Do You Need a Law Firm AI Policy? Sample Language You Can Actually Use
By Kyle Senger
15+ years in local marketing; Google Ads certified; Shopify Partner.
You've been pitched. You've watched an associate quietly paste a privileged memo into ChatGPT. You've seen the Mata v. Avianca headlines, and the Canadian follow-ups, and the Zhang v. Chen ruling in BC where the court ordered counsel to pay costs personally for citing AI-hallucinated cases. And somewhere between all that and your next partners' meeting, somebody's going to ask: do we need a law firm AI policy, and if so, what does it actually say?
Short answer: yes. Longer answer is what this article is for.
I'm going to give you sample language you can steal, adapt, and hand to your managing partner or your IT person on Monday. I'm not going to lecture you on why AI matters, because you already know. What most firms don't have is a one-page document everyone in the office has actually read and agreed to. That's the gap we're filling.
One note before we dig in. I run a marketing agency, not a law firm. I write policy language the way a marketer writes it, which means plain English and operational. If you want the narrower compliance-and-advertising angle, see our breakdown of how Law Society rules apply to AI-generated legal content across Ontario, BC, Alberta, and Quebec. If you want the buyer-side view of the tools themselves, the Canadian legal AI tools guide is a better starting point. For the broader question of how AI shapes your firm's overall search visibility and marketing strategy, our SEO for Canadian law firms pillar walks through it end-to-end. This piece is specifically about the internal policy document.
Why a Written AI Policy Matters Now (And Not Next Year)
Here's the thing. Most firms I talk to are already using AI. They just haven't admitted it to each other.
The associate drafts a demand letter in ChatGPT. The paralegal summarizes discovery in Claude. The clerk runs intake notes through Copilot because it's bundled with Microsoft 365. The senior partner uses Lexis+ AI and assumes that counts as compliant because a big vendor built it. Nobody's lying. Nobody's cheating. But nobody has written down what's okay and what isn't.
That's where the risk lives.
The Federation of Law Societies of Canada updated its Model Code commentary in 2024-2025 to address AI use, and provincial societies have been adopting versions of that guidance through 2026. The Law Society of Ontario put out practice guidance on generative AI that doesn't prohibit it, but makes it clear that the duty of technological competence under Rule 3.1-2 now includes understanding the tools you use. BC, Alberta, and Quebec have issued similar guidance. I'm not going to quote every provincial rule here because the sibling article on Law Society AI rules does that work.
The practical point: if a complaint comes in, "we didn't have a policy" is a worse answer than "we had a policy and someone violated it." One shows negligence. The other shows governance.
What an AI Policy Actually Needs to Cover
Most sample policies I see floating around LinkedIn are 14 pages long and nobody reads them. A usable law firm AI policy fits on two pages. It answers six questions.
- Which tools are approved and which are banned
- What types of data can and cannot go into approved tools
- Who's responsible for verifying AI output before it leaves the firm
- How AI-assisted work gets disclosed (to clients, to courts, internally)
- What training is required and how often
- What happens when someone breaks the policy
That's it. Everything else is commentary.
Now let me give you actual language.
Sample Policy Language You Can Adapt
I'm putting this in quote blocks so you can copy it cleanly. Treat every section as a starting point, not gospel. Your managing partner should review it. Your provincial Law Society may have specific requirements I'm not addressing. And if you're a Quebec firm, you need French and English parity under Barreau rules, so factor translation into your rollout.
Section 1: Scope and purpose
This policy governs the use of generative artificial intelligence tools (referred to as "AI tools") by all lawyers, articling students, paralegals, law clerks, administrative staff, and contractors of [Firm Name]. It applies to any AI tool used for firm work, whether the tool is paid for by the firm, by the individual, or available free of charge. The purpose of this policy is to allow the firm to benefit from AI while protecting client confidentiality, meeting our obligations under the [Provincial] Rules of Professional Conduct, and avoiding errors that could harm clients or the firm.
