
April 03, 2026

From AI Risk to Readiness: Establishing Guardrails to Promote Growth for Law Firms

By John Verry, Managing Director

AI is already in use at your firm. In many practices, attorneys and staff use AI every day, sometimes without any formal decision to adopt it. That is not a reason to panic; it is a chance to lead with clear guardrails that protect privilege and reputation while enabling real efficiency.

Where AI is Showing Up Now

AI is showing up across four layers. First, explicit tools: Westlaw AI, Lexis+ AI, CoCounsel from Thomson Reuters, Harvey, and contract review tools such as Luminance or Ironclad. Second, adjacent workflows: eDiscovery platforms like Relativity and Nuix have long used analytics and technology-assisted review, and teams are testing AI-assisted deposition summaries. Third, ambient assistants: Grammarly, Otter or Teams transcription, Microsoft Copilot inside Word and Outlook, and AI features in iManage or NetDocuments. Fourth, the LLM layer: ad hoc use of ChatGPT or Claude for summarization, drafting and matter prep, sometimes on personal accounts.

The practical first step is visibility. Inventory what is in use, by whom, and on which matters.

Hallucination and Professional Responsibility

The Mata v. Avianca case in 2023 made the issue vivid when a lawyer submitted fabricated citations and was sanctioned. The takeaway is not that AI is forbidden. It is that competence and candor to the tribunal cannot be delegated. The core failure is unverified reliance. Good governance makes verification standard practice: require human review for any client- or court-facing work, run citation and source checks, log prompts and outputs with model versions, and disclose when a court or client requires it. If it is not verified, it does not go out.

Confidentiality at the Intake Stage

Pasting a client memo into a consumer chatbot can amount to sharing confidential or privileged material with a third party. Enterprise offerings and private deployments often have stronger data protections than consumer tools, but the risk remains. Keep the DMS as the system of record, control what leaves it, and classify before you paste. Use firm-approved private environments for any client-related prompts, and redact or anonymize by default. Address privilege and waiver risk in policy and training. Align your engagement letters and outside counsel guidelines with your AI policy, because some clients are now asking for disclosure or consent.

Shadow AI and the Partner Dynamic

Equity and senior partners often drive the highest impact use cases and can be skeptical of new controls. Governance gains credibility when partners co-author the policy, when insurers ask about AI controls, and when clients signal expectations. Choose pragmatic approvals at the practice group level over blanket bans, and offer a safe harbor to bring shadow use into the light. Make the compliant path the fastest path.

Lessons from eDiscovery

Legal already knows how to build defensible AI processes. Technology-assisted review earned court acceptance because teams documented validation protocols, measured performance, and kept audit trails. Apply the same playbook to generative AI. Define test sets and acceptance criteria, pilot and iterate, log prompts and outputs with model versions, and document the process so it can be explained to courts and clients. As vendors add generative AI to eDiscovery, extend these controls across the workflow.

Risks Firms Underweight

Firms often underweight three quiet risks: bias, intellectual property, and vendor terms. Models trained on historical outcomes can reproduce disparities, so flag high-impact use cases and keep experienced lawyers in the loop. Purely AI-generated content is generally not copyrightable, and hybrid human-plus-AI work raises ownership questions, so spell out rights in engagement terms and tighten vendor contracts for licensing and indemnity. Many AI features are embedded in tools you already use, which means the vendor's AI terms control data handling. Review retention, training on customer data, sub-processors, logging, and audit rights, and align them with client outside counsel guidelines.

ISO 42001 as Structured Assurance

ISO 42001 provides a management system for responsible AI use, much as ISO 27001 does for security and ISO 27701 for privacy. It requires policies, roles, objectives, risk assessments, controls, and audits tailored to AI. Many firms can layer 42001 on top of existing programs to signal governed AI use to clients and to create a repeatable improvement cycle. Verify current certification options and timelines before you commit.

The Road Ahead

Tools are moving from assistive to more action-oriented systems, which raises the bar for oversight. Regulatory activity and insurer scrutiny are increasing. The single most important step now is visibility and a verification culture. If you can answer what AI is used in your firm, by whom, and on which matters, you can set guardrails that enable growth with confidence.

Practical Next Steps

  • Inventory your current AI use and understand the risk of each use case.
  • Publish an acceptable-use checklist and train teams on it.
  • Update your third-party risk management program to address AI risk.
  • Consider formalizing your AI Risk Management program around ISO 42001.

At CBIZ, we help law firms assess their AI landscape, prioritize risks, and design a governance plan tailored to their firm’s priorities.

Ready to turn AI from shadow use into strategic advantage? Connect with a CBIZ professional to get started.

© Copyright CBIZ, Inc. All rights reserved.
