Questionnaire Branch Map
Dev-only view showing all 68 questions across 10 sections. 32 conditional questions are highlighted with their trigger conditions.
has-legal-departmentyes-no-naDoes your organization have a legal department or retain outside counsel?
This helps us tailor legal-specific questions in later sections to your organization.
policy-objectivescheckbox-listrequiredWhat are the main objectives of the firm in defining acceptable generative AI use? For example (not intended to be an exhaustive list):
obj-researchConducting accurate research?obj-timesavingFinding time-saving workflows?obj-hallucinationAvoiding hallucination risks?obj-privacyProtecting data and privacy?obj-ipProtecting intellectual property?obj-otherOther (please specify)policy-objectives-othertext-areaPlease specify the other objective(s):
policy-approachsingle-selectrequiredTo achieve these objectives, does the firm intend to approach generative AI with a general ban or to define allowable generative AI use for work purposes?
Examples of allowable use: First-draft report or brief generation, Boilerplate generation (e.g., trusts, contracts), Email drafting, Image generation (e.g., stock photos for presentations), Audio transcription from online meetings, Legal research on case law
approach-banGeneral ban on generative AI use for work purposes — Prohibit all generative AI tools except where explicitly permittedapproach-defineDefine allowable generative AI use for work purposes — Identify and approve specific use cases and toolsnot-sure-approach-defineNot sure — defaulting to "Define allowable use" for now — You can revisit this later. Defaulting to the more inclusive option so related questions are not skipped.policy-target-datedate-pickerrequiredWhat is the target creation or effective date for this policy?
Note: This date will appear on the questionnaire results that will help you draft your Policy. You can update it later.
policy-ownertext-inputrequiredWhat individual or team is responsible for maintaining this policy?
policy-review-frequencysingle-selectrequiredHow often will this policy be reviewed and updated?
Note: This policy was created on {{policy-target-date}} and will be updated at least {{self-label}}. We recommend beginning the review and refresh process well in advance of the target review date.
review-quarterlyQuarterlyreview-biannuallyTwice per yearreview-annuallyAnnuallyreview-as-neededAs needed based on technology changespolicy-exception-processtext-arearequiredWhat will the process be for reviewing and approving exceptions to the policy (for example, to review potential new vendors or to temporarily authorize specific employees to use generative AI tools for a specific task)?
ai-philosophysingle-selectrequiredDoes this firm want employees to emphasize using generative AI workflows as often as possible? Or does this firm follow the principle that tasks should only be performed with AI if there is already a net time savings compared to non-AI processes after both performing the task and reviewing the output?
philosophy-nativeAI-Native: Emphasize employees learning to use generative AI for workflows as often as possible, even if it might be slower going in the short-term, to become more familiar with AI tools. Some employees may share "vibecoded" solutions with others.philosophy-focusedAI-Focused: Have certain employees experiment with generative AI beyond regular work duties, share findings and best practices with broader teamphilosophy-assistedAI-Assisted: Use AI only when there is already a net time savings after task completion and reviewphilosophy-cautiousAI-Cautious: Use AI for some limited administrative or repetitive tasks.philosophy-againstFirmly Against: Minimize or prohibit AI use except where absolutely necessarythird-party-transcription-consentsingle-selectrequiredWould this firm consent to or deny consent to third-party use of GenAI transcription tools, e.g., on a Zoom call?
consent-allowConsent to third-party GenAI transcriptionconsent-denyDeny consent to third-party GenAI transcriptionconsent-case-by-caseCase-by-case basis depending on meeting contentother-jurisdictionsyes-no-naAre any attorneys at this firm admitted to practice law in jurisdictions other than your primary state (e.g., member of the Bar, pro hac vice)?
Different jurisdictions may have their own rules, standing orders, or judicial policies regarding the use of AI in legal practice. Identifying all applicable jurisdictions helps ensure compliance.
jurisdiction-local-rules-checkedyes-no-naFor each jurisdiction where attorneys are admitted, have you checked for local rules, standing orders, or judicial policies regarding the use of AI in legal filings or practice?
