Building AI Governance from the Ground Up in Small Law Firms

Competence once meant mastering precedent. Now it means managing prediction. As generative AI transforms legal work, small law firms face a difficult choice: innovate or fall behind, regulate or drown in compliance costs. While global firms appoint AI governance leads and draft ISO-aligned playbooks, smaller practices improvise with limited resources and practical sense. Their challenge is scale, not ignorance. Lacking privacy teams or risk committees, they are developing adaptive systems of oversight that operate below the radar yet remain essential to their survival.

The Compliance Divide

Large law firms and in-house departments are increasingly adopting structured governance frameworks for artificial intelligence such as the NIST AI Risk Management Framework or ISO/IEC 42001. These systems feature inventories of AI tools, risk registers, model documentation, third-party vendor oversight, and periodic audits. By contrast, a five-lawyer firm may have no formal documentation beyond a shared drive and a few internal emails. That scale gap creates a compliance divide: smaller practices cannot replicate enterprise-class structures without draining billable time or incurring significant expense.

The gap matters because ethics guidance from the American Bar Association applies to all lawyers regardless of firm size. Recognizing this divide reframes governance as a right-sized challenge rather than a sign of deficiency.

Shadow Governance: How Small Firms Comply Without Knowing It

Many small firms already practice informal governance without calling it that. Some track AI tools in spreadsheets or note which matters used generative systems. Others keep checklists before uploading client data to outside platforms. These systems mirror shadow IT, unapproved but often essential for getting work done.

The ABA’s Formal Opinion 512 emphasizes that lawyers must maintain reasonable understanding of AI capabilities and limitations. Small firms meet that bar through creative adaptation: labeling drafts as AI-assisted, versioning documents, or requiring second-level review before filing. What they lack in structure, they replace with vigilance. These acts form a living system of governance born from necessity.

State-Level Guidance Adds Specificity

Beyond the ABA, several states have issued their own AI ethics opinions. Florida Bar Ethics Opinion 24-1, adopted in January 2024, permits the use of generative AI but requires informed consent before disclosing client information to such tools. Texas Professional Ethics Opinion 705, issued in February 2025, provides similar guidance on competence and confidentiality obligations. North Carolina Formal Ethics Opinion 2024-1 analogizes AI to both software tools and nonlawyer staff, requiring lawyers to both understand the technology and supervise its output. These state opinions complement the ABA framework by addressing jurisdiction-specific rules.

Adaptive Governance in Practice

Turning ethics into control means translating principles into daily routines. Successful small firms rely on three levers: visibility, tagging, and human review. Each balances risk with practicality.

• Visibility: Designate an AI point person who tracks tools in use, monitors vendor updates, and circulates quick guidance when new platforms appear.
• Tagging: Add AI-assisted markers to documents created with machine help, preserving traceability without bureaucracy.
• Human review: Require attorney sign-off for any AI-derived output before client use or court submission.

According to Embroker’s 2025 Risk Index, insurers are beginning to ask about AI risk controls when underwriting malpractice and cyber policies, with nearly half of law firms planning to upgrade their insurance coverage. These informal measures may soon become the minimum standard for coverage. The firms that document small acts of governance today will be better prepared for the audits tomorrow.

Transparency as Competitive Advantage

Smaller firms often avoid discussing AI use, worried that disclosure could appear careless or unprofessional. Yet transparency is emerging as a new competency. Engagement letters increasingly include AI use statements, outlining how and when generative tools may assist in drafting. The ABA’s guidance supports this clarity, noting that disclosure may be required when AI materially affects client interests.

According to best practices developed by legal technology experts, engagement letters serve as the logical place to explain planned AI use and to note that client confidential information will be protected. This proactive approach prevents clients from being surprised when they discover AI was used and reinforces that human lawyers remain firmly in control.

Transparency turns risk into credibility. When clients understand that human lawyers remain firmly in control, trust grows rather than erodes. Fear of perception should not block good governance; silence is more dangerous than honesty.

Right-Sized Governance in Five Steps

Right-sized governance begins with simplicity. Small firms can build practical frameworks without expensive software or consultants by focusing on essentials.

• Inventory tools: List every AI platform in use, including browser plug-ins and document assistants.
• Define risk tiers: Separate client-data applications from general productivity tools and apply stronger controls where privacy is at stake.
• Assign accountability: Even a part-time reviewer creates a chain of oversight.
• Document lightly: One concise memo describing how AI is used and reviewed can demonstrate compliance if questions arise.
• Train quarterly: Brief sessions help staff stay current on evolving ethics and vendor changes.

Cost-effective tools can make these steps easier. Most practice management systems already offer tagging, audit logs, and versioning that function as simple AI registers. Secure cloud platforms such as Clio, MyCase, or NetDocuments let firms track which matters involve AI assistance without adding new software or cost. Using existing tools turns compliance into a workflow habit rather than a separate project.

These steps convert good intentions into evidence of diligence. Governance does not require bureaucracy; it requires proof of thoughtfulness.

Market Forces Already Regulating AI Governance

Formal legislation will take time, but market forces are already setting standards. Corporate clients now ask about AI policies in outside-counsel questionnaires, and insurers tie coverage rates to documented oversight. According to the ABA Journal, some lawyers may be surprised to learn that coverage for AI-related claims is not explicitly covered by standard malpractice policies, and that use of AI tools may not satisfy the definition of professional service under existing policies. These non-regulatory levers effectively regulate faster than government can.

Small firms that act early by building transparent practices and documenting human review will gain both credibility and protection. The future of governance will depend on control, not size. AI compliance is becoming a measure of professional maturity, and firms that adapt now will not only survive but set the standard for others to follow.

Sources

• ABA Journal: “Does Your Professional Liability Insurance Cover AI Mistakes? Don’t Be So Sure” (Feb. 2025)
• American Bar Association: “ABA Issues First Ethics Guidance on AI Tools” (July 2024)
• American Bar Association: Formal Opinion 512 on Generative Artificial Intelligence Tools (July 29, 2024)
• Clio: Practice Management Software
• Cyber Insurance News: “Legal Industry Faces AI Boom and New Cybersecurity Challenges in 2025” (July 23, 2025)
• Eve Legal: “Disclosing AI Usage to Your Clients: Best Practices for Legal Teams” (2024)
• Florida Bar: Ethics Opinion 24-1 on Lawyers’ Use of Generative AI (Jan. 2024)
• International Organization for Standardization: ISO/IEC 42001 AI Management System Standard (Dec. 2023)
• Jenkins Law Library: “Ethics for Attorneys on GenAI Use: ABA Formal Opinion 512” (Aug. 8, 2024)
• MyCase: Legal Practice Management Software
• National Institute of Standards and Technology: AI Risk Management Framework (Jan. 2023)
• NetDocuments: Document Management System
• North Carolina State Bar: Formal Ethics Opinion 2024-1 on Use of Artificial Intelligence in Law Practice (2024)
• Reuters: “Balancing Innovation and Caution: How Lawyers Should Integrate AI into Legal Practice” (Apr. 23, 2025)
• Texas Center for Legal Ethics: Opinion 705 on Generative Artificial Intelligence (Feb. 2025)

This article was prepared for educational and informational purposes only. It does not constitute legal advice and should not be relied upon as such. All statutes, opinions, and frameworks cited are publicly available through official publications and reputable outlets. Readers should consult professional counsel for specific compliance or governance questions related to AI use.

See also: Can Machines Be Taught to Obey Laws They Can’t Understand?