Your staff are already using AI.The question is whether your firm knows about it.
Shadow AI — staff use of AI tools without firm knowledge or approval — is the most common AI risk in small law firms. It is not malicious. It is staff finding useful tools and using them without realising the professional and regulatory implications. A client matter copied into an AI tool. A precedent drafted with an unsanctioned assistant. A billing narrative generated by a tool whose data processing terms no one has reviewed.
JurisIT's AI Governance Implementation engagement moves your firm from exposure to evidence — a documented, implemented, and maintainable governance framework built on the JARI AI Readiness Index.
Clio Certified Partner · Microsoft Partner · Australia & UK
Most UK law firms have no documented AI governance
Most UK law firms have no documented AI governance. Some have a policy — written quickly, filed somewhere, not communicated to staff, never reviewed. Neither situation is defensible if the SRA asks, an insurer queries, or a client raises a data breach concern.
The SRA has published guidance on AI use in legal practice. The ICO has published guidance on AI and data protection. The Legal Services Board has flagged AI governance as an emerging regulatory priority. None of this is hypothetical. The regulatory expectation is already forming around a gap most firms have not addressed.
The firms that address it now — before a complaint, before an insurer query, before a breach — are in a materially better position than firms that address it after.
The JARI framework
Every AI Governance Implementation engagement starts with a JARI assessment — the JurisIT AI Readiness Index. JARI measures your firm's AI readiness across six domains. The assessment produces a domain-by-domain findings report that identifies exactly where the gaps are before any policy work begins.
| 01 Technology Infrastructure |
02 Data Governance |
03 AI Tool Exposure |
|---|---|---|
| Is your technology platform able to run AI safely? Devices, cloud environment, access controls, and Microsoft 365 configuration. | Is your data classified, retained, and accessible in a way that AI tools can use safely and that UK GDPR and SRA obligations require? | What AI tools are staff actually using — with or without the firm's knowledge? This is typically the most revealing domain. |
| 04 Regulatory & Compliance |
05 People & Culture |
06 Governance & Policy |
| Does AI use in the firm comply with UK GDPR, SRA obligations, and the ICO's published guidance on AI and data protection? | Do staff understand what AI can and cannot do in a legal context? Do they know what they are and are not allowed to use? | Does the firm have documented AI governance that can be evidenced to clients, the SRA, and insurers? Is there a review cycle? |
Shadow AI is almost always larger than management expects.
Domain 3 (AI Tool Exposure) combines two data sources: technical discovery — what AI-capable tools are visible on the firm's network and Microsoft 365 environment — and staff disclosure — what AI tools staff report using. The gap between those two answers is the Shadow AI picture. 'Do you know what AI tools your staff are already using?' Almost every managing partner pauses. The honest answer is no. That pause is the beginning of a governance conversation your firm needs to have.
What the engagement delivers
| Deliverable | What it covers |
|---|---|
| JARI Assessment | Full six-domain assessment. Technical discovery and staff survey. Domain-by-domain findings report. Priority action list. Debrief with Frank Downes, practising solicitor and Clio Certified Partner. |
| AI Governance Policy | A documented AI governance policy written for your firm — not a generic template. Covers acceptable use, prohibited use, confidentiality obligations, data processing requirements, and the specific tools your firm uses. SRA and UK GDPR compliant. Principal-approved. |
| Acceptable Use Documentation | Staff-facing acceptable use documentation written in plain language. What staff can use, what they cannot, and what to do if they're not sure. Designed to be followed, not filed. |
| Staff Training | A training session for all fee earners and support staff covering AI risks in a legal context, the firm's specific obligations, and how to use the tools the firm has approved. Recorded for future onboarding. |
| Microsoft 365 AI Configuration | M365 Copilot and AI features configured within the governance framework. Data loss prevention settings reviewed. AI tool access controls set to match the firm's approved tool list. |
| Ongoing Governance Retainer | Quarterly policy review and update. AI tool inventory maintained. Regulatory monitoring — SRA, ICO, Legal Services Board — summarised and applied to the firm's framework as guidance develops. Annual staff refresher. |
What the SRA and ICO expect
The SRA has published guidance on AI in legal services that places obligations on firms using AI tools. The key expectations are that firms understand what AI tools are in use, that they have assessed the risks those tools create, that staff are trained on their obligations, and that the firm can evidence all of the above.
The ICO's guidance on AI and data protection requires that AI tool use is covered by your privacy notice and data processing agreements, that any AI tool processing personal data has been subject to a data protection impact assessment where required, and that you can demonstrate lawful basis for the processing.
Neither the SRA nor the ICO requires perfection. Both require a demonstrable, documented effort to govern AI use responsibly. JurisIT builds that evidence base as a byproduct of a properly implemented governance framework — not as a separate compliance exercise.
AI governance is increasingly a client-facing expectation.
Larger clients — corporates, commercial landlords, financial institutions — are beginning to ask their law firm suppliers about AI governance as part of supplier due diligence. A firm that can produce its AI governance policy and evidence of implementation is in a materially better commercial position than one that cannot.
Frequently Asked Questions
-
Almost certainly yes — because your staff almost certainly are using AI tools, regardless of whether the firm has sanctioned them. The JARI assessment typically surfaces AI tool use that management was unaware of. The governance framework is needed precisely because the tools are already in use, not because they're being planned.
-
No. A policy document alone is not AI governance — it's a document. JurisIT's engagement delivers a policy that has been communicated to staff, trained to, configured into your Microsoft 365 environment, and reviewed on an ongoing basis. The difference is between a policy that exists and governance that works.
-
The JARI assessment takes two weeks from instruction to findings report. Policy drafting, staff training, and Microsoft 365 configuration typically run over a further four to six weeks. The ongoing retainer begins after implementation is complete.
-
That's what the ongoing retainer covers. The SRA, ICO, and Legal Services Board are all actively developing their AI guidance. As that guidance develops, JurisIT monitors the changes, assesses their impact on your firm's framework, and updates your policy and documentation accordingly. Your firm stays current without having to track the regulatory landscape itself.
-
Yes. Clio Manage AI and Clio Work are assessed as part of the JARI Domain 3 (AI Tool Exposure) review. Their data processing terms, the data they access, and the appropriate governance controls are all included in the findings report and reflected in the acceptable use documentation.
-
Yes. The JARI framework and the governance deliverables apply across all UK jurisdictions. Where there are jurisdiction-specific regulatory nuances — for example, the Law Society of Scotland has published its own AI guidance — we identify those during the JARI assessment and reflect them in the firm's policy.