Free Template · AU Edition

Law Firm AI Policy Template (Australia)

An adoptable AI policy for Australian law firms. Eight sections covering approved tools, client data and privilege rules, prompt confidentiality, supervision, court disclosure and breach response, each mapped to the professional duty it protects.

Last updated 3 July 2026 · Facts verified July 2026

This is the template companion to our guide on AI governance for law firms. The guide explains why AI use in a legal practice engages privilege, confidentiality and conduct obligations. This page gives you the what: policy text a firm can adopt, with square-bracket placeholders for your firm's details and a note under each section explaining which professional duty it protects and which regulator or court said so.

Every regulatory claim is sourced from the joint December 2024 statement by the Law Society of NSW, the Legal Practice Board of Western Australia and the Victorian Legal Services Board and Commissioner, the Law Society of NSW's solicitor's guide to AI (updated January 2026), and the current AI practice notes of the NSW and Victorian Supreme Courts. The full source list is at the end of this page.

This template is general information, not legal advice. Adapt it to your firm and confirm your obligations against the conduct rules of your own jurisdiction, your law society's guidance and the courts you appear before.

  • 6 Dec 2024: joint regulators' AI statement
  • 3 Feb 2025: NSW SC Gen 23 commenced
  • 14 May 2026: Vic SC GEN 25 commenced
  • 8 adoptable policy sections

The policy template

Eight sections a firm can adopt. The bracketed placeholders are yours to fill; the note under each section maps it to the duty it protects.

SECTION 01 · Joint regulators' statement · ASCR Rule 37

Purpose and scope

  • This policy governs the use of artificial intelligence tools, including generative AI chatbots, copilots, AI legal research assistants and document automation tools, by all partners, employed solicitors, paralegals, clerks and support staff of [firm name], and by contractors with access to firm or client information.
  • The policy applies to AI use on firm devices, on personal devices used for firm work, and through any account, firm or personal, used in connection with a client matter.
  • AI use that complies with this policy is encouraged where it improves the quality or efficiency of legal services. AI use outside this policy is prohibited.

Why this section exists: The joint regulators' statement of 6 December 2024 expects law practices to implement clear, risk-based policies on which staff can use AI tools and for what purposes. Scope must extend beyond solicitors because ASCR Rule 37 requires reasonable supervision over solicitors and all other employees engaged in providing legal services for a matter.

SECTION 02 · ASCR Rule 9 · Joint regulators' statement

Approved AI tools and the approval process

  • The firm maintains a register of approved AI tools. Each entry records the tool and deployment tier, the approved use cases, the data categories permitted, the contractual protections in place and a responsible partner. Tools not on the register must not be used for any matter-related work.
  • Only enterprise deployments with contractual commitments that firm data is not used to train shared models, is kept confidential and can be deleted on request may be approved for use with client information. Consumer and free-tier AI tools must not be approved for client work.
  • Before a tool is approved, [responsible partner or practice manager] must review its terms covering data use, model training, retention, storage location and security, and record that assessment in the register.
  • Any staff member may propose a tool for approval through [channel]. No trial or evaluation with real client data is permitted before approval.

Why this section exists: The joint regulators' statement says lawyers who use commercial AI tools with any client information need to carefully review contractual terms to ensure the information will be kept secure. The Law Society of NSW's solicitor's guide to AI (updated January 2026) likewise recommends firms assess risk management frameworks and apply least-privilege principles before adopting AI. A written register is how a firm evidences both, and it operationalises the Rule 9 duty of confidentiality.

SECTION 03 · LPP · ASCR Rule 9 · Privacy Act APPs 8 and 11

Client data and privilege rules

  • Confidential, sensitive or privileged client information must never be entered into public or consumer AI chatbots or copilots.
  • No privileged communication, client instruction, advice, case strategy or settlement position may be entered into any AI tool other than an approved enterprise tool expressly cleared for privileged material, recorded as a privilege carve-out in the register.
  • Where an approved tool is cleared for client data generally but not for privileged material, the register must say so, and privileged material must be excluded or de-identified before that tool is used.
  • Personal information from client files may only be processed by AI tools that meet the security requirements of APP 11, and any overseas processing must satisfy APP 8 or be covered by informed client consent.

Why this section exists: Legal professional privilege depends on confidentiality being maintained, so disclosure to a third-party service that stores or trains on prompts creates waiver risk. The joint regulators' statement is explicit that lawyers cannot safely enter confidential, sensitive or privileged client information into public AI chatbots or copilots such as ChatGPT. ASCR Rule 9 protects all information gained during the retainer, not only privileged material, and law firm files are saturated with personal information regulated by the Privacy Act 1988 (Cth).

