AI Governance Checklist for Small Law Firms: 25 Controls You Can Implement This Month

By Marcelo Lorenzetti, Founder, SavvyLex | April 2026 | 7 min read

WHY SMALL FIRMS ARE THE MOST EXPOSED

Large law firms have compliance departments, IT security teams, and outside counsel reviewing their technology decisions. Small firms — solo practitioners, boutiques, and regional firms under 20 attorneys — have none of that. Yet small firms are adopting AI at the same rate as large ones. ChatGPT, Copilot, and consumer legal AI tools are already inside your practice. The question is whether any governance structure exists around them. In most small firms, the answer is no. And that is where the exposure lives.

This checklist gives you 25 concrete, actionable controls organized across five domains. You do not need a compliance team to implement them. You need 30 days and a commitment to doing AI right.

Related: AI Governance for Law Firms: A Complete Guide — savvylex.com/post/ai-governance-law-firms-complete-guide

DOMAIN 1: POLICY FOUNDATION (Controls 1-5)

Control 1: Write a One-Page AI Acceptable Use Policy
You do not need a 40-page enterprise document. You need one page that answers: which tools are approved, what client data may never enter those tools, and what verification is required before any AI output is used in client work. If it does not exist in writing, it does not exist.

Control 2: Define Your Approved Tool List
List every AI tool your firm uses or permits. For each one: is it approved for client-sensitive work? If not, document that restriction explicitly.

Control 3: Review Your State Bar's AI Guidance
Every major state bar and the ABA has issued guidance on AI in legal practice. Read yours. The obligations — competence, supervision, confidentiality — are the floor, not the ceiling.

Control 4: Update Your Engagement Letters
Your engagement letters should disclose your firm's AI use practices and obtain client consent where required. One paragraph. Add it now.

Control 5: Designate an AI Policy Owner
In a solo practice, that is you. In a small firm, designate one attorney. Someone needs to own AI governance decisions, answer questions, and update the policy as tools and regulations change.

DOMAIN 2: DATA AND CONFIDENTIALITY (Controls 6-10)

Control 6: Read Every AI Vendor's Terms of Service
Specifically look for: does the vendor use your submitted content to train its models? If yes, that tool is not safe for client-sensitive work. This alone eliminates most consumer AI tools from firm use.

Control 7: Never Input Client PII Into Unapproved Tools
Personally identifiable information, privileged communications, protected health information — none of it goes into consumer AI tools. Ever. Write this as an explicit prohibition.

Control 8: Require Business Associate Agreements for Healthcare Work
If your firm touches PHI — even indirectly — every AI vendor must sign a BAA. No BAA, no use for that matter.

Control 9: Audit What's Already in Use
Survey your attorneys and staff: what AI tools are they actually using today? You will find tools you did not approve. That inventory is your starting point, not your finish line.

Control 10: Define Your Data Boundary
Know exactly where your firm's data boundary is. What stays inside? What goes to vendors? What do vendors retain? Draw the boundary. Then enforce it.

DOMAIN 3: CITATION HYGIENE AND VERIFICATION (Controls 11-15)

Control 11: Establish a Mandatory Citation Verification Protocol
Every AI-generated legal citation must be independently verified against the original source before use in any client work or court filing. This is non-negotiable. This is how you avoid sanctions.

Control 12: Never File AI-Generated Citations Without Checking Them
Attorneys have been sanctioned — some faced suspension — for filing AI-fabricated citations in federal court. Verification is not optional.

Control 13: Use Citation-First Legal AI Tools
Tools built on a Trust-Zero architecture retrieve verified sources before generating any response. This eliminates the hallucination risk at the source rather than catching it downstream. Learn more: savvylex.com/post/what-is-trust-zero-legal-ai

Control 14: Document Every Verification Step
Log what citation was generated, what source was checked, when verification occurred, and who performed it. This is your malpractice defense record.

Control 15: Train Every Staff Member on Citation Hygiene
Paralegals and legal assistants use AI too. They need the same verification discipline as attorneys. Make citation hygiene training mandatory for everyone who touches legal research.

