AI for UK Law Firms: What Partners Need to Know
How the SRA Principles, confidentiality, AI hallucination, and UK GDPR interact when fee-earners use AI on client matters, and what UK law firms do next.
By Michelle Overton, Legal and Consulting Practice Lead, The AI Consultancy (London) Ltd.
Published · Reading time approximately 10 minutes.
The Solicitors Regulation Authority has not banned AI use in UK law firms, and it has not required firms to adopt it either. What it has done is make clear that the SRA Principles and the Code of Conduct apply to AI-assisted work in exactly the way they apply to any other work. This article sets out, in plain terms, what that means for a UK law firm in 2026: what the SRA expects, where confidentiality breaks on common AI tools, what hallucination looks like in legal work, where UK GDPR and the ICO sit, what the workflow of a well-governed AI-using firm actually looks like, and the three decisions the managing partner cannot delegate.
The framing throughout is to describe what the regulators expect. Nothing in this article asserts SRA or Law Society alignment, endorsement, or accreditation on behalf of Learn AI. Any copy that would bind the firm should be reviewed by the firm's COLP, COFA, or an external solicitor.
What does the SRA actually expect from fee-earners using AI?
The SRA expects the same thing of AI-assisted work as of any other work: that the fee-earner is competent to do it, supervises it properly, acts in the client's interests, and maintains the firm's integrity. AI does not create new obligations. It creates new ways to breach existing ones.
Four points follow from that.
First, the SRA Principles on integrity, acting in the client's best interests, and maintaining public trust apply to any output that leaves the firm, whether drafted by a fee-earner, a trainee, an outsourced paralegal, or an AI tool. The provenance of the draft does not change the obligation on the person who signs it.
Second, the Code of Conduct for Solicitors requires fee-earners to maintain competence and to supervise delegated work adequately. AI assistance is a form of delegation in the sense that matters here: work is being done by something other than the named fee-earner. The competence obligation then runs to knowing what the tool can and cannot do, knowing how to check its output, and knowing when to reject it. It does not run to understanding transformer architecture.
Third, the Code of Conduct for Firms expects firms to have effective systems and controls, adequate supervision, and a culture of compliance. The systems-and-controls angle is where AI governance actually lives in the firm. It is less about who writes the prompt and more about how the firm evidences that an AI-assisted output was reviewed by the right person on the right basis before it left the building.
Fourth, the SRA's published statements on technology use (including the 2023 notice on the use of generative AI in courts, echoed in subsequent updates) make explicit that fee-earners are responsible for the accuracy of anything they submit, regardless of whether it was generated by an AI tool. Sanctioned filings in England and Wales since that notice have included fabricated citations that the court identified and the fee-earner did not. The pattern is not a hypothetical future risk; it has already produced disciplinary outcomes.
The training we deliver inside the AI track for UK law firms is built around those four points. Fee-earners leave with a workable mental model of where AI belongs in matter work, and firms leave with a template for evidencing that the supervising fee-earner took responsibility for the output.
Where confidentiality breaks on common AI tools, and what a law firm does about it
Confidentiality breaks on most consumer-grade AI tools the moment a fee-earner pastes privileged material into them. It does not break on properly-configured enterprise AI tools with the right tenancy, retention, and training-opt-out posture. The gap between the two is a governance question the firm can answer once and apply across the fee-earner base.
The detail matters. Three configurations commonly produce breaches:
- Consumer accounts on public AI products where user input is retained, logged, and in some cases used to train the underlying model. A fee-earner who pastes a draft witness statement into such a tool has, in practical terms, disclosed the content to a third party. Whether the tool subsequently does anything with the content does not change the fact of the disclosure.
- Free tiers of enterprise products where the data-handling defaults are more permissive than the paid tier. The organisation name on the login does not guarantee the data-handling posture.