Note: Several jurisdictions have issued standing orders or local rules requiring disclosure of AI use in legal filings. These requirements vary by jurisdiction and may change frequently. We recommend reviewing this with the consultant for each jurisdiction.
illinois-ai-policy-acknowledgedyes-no-naIllinois-based law firms: have you discussed the Illinois Supreme Court Policy on Artificial Intelligence (January 2025) with the consultant yet?
Note: The Illinois Supreme Court issued a policy on AI use in January 2025 that may affect your governance requirements. We recommend discussing this during your consultation.
csr-vs-ai-depositionsingle-selectWould this firm as a matter of policy object to another firm's use of AI transcription rather than a certified shorthand reporters (CSRs) to produce transcripts of a deposition?
Note: Some AI deposition tools are marketed to attorneys as having real-time cross-examination of witnesses against evidence and other testimony as the deposition transcript is being generated. Compare to CSR professional ethics on neutrality.
csr-objectYes, object to AI transcription for depositionscsr-no-objectNo objection to AI transcription for depositionscsr-case-by-caseCase-by-case basisai-disclosure-to-clientssingle-selectrequiredWill this firm disclose its use of AI to clients as a general matter?
Note: Some jurisdictions and bar associations are moving toward requiring disclosure of AI use in legal work. Proactive disclosure can build client trust and reduce risk.
disclose-yesYes, disclose AI use to clients by defaultdisclose-case-by-caseCase-by-case based on engagement typedisclose-noNo, do not disclose unless requiredclient-chatbot-advice-prospectivetext-areaHow will the firm advise prospective clients about the use of AI chatbots in preparation for conversations with their attorney or other legal matters?
Note: Clients increasingly use ChatGPT and similar tools to research legal questions before consulting an attorney. Their AI-generated understanding may be inaccurate and could affect the attorney-client relationship.
client-prior-chatbot-usetext-areaHow will the firm advise prospective clients about prior use of AI chatbots related to the legal matter before engaging your firm?
Note: Clients may have shared privileged or sensitive information with AI tools before retaining counsel. This could affect privilege, create discoverable records, or introduce inaccurate assumptions about their legal position.
tools-presumptionsingle-selectrequiredIs the use of generative AI tools or features presumptively allowed for work purposes, or only when explicitly allowed?
e.g., your firm uses a calendar program that later adds an AI "secretary agent" that can take meeting minutes and schedule follow-up call: may employees use these features without explicit permission?
presumption-allowedPresumptively allowed unless specifically prohibitedpresumption-prohibitedOnly allowed when explicitly approveddedicated-tools-prohibitedsingle-selectrequiredAre all dedicated generative AI tools (such as ChatGPT) presumptively prohibited if they are not specifically approved?
dedicated-prohibitedYes, all dedicated AI tools are presumptively prohibiteddedicated-case-by-caseEvaluated on a case-by-case basisdedicated-allowedNo, dedicated AI tools are generally permittedwebsites-blockedsingle-selectrequiredWill the websites of unapproved AI tools be blocked (e.g., "chatgpt[.]com")?
blocked-yesYes, block unapproved AI tool websitesblocked-partialBlock some high-risk sites onlyblocked-noNo, rely on policy compliancenot-sure-blocked-yesNot sure — defaulting to "Yes, block" for now — You can revisit this later.websites-blocked-responsibletext-areaWho will be responsible for implementing and maintaining website blocks for unapproved AI tools (e.g., DNS filtering, firewall rules, browser policies)?
training-level-allowedsingle-select(If allowed) What level of training should employees receive before being authorized to use generative AI for work purposes?
This firm allows trained employee use of generative artificial intelligence (GenAI) tools for work purposes on work devices. Approved GenAI tools and GenAI features should be used on work devices. No work-related activity should be conducted on personal or other non-work devices using unapproved GenAI tools.
training-basicBasic awareness training (1-2 hours)training-intermediateIntermediate training with hands-on exercises (half day)training-comprehensiveComprehensive certification program (full day or more)training-role-specificRole-specific training tailored to job functiontraining-level-bannedsingle-select(If banned) What level of training should employees receive to avoid generative AI-related risks if generative AI tools are generally not permitted for work purposes?