DOMAIN 4: HUMAN REVIEW AND WORKFLOW CONTROLS (Controls 16-20)

Control 16: Define Human-in-the-Loop Checkpoints
For every AI-assisted workflow in your practice, define the point where a qualified human reviews and approves the output before it is used. Write it down. Make it mandatory.

Control 17: Never Send AI-Drafted Client Communications Without Review
Every AI-drafted email, letter, or document that goes to a client must be reviewed by an attorney before sending. No exceptions.

Control 18: Review AI Summaries Against Source Documents
AI document summaries can miss material clauses, mischaracterize terms, or omit exceptions. Always review the source document for anything material.

Control 19: Establish an AI Output Review Checklist
For common AI-assisted tasks (research memos, contract drafts, motion drafts), create a standard review checklist. Consistent review prevents consistent errors.

Control 20: Do Not Use AI for Final Judgment Calls
AI assists analysis. Attorneys make judgment calls. Draw that line explicitly in your workflow design and your client communications.

DOMAIN 5: DOCUMENTATION AND AUDIT READINESS (Controls 21-25)

Control 21: Log AI Tool Use in Your Matter Files
Note when AI was used, which tool, what task, and what was produced. This is your audit trail and your malpractice record.

Control 22: Retain AI-Generated Outputs With Your Work Product
If AI output informed your work product, retain it. You may need it to demonstrate what the AI produced versus what you verified and modified.

Control 23: Track Training Completion
Track who completed AI governance training and when. This documentation supports a competence defense if your firm's AI use is ever questioned.

Control 24: Schedule a Quarterly Governance Review
AI tools change. Regulations change. Your approved tool list and your policy need to be reviewed at least quarterly.

Control 25: Conduct an Annual AI Risk Assessment
Once a year, assess: what AI tools are we using, what risks have emerged, what regulations have changed, and what controls need to be updated?

YOUR 30-DAY IMPLEMENTATION PLAN

Week 1 — Foundation: Controls 1, 2, 3, 5, 9 — get the policy written and the inventory done.
Week 2 — Data Protection: Controls 6, 7, 8, 10 — lock down your data boundary and vendor terms.
Week 3 — Verification: Controls 11, 12, 13, 15 — establish citation hygiene as a firm-wide standard.
Week 4 — Workflow and Documentation: Controls 16, 17, 21, 22, 24 — build the review checkpoints and start logging.

By day 30, you will have a working governance framework — not a perfect one, but a defensible one.

FREQUENTLY ASKED QUESTIONS

Do small law firms really need formal AI governance?
Yes. The ethical obligations — competence, supervision, confidentiality — apply to every attorney regardless of firm size. The practical risk is if anything higher for small firms that lack institutional safeguards.

What is the single most important control for a solo practitioner?
Citation verification — Control 11. The most documented AI failure in legal practice is the submission of hallucinated citations in court filings.

How do I know if an AI tool is safe for client-sensitive work?
Three tests: (1) Does the vendor's ToS prohibit using submitted content for model training? (2) Is the vendor SOC 2 certified? (3) Does the vendor offer a BAA for HIPAA-covered work?

What does a Trust-Zero AI tool do differently?
A Trust-Zero legal AI tool retrieves and verifies sources before generating any response, enforces mandatory citation, logs every interaction, and refuses to answer when no verified source exists. Learn more: savvylex.com/post/what-is-trust-zero-legal-ai

How does SavvyLex help small firms?
SavvyLex provides the full governance stack: Vera for citation-first legal research, SkillBuilder for trackable attorney training, and SavvyLex Consulting for governance framework design.

THE BAR IS NOT HIGH. THE RISK IS.

You do not need a perfect AI governance program. You need a defensible one. Twenty-five controls in 30 days gets you there.

Start with a SavvyLex AI Governance Readiness Assessment at savvylex.com

Marcelo Lorenzetti is the founder of SavvyLex and a specialist in AI systems for regulated organizations. He holds certifications from IBM (Generative AI series), AWS, Columbia University (Math for AI), and is currently enrolled in MIT Professional Education (2025-2026).