Your team is already using AI.
Your firm probably hasn’t agreed how.
A practical starting point for law firms thinking seriously about AI adoption.
Why this matters more for law firms
For a law firm, the foundations underneath AI matter more than they do for most businesses. Client files, matter data and privileged communications sit at the centre of what an AI tool would draw on.
If matter folders are scattered and permissions haven’t been reviewed in years, AI doesn’t fix that. It surfaces material faster to anyone with access, including people who shouldn’t have had it.
What needs to happen first
Your data
AI works from what it can see. Most firms have matter files spread across SharePoint, OneDrive and a case management system, full of duplicates and old templates. Copilot can’t tell which version is current.
Permissions
Most firms haven’t reviewed access in years. Staff who change teams often keep their old folder permissions. Copilot surfaces what people technically have access to, which is how privileged matter notes turn up in the wrong place.
What your team is already using
A trainee summarises a client call in ChatGPT. A conveyancer pastes client ID into an AI writing tool. Most firms have no rule. Law Society guidance (August 2024) is clear: confidential information shouldn’t go into public AI tools.
The order of operations
Data, then permissions, then policy, then tools. Most firms reverse the order. The SRA is clear that AI doesn’t reduce a firm’s obligations on confidentiality, competence or supervision.
An AI policy template for uk law firms
Most firms know they should have an AI policy. Most don’t. The work usually stalls because there’s no draft to react to and no time to write one from scratch.
We’ve drafted one for UK law firms of 10 to 50 users. It covers:
– What staff can and can’t put into public AI tools (ChatGPT, free Copilot, Fireflies, Otter)
– How to handle client and matter data when AI is involved
– When to tell a client you’ve used AI on their matter
– Supervision and sign-off in line with the SRA Codes
– An acceptable and not-acceptable use list a fee earner can read in five minutes
– A documented control your cyber insurer will recognise at renewal
"Andy was so helpful, worked tirelessly to try and resolve the situation and made a very stressful situation bearable.
Most importantly he returned called when he said he would and even calls back to check the situation had been resolved”
Darran Ford | Owner, Handi Hire
What you can do this week
Whether you take the template or not, three things you can do this week that cost nothing.
Ask your team what they're already using
ChatGPT, Copilot, Grammarly, Fireflies, Otter, probably something you haven’t come across. The useful question is whether any of it has touched client data.
Spend half an hour in your document store
Open SharePoint or whichever platform sits underneath your case management system. Look at the top level. Is it organised by matter and access-controlled, or has it become a place people drop things.
Run a permissions audit in Microsoft 365
The M365 admin centre will show you who has access to what. Pay particular attention to client ID, finance, HR, and anything privileged. Look for staff who’ve moved teams and still have access to their old areas.
Rather have a conversation?
Cloud Geeni has been the IT partner for UK law firms for over 20 years. A 30-minute call covers where your firm sits on AI readiness and how the policy template fits in.