This firm does not allow trained employee use of generative artificial intelligence (GenAI) tools for work purposes on work devices. GenAI tools and GenAI features should not be used on work devices. No work-related activity should be conducted on personal or other non-work devices using unapproved GenAI tools.
training-awarenessBasic awareness of why AI is prohibitedtraining-risksTraining on AI risks and how to identify AI-generated contenttraining-comprehensive-banComprehensive training on risks, identification, and reportingprohibited-tool-actiontext-arearequiredWhen an employee becomes aware of the availability of a prohibited or unapproved GenAI tool on a work device, what actions must the employee take?
new-feature-actiontext-arearequiredWhen an employee becomes aware of the availability of a prohibited or unapproved new GenAI feature in an existing software tool, what actions must the employee take?
consequences-work-devicetext-arearequiredWhat are the consequences for an employee using unapproved generative AI tools on a work device for work purposes?
consequences-personal-devicetext-arearequiredWhat are the consequences for an employee using unapproved generative AI tools on a personal device for work purposes?
contractor-programmers-policytext-areaTo what extent will the firm apply these policies to its contractors using large language models for computer programming tasks? Will the firm expect the same policies, or focus on top risk categories, such as the use of "agents" in high-risk "dangerous" or "YOLO" modes?
csr-hiring-policysingle-selectCourt Reporters—Internal Use. Does this firm hire only certified shorthand reporters (CSRs) to produce transcripts for legal proceedings?
csr-onlyYes, CSRs onlycsr-preferredCSRs preferred but not requiredcsr-ai-allowedAI transcription services are permittednot-sure-csr-preferredNot sure — defaulting to "CSRs preferred" for now — You can revisit this later.csr-due-diligenceyes-no-naDoes this firm's due diligence when selecting CSRs include demonstrated knowledge of the risks of generative AI misuse?
csr-ai-use-policysingle-selectTo what extent will the firm apply these policies to its CSR contractors using generative AI models to aid in transcription?
Will the firm expect the CSR to refrain from all generative AI use (e.g., an AI transcript inserting an entire sentence without CSR review based on analysis of the raw audio file) or would low-risk uses be permissible, such as accepting a suggested spelling of medical terminology?
csr-no-aiRefrain from all generative AI usecsr-low-riskLow-risk uses permissible (e.g., spelling suggestions)csr-case-by-caseCase-by-case approval requiredundisableable-featuressingle-selectrequiredIf unapproved GenAI features in existing software cannot be removed or disabled, must employees refrain from using these features?
e.g., "employees shall not rewrite text in MacOS Pages using the Apple Intelligence feature"
refrain-yesYes, employees must refrain from using these featuresrefrain-case-by-caseCase-by-case evaluation neededrefrain-noNo, incidental use is acceptabletools-inventory-introinfo-displayThe following inventory will help identify which AI tools and features your employees may be using. This includes both dedicated AI tools and AI features embedded in common software.
For each tool, indicate: (1) if employees currently use it for work, (2) if it is available on work devices, and (3) if it is available on personal devices used for work.
Note: This inventory is an iterative process and does not need to be completed entirely in one session. Your progress is saved automatically, and you can return to update it at any time during the consultation.
external-transcription-awarenesscheckbox-listrequiredWhich external sources of LLM transcription might your organization encounter?
Note: See Recommendation 2 regarding ground truth documents.
ext-bodycamLaw enforcement body camera-to-police report tools (e.g., Axon Draft One)ext-depositionAI deposition toolsext-meetingMeeting transcription tools from external partiesexternal-content-awarenesscheckbox-listrequiredWhich external sources of AI-generated content should employees be trained to be familiar with?