- Enterprise tenancies where the configuration has not actually been set to the privacy-preserving posture the firm assumes. Microsoft Copilot inside a Microsoft 365 tenant, for example, behaves differently depending on whether the tenant has been configured to restrict cross-tenant data sharing, training on tenant content, and third-party plug-in access. The default is not always the firm's preferred position.
What a law firm does about this is not exotic. It maps the tool estate against a simple matrix (consumer, enterprise, properly-configured enterprise), issues a written rule of what belongs in which category, and ties that rule to the matter-opening process rather than leaving it to fee-earner judgement. The firm's IT partner or managed service provider typically already has the tenancy-level controls; the missing piece is the fee-earner-facing rule in language fee-earners will actually read.
The workshop output on the legal track produces exactly that rule, pre-formatted for circulation and embedding in the matter-management system.
What AI hallucination looks like in legal work, and what verification looks like
AI hallucination in legal work looks like a fluent, plausible reference to a case that does not exist, a statute that does not apply in the jurisdiction, or a citation that has been mangled between the correct case and a similar one. The verification response is procedural rather than technical: every AI-drafted output that will leave the firm passes through a named human review step before it does, and the fee-earner responsible for the matter is on record as the reviewer.
Three common hallucination patterns are worth naming because fee-earners can learn to see them:
- Fabricated case names with plausible-looking citations. The AI tool pattern-matches the shape of a citation from similar cases in its training data and produces something that looks right, reads right, and does not exist. UK courts have already identified and sanctioned this.
- Mis-attributed holdings. A real case is cited for a proposition that case did not establish. The citation is real, the case is real, the proposition is wrong. This is harder to spot than a fabricated case because a citation check passes without flagging anything.
- Jurisdictional drift. A proposition from US, Australian, or Canadian case law is cited as though it applied in England and Wales. The underlying law may or may not be similar; the citation is misleading regardless.
The response is not to tell fee-earners to read the entire output more carefully. That does not scale and it does not work. The response is a procedural rule: any AI-drafted research note, letter, draft statement, or filing is treated as a first draft from a junior whose work cannot be deemed competent without review. The supervising fee-earner owns the verification step and signs to say it has been done.
That works because it aligns with the existing supervision obligation under the Code of Conduct for Solicitors. It does not require a new regulatory framework; it uses the one the firm already operates under. The workshop produces a one-page template firms can circulate to fee-earners and embed into the matter-management system.
UK GDPR and the ICO: what a law firm needs in place before AI touches client data
A UK law firm needs a lawful basis for processing, a data-flow map that includes the AI tools, a Data Protection Impact Assessment for any tool that processes personal data at scale, and a position on sub-processors and international transfers. The Information Commissioner's Office has been clear on all four points since 2023 and has sharpened the position through 2024 and 2025.
The firm-level checklist looks like this.
Lawful basis. For most law-firm AI use (processing client personal data inside live matters), the lawful basis is performance of the contract of retainer, or legitimate interests with a completed balancing test. For marketing or business-development use, it is usually consent. The basis must be documented before the tool is used, not afterwards.
Data-flow mapping. Every AI tool the firm uses on personal data should appear on the firm's record of processing activities, as required by UK GDPR Article 30. Consumer tools typically do not appear on that record, and that is itself a finding the firm can act on.
Data Protection Impact Assessment. A DPIA is required for processing that is likely to result in a high risk to individuals. A firm-wide rollout of a generative AI tool that processes client correspondence fits that description for most mid-market UK firms. The ICO's published DPIA guidance covers the structure; the tool-specific inputs come from the AI vendor's data-handling documentation.
Sub-processors and international transfers. AI tool providers are almost always sub-processors. If personal data leaves the UK or the EU, the firm needs an appropriate transfer mechanism (typically the UK International Data Transfer Agreement, or the EU Standard Contractual Clauses with a UK addendum). Consumer tools rarely provide this cleanly, and enterprise tools sometimes require the firm to opt in to the compliant configuration.
None of this is AI-specific. It is UK GDPR applied to a new category of tool. The reason it appears to be AI-specific is that most firms completed their UK GDPR implementation before generative AI became a live workflow tool, and the record of processing activities and the data-flow map have not been updated since.