Section 2: Approved and prohibited tools
The following AI tools are approved for firm use, subject to the data restrictions in Section 3:
- [Tool name, e.g., Lexis+ AI under firm licence]
- [Tool name, e.g., Microsoft Copilot under firm enterprise licence]
- [Tool name, e.g., a specific firm-sanctioned research tool]
The following categories of tools are prohibited for any firm work:
- Free consumer versions of ChatGPT, Claude, Gemini, or similar tools where inputs may be used for model training
- Any AI tool that stores data outside of Canada without explicit firm approval under Section 3
- Any AI tool installed as a browser extension without IT review
Before using any tool not on the approved list, you must obtain written approval from [named partner or IT lead]. "I saw a demo at a CLE" is not approval.
That last line is half a joke and half not. Firms get into trouble because someone saw a slick demo and started pasting client matters into a tool nobody audited.
Section 3: Data classification
Firm data falls into three categories for AI purposes:
Green: may be used with approved AI tools. Public information, general legal research queries with no client-identifying details, firm marketing content, and anonymized examples.
Yellow: may be used only with approved AI tools under firm enterprise licences with data-retention controls disabled. Internal memos, draft precedents with no client details, and matter-management workflows.
Red: may not be entered into any AI tool. Client names, file numbers, identifying facts, privileged communications, draft pleadings containing party names, settlement figures, and any document subject to a sealing order, undertaking, or implied undertaking. This applies even if the tool claims enterprise-grade encryption.
If you are uncertain whether information is Yellow or Red, treat it as Red and ask.
Section 4: Verification requirement
Any output generated by an AI tool that is used in client-facing work, court filings, correspondence, or legal research must be verified by a qualified person before it leaves the firm. Verification includes:
- Confirming every cited case, statute, and regulation actually exists and says what the output claims
- Confirming factual assertions against source documents
- Applying professional judgment to the legal analysis
AI tools hallucinate. This is not a hypothetical risk. Lawyers in Canada and the United States have been sanctioned and ordered to pay costs personally for filing AI-generated material containing fake citations. You are responsible for everything that goes out under your name or the firm's name, full stop.
For more on this specific risk and how to build a check, we have a deeper piece on AI hallucinations in legal work.
Section 5: Disclosure
To clients. Where AI tools are used substantively in a matter, disclosure must be included in the engagement letter. See the firm's standard engagement letter language on AI use for approved wording, which varies by province.
To courts and tribunals. Follow the practice directions of the relevant court. The Federal Court, Court of King's Bench of Alberta, and several other Canadian courts have issued directions requiring disclosure of AI use in filed materials as of 2024-2025. Verify the current direction before every filing.
Internally. When circulating a draft substantially produced with AI assistance, note "AI-assisted draft - verified by [name]" at the top. This is a trust-and-audit tool, not a shame tool.
Section 6: Marketing, website, and intake
All firm marketing content, website copy, blog posts, social media, and client-facing newsletters created with AI assistance must be reviewed by a lawyer before publication for accuracy, compliance with marketing rules under Rule 4.2 of the Rules of Professional Conduct, and the prohibition on testimonials in Ontario and similar restrictions in other provinces.
AI-powered chatbots on the firm website must not provide legal advice, must clearly disclose they are not human, and must not collect information beyond name and contact details before a human intake takes over. See the firm's standards for AI intake chatbots and unauthorized-practice risk before deploying any chatbot.
Section 7: Training and acknowledgement
All personnel must complete AI training within 30 days of joining the firm and annually thereafter. Every person must sign an acknowledgement that they have read this policy.
Section 8: Violations
Violations will be addressed proportionate to the conduct. A first-time, good-faith mistake is a coaching conversation. A deliberate violation involving client data is a termination matter and may trigger a Law Society report if the facts warrant it. When in doubt, tell [managing partner] immediately. Self-reported mistakes are handled very differently than mistakes we discover later.
That's the policy. Two pages, plain English, actionable.
Provincial Variations You Can't Ignore
A policy written for a Toronto firm won't drop cleanly into a Montreal firm. Here's what shifts.
Ontario. Rule 4.2-1 of the Rules of Professional Conduct requires marketing to be demonstrably true, accurate, and verifiable. Testimonials are effectively prohibited where they're misleading or emotionally manipulative. Your policy's marketing section needs to reflect that AI cannot generate fake client quotes, even "illustrative" ones. The LSO has been clear that fabricated testimonials are a discipline matter.