Note: identification of AI-generated content is not always possible, so familiarity with where it may appear is the goal.
ext-ai-overviewScreenshots of Google AI Overview and other AI-generated summaries without attributionext-ai-imagesAI-generated images, e.g., an AI-modified image of a suspect in a law enforcement announcementext-fake-papersFake academic papers and preprintsext-fake-imagesFake academic stock images (charts, maps, diagrams), including in paid image databasesext-voice-deepfakesVoice deepfakes (AI-cloned audio impersonating known individuals)ext-video-deepfakesVideo deepfakes (AI-generated or AI-altered video of real people)ext-sextortion-deepfakesSextortion / nudification deepfakes (AI-generated explicit imagery used for extortion)ext-blurry-image-enhanceGenAI enhancement of blurry or low-resolution real images (hallucinated details presented as real)ext-property-deepfakesGenAI modification of property images (homes, vehicles, etc.) used in listings or insurance claimsext-refund-fraudRefund fraud through deepfakes (AI-fabricated purchase evidence or product return imagery)ext-work-invoice-fraudWork and invoicing fraud through deepfakes (AI-fabricated proof of completed work or services)ext-legal-slopClient-prepared "legal slop" — AI chatbot-drafted documents, letters, or legal arguments submitted to your organizationexpert-witness-ai-usesingle-selectHas this firm considered the risk that an expert witness may have used generative AI in preparing their report, analysis, or testimony?
Expert witnesses may use AI tools to draft reports, analyze data, or generate visualizations without disclosure. AI-generated content in expert testimony could introduce hallucinated facts, unverifiable analysis, or biased conclusions that may not withstand cross-examination.
Note: Consider requiring expert witnesses to disclose any use of generative AI tools in their engagement agreements.
expert-policy-existsYes, we have a policy addressing expert witness AI useexpert-policy-plannedNot yet, but we plan to address thisexpert-policy-noneNo, we have not considered thisthird-party-mitigationtext-areaWhat processes will your organization implement to verify the authenticity of externally-sourced content?
llm-latest-enforcementsingle-selectDoes this firm enforce the use of the latest LLM within a particular tool?
Note: Choice of LLM model may be determined by your AI software provider rather than being a user-configurable option.
latest-enforcedYes, always use the latest modellatest-recommendedRecommended but not enforcedlatest-flexibleFlexible based on use casellm-older-model-reasonscheckbox-listAre there reasons why an older model would be used?
Examples: GPT-5, GPT-4o, GPT-4b micro (medical research), Claude Opus 4.1, Claude Sonnet 4.5, Meta Llama 4, Meta Code Llama, Meta Llama Guard
Note: Choice of LLM model may be determined by your AI software provider rather than being a user-configurable option.
older-costCost considerationsolder-compatibilityCompatibility with a tested workflowolder-stabilityStability/reliability concerns with newer modelsolder-complianceCompliance or regulatory requirementschatbot-permittedsingle-selectrequiredDoes this firm permit employee use of any LLM-enabled chat interfaces for work purposes on work devices?
chatbot-yesYes, specific approved chatbots onlychatbot-noNo, chatbots are not permittednot-sure-chatbot-yesNot sure — defaulting to "Yes" for now — Defaulting to the more inclusive option so safeguard questions are not skipped.chatbot-approved-listtext-areaWhich chatbots are approved?
Reminder: Approved chatbot(s) should be used only by employees who have received training on GenAI risks such as hallucinations, data privacy, bias, prompt injection, and sycophancy.
chatbot-reminders-acknowledgedcheckbox-listAcknowledge the following best practices for chatbot use:
reminder-sensitiveSensitive data should only be entered if the approved chatbot offers additional information security features (e.g., specialty legal tool, HIPAA compliance, on-premises "on-prem" inference, local LLMs, or dedicated servers)reminder-maskedMasked data should be used when using general-purpose LLMsreminder-memoryChatGPT "Memory" features and similar should be disabledreminder-trainingOpt out of all any permissions allowing chats to be used for AI model training purposesreminder-linksEnsure that when you share links for citations, they are to external webpages, rather than to the chat itself, which may compromise confidentialityllm-writing-permittedsingle-selectDoes this firm permit trained employee use of approved LLM-enabled writing aids?
