AI risk assessment for law firms checklist
AI tools offer significant productivity gains for legal practice, but they also introduce risks around confidentiality, accuracy, and professional conduct. This checklist helps firms evaluate AI tools before adoption and maintain compliance during use.
This is a 12-step checklist for assessing the risks of deploying AI tools within a law firm. It covers professional conduct obligations, client confidentiality, data security, and supervisory duties under the Legal Profession Uniform Law.
The checklist
1. Identify the AI use case: define the specific tasks the AI tool will perform (research, drafting, review, summarisation) and the data it will process.
2. Assess confidentiality risks: evaluate whether client data will be transmitted to, stored by, or used for training by the AI provider. Map this against confidentiality obligations.
3. Review the provider terms: analyse the AI provider's terms of service, privacy policy, and data processing agreement for data handling, sub-processing, and retention.
4. Check data residency: confirm where data is processed and stored, and assess whether offshore transfer is consistent with client instructions and the Privacy Act.
5. Evaluate output accuracy: test the AI tool for hallucinations, citation accuracy, and jurisdictional relevance before relying on outputs in client matters.
6. Define supervision protocols: establish who reviews AI outputs and how, ensuring that a qualified practitioner supervises all work product before it is relied upon or delivered.
7. Assess ethical disclosure obligations: determine whether clients should be informed of AI use and whether disclosure is required by conduct rules or retainer terms.
8. Review insurance implications: check whether the professional indemnity insurance policy covers AI-assisted work and whether the insurer requires notification.
9. Implement access controls: restrict AI tool access to authorised staff and implement logging to track who uses the tool and on which matters.
10. Establish a prohibited-use policy: define categories of work where AI must not be used, such as matters with heightened confidentiality or national security implications.
11. Plan for tool failure: establish fallback procedures if the AI tool becomes unavailable, produces unreliable outputs, or suffers a data breach.
12. Schedule periodic re-assessment: set a review cadence (at least annually) to reassess the tool against evolving regulatory guidance and firm risk appetite.
When this checklist applies
Use before procuring or deploying any AI tool in legal practice, and periodically to reassess existing AI tools.
Common pitfalls
- Assuming the AI provider's terms protect client confidentiality without reading them
- Relying on AI-generated legal research without verifying citations
- Failing to disclose AI use to clients when required by retainer terms
- Not testing the tool on Australian jurisdictional content before deployment
- Treating AI adoption as a technology decision without involving the ethics partner
Run this checklist on a real matter
Quillio is purpose-built for Australian legal practice with on-shore data handling and source-linked research. See /features or start a free trial to evaluate it against this checklist.
This page is general guidance on AI risk assessment for law firms. State and territory law societies may issue specific guidance; consult your jurisdiction's regulatory body and obtain specialist advice.