Questionnaire Branch Map

What are the main objectives of the firm in defining acceptable generative AI use? For example (not intended to be an exhaustive list):

To achieve these objectives, does the firm intend to approach generative AI with a general ban or to define allowable generative AI use for work purposes?

Examples of allowable use: First-draft report or brief generation, Boilerplate generation (e.g., trusts, contracts), Email drafting, Image generation (e.g., stock photos for presentations), Audio transcription from online meetings, Legal research on case law

What individual or team is responsible for maintaining this policy?

How often will this policy be reviewed and updated?

Note: This policy was created on [CREATION DATE] and will be updated at least [PERIODICALLY].

What will the process be for reviewing and approving exceptions to the policy (for example, to review potential new vendors or to temporarily authorize specific employees to use generative AI tools for a specific task)?

Does this firm want employees to emphasize using generative AI workflows as often as possible? Or does this firm follow the principle that tasks should only be performed with AI if there is already a net time savings compared to non-AI processes after both performing the task and reviewing the output?

Would this firm consent to or deny consent to third-party use of GenAI transcription tools, e.g., on a Zoom call?

Would this firm as a matter of policy object to another firm's use of AI transcription rather than a certified shorthand reporters (CSRs) to produce transcripts of a deposition?

Note: Some AI deposition tools are marketed to attorneys as having real-time cross-examination of witnesses against evidence and other testimony as the deposition transcript is being generated. Compare to CSR professional ethics on neutrality.

(If allowed) What level of training should employees receive before being authorized to use generative AI for work purposes?

This firm allows trained employee use of generative artificial intelligence (GenAI) tools for work purposes on work devices. Approved GenAI tools and GenAI features should be used on work devices. No work-related activity should be conducted on personal or other non-work devices using unapproved GenAI tools.

(If banned) What level of training should employees receive to avoid generative AI-related risks if generative AI tools are generally not permitted for work purposes?

This firm does not allow trained employee use of generative artificial intelligence (GenAI) tools for work purposes on work devices. GenAI tools and GenAI features should not be used on work devices. No work-related activity should be conducted on personal or other non-work devices using unapproved GenAI tools.

When an employee becomes aware of the availability of a prohibited or unapproved GenAI tool on a work device, what actions must the employee take?

When an employee becomes aware of the availability of a prohibited or unapproved new GenAI feature in an existing software tool, what actions must the employee take?

What are the consequences for an employee using unapproved generative AI tools on a work device for work purposes?

What are the consequences for an employee using unapproved generative AI tools on a personal device for work purposes?

To what extent will the firm apply these policies to its contractors using large language models for computer programming tasks? Will the firm expect the same policies, or focus on top risk categories, such as the use of "agents" in high-risk "dangerous" or "YOLO" modes?

Court Reporters—Internal Use. Does this firm hire only certified shorthand reporters (CSRs) to produce transcripts for legal proceedings?

Does this firm's due diligence when selecting CSRs include demonstrated knowledge of the risks of generative AI misuse?

To what extent will the firm apply these policies to its CSR contractors using generative AI models to aid in transcription?

Will the firm expect the CSR to refrain from all generative AI use (e.g., an AI transcript inserting an entire sentence without CSR review based on analysis of the raw audio file) or would low-risk uses be permissible, such as accepting a suggested spelling of medical terminology?

Is the use of generative AI tools or features presumptively allowed for work purposes, or only when explicitly allowed?

e.g., your firm uses a calendar program that later adds an AI "secretary agent" that can take meeting minutes and schedule follow-up call: may employees use these features without explicit permission?

If unapproved GenAI features are added to existing tools that are otherwise permitted, how should employees handle that?

If unapproved GenAI features in existing software cannot be removed or disabled, must employees refrain from using these features?

e.g., "employees shall not rewrite text in MacOS Pages using the Apple Intelligence feature"

Are all dedicated generative AI tools (such as ChatGPT) presumptively prohibited if they are not specifically approved?

