractice." Independent verification and review of AI output is required, and a lawyer cannot abdicate professional judgment to a machine. How much verification is required is fact-specific and depends on the task, but the duty to verify never disappears.

Confidentiality (Model Rule 1.6)

Before entering any client information into a generative AI tool, a lawyer must evaluate the risk that the information will be disclosed to or accessed by others. For "self-learning" tools — tools that train on the data users feed them — the opinion goes further: the lawyer must obtain the client's informed consent before inputting confidential information. And this is the point too many firms get wrong: a boilerplate consent buried in the engagement letter is not sufficient. To give informed consent, the client must receive the lawyer's best judgment about why the AI tool is being used, the extent of and specific risks involved, and the kinds of client information that will be disclosed. For more on how confidentiality duties interact with AI in litigation, see our analysis of AI and attorney-client privilege after the Heppner ruling.

Communication (Model Rule 1.4)

There is no universal duty to always tell clients you used AI. But there are specific situations where disclosure is required: when the client asks; when you input the client's information into the tool; when the use affects the reasonableness of the fee charged; or when the AI's output "will influence a significant decision in the representation." Those four triggers are the practical test. If any of them is present, the client needs to know.

Fees (Model Rule 1.5)

A lawyer who bills hourly may bill only for time actually spent. AI-driven efficiency gains do not justify billing more — if a task that took three hours now takes one, you bill one. You may not bill the client for the time you spend learning to use the AI tool. Integrated AI tools the firm pays a flat subscription for are overhead and are not separately billable. Third-party AI services charged on a per-use basis may be billed to the client as an expense, but only at actual cost, without surcharge. For a fuller look at what these tools cost, see our AI legal tools pricing comparison.

Supervision (Model Rules 5.1 and 5.3)

This is the rule that drives the entire case for a written policy. Managerial lawyers must establish clear policies governing the firm's use of generative AI. Lawyers and staff need training — on how to use the tools, on the ethical issues involved, and on confidentiality and data security. Supervisory lawyers must ensure that the lawyers and nonlawyers they oversee comply. And the firm must conduct due diligence on AI vendors, evaluating their reliability, security, confidentiality protections, and breach-notification practices before adopting them.

Candor Toward the Tribunal (Model Rule 3.3)

When using AI in litigation, a lawyer must carefully review the output so as not to submit any "hallucination" — a fabricated citation, a misstatement of the law, or a misstatement of the facts — to a court. The lawyer must cite controlling authority and must not advance misleading arguments. This is the duty most directly tied to the sanctions stories that keep making headlines. For the practical mechanics of avoiding them, see our guide on avoiding AI hallucinations and court sanctions.

Why Your Firm Needs a Written AI Policy

The case for a written policy runs straight through Model Rule 5.1. Opinion 512 tells managerial lawyers they must establish clear policies governing the firm's use of generative AI. You can argue about whether that obligation technically demands a formal written document — and to be precise, Opinion 512 does not say the ABA "requires" a written AI policy in a particular format. But practically, how else do you establish a clear policy across a firm, communicate it to every lawyer and staff member, train people against it, and demonstrate to a disciplinary authority or malpractice carrier that you did? A written policy is the natural instrument for satisfying a supervisory duty. Anything less is an unwritten understanding, and unwritten understandings are exactly what fail under scrutiny.

The malpractice exposure makes this concrete. Recall the opinion's competence language: uncritical reliance on AI output is "almost certainly malpractice." Now imagine that exposure spread across a firm where every lawyer makes their own private judgment about when to verify, which tools are acceptable, and what client data is safe to paste. A written policy replaces a dozen inconsistent personal habits with one firm standard. It tells everyone that outputs must be verified, that certain tools are off-limits, and that client identifiers do not go into a public chatbot — before someone learns those lessons the hard way in front of a judge.

Confidentiality sharpens the point further. Under Rule 1.6, the risk of inputting client information into an AI tool has to be evaluated before it happens — and for self-learning tools, informed client consent has to be obtained first. A real-world ruling has already shown what happens when AI use outruns confidentiality discipline: see our breakdown of the Heppner privilege ruling, where materials a defendant generated on a consumer AI tool were held not privileged. A written policy is where you set the rule — which tools are approved for confidential matters, what consent is required, and what data never gets entered — so that judgment is not left to a stressed associate at 11 p.m.

A written AI policy is not bureaucracy for its own sake. It is how a firm converts the duty to "establish clear policies" under Rule 5.1 into something every lawyer can actually follow — and something the firm can actually prove it followed.

