AI agent governance for legal departments: privilege, ethics and the rules that already apply

A litigation team at an Am Law 100 firm used an AI research agent to prepare a motion for summary judgment. The agent cited 11 cases supporting the firm’s position. Three of those cases did not exist. The opposing counsel flagged the fabrications and the court sanctioned the firm, ordered a show-cause hearing and required disclosure to the client.

This scenario has moved from cautionary tale to statistical regularity. More than 600 AI hallucination cases are now on record, involving 128 lawyers across firms of every size. Law firm insurers have paid claims exceeding $50 million in the past two years for AI-related malpractice.

The legal profession is not new to technology governance. Lawyers have managed e-discovery technology, document management systems and client communication platforms under professional conduct rules for decades. But AI agents introduce a category of risk those rules were not designed for: autonomous systems that generate legal work product, access privileged information and make decisions about case strategy without a lawyer reviewing each step.

The governance requirements are not hypothetical. They are being enforced by courts, bar associations and regulators right now.

The regulatory overlay#

Legal AI agents operate under the most layered regulatory environment of any profession. Five distinct sources of authority apply simultaneously, and each imposes obligations that generic AI governance frameworks do not cover.

ABA formal opinion 512#

The American Bar Association’s Standing Committee on Ethics and Professional Responsibility released Formal Opinion 512 in July 2024, the first comprehensive ethics guidance on lawyers’ use of generative AI. The opinion maps four Model Rules directly to AI tool use:

• Rule 1.1 (Competence): lawyers must maintain “a reasonable understanding of how AI technology works,” which does not require technical expertise but does require understanding the technology’s capabilities, limitations and failure modes; for AI agents, competence means understanding what the agent can do autonomously and where it requires human oversight
• Rule 1.6 (Confidentiality): client information entered into AI systems must be protected; consumer-grade AI tools that use submitted data for model training violate this obligation unless the client provides informed consent; for AI agents with access to client databases, confidentiality governance must cover every data source the agent can reach
• Rule 1.4 (Communication): lawyers must communicate with clients about the use of AI in their matters, including which tasks are AI-assisted, what technology is being used and how client data is protected
• Rule 1.5 (Fees): fees must reflect the actual work performed, so if an AI agent completes a research task in minutes that would have taken a paralegal hours, the fee must reflect the reduced effort

The privilege question#

Attorney-client privilege is the legal profession’s most consequential governance issue for AI agents. In United States v. Heppner, the Southern District of New York ruled that documents generated using a consumer-grade AI platform are not protected by attorney-client privilege or the work product doctrine.

The reasoning: submitting privileged information to a third-party AI service destroys the confidentiality required for privilege protection. The platform’s terms of service allowed data use for model training. No clawback mechanism existed. The court found no reasonable expectation of confidentiality.

For AI agents, the privilege implications are acute:

• Contract review agents that send client contracts to third-party AI APIs may waive privilege over those documents
• Legal research agents that include case facts in prompts may expose privileged work product
• Client-facing agents that interact with clients may generate communications that fall outside privilege protection if not properly supervised
• E-discovery agents that classify documents may misroute privileged materials into production sets

The governance requirement: every AI agent that touches privileged information must operate within infrastructure that preserves confidentiality. Enterprise-grade tools with contractual no-training commitments, data residency controls and documented legal purpose for each task.

State bar guidance#

Beyond the ABA’s national guidance, state bar associations are issuing their own AI ethics opinions. By early 2026, the majority of US states have published or are developing AI-specific guidance for lawyers. The requirements vary by jurisdiction but converge on several themes:

• Mandatory disclosure of AI use in court filings (adopted or proposed in 30+ jurisdictions)
• Verification obligations for AI-generated legal citations
• Supervision requirements for AI-assisted work product
• Continuing legal education requirements for AI competence

EU AI Act#

The EU AI Act classifies AI systems used in the “administration of justice and democratic processes” as high-risk under Annex III. This captures AI tools used in legal analysis, case assessment and judicial support. High-risk obligations apply from August 2026:

• Risk management systems covering the full AI lifecycle
• Data governance ensuring training data quality and representativeness
• Technical documentation sufficient for regulatory review
• Transparency mechanisms that inform users when they interact with AI
• Human oversight proportional to the system’s risk profile
• Accuracy, robustness and cybersecurity standards

For international law firms serving EU clients, these obligations apply regardless of where the firm is headquartered.