British Columbia. The BC Code Rule 4.1-1 mirrors the FLSC Model Code. BC has been ahead on AI guidance, and the Zhang v. Chen cost award for citing hallucinated cases is the leading Canadian precedent. Your verification section should be the strongest part of a BC firm's policy.
Alberta. Rule 7.2 of the Code of Conduct is more permissive on advertising than Ontario or BC. You still need verification and disclosure, but you have more latitude on comparative claims. Don't assume that means AI use is lightly regulated, though. The competence duty still applies.
Quebec. Code of Professional Conduct of Lawyers Rule 147 plus Charter of the French Language obligations mean your policy itself may need to be available in French, and any AI-generated client-facing content for Quebec audiences needs French and English parity. Factor translation into your AI workflow, not after it.
If your firm is multi-province, write one policy with provincial riders, not four separate policies. One document is auditable. Four become contradictory within a year.
How to Actually Roll This Out (Week by Week)
I've watched firms sign off on policies that nobody follows. The document isn't the work. The rollout is. Here's what the first eight weeks look like when it's done properly.
Week 1. Managing partner and IT lead draft the approved-tools list. This is the hardest part because it means actually looking at what's installed on everyone's machines. Run a quick survey. Ask every lawyer and staff member to list every AI tool they've used for firm work in the past 90 days, no judgement. You'll be surprised. I've seen this exercise surface six tools management didn't know were in use.
Week 2. Draft the policy using the language above as your starting point. Route it to an external reviewer, either a practice-management advisor, a lawyer who focuses on professional regulation, or both. Do not publish a policy that only insiders have read.
Week 3. Hold a 60-minute all-hands meeting. Walk through the policy section by section. Take questions. The point isn't to lecture, it's to hear what people are actually doing so you can adjust the policy before it's final. Record the session for anyone who missed it.
Week 4. Final version goes out with an acknowledgement form. Everyone signs. Keep the signed acknowledgements in HR files.
Weeks 5-6. Run training. Not a PDF. Actual training, ideally 90 minutes, with worked examples of what's Green, Yellow, and Red data. Include a live demo of how a free consumer chatbot retains inputs versus how an enterprise licence handles them. People remember demos. They don't remember bullet points.
Week 7. IT configures tooling. Approved tools get enterprise licences with retention disabled. Prohibited tools get blocked at the browser or DNS level where feasible. Create a clear request process for anyone who wants a new tool added.
Week 8. First monthly review. Managing partner and IT lead meet for 30 minutes to review any incidents, tool requests, or questions that have come up. Repeat monthly for the first six months, then quarterly.
In my experience, firms that skip the training week end up with a policy in a binder and the same AI risk they had before. The training is the policy. The document is just the receipt.
A Worked Example: What It Costs to Get This Done
Let me give you honest numbers so you can budget.
A two-page policy drafted from the sample above, reviewed by a practice-management advisor or outside professional-regulation counsel, will typically run between $1,500 and $4,000 depending on province and firm complexity. Per DataForSEO 2026, the CPC on "legal marketing agency" in Canada is CA$42.84, which tells you nothing about policy cost but a lot about how expensive it is to recruit a new client if you blow up your reputation with an avoidable AI incident. You don't want to find out what a Law Society complaint defence costs in billable hours.
Training for a 5-lawyer firm, done properly with a live session and recorded video: assume $1,000 to $2,500 depending on whether you run it internally or bring in a specialist. Enterprise licences for Microsoft Copilot run roughly $36 CAD per user per month as of 2026, per Microsoft's public pricing. Lexis+ AI pricing is not public but typically bundles with existing Lexis subscriptions at a premium.
Total first-year governance spend for a small firm getting this right: roughly $5,000 to $12,000 in external costs plus whatever licensing you decide on. Compare that to the $15,000 a practice-management colleague told me they spent resolving a single AI-generated testimonial incident that caught a Law Society near-miss. The math on doing this properly is not close.

