An adoptable AI policy for Australian law firms. Eight sections covering approved tools, client data and privilege rules, prompt confidentiality, supervision, court disclosure and breach response, each mapped to the professional duty it protects.
Last updated 3 July 2026 · Facts verified July 2026
This is the template companion to our guide on AI governance for law firms. The guide explains why AI use in a legal practice engages privilege, confidentiality and conduct obligations. This page gives you the what: policy text a firm can adopt, with square-bracket placeholders for your firm's details and a note under each section explaining which professional duty it protects and which regulator or court said so.
Every regulatory claim is sourced from the joint December 2024 statement by the Law Society of NSW, the Legal Practice Board of Western Australia and the Victorian Legal Services Board and Commissioner, the Law Society of NSW's solicitor's guide to AI (updated January 2026), and the current AI practice notes of the NSW and Victorian Supreme Courts. The full source list is at the end of this page.
This template is general information, not legal advice. Adapt it to your firm and confirm your obligations against the conduct rules of your own jurisdiction, your law society's guidance and the courts you appear before.
Eight sections a firm can adopt. The bracketed placeholders are yours to fill; the note under each section maps it to the duty it protects.
Why this section exists: The joint regulators' statement of 6 December 2024 expects law practices to implement clear, risk-based policies on which staff can use AI tools and for what purposes. Scope must extend beyond solicitors because ASCR Rule 37 requires reasonable supervision over solicitors and all other employees engaged in providing legal services for a matter.
Why this section exists: The joint regulators' statement says lawyers who use commercial AI tools with any client information need to carefully review contractual terms to ensure the information will be kept secure. The Law Society of NSW's solicitor's guide to AI (updated January 2026) likewise recommends firms assess risk management frameworks and apply least-privilege principles before adopting AI. A written register is how a firm evidences both, and it operationalises the Rule 9 duty of confidentiality.
Why this section exists: Legal professional privilege depends on confidentiality being maintained, so disclosure to a third-party service that stores or trains on prompts creates waiver risk. The joint regulators' statement is explicit that lawyers cannot safely enter confidential, sensitive or privileged client information into public AI chatbots or copilots such as ChatGPT. ASCR Rule 9 protects all information gained during the retainer, not only privileged material, and law firm files are saturated with personal information regulated by the Privacy Act 1988 (Cth).
Why this section exists: The Rule 9 duty of confidentiality applies to the information itself, however it is transmitted, and a prompt containing matter facts is a transmission. The Victorian Supreme Court's Practice Note SC GEN 25 warns that information entered into a public AI tool could become publicly available. Prompt-level rules are where a policy succeeds or fails in daily practice.
Why this section exists: The joint regulators' statement requires lawyers to personally verify AI-assisted work and expects continuous and active supervision of AI use within practices. Under the ASCR, competence and diligence (Rule 4.1.3), the prohibition on misleading the court (Rule 19) and supervision (Rule 37) all continue to apply unchanged when AI is involved. Fabricated citations reaching a court are the most publicised AI failure in legal practice, and verification is the control that prevents them.
Why this section exists: Court rules are the sharpest edge of legal AI governance because non-compliance is visible to the bench. SC Gen 23 and SC GEN 25 are the two most developed Australian examples, and SC GEN 25 replaced the Victorian court's May 2024 guidelines, which shows how quickly these rules move. The transparency expectation also comes from the joint regulators' statement, which asks lawyers to record and disclose when and how they have used AI in a matter.
Why this section exists: Confidentiality incidents involving AI tools engage the same duties as any other disclosure: Rule 9, the retainer and, where personal information is involved, the Notifiable Data Breaches scheme under the Privacy Act. A written, blame-tolerant reporting path matters because AI incidents typically happen under deadline pressure and go unreported when staff fear the consequences more than the breach.
Why this section exists: The source material for this template moved three times in eighteen months: the joint regulators' statement in December 2024, the Law Society of NSW's updated solicitor's guide in January 2026 and the Victorian Supreme Court's SC GEN 25 in May 2026. A policy reviewed annually would have been out of date for most of that period. Keeping pace with the tools and rules of practice is part of the Rule 4.1.3 duty of competence and diligence.
Use this mapping to show a managing partner, insurer or regulator that the policy is built on the duties, not around them.
Five steps between reading this page and having an enforceable policy.
The eight sections above are the full template. There is no separate document to download for this AU edition yet: copy the sections straight into your firm's precedent system and fill the placeholders. If you want offline copies of Aona's governance templates, the bundle below includes all 29 .docx templates, including the generic AI Acceptable Use Policy this edition builds on.
Get all 29 templates in one ZIP. Policies, registers, checklists and rollout plans.
A policy fails silently when it depends on memory under deadline pressure. Aona provides the technical layer that makes sections 2, 4 and 7 operational.
Continuous shadow AI discovery shows which AI tools partners, associates and support staff actually use, so your approved tools register reflects reality rather than hope.
Shadow AI Discovery →
Guardrails and AI-aware data loss prevention stop confidential and privileged material reaching unapproved tools at the moment of the prompt, not in next quarter's audit.
AI Data Loss Prevention →
Audit trails of AI usage and policy enforcement give you an answer when a client, a court or a regulator asks how a matter's information was handled.
AI Governance for Legal →
To be clear about scope: no software makes a firm compliant with its professional obligations, and Aona does not claim to. Supervision, verification and judgment remain the lawyer's job. What Aona provides is the workforce layer: visibility of AI use across the firm, technical enforcement of your approved tools register and data rules, and the audit evidence behind them.
See which AI tools your firm actually uses, enforce your approved tools register at the point of the prompt, and keep the audit trail that answers clients, courts and regulators.