SECTION 04 · ASCR Rule 9 · Vic SC GEN 25

Matter confidentiality in prompts

  • Prompts are disclosures. Staff must treat every prompt, upload and attachment as material sent to a third party, because it is.
  • Do not include client names, matter names or numbers, counterparties, commercial terms or identifying facts in prompts to any tool that is not cleared for that matter's data. De-identify facts such as parties, amounts, dates and locations wherever the task allows.
  • Do not upload matter documents to an AI tool unless the register clears that tool for documents of that classification.
  • Prompt history is a record. Where an approved tool retains conversation history, staff must not leave privileged material in shared or personal workspaces, and must use matter-segregated workspaces where the tool supports them.

Why this section exists: The Rule 9 duty of confidentiality applies to the information itself, however it is transmitted, and a prompt containing matter facts is a transmission. The Victorian Supreme Court's Practice Note SC GEN 25 warns that information entered into a public AI tool could become publicly available. Prompt-level rules are where a policy succeeds or fails in daily practice.

SECTION 05 · ASCR Rules 4.1.3, 19 and 37

Supervision and verification of AI output

  • A lawyer remains responsible for all work product regardless of AI assistance. AI output is a first draft, never a final answer.
  • Every AI-generated citation, quotation and statement of law or fact must be verified against an authoritative source, such as AustLII, LexisNexis or Westlaw and official legislation databases, before it is relied on, provided to a client or filed with a court.
  • Work produced with AI assistance must be reviewed by the supervising solicitor with the same rigour as work produced without it. Supervising partners must satisfy themselves that staff on their matters use only approved tools.
  • All staff must complete training on this policy at induction and annually. Understanding the capabilities and limits of the firm's approved AI tools is part of delivering legal services competently and diligently.

Why this section exists: The joint regulators' statement requires lawyers to personally verify AI-assisted work and expects continuous and active supervision of AI use within practices. Under the ASCR, competence and diligence (Rule 4.1.3), the prohibition on misleading the court (Rule 19) and supervision (Rule 37) all continue to apply unchanged when AI is involved. Fabricated citations reaching a court are the most publicised AI failure in legal practice, and verification is the control that prevents them.

SECTION 06 · NSW SC Gen 23 · Vic SC GEN 25 · ASCR Rule 19

Court use and disclosure

  • Before AI is used in any litigation task, staff must check the practice note or guidance of the specific court or tribunal. Requirements differ between jurisdictions and change frequently. [Litigation partner] maintains the firm's summary of current court AI rules.
  • In NSW Supreme Court proceedings: generative AI must not be used to generate the content of affidavits, witness statements, character references or other material intended to reflect a deponent's or witness's evidence; those documents must contain a disclosure that generative AI was not used in generating their content; and generative AI must not be used to draft an expert report without prior leave of the court (Practice Note SC Gen 23, commenced 3 February 2025).
  • In Victorian Supreme Court proceedings: staff must be able to identify the specific portions of any court document produced using AI and explain how the output was verified (Practice Note SC GEN 25, issued and commencing 14 May 2026).
  • Where the firm's use of AI in a matter is material, it must be disclosed to the client, and to the court and other practitioners where required or appropriate.

Why this section exists: Court rules are the sharpest edge of legal AI governance because non-compliance is visible to the bench. SC Gen 23 and SC GEN 25 are the two most developed Australian examples, and SC GEN 25 replaced the Victorian court's May 2024 guidelines, which shows how quickly these rules move. The transparency expectation also comes from the joint regulators' statement, which asks lawyers to record and disclose when and how they have used AI in a matter.

SECTION 07 · ASCR Rule 9 · Privacy Act NDB scheme

Breach and incident response

  • Use of an unapproved AI tool with client data, or entry of privileged or confidential material into a tool not cleared for it, is a reportable incident. Staff must report suspected incidents to [contact] within 24 hours. Early self-reporting is treated as mitigation, not misconduct.
  • On report, the firm will: identify what data was entered and into which tool; assess the confidentiality, privilege and Privacy Act impact; consider notification to the affected client; assess whether the incident is a notifiable data breach requiring notification to the OAIC and affected individuals; remediate, including requesting deletion where the vendor supports it and revoking access; and record the incident and corrective actions.
  • Where privileged material may have been disclosed, [senior partner or general counsel] must assess waiver risk and any disclosure obligations before the matter next comes before a court.

Why this section exists: Confidentiality incidents involving AI tools engage the same duties as any other disclosure: Rule 9, the retainer and, where personal information is involved, the Notifiable Data Breaches scheme under the Privacy Act. A written, blame-tolerant reporting path matters because AI incidents typically happen under deadline pressure and go unreported when staff fear the consequences more than the breach.