The workshop walks through each of the four points against the firm's actual tool estate and produces a finding list the DPO or compliance partner can action inside thirty days.
What changes in a well-governed AI-using law firm: three anonymised workflows
In a well-governed AI-using law firm, fee-earners use AI tools on live matters, the firm knows which tools are approved for which work, every AI-assisted output has a named reviewer, and the audit trail makes the procedural position defensible to a client, a regulator, or an insurer. The mechanics are concrete. Three anonymised workflows make the pattern visible.
Workflow 1: disclosure review on a commercial litigation matter. The associate running the disclosure exercise uses an enterprise-tenancy AI tool, configured for in-region processing and training opt-out, to produce a first pass at document relevance across a corpus of fifteen thousand documents. The AI output is not used as the final relevance call. The associate reviews flagged documents, the supervising partner samples the unreviewed pool, and the verification step is recorded in the matter file. The time saving is real (the first-pass review compresses by roughly two-thirds in most firms that have measured it), but the matter risk has not moved, because the supervising partner's review duty has not been outsourced to the tool.
Workflow 2: first-draft letter of advice on a tax structuring question. The trainee uses an AI drafting tool to produce a first draft of the non-technical framing and the factual recitals. The tax analysis sections are drafted by the fee-earner from scratch. The AI-drafted sections are flagged as such in the internal version of the document. The supervising partner reviews the entire draft, rewrites as needed, and signs the outgoing version. The client receives a document that has been drafted by the firm, full stop. The benefit of the AI tool is that the trainee spends less time on the non-technical framing and more time on the tax analysis they were hired to learn.
Workflow 3: matter-opening on a new corporate transaction. The business-development team uses an AI research tool to produce a briefing pack on the counterparty's corporate history, recent filings, and publicly reported disputes. The research output is treated as a starting point, not a substitute for the matter-opening due diligence. The fee-earner validates every claim in the briefing pack against the primary source before it informs any advice. The fee-earner's verification log is retained in the matter file.
In all three cases, the common pattern is: enterprise tenancy with the right privacy posture, AI output treated as first draft rather than final product, a named reviewer, a verification step, and a visible audit trail. The training the firm invests in is not primarily technical. It is procedural, embedded in the matter-management system, and tied to the firm's existing supervision obligations.
The three decisions every UK managing partner faces in 2026
Three decisions cannot be delegated by the managing partner in 2026, and every UK law firm will face all three inside the next twelve months.
The first decision is which AI tools the firm will and will not approve for client work. That is a governance decision, not a procurement decision, and it belongs with the partnership because the consequences of getting it wrong (breach, sanction, claim) belong with the partnership.
The second decision is what the firm will do with the fee-earners who are already using unapproved AI tools on client matters. The answer is rarely to discipline them. It is usually to meet them where they are, issue a clear written rule, and migrate them to an approved tool inside an approved configuration. Ignoring the pattern does not make it go away; it just makes the audit trail worse.
The third decision is whether AI fluency becomes part of the competency framework for fee-earner progression. If it does, the firm builds a cohort of associates and junior partners who can use AI safely and productively, and the compounding effect over a three-to-five-year horizon is material. If it does not, the firm will be recruiting externally for those skills in 2028 and 2029 and paying a premium to do so.
If those three decisions are the ones your partnership is currently debating, the Executive AI Briefing for UK partners and directors is designed to collapse them into a defensible position in a single half-day session. If the first question is where the firm even sits today, the AI Readiness Assessment is the fifteen-minute diagnostic that produces a report specific to your firm's sector, role, and governance posture.
The SRA has not told UK law firms to adopt AI, and it has not told them not to. It has told them that their existing obligations apply in full. The firms that accept that, build a procedural answer, and invest in the fee-earner-facing training are the firms that will stay defensible and commercially competitive through the rest of the decade. The firms that wait for a bespoke regulatory regime will be waiting a long time.