The 10 Components Every Law Firm AI Policy Needs

A workable policy does not need to be long. It needs to be clear, and it needs to cover the ground that the Model Rules and Opinion 512 actually touch. These ten components map to those duties. Where a component flows directly from a rule, the rule is noted; where it is a sensible operational practice rather than a rule mandate, it is marked as best practice.

1. Purpose & Scope

State why the policy exists, who it applies to (every lawyer, paralegal, and staff member), and what counts as a "generative AI tool" for its purposes. A clear scope statement is what makes the rest enforceable and prevents the "I didn't think that counted" defense. Best practice, grounded in the supervisory duty under Rule 5.1.

2. Approved & Prohibited Tools

List the AI tools the firm has vetted and approved, and make clear that anything not on the list requires sign-off before use on firm work. This is where vendor due diligence under Rule 5.3 becomes operational — only tools whose security and confidentiality terms the firm has reviewed make the approved list. For help evaluating the landscape, see our guide to the best AI tools for lawyers.

3. Client Confidentiality & Data Handling

Spell out the confidentiality rule plainly: assess disclosure risk before entering any client information, and never enter confidential client data into a self-learning tool without the required informed consent. Direct lawyers to anonymize and strip identifiers wherever possible. This implements Rule 1.6 directly.

4. Mandatory Human Verification of Outputs

Require that a competent lawyer independently verify every AI output before it is relied on or filed — citations checked against the actual authority, facts confirmed, law confirmed. State explicitly that uncritical reliance is prohibited. This is Rule 1.1 (competence) and Rule 3.3 (candor) working together, and it is the single most important line in the policy.

5. Client Disclosure & Informed Consent

Codify the four disclosure triggers: when the client asks, when client data is input, when AI use affects the fee, and when output will influence a significant decision. For self-learning tools, require specific informed consent — the firm's best judgment on why the tool is used, the risks, and the data involved — not boilerplate language buried in an engagement letter. This implements Rules 1.4 and 1.6.

6. Billing & Fees

Make the fee rules explicit: bill only time actually spent, never bill clients for time spent learning the tools, treat integrated AI subscriptions as overhead, and pass through per-use AI costs only at actual cost without markup. This implements Rule 1.5 and protects the firm from a fee dispute later.

7. Training & Competence

Commit the firm to training everyone who uses AI — on the tools themselves, on the ethical issues, and on confidentiality and data security. Competence is a continuing duty, so the policy should make training recurring, not one-time. This flows from Rules 1.1 and 5.1.

8. Supervision & Accountability

Name a responsible person — typically a managing partner or designated AI lead — and state that supervisory lawyers are accountable for the compliance of those they oversee, lawyers and nonlawyers alike. Accountability that belongs to no one in particular belongs to no one. This implements Rules 5.1 and 5.3.

9. Prohibited Uses

Draw the bright lines: no filing AI output without verification, no entering confidential client data into unapproved or self-learning tools without consent, no presenting AI output to a tribunal without checking every citation. Clear prohibitions are easier to follow than vague cautions. Grounded in Rules 1.6, 3.3, and 1.1.

10. Incident Response

Define what happens when something goes wrong — a confidentiality exposure, a hallucinated citation that slipped through, a data breach at a vendor. Who is notified, what gets documented, and what corrective steps follow. Vendor breach-notification expectations connect to the due-diligence duty under Rule 5.3; the rest is sound best practice.

The Law Firm AI Policy Template (Copy & Adapt)

Below is a complete, copy-and-adapt template. Replace every placeholder in brackets, delete anything that does not fit your practice, and — this matters — have a licensed attorney or your compliance officer review the finished policy before you adopt it. This template is a drafting starting point derived from the duties in ABA Formal Opinion 512. It is not legal advice, and it is not an official ABA model. Click the copy button on the block, paste it into your document, and make it yours.

[FIRM NAME] — GENERATIVE AI USE POLICY

Effective Date: [EFFECTIVE DATE]
Policy Owner: [MANAGING PARTNER / DESIGNATED AI LEAD]
Last Reviewed: [REVIEW DATE]

This policy governs the use of generative artificial intelligence ("AI")
tools at [FIRM NAME]. It is grounded in the firm's professional
responsibility obligations, including the duties of competence,
confidentiality, communication, reasonable fees, supervision, and candor
toward the tribunal. This policy is intended to help every member of the
firm use AI tools responsibly and consistently. It does not override
applicable rules of professional conduct or any client engagement terms.