UK SRA guidance#

The Solicitors Regulation Authority (SRA) in the UK has published guidance on AI use that extends existing principles of competence, client service and confidentiality to AI tools. Key requirements include maintaining adequate supervision of AI outputs, protecting client confidentiality in all AI interactions and ensuring that AI use does not compromise the quality of legal services.

Governing legal AI agents by type#

Different agent types create different governance requirements. A contract review agent handling routine NDAs has a fundamentally different risk profile than a research agent preparing arguments for federal litigation.

Contract review agents#

Contract review is the highest-volume AI agent use case in legal departments. These agents extract key terms, flag risk provisions, compare against playbook standards and generate redline suggestions.

Governance requirements:

• Privilege preservation: all contract data must remain within privilege-preserving infrastructure, so no client contracts go to consumer AI services and enterprise tools with contractual confidentiality commitments are required
• Accuracy validation: extracted terms and risk flags must be validated against source documents, with accuracy rates tracked per contract type and reported monthly (industry benchmarks show well-governed contract review agents achieve 92-96% accuracy on term extraction)
• Bias testing: review outcomes should be tested across contract types, counterparty profiles and jurisdictions to identify systematic biases in risk scoring
• Audit trails: every agent-reviewed contract must have a complete audit trail, covering who initiated the review, what the agent found, what a human reviewer confirmed or corrected and what the final output was
• Access controls: the agent should access only the contracts assigned to it, not the full document management system, using least-privilege access enforced at the infrastructure level

Legal research agents#

Legal research agents query case databases, statutes and secondary sources to produce research memoranda. They are also the agent type most likely to hallucinate: fabricating cases, misquoting holdings or conflating jurisdictions.

Governance requirements:

• Citation verification: every case, statute and regulation cited by the agent must be independently verified; this is not optional, because courts have sanctioned lawyers for relying on AI-generated citations without verification
• Jurisdiction controls: the agent must be configured to research within the correct jurisdiction, because a research agent trained on federal cases that returns state court holdings creates malpractice risk
• Source documentation: the agent must identify the specific sources it consulted and the search strategies it used, and this documentation supports both quality review and potential malpractice defense
• Hallucination monitoring: track hallucination rates over time, because a research agent that fabricates 1 citation per 100 outputs requires different oversight than one that fabricates 1 per 10

Client-facing agents#

Client-facing agents handle intake questionnaires, status updates, document requests and routine client communications. They are the most visible agents and the ones most likely to create unauthorized attorney-client relationships.

Governance requirements:

• Unauthorized practice prevention: client-facing agents must not provide legal advice, make legal conclusions or create the impression that they are lawyers, with clear disclosures at every interaction point
• Scope limitations: define precisely what the agent can and cannot communicate, so a status update agent reports case milestones without interpreting their legal significance
• Escalation protocols: any client question that touches substantive legal issues must route to a human lawyer within a defined timeframe
• Communication logging: all agent-client interactions must be logged and reviewable, because these communications may be discoverable in future litigation

Regulatory filing agents#

Filing agents prepare and submit regulatory documents: SEC filings, court documents, compliance reports and administrative submissions. Errors in filing agents have direct legal consequences.

Governance requirements:

• Pre-submission review. No regulatory filing should be submitted without human lawyer review. The agent prepares; the lawyer files.
• Deadline management. Filing agents must track deadlines accurately and alert supervising lawyers to upcoming obligations with sufficient lead time.
• Format compliance. Regulatory bodies have specific formatting requirements. Filing agents must be tested against current requirements for each jurisdiction and filing type.
• Version control. Complete version history of every document from first draft through final submission.

E-discovery agents#

E-discovery agents collect, process, review and produce documents in litigation. They handle the largest volumes of privileged material and present the most complex governance challenges.

Governance requirements:

• Privilege classification accuracy. E-discovery agents that classify documents as privileged or non-privileged must achieve accuracy rates that satisfy both the supervising lawyer and the court. Misclassifying a privileged document as producible can waive privilege over the entire subject matter.
• Chain of custody. Every document the agent touches must have an unbroken chain of custody record: who collected it, when it was processed, what classifications were applied and who reviewed those classifications.
• Defensibility. The agent’s review methodology must be defensible in court. If opposing counsel challenges the review, the supervising lawyer must be able to explain how the agent worked, what quality controls applied and what error rates were observed.
• Proportionality. E-discovery agents must be configured to collect and review documents proportional to the case needs, consistent with Federal Rule of Civil Procedure 26(b)(1).

