
The importance of implementing an AI policy and a checklist of considerations
Miller Insurance Services shares key controls that SME law firms can implement to ensure safe, responsible AI usage
AI remains the buzzword of the moment. Yet, despite the plethora of commentaries citing the opportunities and threats from the ‘AI revolution’, there is much less advice available on the practicalities of AI implementation.
One such practicality is how you are regulating AI use in your business. Whether or not you have authorised its use, it’s a fair bet that someone in your business is using AI for work purposes. All firms should therefore have some form of AI policy, even if just to say it is not approved for business use.
Policies: what good looks like
Bespoke
As no two firms are the same, it is unlikely that their policies should be exactly alike. While it’s tempting simply to adopt a pre-made template, it is less likely to serve you well in the long term. A precedent does, however, provide a great springboard for you to create your own tailored policy.
Short and practical
A policy is a framework document, not a textbook covering every eventuality. It should be clear, concise, and directed at the people who need to apply it.
Top tip: Consider using highlight panels to draw out key practical policy points.
Directly relevant to your business
Your policy should directly apply to your business and reference your wider policies and procedures. Check that your policies are appropriate to your sector, your strategy, and your risk appetite.
Easily accessed
A policy should be a resource that informs and provides the context to your procedures.
Top tip: Consider including quick links to relevant policy provisions in your processes and forms. Check how easy it is to find relevant policies on your intranet. And don’t forget regular refresher training.
Up to date
As your business changes or the regulatory landscape changes, so should your policies. Schedule annual reviews of all policies as a matter of course.
Considerations for an AI policy: a checklist approach
Scope
Your policy should state clearly, up-front, who it applies to. A policy addressing AI use within the firm will likely apply to all fee-earners (including consultants, trainees, and temporary staff) and support staff. It is important that all staff understand what the firm’s policy is, and what they need to do, and not to do, to remain compliant.
Objective
Including a short paragraph outlining why your policy exists and what it is intended to achieve at the start of the policy helps to engage your reader. You will probably need to include a brief definition of what you mean by AI. It will most probably focus on Generative AI, though increasingly, your policy may also have to take Agentic AI into consideration. Other definitions can be included in a schedule to ensure that the key policy messages come to the fore.
Likely policy objectives would include ensuring that the appropriate AI tools are used for approved use cases only; preserving the data privacy of clients, employees, and the firm; and preserving and enhancing the quality of legal advice and service provided to clients.
Principles of AI use
The firm’s use or non-use of AI will be guided by core principles, informed by the SRA Codes of Conduct, professional ethics, and your firm’s strategy and values.
It will not be possible to consider, let alone document, every possible approved or unapproved use of AI, and therefore it is important to have clearly defined principles that can be applied to new scenarios as they arise.
You will also want to have a process for assessing new use cases and clearly signpost this in your policy. For the policy to be effective, the associated processes must be clear, straightforward, and efficient.
Top tip: Using an ‘urgent’ flag to expedite priority requests reduces the risk of people bypassing the policy and taking matters into their own hands.
AI risks & rewards
It is helpful if your policy outlines both the potential risks and the potential benefits of AI use. Some staff will be eager to embrace AI use, others may be wary, or even suspicious. A clearly expressed factual exposition of both benefits and risks will hopefully engender appropriate caution in the most eager adopters and reassure those with concerns. The training you provide alongside the introduction of your policy, procedures and, where appropriate, AI tools, is an essential reinforcer of these messages.
Benefits include:
- Productivity
- Greater client focus
- Releasing time for higher-value fee earning
- Extending your service offering
Risks you should be considering include:
- Confidentiality and data protection
- Accuracy of outputs (hallucinations, data sets used, how up to date)
- Poor AI prompts by users
- Bias
- Client misuse of AI
Guardrails
Your AI policy should highlight the key compliance guardrails that, if followed, ensure your policy objectives will be met. These should include a complete prohibition on AI use outside work systems for any client-matter-related work, and a requirement to check AI outputs. You should also consider your approach to client consent or prohibition of AI use for client-matter-related tasks and how that will work in practice.
Schedules and associated documents
Alongside a summary of permitted and prohibited use cases, a schedule of approved tools and their respective approved use cases is advised.
Top tip: Your schedule of approved tools is likely to be subject to regular updates, so consider embedding a link to a separate document rather than including it within your actual policy.
Maintaining a separate schedule of personnel who have received appropriate training on your policy, and any particular tools for which they are to be approved as users, can evidence that your firm implements meaningful controls, and helps identify non-approved uses.
Further information
For more information, or to discuss your own implementation of AI or AI policies, contact:
Calum MacLean
Vanessa Cathie
The information provided in this document is for general informational purposes only. It is provided in good faith and does not constitute legal, tax, investment or any other advice. No representation or warranty of any kind, express or implied, as to the content, accuracy, adequacy, validity, reliability or completeness of any information, is provided and to the fullest extent permissible by applicable law, all such representations or warranties and all liability in respect of actions taken or not taken based on any or all of the information provided, are disclaimed. The content is not intended and should not be used as a substitute for taking appropriate advice.