----------------------------------------------------------------------
1. PURPOSE & SCOPE
----------------------------------------------------------------------
This policy applies to every attorney, paralegal, and staff member of
[FIRM NAME] (collectively, "personnel"). It applies whenever personnel
use any generative AI tool — including general-purpose chatbots, legal
research assistants, drafting tools, and any other system that generates
text, summaries, or analysis — in connection with firm work, whether or
not the firm pays for the tool. The purpose of this policy is to ensure
that AI is used in a manner consistent with the firm's ethical
obligations and the interests of its clients.

----------------------------------------------------------------------
2. APPROVED & PROHIBITED TOOLS
----------------------------------------------------------------------
Only AI tools that the firm has reviewed and approved may be used for
firm work. The current list of approved tools is: [APPROVED TOOLS].
Each approved tool has been evaluated for reliability, security,
confidentiality protections, and breach-notification practices.
Personnel may not use any tool not on the approved list for firm work
without prior written approval from [POLICY OWNER]. Use of personal or
free-tier accounts for confidential client matters is prohibited unless
specifically approved.

----------------------------------------------------------------------
3. CLIENT CONFIDENTIALITY & DATA HANDLING
----------------------------------------------------------------------
Before entering any client information into an AI tool, personnel must
evaluate the risk that the information could be disclosed to or accessed
by others. Personnel must NOT enter confidential client information into
any self-learning AI tool (a tool that trains on user inputs) without
first obtaining the client's informed consent as described in Section 5.
Wherever possible, personnel must anonymize inputs — removing names,
account numbers, dates, addresses, and other identifiers — before
prompting any AI tool. When in doubt, do not enter the information.

----------------------------------------------------------------------
4. MANDATORY HUMAN VERIFICATION OF OUTPUTS
----------------------------------------------------------------------
AI output is a draft, never a finished product. A competent attorney
must independently verify every AI output before it is relied upon,
delivered to a client, or filed with any tribunal. Verification includes
confirming that every legal citation exists and stands for what the
output claims, and that all statements of law and fact are accurate.
Uncritical reliance on AI output is prohibited. No member of the firm
may abdicate professional judgment to an AI tool.

----------------------------------------------------------------------
5. CLIENT DISCLOSURE & INFORMED CONSENT
----------------------------------------------------------------------
Personnel must disclose the firm's use of AI to a client when: (a) the
client asks; (b) the client's information will be input into the tool;
(c) AI use affects the reasonableness of the fee; or (d) the output will
influence a significant decision in the representation.

Where confidential client information will be entered into a
self-learning tool, the firm must obtain the client's informed consent
in advance. Informed consent requires giving the client the firm's best
judgment on why the AI tool is being used, the extent of and specific
risks involved, and the kinds of client information that will be
disclosed. A general, boilerplate statement in an engagement letter is
NOT sufficient for this purpose.

----------------------------------------------------------------------
6. BILLING & FEES
----------------------------------------------------------------------
For hourly matters, personnel may bill only for time actually spent.
Efficiency gained through AI does not justify billing more time than was
worked. Personnel may not bill any client for time spent learning to use
AI tools. AI tools the firm licenses on a flat or subscription basis are
treated as firm overhead and are not separately billable to clients.
Third-party AI services charged on a per-use basis may be billed to the
client as an expense only at the firm's actual cost, with no surcharge.

----------------------------------------------------------------------
7. TRAINING & COMPETENCE
----------------------------------------------------------------------
The firm will provide training to all personnel who use AI tools,
covering how to use approved tools, the ethical issues involved,
client confidentiality, and data security. Personnel are responsible for
maintaining a reasonable understanding of the capabilities and
limitations of the tools they use. Training will be provided at onboarding
and refreshed periodically as tools and obligations evolve.

----------------------------------------------------------------------
8. SUPERVISION & ACCOUNTABILITY
----------------------------------------------------------------------
[POLICY OWNER] is responsible for administering this policy, maintaining
the approved-tools list, and overseeing AI use across the firm.
Supervising attorneys are responsible for ensuring that the attorneys and
nonlawyer staff they oversee comply with this policy. Questions about
whether a particular use is permitted should be directed to [POLICY OWNER]
before proceeding.

----------------------------------------------------------------------
9. PROHIBITED USES
----------------------------------------------------------------------
The following are prohibited:
  - Filing or submitting AI output to any tribunal without independent
    verification of every citation and factual and legal assertion.
  - Entering confidential client information into any unapproved tool, or
    into a self-learning tool without the client's informed consent.
  - Using AI output as a substitute for the attorney's own professional
    judgment.
  - Representing AI-generated work as the product of human review when it
    has not been reviewed.

