A defensible AI-use policy for an Indian law firm: the actual document we ship

Most firms either have no AI policy or a copy-pasted one. Here is the full template we install at every Matter Labs client, why each section is there, and what you can change.

Rohan Malik
Founder, Matter Labs
5 min read

TL;DR

Every Matter Labs install ships with the same six-section AI-use policy. We have refined it across 14 deployments. The full template runs to about 1,400 words. This post walks through each section, why it is there, and the version of it we hand to the firm's data governance committee on day one.

Why a policy at all

The honest reason most Indian firms don't have an AI policy yet is that nobody has needed one. ChatGPT showed up in November 2022. Most firms shrugged. By mid-2024, associates were using it on personal laptops to summarise judgments and draft replies. By 2025, partners started catching on. By now, most firms know they should have a policy and don't, because nobody has time to write one.

We wrote one. We use it on every install. It is short, it is partner-readable, and it has held up when clients have asked.

The six sections

1. Scope

The first paragraph defines what the policy covers and what it does not. Specifically:

  • The policy applies to any use of generative AI tools by partners, associates, paralegals, secretaries, or interns of the firm.
  • It applies to firm-issued devices and to personal devices used for firm work.
  • It applies to AI tools the firm has approved (the installed Matter Labs workflows) and to AI tools the firm has not approved (ChatGPT on personal accounts, public Gemini, Claude.ai, etc.).
  • It does not apply to AI features that are bundled into general-purpose software the firm has licensed (Outlook's draft suggestions, Word's grammar checker, etc.) below a defined threshold of capability.

That last carve-out matters. Without it, the policy becomes unenforceable.

2. Approved tools and prohibited tools

A short, dated list. We update it quarterly with the firm.

The approved list typically includes the firm's installed Matter Labs workflows, the firm's enterprise contract with one major LLM provider (e.g., Azure OpenAI under the firm's tenant), and any AI features bundled in M365 or Google Workspace under the firm's enterprise agreement.

The prohibited list typically includes any consumer-facing AI tool used on a personal account for firm work (ChatGPT.com, Claude.ai, Gemini.google.com), any AI tool that the firm has not been able to verify will not retain or train on inputs, and any AI tool used for matter work without a partner's approval.

The list is dated. The list is short. The list is reviewed every quarter.

3. Data handling

This is the longest section. It covers four sub-rules.

Privileged data does not leave the firm's environment. Privileged client information goes through approved tools only. The approved tools are configured to keep data inside the firm's own M365 or Workspace tenant.

No training on firm data. The firm's data is never used to train any model that is shared with other firms. Where a workflow uses a hosted model, it is configured to opt out of provider-side training to the maximum extent the provider supports. The data processing addendum is on file.

Audit log. Every AI-generated output produced through an approved workflow is logged with the matter number, the user, the time, and the model version. The log is retained for the duration of the matter plus seven years.

Cross-border transfer. No personal data of clients or third parties is transferred outside India for AI processing without the partner-in-charge's written approval, recorded against the matter file.

4. Human in the loop

Three sub-rules, all of which live or die by partner enforcement.

Every AI output is a draft. No AI output is treated as a finalised document without a human review at the appropriate level of seniority. For a Section 138 reply, the appropriate level is a senior associate plus a partner. For a routine NDA, an associate plus a partner. For client-facing communications, a partner.

No auto-send. No AI workflow at the firm sends a document, email, or filing to a client, opposing counsel, court, or third party without a human in the loop. The workflows are configured this way technically, but the policy reinforces it in case a future tool tries to add the feature.

Documented disagreement. If an associate disagrees with an AI output and overrides it, the override is logged with a reason. This builds the firm's training data for prompt refinement and creates a defensible record.
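To make the two logging rules concrete (the audit-log fields in section 3 and the logged override in this section), here is an added Python example that is not part of the Matter Labs template or any firm's system; the field names, the JSON-lines format, the sample values and the helper names are all this example's assumptions.

```python
# Added example: an append-only audit log for an approved AI workflow.
# Field names, event types and helpers are assumptions for illustration,
# not the Matter Labs implementation.
import json
from dataclasses import dataclass, asdict, field
from datetime import date, datetime, timezone

# Policy: every output is logged with matter number, user, time, model version.
REQUIRED = ("matter_number", "user", "timestamp", "model_version")
RETENTION_YEARS = 7  # policy: retained for the matter's duration plus seven years


@dataclass
class AuditEvent:
    matter_number: str
    user: str
    model_version: str
    event: str  # "output" (AI draft produced) or "override" (human rejected it)
    timestamp: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())
    reason: str = ""  # policy: an override must carry a reason


def problems(ev: AuditEvent) -> list:
    """Return the policy violations in an event (empty list means compliant)."""
    d = asdict(ev)
    out = [f"missing required field: {k}" for k in REQUIRED if not d.get(k)]
    if ev.event == "override" and not ev.reason.strip():
        out.append("override must record a reason")
    return out


def append_event(log: list, ev: AuditEvent) -> str:
    """Validate, serialise as one JSON line and append; never rewrite old lines."""
    errs = problems(ev)
    if errs:
        raise ValueError("; ".join(errs))
    line = json.dumps(asdict(ev), sort_keys=True)
    log.append(line)  # in production: append-only file or WORM object store
    return line


def retention_expiry(matter_closed: str) -> str:
    """Earliest ISO date the matter's audit entries may be deleted."""
    closed = date.fromisoformat(matter_closed)
    try:
        return closed.replace(year=closed.year + RETENTION_YEARS).isoformat()
    except ValueError:  # matter closed on 29 Feb, target year is not a leap year
        return closed.replace(year=closed.year + RETENTION_YEARS, day=28).isoformat()
```

The `problems` check is what a workflow should run before it lets an associate submit an override, so a missing reason is refused at the point of entry rather than discovered at a quarterly review.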

5. Grievance officer and escalation

The firm names a grievance officer (a partner) in this section, with email and phone. Anyone (associate, client, third party) who has a concern about how the firm has used AI can raise it with the grievance officer. The grievance officer logs every concern, responds within 30 days, and reports quarterly to the data governance committee.

This section is also what we publish on the website in a redacted form, to satisfy the DPDP Act's section 8(9) requirement.

6. Review and amendment

The policy is reviewed quarterly. The data governance committee (typically two partners and the firm's ops head) signs off on each version. Each version is dated. Old versions are retained.

This is the section every existing AI-policy template gets wrong. They publish a policy and then never update it. The Indian regulatory framework is moving fast. The technology is moving faster. A policy that is not reviewed quarterly is a policy that gets out of date in six months and creates more risk than it removes.

What we customise per firm

The template is 1,400 words. About 1,000 of those are the same at every firm. The other 400 are firm-specific:

  • The named approved-tool list (depends on the firm's enterprise contracts)
  • The named grievance officer
  • The matter file conventions (some firms use matter numbers; some use matter codes)
  • The retention periods (some firms have specific bar council rules to follow)
  • Any client-specific carve-outs (some clients have negotiated AI-restriction clauses in their engagement letters)

The customisation usually takes one 90-minute session with the data governance committee in week one of an install.

What this is not

This is not a substitute for proper legal advice on the firm's data governance setup. It is the operational policy that runs alongside the firm's legal compliance work. The firm's existing privacy lawyer or data protection counsel reviews the template before it goes into force.

If you want a copy of the template, book a teardown. We ship it with every install, and we are happy to share a redacted version of it on the call.

Frequently asked

Yes, and the smaller you are the more useful it is. A six-lawyer firm can have a one-page policy. The point is not the page count. The point is that when an associate uses ChatGPT on a personal device for client work, you can say 'we have a policy on this' instead of having to invent the rule on the spot. Most clients now ask.
