Lawyers are using AI faster than the ethics opinions can keep up. The ABA Model Rules do not mention AI yet, and the few opinions that exist were written when the major consumer platforms offered weaker protections than they do now. That leaves most of us applying old duties to a new medium with very little official guidance, which is exactly when quiet mistakes get made.
This webinar, hosted by Laura Frederick of How to Contract, featured Carolyn Elefant, who owns an energy-focused law practice in Washington DC and founded the solo and small firm blog MyShingle.com, and Marc Hoag, who runs Hoag Law providing fractional General Counsel services to tech startups and chairs the Beverly Hills Bar Association's AI and the Law section. Between Carolyn's depth across litigation, regulatory, and solo practice work and Marc's tech-founder background and AI-forward client base, the conversation moved past abstract rule-citing and into how the duties actually bite day to day.
The three of them mapped five existing Model Rules onto the way lawyers really use AI right now. They covered the duty of competence as an active, ongoing obligation, why public AI tools count as disclosure to a third party, supervision and the case for a hands-off final reviewer, what to tell clients and what to ask them, and how to protect privilege when AI is no longer just a chat window.
Here are our top ten takeaways from the speakers' comments during the webinar:
Treat AI as an agent, not a tool. A tool does nothing without a human. AI produces output on its own, which is exactly why it carries supervision and verification duties that ordinary software does not. If you adopt that mental model, the rest of the ethical analysis stops feeling like overhead and starts feeling obvious. It also explains why turning off training is never the end of the inquiry.
The Model Rules already cover AI. We do not need a separate AI rulebook to know what is required of us. Competence, confidentiality, supervision, communication, and privilege all apply to AI the same way they applied to email and cloud storage. The medium changed and the duties did not. Waiting for AI-specific regulation is not a strategy, because the technology will outrun the regulation every time.
Competence is now an active, ongoing obligation. Keeping abreast of technology used to be a slow background task. With AI the timelines keep collapsing, so the honest posture is humility plus regular re-checking. You will not keep up in real time, and that is fine, but you cannot opt out either. Build a habit of revisiting your tools and assumptions far more often than you revisit your contract templates.
Public consumer-grade AI is disclosure to a third party. This is the single line to internalize. Uploading client material to a consumer plan of a major AI platform is treated as disclosure, even with training off. Anonymized, generalized questions are a different matter and can be genuinely useful. Anything client-identifying belongs only on an enterprise or properly protected third-party platform.
Know your enterprise protections, including zero data retention. Enterprise tiers can carry contractual protections that give you the confidentiality you have long relied on with commercial research tools. But zero data retention is often not included by default and may have to be negotiated separately. Do not assume the safeguard is there. Confirm it, and make identifying safe tools part of the job rather than a reason to ban everything.
Designate one human reviewer who does not touch AI. When a document passes between people who each run it through AI, you get layered AI instead of layered review, and the hallucination cases show that pattern making things worse. For every team or transaction, name one person as the hands-off final reviewer. That person is the circuit breaker, not just another set of eyes. It is the simplest guardrail discussed and arguably the most effective.
Verification runs both ways, and tool choice is policy. You are the final set of eyeballs on anything AI produced, and in some jurisdictions you also have to fact-check AI content the other side sends you. Assume AI will make mistakes and check accordingly. And do not treat AI as one bucket. The model, the version, and the product built on top all change the output, so firm policy should specify which tools are acceptable.
Disclose your AI use, and ask clients about theirs. A short, non-threatening disclosure in the engagement letter sets expectations without alarming anyone. Not every background feature needs a briefing, but high-risk matters may. Just as important, ask clients what AI they used on materials they send you, because deepfake risk means a client-supplied recording or document could be fabricated. Courts will likely start expecting that conversation.
Be proactive with leadership on AI policy. Do not wait to be asked. Present the policy, the safeguards, and the data-handling approach before something goes wrong, because that is the version leadership wants to hear. Keep the policy to a simple decision tree rather than a long document, and revisit it monthly rather than yearly. Remember the exposure extends past chatbots to anything that plugs into your files, spreadsheets, or browser.
Protect privilege by controlling where information goes, and advise clients to do the same. A recent decision treats uploading privileged material to public AI as a potential waiver, and the risk is not only the lawyer's. Clients can waive protection by discussing privileged matters with a public AI, so advise them directly. Document that volunteer or client research is attorney-directed, use protective orders that bar uploading produced documents to public AI, and remember that the exposure now reaches spreadsheets, browsers, and file systems.
Subscribe to Stay in the Loop
These webinars keep coming, and our weekly newsletter is how you stay close to them. It carries links to upcoming How to Contract sessions plus recaps like this one. Subscribe now so the practical insights reach you whether or not you made it to the live session.