----------------------------------------------------------------------
10. INCIDENT RESPONSE
----------------------------------------------------------------------
Any suspected confidentiality exposure, data breach involving an AI
vendor, or instance of unverified AI output reaching a client or tribunal
must be reported to [POLICY OWNER] promptly. The firm will document the
incident, assess client-notification obligations, take corrective action,
and review whether changes to this policy or the approved-tools list are
warranted.

----------------------------------------------------------------------
ACKNOWLEDGMENT
----------------------------------------------------------------------
I have read and understood the [FIRM NAME] Generative AI Use Policy and
agree to comply with it.

Name: ____________________   Signature: ____________________   Date: ________

[This template is a starting point derived from the duties described in
ABA Formal Opinion 512. It is not legal advice and is not an official ABA
model policy. Have a licensed attorney or compliance officer review and
adapt it before adoption.]

How to Roll It Out in Your Firm

A policy that lives in a shared drive and nowhere else does nothing. Rolling it out is where the supervisory duty under Rules 5.1 and 5.3 is actually satisfied. Here is a practical sequence that works for firms of any size.

1. Adapt the template to your firm. Fill in the placeholders, decide which tools go on your approved list after a real review of their terms, and cut or add sections to match how your practice actually uses AI.
2. Have it reviewed. Put the draft in front of a licensed attorney or your compliance officer — and, if you have one, your malpractice carrier's risk team. This is the step that turns a generic template into a defensible firm policy.
3. Designate an owner. Name the managing partner or a designated AI lead as the person accountable for the policy, the approved-tools list, and the questions that will inevitably come up. Rule 5.1 contemplates exactly this kind of clear ownership.
4. Train everyone who touches AI. Walk lawyers and staff through the policy, the ethical duties behind it, and the confidentiality and verification rules in particular. Training is part of the supervisory obligation under Opinion 512.
5. Collect signed acknowledgments. Have each person sign the acknowledgment so the firm has a record that the policy was communicated and accepted. This is what "establishing clear policies" looks like in practice.
6. Review periodically and document it. AI tools and bar guidance change quickly. Revisit the policy and the approved-tools list on a set cadence, update them, and keep a dated record of each review.

The Broader Ethics Landscape: State Bars Are Aligning

ABA Formal Opinion 512 does not stand alone. Roughly half of U.S. state bars have now issued some form of guidance on lawyers' use of AI. The ABA opinion is influential, but it is not binding on its own — your own jurisdiction's rules and ethics opinions control. The encouraging news for firms trying to build a compliant policy is that the guidance is broadly consistent. Every one of these opinions interprets the existing rules of professional conduct rather than inventing new ones, and they converge on the same core concerns: protecting client confidentiality, maintaining competence, billing honestly, and keeping a human lawyer responsible for catching fabricated citations.

A few concrete examples illustrate the pattern. The Florida Bar issued Ethics Opinion 24-1 on January 24, 2024 — among the first state bar opinions to walk through the four core duties of confidentiality, competence, honest billing, and supervision as applied to generative AI. The State Bar of Texas issued Opinion 705 in February 2025, emphasizing the need for human supervision to guard against fabricated citations. California has published a "Practical Guidance" for lawyers using generative AI, and the New York State Bar Association produced an AI task force report in April 2024. The details differ, but the through-line is the same one running through Opinion 512 and through this template: use the technology, but keep a competent, confidentiality-conscious, honestly-billing human firmly in control. For a deeper survey of how these opinions fit together, see our overview of AI legal ethics and bar association guidance.

Conclusion: Adopt the Policy, Then Build the Habits

Thirty percent of lawyers were already using AI in 2024, and that share is only climbing. The profession's own ethics body has told managerial lawyers, in its first formal opinion on the subject, to establish clear policies governing that use. A written AI policy is how you answer that call — and how you protect your firm from the malpractice exposure that comes with uncritical reliance, the confidentiality exposure that comes with careless inputs, and the candor exposure that comes with unverified citations.

The template above gives you a running start. Adapt it, get it reviewed, designate an owner, train your team, and revisit it as the tools and the bar guidance evolve. A policy sets the standard; daily discipline keeps it. The firms that thrive with AI will be the ones that pair a clear written policy with verifiable, confidentiality-conscious habits at the prompt level — exactly the discipline the Model Rules already demand.