Below is a complete AI use policy for a small or medium-sized Canadian law firm, drafted against law society guidance in Ontario, Alberta, and BC. Copy it, work through the bracketed choices, and adapt it to your firm.
Why you need a written policy
Your staff are already using these tools. The assistant triaging your inbox and the clerk summarizing discovery transcripts adopted AI faster than the lawyers did, and without a written policy each of them is making confidentiality decisions for your firm by vibes.
Your regulator effectively expects one. The LSO's guidance puts the duties of competence, confidentiality, and supervision on you personally (I've summarized what the LSO requires separately), and Alberta's law society recommends firm AI policies outright. A written policy is how a firm shows it took the duties seriously, and it's the first document anyone asks for if an AI mistake becomes a complaint.
And clients are starting to ask. Institutional clients send AI questionnaires now, and referral sources factor the answer into where they send work. "We have a written policy, here it is" is a better answer than a pause.
One framing note before the template. The duty with AI vendors is the one you already apply to every technology vendor that holds client data — your practice management system, your document storage, your email host: take reasonable steps, know the terms, control the settings. The policy below treats AI tools the same way. The gate is whether the tool and account are vetted and controlled, not the category of data.
The template
Everything in [brackets] is a choice. This is a starting point, not legal advice, and your practice area, clients, and law society may call for adjustments.
[Firm Name] Artificial Intelligence Use Policy
Effective date: [date]
Application: This policy applies to everyone at the firm who uses an AI tool for firm work, including lawyers, staff, and contractors.
Policy owner: [name], who keeps the approved-tool list current and reviews this policy every [six months].
Read this policy before you use an AI tool for firm work. It sets out the rules for using AI in your work. Where this policy and your own judgment disagree, ask [name] before you act.
1. Principle. Treat an AI tool as you would treat assistance from a non-lawyer. You may use it in your work, but you must review what it produces, and you remain responsible for that work product. The lawyer responsible for a matter remains responsible for all work product on that matter, including work product an AI tool helped produce.
2. Approved tools. Use only the tools on the firm's approved list, and only the versions or accounts the list names. [Name] keeps the list at [location]. Before [name] adds a tool to the list, [name] confirms:
- whether the vendor uses your inputs to train its systems, and whether the firm can turn that off
- how long the vendor keeps your inputs, and whether the firm can control that
- where the vendor stores and processes the data
- whether the firm controls the account and its settings
Do not use a personal account for firm work[, and do not use the free version of an approved tool unless the list permits it].
3. Information you put into a tool. Before you enter any information into an AI tool, confirm that you may put it there. Entering information into a tool discloses it to the vendor, so treat the decision as you would treat sending the same information to any outside service. You are responsible for that judgment on every piece of information you enter.
- Put client, matter, or firm information only into an approved tool on a firm-controlled account, with the firm's required settings in place.
- Do not put client, matter, or firm information into a tool that is not on the approved list, or into a personal or free account.
- Where a client has given instructions about AI use on their matter, follow those instructions.
Where you are in doubt about whether information may go into a tool, ask the responsible lawyer first.
4. Verification. Do not rely on, send, or file any AI output you have not checked. Check every citation against the original source. Confirm every fact, figure, quotation, and calculation against the file. The person who verifies the work and the responsible lawyer are responsible for what the firm sends or files. For any document you file in court, keep a record of how you used AI and how you verified the output, sufficient to answer questions from the court, and follow the practice directions of every court before which you appear.
5. Client communication and billing. Answer client questions about the firm's use of AI accurately. Where your use of AI may affect the client's interests, the cost of the matter, or its outcome, raise it with the client and record the discussion on the file. The firm's engagement letter describes, in plain language, how the firm uses technology, including AI. Do not bill hourly time you did not spend. Where you pass the cost of an AI tool on to a client, bill it at actual cost.
6. Training. Every lawyer and staff member completes AI training within [90 days] of joining the firm, and at least [once a year] after that. You may raise a question about appropriate AI use at any time, and no one will hold it against you. Using a tool that is not on the approved list, or breaching section 3, is a serious matter, and the firm addresses it through its usual processes.
7. Review. [Name] reviews the approved-tool list and this policy every [six months], and conducts an earlier review whenever a vendor materially changes its terms.
8. Incident reporting. Report the following to [name] on the day you discover it:
- client or firm information that went into a tool or account the firm has not approved
- an AI error that reached a client or a court
- a tool behaving unexpectedly with firm data
When you report, the firm contains the incident. That may include deleting the conversation, revoking access to the tool, and using the vendor's data-deletion process. The firm then assesses what the incident exposed and what duties follow, including any duty to inform the client or the firm's insurer, and amends this policy to close the gap. Prompt reporting will never count against you.
Adapting it: four decisions
What's your risk tolerance? This is where your firm picks its stance. Decide where you want your data to reside and whether you're comfortable putting client information into an approved tool. Write the answers into the policy so everyone works from the same line.
What's your consent posture? The law societies differ at the margins here. BC's guidance expects fully informed and voluntary client consent where confidential information goes into generative AI. The LSO ties consent to situations where anonymizing can't adequately protect confidentiality or privilege. Alberta recommends addressing AI in the retainer letter. Decide where your firm lands, write it into sections 3 and 5, and put matching language in your engagement letter.
What's your tool stack? The policy is only real if section 2's list is real. Pick the two or three tools you'll support, on tiers whose terms you've read. Fewer tools, better understood, beats a long list nobody vetted. And mind the free-tier trap: the same product is often a different deal at different prices, with the free version training on your inputs while the paid one doesn't. (If Claude is on your list, I've written up what its data terms say.)
Who owns it? In a small firm, name a person, not a committee. The policy fails the day it becomes nobody's job.
The policy needs training behind it
You can adopt this template today and be no safer tomorrow, because the duties underneath it (verification, competence, knowing what these tools do with confidential data) live in people, not documents. The staff member who's never seen a hallucination won't catch one because a policy told her to.
A policy on its own changes nothing. The people who use these tools need to see them work and fail on real files, not just read a rule that says verify. That's what turns section 6 from a line in a document into something your firm can do.