Building the governance framework#

Step 1: inventory and classify#

Document every AI agent in the legal department. For each agent, record:

• Agent type and purpose
• Data sources accessed (especially privileged or confidential data)
• Decision scope (what can the agent do without human approval)
• Tool access permissions
• Risk classification based on the 8 pillars of AI agent governance
• Applicable regulations (ABA rules, state bar guidance, EU AI Act, SRA)

Organizations using a centralized agent registry can maintain this inventory as a living document rather than a point-in-time snapshot.

Step 2: map professional obligations#

For each agent, map the applicable professional conduct obligations:

Agent type	Competence (1.1)	Confidentiality (1.6)	Communication (1.4)	Fees (1.5)	Supervision (5.1/5.3)
Contract review	Medium	High	Medium	High	High
Legal research	High	Medium	Low	High	High
Client-facing	High	High	High	Medium	High
Regulatory filing	High	Medium	Low	Medium	High
E-discovery	High	High	Low	High	High

Step 3: implement privilege-preserving infrastructure#

This is the non-negotiable foundation. Every AI agent that touches client data must operate within infrastructure that:

• Does not send data to consumer AI services
• Has contractual no-training commitments from AI vendors
• Maintains data residency controls appropriate to the jurisdiction
• Provides data deletion capabilities on demand
• Generates audit logs sufficient for privilege challenges

Step 4: establish verification workflows#

For every agent type, define the verification workflow:

• What gets verified. All legal citations, client communications, filing content and privilege classifications.
• Who verifies. A qualified lawyer, not a paralegal or legal operations staff, for substantive legal outputs.
• When verification occurs. Before any output is sent to a client, filed with a court or produced to opposing counsel.
• How verification is documented. Timestamped records of reviewer identity, review date and outcome.

Step 5: deploy continuous monitoring#

Static governance policies are insufficient for AI agents. Behavior changes between policy reviews. Deploy continuous monitoring through an observability platform that tracks:

• Decision distributions (are research outputs changing in character over time?)
• Accuracy metrics (citation accuracy, term extraction accuracy, classification accuracy)
• Hallucination rates (trending up or down?)
• Privilege handling (any anomalies in how the agent treats privileged data?)
• Cost and efficiency metrics (are fees reflecting actual AI-assisted work time?)

Step 6: train and communicate#

ABA Formal Opinion 512 requires that supervisory lawyers establish firm-wide AI policies and that all lawyers using AI tools understand their obligations. The training program should cover:

• Which AI tools are approved and which are prohibited
• How to use approved tools without compromising privilege
• Verification requirements for each agent type
• Disclosure obligations to clients and courts
• Fee implications of AI-assisted work
• Reporting procedures for AI errors or unexpected behavior

The cost of ungoverned legal AI#

The financial exposure from ungoverned legal AI agents is concentrated in three areas:

Malpractice liability. AI hallucination cases have already generated $50 million+ in insurer claims. As agent autonomy increases, so does the scope of potential malpractice. An agent that autonomously files an incorrect regulatory document creates liability that a simple autocomplete tool never could.

Privilege waiver. A single privilege waiver can change the outcome of litigation worth millions. The Heppner decision demonstrates that courts will not protect privilege when AI tools compromise confidentiality. Every ungoverned agent with access to privileged data is a potential privilege waiver.

Sanctions and reputational damage. Courts have ordered show-cause hearings, imposed monetary sanctions and required public disclosure of AI use failures. For law firms, reputational damage from a sanctions order can affect client retention and lateral recruiting for years.

What comes next#

The regulatory environment for legal AI is tightening, not loosening. EU AI Act high-risk obligations take effect in August 2026. State bar associations continue issuing new guidance. Courts are developing case law on AI privilege and verification obligations in real time.

The firms and legal departments that build governance frameworks now will be positioned to adopt AI agents with confidence. Those that delay will face a choice: stop using AI agents or accept escalating liability from ungoverned deployments.

The professional conduct rules that govern legal AI agents are not new. The duty of competence, the duty of confidentiality, the duty of supervision and these obligations have existed for decades. AI agents just make them harder to satisfy. The governance framework that satisfies those obligations is what separates responsible AI adoption from malpractice exposure.