Security & Compliance

AI Use Policy Template (One-Page)

Fill-in-the-blank one-page AI use policy. What data can/can't touch AI, who approves, how to escalate.

Corporate AI Use Policy

Effective Date: [Date]
Applies To: All employees, contractors, and vendors of [Firm Name]
Policy Owner: [Name/Title, e.g., Head of Operations or Managing Partner]

1. Core Philosophy

AI is not optional. It is a competitive requirement at [Firm Name]. We expect every team member to use AI to eliminate administrative drag, accelerate client deliverables, and reduce billable hour waste on low-value tasks.

But speed without control is liability. Client confidentiality, data security, and regulatory compliance are non-negotiable. This policy exists to draw bright lines: what you can do, what you cannot do, and how to escalate when you are unsure.

2. Approved AI Tools

You may only use the following AI systems for firm business. Any tool not on this list is prohibited from accessing firm systems, client data, or internal documents.

Tier 1: Safe for Client Data (Enterprise Systems Covered by a Signed DPA)

  • ChatGPT Enterprise (SSO authenticated via [Okta/Azure AD])
  • Claude for Enterprise (SSO authenticated via [Okta/Azure AD])
  • Microsoft Copilot for Microsoft 365 (E3/E5 license holders only)
  • Internal n8n workflows (connected to the OpenAI API under a zero data retention (ZDR) agreement)
  • [Add firm-specific tools here]

What this means: These tools are covered by Data Processing Agreements (DPAs) the firm has signed, under which the vendor does not train models on your inputs. Retention is not the same across the list: the ZDR API arrangement discards prompts once the request is served, while enterprise chat products and Copilot keep conversation history under the firm's admin controls. Do not assume a tool is zero-retention because it is on this list; IT confirms the configured retention setting before a tool is approved for Red Data. You may use these for client work after applying the data classification rules below.

Tier 2: Internal and Public Data Only (No Client Information)

  • Free ChatGPT (chatgpt.com)
  • Free Claude (claude.ai)
  • Free Gemini (gemini.google.com)
  • Perplexity (perplexity.ai)

What this means: Assume these tools train on your inputs. OpenAI, Anthropic, and Google state that consumer and free-tier conversations may be used to improve their models unless the account has opted out, and the firm does not control those account settings. You may use these for brainstorming, drafting internal memos, and summarizing public information. You may not paste client names, case details, financial data, or anything covered under attorney-client privilege, CPA confidentiality rules, or HIPAA.

Prohibited Tools (Immediate Termination Risk)

  • Browser extensions that claim to "enhance" ChatGPT or Gmail (e.g., AIPRM, WebChatGPT, random Chrome plugins)
  • Unvetted SaaS platforms that request access to your email, CRM, or file storage
  • Any AI tool that does not provide a public Data Processing Agreement

If you are unsure whether a tool is approved, do not connect it to firm systems. Email [Policy Owner Email] first.

3. The Data Classification Rule

Before you paste anything into an AI tool, classify it. If you cannot classify it in under 10 seconds, default to Red and do not use AI.

✅ Green Data (Public/Operational) - Approved for All Tools

Examples:

  • Marketing copy for the firm website
  • Public blog posts or LinkedIn articles
  • Generic process documentation (e.g., "How to onboard a new client")
  • Industry research from public sources

Rule: You may use Green Data in free, public AI tools. No redaction required.

⚠️ Yellow Data (Internal Firm Data) - Tier 1 Tools Only

Examples:

  • Internal meeting notes (no client names)
  • Financial projections for the firm
  • Proprietary frameworks, templates, or methodologies
  • Employee performance reviews (redacted of PII)

Rule: You may use Yellow Data in Tier 1 tools only. Redact all Personally Identifiable Information (PII) before input. This includes employee names, email addresses, phone numbers, and home addresses.

How to redact: Replace specific identifiers with placeholders. Example: "John Smith earned $150K in 2024" becomes "[Employee A] earned [Salary] in 2024."

🛑 Red Data (Client/Sensitive Data) - Tier 1 Tools Only, With Restrictions

Examples:

  • Client names, Social Security Numbers, Tax ID Numbers
  • Unredacted legal documents, contracts, or discovery materials
  • Financial account numbers, credit card numbers, bank statements
  • HIPAA-protected health information
  • Attorney-client privileged communications
  • CPA work papers containing client financial data

Rule: Red Data may only be processed through Tier 1 tools that have been explicitly approved for client data. Even then, you must:

  1. Confirm the tool is configured for zero-retention (check with IT if unsure)
  2. Redact all direct identifiers where possible
  3. Document the business justification for using AI on this data

Absolute prohibition: Red Data may never touch free, public AI tools. Violation of this rule is grounds for immediate termination and may expose the firm to regulatory penalties.
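One way to mechanize the classification rule and the redaction how-to above (the "[Employee A] earned [Salary]" substitution and the Red Data identifier list) is a pre-prompt gate that the firm runs before text reaches any AI tool. The following is an added example in Python, not part of this template and not Revenue Institute code; the regexes, the Luhn check, the name lists, and the sample text are constructed assumptions. It catches structured identifiers (SSNs, EINs, card numbers, emails, phone numbers) on its own, but client and employee names are only caught when supplied from a list such as a CRM export, which is why the 10-second rule and the default to Red still apply.

```python
"""Pre-prompt gate for the data classification rule (added example, not firm code).

Scans text for the direct identifiers the policy lists, assigns Green / Yellow / Red,
swaps each identifier for a stable placeholder, and decides whether the result may go
to a Tier 1 or a Tier 2 tool. Patterns and sample text are constructed for illustration.
"""
import re

# Direct identifiers from the policy. Order matters: the card pattern runs first so a
# card number is consumed before the phone pattern can match a fragment of it.
# The middle field is the classification level a hit implies.
PATTERNS = [
    ("CARD",  "RED",    re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),   # 13-19 digits, Luhn-checked below
    ("SSN",   "RED",    re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")),
    ("EIN",   "RED",    re.compile(r"\b\d\d-\d{7}\b")),
    ("EMAIL", "YELLOW", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("PHONE", "YELLOW", re.compile(r"(?<!\d)(?:\+1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
]
RANK = {"GREEN": 0, "YELLOW": 1, "RED": 2}


def luhn_ok(candidate):
    """Luhn checksum, so digit runs that are not card numbers (invoice refs etc.) are left alone."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(text, client_names=(), employee_names=()):
    """Return (redacted_text, level, findings). The same value maps to the same placeholder
    within one call, so the model can still correlate references without seeing the value."""
    placeholders, counters, findings = {}, {}, {}
    level = "GREEN"

    def placeholder(kind, value, implied):
        nonlocal level
        key = (kind, value.lower() if kind in ("CLIENT", "EMPLOYEE") else value)
        if key not in placeholders:
            counters[kind] = counters.get(kind, 0) + 1
            placeholders[key] = f"[{kind} {counters[kind]}]"
        findings[kind] = findings.get(kind, 0) + 1
        if RANK[implied] > RANK[level]:
            level = implied
        return placeholders[key]

    # Names cannot be detected by pattern; they come from a supplied list (assumed CRM/HR export).
    for name in client_names:
        text = re.sub(r"\b" + re.escape(name) + r"\b",
                      lambda m: placeholder("CLIENT", m.group(), "RED"), text, flags=re.IGNORECASE)
    for name in employee_names:
        text = re.sub(r"\b" + re.escape(name) + r"\b",
                      lambda m: placeholder("EMPLOYEE", m.group(), "YELLOW"), text, flags=re.IGNORECASE)

    for kind, implied, pattern in PATTERNS:
        def sub(m, kind=kind, implied=implied):
            if kind == "CARD" and not luhn_ok(m.group()):
                return m.group()          # digit run that fails Luhn is not treated as a card
            return placeholder(kind, m.group(), implied)
        text = pattern.sub(sub, text)
    return text, level, findings


def gate(text, tier, client_names=(), employee_names=()):
    """Apply the rule: Green -> any tool; Yellow -> Tier 1 after redaction; Red -> Tier 1 only,
    redacted, with a documented justification. A Tier 2 (free/public) tool gets Green only."""
    redacted, level, findings = redact(text, client_names, employee_names)
    if tier == 2 and level != "GREEN":
        return {"allowed": False, "level": level, "findings": findings, "text": None,
                "reason": f"{level} data may not be sent to a Tier 2 tool"}
    return {"allowed": True, "level": level, "findings": findings, "text": redacted,
            "needs_justification": level == "RED"}


# Constructed sample text; no real client, employee or card data.
SAMPLE = (
    "Prep for Acme Holdings LLC: Maria Lopez (SSN 123-45-6789) paid with card "
    "4111 1111 1111 1111; contact jane.doe@example.com or 555-123-4567. "
    "Employee review: John Smith earned $150K in 2024. Invoice ref 1234 5678 9012 3456."
)

if __name__ == "__main__":
    result = gate(SAMPLE, tier=1, client_names=("Acme Holdings LLC", "Maria Lopez"),
                  employee_names=("John Smith",))
    print(result["level"], result["findings"])
    print(result["text"])
```

The gate reports the highest level found rather than the first, so a memo that is Yellow on its own becomes Red as soon as one SSN slips in, and the Tier 2 branch refuses to return any text at all, which is the point: a redacted copy of Red Data is still not cleared for a free tool under this policy.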

4. The "Human in the Loop" Mandate

AI hallucinates. It fabricates case citations, invents statistics, and generates confident-sounding nonsense.

You are 100% accountable for any AI output you send to a client, file with a court, or submit to a regulatory body.

Required Verification Steps

  1. Legal citations: Manually verify every case name, statute, and regulation in Westlaw, LexisNexis, or the official source. AI-generated citations are wrong approximately 15-30% of the time.
  2. Financial calculations: Re-run every formula in Excel or your accounting software. Do not trust AI math.
  3. Client-specific facts: Cross-check every client name, date, and transaction detail against your case management system or CRM.
  4. Tone and voice: Read the output aloud. If it sounds like a robot wrote it, rewrite it.

Prohibited Uses (No Human Review Can Fix These)

  • Submitting AI-generated legal briefs without line-by-line attorney review
  • Sending AI-drafted tax returns to clients without CPA verification
  • Using AI to generate expert witness testimony or affidavits
  • Automating client communication without a human approving each message

5. Escalation and Approval Process

You found a new AI tool that could save the team 10 hours per week. Great. Do not connect it to our systems yet.

Step 1: Submit for Review

Email [Policy Owner Email] with:

  • Tool name and website
  • What problem it solves
  • What data it needs to access (email, CRM, file storage, etc.)
  • Link to its Data Processing Agreement (DPA) or Terms of Service

Step 2: Security Review (Completed Within [5] Business Days)

We will evaluate:

  • Does the vendor train models on customer data?
  • Where is data stored? (US, EU, or other jurisdiction)
  • What is the data retention policy? (Zero-day deletion vs. indefinite storage)
  • Does the vendor have SOC 2 Type II certification?
  • Can we sign a Business Associate Agreement (BAA) if HIPAA applies?

Step 3: Approval or Denial

If approved, the tool will be added to the Tier 1 or Tier 2 list above. If denied, we will explain why and suggest an alternative.

Emergency Escalation

If you accidentally paste Red Data into a free AI tool, immediately:

  1. Stop. Do not send any further prompts, and do not ask the tool to "forget" the data; that does not remove it.
  2. Record what happened before cleaning up: the tool, the account used, the time, and what was pasted (a screenshot of the conversation is sufficient). This is the evidence the firm needs for any notification decision.
  3. Delete the conversation from the tool's history. Closing the browser tab does not delete it; consumer tools save conversations by default.
  4. Email [Policy Owner Email] and [IT Security Email] with the subject line "AI Data Incident" and attach your record from step 2.

We will assess whether client notification or regulatory disclosure is required.

6. Signature Acknowledgment

I have read and agree to adhere to the [Firm Name] AI Use Policy. I understand that:

  • I may only use approved AI tools for firm business
  • I am responsible for classifying data before using AI
  • I am accountable for verifying all AI-generated output
  • Violation of this policy may result in disciplinary action up to and including termination

Employee Name (Printed)

Signature

Date

Revenue Institute

Reviewed by Revenue Institute

This guide is actively maintained and reviewed by the implementation experts at Revenue Institute. As the creators of The AI Workforce Playbook, we test and deploy these exact frameworks for professional services firms scaling without new headcount.


Need help turning this guide into reality? Revenue Institute builds and implements the AI workforce for professional services firms.

RevenueInstitute.com