Reminder: Employees must review all AI-generated text and are ultimately responsible for its accuracy.
writing-yesYes, with required human reviewwriting-limitedLimited use cases onlywriting-noNo, AI writing aids are not permittedediscovery-permittedsingle-selectDoes this firm permit employees to use general purpose or specialty LLM-enabled tools for the purposes of analyzing and classifying eDiscovery documents as relevant or irrelevant?
ediscovery-yesYes, with appropriate safeguardsediscovery-noNo, eDiscovery classification must be human-onlynot-sure-ediscovery-yesNot sure — defaulting to "Yes" for now — Defaulting to the more inclusive option so safeguard questions are not skipped.ediscovery-quality-teststext-areaWhat tests do you have to score the quality of output?
ediscovery-batchingtext-areaWhat batching methods would be used to deal with context rot?
ediscovery-securitytext-areaWhat security measures are in place to identify potential indirect prompt injection influencing the classification?
hiring-llm-prohibitedsingle-selectrequiredDoes this firm/company prohibit employee use of all general purpose or specialty LLM-enabled hiring tools for the purposes of analyzing resumes or screening and selecting from a pool of job applicants for interviews and hiring decisions?
Note: Recommendation 4: Not recommended due to unexplainable biases and prompt injection risks.
hiring-prohibitedYes, LLM hiring tools are prohibited (Recommended)hiring-allowedNo, LLM hiring tools are permitted with safeguardswebsite-ai-designsingle-selectrequiredMay an approved generative AI web design tool or coding platform be used to create and modify the company website?
Examples: Wix AI, Squarespace AI, WordPress AI blocks, Framer AI
Reminder: Avoid sharing sensitive data.
website-ai-yesYes, approved AI tools may be usedwebsite-ai-noNo, manual design onlywebsite-ai-searchsingle-selectrequiredWill this firm (or its contractors) be permitted to add generative AI search features to the firm's website?
Examples: Algolia AI, custom ChatGPT widget, Intercom AI
website-search-yesYeswebsite-search-noNowebsite-search-evaluateTo be evaluatedwebsite-scrapingsingle-selectrequiredWill this firm allow for generative AI tools to scrape the firm's website?
Note: Add instructions to robots.txt prohibiting AI bots from scraping and training. This may limit visibility on generative AI search. For CloudFlare users, this option may be toggled on/off.
scraping-allowYes, allow AI scrapingscraping-denyNo, block AI scraping via robots.txtsearch-engine-aisingle-selectrequiredDoes this firm permit trained employees to use LLM-enabled search engine features for work purposes on work devices, noting that summarization may not be faithful to the underlying citations and requires review of sources?
Examples: Google AI Overviews, Bing Chat/Copilot, Perplexity
search-ai-yesYes, with required source verificationsearch-ai-noNo, use traditional search onlywebsite-embedded-searchsingle-selectrequiredDoes this firm/company permit trained employee use of LLM-enabled search tools embedded within particular websites, noting that summarization may not be faithful to the underlying citations and requires review of sources?
Examples: AI search bars on vendor sites, knowledge bases with AI Q&A
embedded-yesYes, with required source verificationembedded-noNospecialty-searchsingle-selectrequiredDoes this firm/company permit trained employee use of LLM-enabled search and summarization functions embedded within specialized research tools (e.g., Google Scholar or LexisNexis)?
Examples: Google Scholar AI summaries, Westlaw Edge AI, LexisNexis+ AI, Casetext CoCounsel
Note: Summarization may not be faithful to the underlying citations and requires review of sources.
specialty-yesYes, with required source verificationspecialty-noNocoding-environmentssingle-selectrequiredDoes this firm/company prohibit all LLM-enabled coding environments, except for specifically approved tools?
This includes, but is not limited to: GitHub Copilot, Claude Code, ChatGPT Codex, Google Antigravity, Microsoft Copilot, Meta Code Llama.
coding-prohibitedYes, all AI coding tools are prohibited except approved onescoding-allowedNo, AI coding tools are generally permittedcoding-naN/A - no programming activitieslocal-llmssingle-selectrequiredIs downloading and running approved "local" LLMs on work devices permitted?
Examples: Ollama, LM Studio, GPT4All, llama.cpp
Note: Employees using local LLMs for work purposes should acknowledge that these smaller LLMs involve a tradeoff between privacy and performance; local LLMs may run on a laptop but will not have the same accuracy as a frontier LLM.
local-yesYes, approved local LLMs are permittedlocal-noNo, local LLMs are not permittedemail-assistants-worksingle-selectrequiredEmail Assistants on Work Devices: Does this firm permit LLM-enabled email summarization and personal assistant "agents" for work purposes or on work devices?