SECTION 08 · ASCR Rule 4.1.3 · regulator guidance cadence

Policy review and maintenance

  • This policy and the approved tools register are reviewed at least every six months, and immediately when a regulator or law society issues new AI guidance, a court issues or amends an AI practice note, an approved vendor changes its data handling terms, or an incident reveals a gap.
  • [Responsible partner] owns this policy. The version number, review date and change history are recorded at the end of this document.
  • The firm monitors guidance from its law society and legal services regulator, and the practice notes of the courts and tribunals it appears before.

Why this section exists: The source material for this template moved three times in eighteen months: the joint regulators' statement in December 2024, the Law Society of NSW's updated solicitor's guide in January 2026 and the Victorian Supreme Court's SC GEN 25 in May 2026. A policy reviewed annually would have been out of date for most of that period. Keeping pace with the tools and rules of practice is part of the Rule 4.1.3 duty of competence and diligence.

Where each professional duty is covered

Use this mapping to show a managing partner, insurer or regulator that the policy is built on the duties, not around them.

  • ASCR Rule 9: confidentiality. Sections 2, 3, 4 and 7: enterprise-only approval, prohibited data categories, prompt de-identification rules and incident response.
  • Legal professional privilege. Sections 3, 4 and 7: privilege carve-outs in the tool register, privileged material excluded from prompts, waiver-risk assessment after incidents.
  • ASCR Rule 4.1.3: competence and diligence. Sections 5 and 8: mandatory training on approved tools and a review cadence that keeps the policy current with regulator and court guidance.
  • ASCR Rule 19: duty not to mislead the court. Sections 5 and 6: mandatory verification of every AI-generated citation and statement before filing, and compliance with court AI practice notes.
  • ASCR Rule 37: supervision of legal services. Sections 1 and 5: policy scope covering all staff and contractors, and supervising solicitors reviewing AI-assisted work with full rigour.
  • Court practice notes (NSW SC Gen 23, Vic SC GEN 25). Section 6: prohibited uses for evidence documents, the SC Gen 23 disclosure statement, leave for expert reports and the SC GEN 25 verification expectations.
  • Privacy Act 1988 (Cth): APPs 8 and 11, NDB scheme. Sections 3 and 7: security and cross-border conditions on tools processing personal information, and OAIC notification in the breach workflow.

How to adopt this template

Five steps between reading this page and having an enforceable policy.

  1. Fill the placeholders. Replace every [bracketed] item: firm name, responsible partner, reporting contact, proposal channel and litigation partner. An unowned policy is an unenforced policy.
  2. Build the approved tools register first. Section 2 depends on a real register. List the tools your firm already uses, including the unofficial ones, and assess them against the criteria before circulating the policy.
  3. Check your courts. Section 6 covers the NSW and Victorian Supreme Court practice notes as at July 2026. Add the current rules of the courts and tribunals your firm actually appears before.
  4. Have it reviewed. This is general information, not legal advice. Have the adapted policy reviewed against your state or territory's conduct rules, your law society's guidance and your professional indemnity insurer's expectations.
  5. Train, sign, enforce. Circulate the policy, train all staff on it, collect acknowledgments, and back it with technical controls so compliance does not depend on memory under deadline pressure.

Get the template

The eight sections above are the full template. There is no separate document to download for this AU edition yet: copy the sections straight into your firm's precedent system and fill the placeholders. If you want offline copies of Aona's governance templates, the bundle below includes all 29 .docx templates, including the generic AI Acceptable Use Policy this edition builds on.

Get all 29 templates in one ZIP. Policies, registers, checklists and rollout plans.

Policy on paper, enforced in practice

A policy fails silently when it depends on memory under deadline pressure. Aona provides the technical layer that makes sections 2, 4 and 7 operational.

See every AI tool in use

Continuous shadow AI discovery shows which AI tools partners, associates and support staff actually use, so your approved tools register reflects reality rather than hope.


Enforce the register

Guardrails and AI-aware data loss prevention stop confidential and privileged material reaching unapproved tools at the moment of the prompt, not in next quarter's audit.


Keep the evidence

Audit trails of AI usage and policy enforcement give you an answer when a client, a court or a regulator asks how a matter's information was handled.


To be clear about scope: no software makes a firm compliant with its professional obligations, and Aona does not claim to. Supervision, verification and judgment remain the lawyer's job. What Aona provides is the workforce layer: visibility of AI use across the firm, technical enforcement of your approved tools register and data rules, and the audit evidence behind them.

FAQ

Law firm AI policy: common questions

No statute or conduct rule mandates a document called an AI policy, but the regulators' expectations point firmly at one. The joint Statement on the use of artificial intelligence in Australian legal practice, issued in December 2024 by the Law Society of NSW, the Legal Practice Board of Western Australia and the Victorian Legal Services Board and Commissioner, says law practices should implement clear, risk-based policies covering which staff may use AI tools and for what purposes, with continuous and active supervision. A written policy with an approved tools register is the practical way to evidence that, and it is what this template provides.