Note: This use case is considered high-risk due to information security research indicating the potential for data exfiltration. It is recommended that this firm prohibit all employee use.
email-work-prohibitedProhibited (Recommended)email-work-allowedAllowed with restrictionsemail-assistants-personalsingle-selectrequiredEmail Assistants on Personal Devices with Work Email: Does this firm permit employee access to personal devices used to access work email?
Note: If so, it may be difficult to ensure that employees do not use LLM-enabled email summarization and personal assistant "agents." Due to the risk of data exfiltration, it is recommended that employees not access work email from any personal device that has LLM features enabled.
email-personal-prohibitedPersonal devices with LLM features should not access work emailemail-personal-allowedAllowed with training on risksemail-personal-no-accessNo personal device access to work email permittedscheduling-assistantssingle-selectrequiredScheduling Assistants: Does this firm permit AI scheduling assistant "agents" that can create calendar events without a human-in-the-loop?
Examples: x.ai, Reclaim.ai, Clockwise AI, Motion
Note: AI scheduling assistant "agents" that can create calendar events without a human-in-the-loop, especially if documents can be attached to those events, carry similar risks to email agents noted above.
scheduling-prohibitedProhibited (Recommended)scheduling-allowedAllowed with restrictionsinternal-transcription-permittedsingle-selectrequiredDoes this firm permit LLM-enabled meeting transcription tools internally?
internal-yesYes, with review processinternal-noNo, human transcription onlynot-sure-internal-yesNot sure — defaulting to "Yes" for now — Defaulting to the more inclusive option so review process questions are not skipped.internal-review-processtext-areaIf so, they may only be used as the first draft: what is the review process to finalize minutes?
Note: For meetings requiring official minutes, it is recommended that a designated individual take minutes. AI transcripts may be used to aid in drafting the minutes when details need to be clarified, but contemporaneous notes should be taken and used as the basis of official minutes. AI transcripts may hallucinate details or mistake which individual was the speaker.
internal-transcription-toolstext-areaWhat tools are permitted for internal meeting transcription?
external-transcription-policysingle-selectWhen attending meetings with external parties, shall employees request that official meeting minutes be taken by an attendee?
external-request-humanYes, request human note-takingexternal-flexibleFlexible based on meeting sensitivityexternal-no-requestNo specific request requiredexternal-consent-conditionstext-areaIf consent for AI transcription is granted, what are the conditions of proper use of AI transcription and in what situations would AI transcription not be permissible due to concerns about sensitive data (e.g., risks to IP)?
facility-recording-policysingle-selectrequiredDoes this organization prohibit AI wearables (e.g., Meta Ray-Ban smart glasses, Humane AI Pin) and always-on listening/recording devices in its facilities?
Note: AI wearables can passively record conversations, capture images of documents, and transmit data to cloud services — often without visible indicators. In environments where attorney-client privilege, trade secrets, HIPAA-protected information, or other confidential material is discussed, these devices pose significant risk.
recording-prohibitedProhibited in all facility areasrecording-common-areas-onlyAllowed in common areas only (lobbies, break rooms)recording-allowed-with-restrictionsAllowed with restrictionsno-policy-yetNo policy yet — need to establish onevisitor-recording-notificationsingle-selectrequiredAre visitors, clients, and third parties notified of the organization's recording device policy before entering facilities?
notify-checkinYes, at check-innotify-signageYes, via signagenotify-agreementsYes, in engagement or visitor agreementsno-notificationNo notification currentlyrecording-enforcementcheckbox-listHow is the recording device policy communicated and enforced?
enforce-signagePhysical signage at entry pointsenforce-handbookEmployee handbook or policy manualenforce-visitor-checkinVisitor check-in procedureenforce-client-agreementsClient engagement agreementsenforce-contractor-agreementsContractor and vendor agreementsenforce-noneNo formal enforcement yetrecording-exceptionstext-areaIs there a process for granting exceptions to the recording device policy (e.g., accessibility accommodations, approved research use)? If so, describe it.