Will the websites of unapproved AI tools be blocked (e.g., "chatgpt[.]com")?

The following inventory will help identify which AI tools and features your employees may be using. This includes both dedicated AI tools and AI features embedded in common software.

For each tool, indicate: (1) if employees currently use it for work, (2) if it is available on work devices, and (3) if it is available on personal devices used for work.

Which external sources of LLM transcription might your organization encounter?

Note: See Recommendation 2 regarding ground truth documents.

Which external sources of AI-generated content should employees be trained to identify?

What processes will your organization implement to verify the authenticity of externally-sourced content?

Does this firm enforce the use of the latest LLM within a particular tool?

Are there reasons why an older model would be used?

Examples: GPT-5, GPT-4o, GPT-4b micro (medical research), Claude Opus 4.1, Claude Sonnet 4.5, Meta Llama 4, Meta Code Llama, Meta Llama Guard

Does this firm permit employee use of any LLM-enabled chat interfaces for work purposes on work devices?

Which chatbots are approved?

Reminder: [APPROVED CHATBOT] should be used by employees who have received training on GenAI risks such as hallucinations, data privacy, bias, prompt injection, and sycophancy.

Acknowledge the following best practices for chatbot use:

Does this firm permit trained employee use of approved LLM-enabled writing aids?

Reminder: Employees must review all AI-generated text and are ultimately responsible for its accuracy.

Does this firm permit employees to use general purpose or specialty LLM-enabled tools for the purposes of analyzing and classifying eDiscovery documents as relevant or irrelevant?

What tests do you have to score the quality of output?

What batching methods would be used to deal with context rot?

What security measures are in place to identify potential indirect prompt injection influencing the classification?

Does this firm/company prohibit employee use of all general purpose or specialty LLM-enabled hiring tools for the purposes of analyzing resumes or screening and selecting from a pool of job applicants for interviews and hiring decisions?

Note: Recommendation 4: Not recommended due to unexplainable biases and prompt injection risks.

May an approved generative AI web design tool or coding platform be used to create and modify the company website?

Reminder: Avoid sharing sensitive data.

Will this firm (or its contractors) be permitted to add generative AI search features to the firm's website?

Will this firm allow for generative AI tools to scrape the firm's website?

Note: Add instructions to robots.txt prohibiting AI bots from scraping and training. This may limit visibility on generative AI search. For CloudFlare users, this option may be toggled on/off.

Does this firm permit trained employees to use LLM-enabled search engine features for work purposes on work devices, noting that summarization may not be faithful to the underlying citations and requires review of sources?

Does this firm/company permit trained employee use of LLM-enabled search tools embedded within particular websites, noting that summarization may not be faithful to the underlying citations and requires review of sources?

Does this firm/company permit trained employee use of LLM-enabled search and summarization functions embedded within specialized research tools (e.g., Google Scholar or LexisNexis)?

Note: Summarization may not be faithful to the underlying citations and requires review of sources.

Does this firm/company prohibit all LLM-enabled coding environments, except for [APPROVED CODING]?

This includes, but is not limited to: GitHub Copilot, Claude Code, Microsoft Copilot, Meta Code Llama.

Is downloading and running approved "local" LLMs on work devices permitted?

Note: Employees using local LLMs for work purposes should acknowledge that these smaller LLMs involve a tradeoff between privacy and performance; local LLMs may run on a laptop but will not have the same accuracy as a frontier LLM.

Email Assistants on Work Devices: Does this firm permit LLM-enabled email summarization and personal assistant "agents" for work purposes or on work devices?

Note: This use case is considered high-risk due to information security research indicating the potential for data exfiltration. It is recommended that this firm prohibit all employee use.

Email Assistants on Personal Devices with Work Email: Does this firm permit employee access to personal devices used to access work email?

Note: If so, it may be difficult to ensure that employees do not use LLM-enabled email summarization and personal assistant "agents." Due to the risk of data exfiltration, it is recommended that employees not access work email from any personal device that has LLM features enabled.

Scheduling Assistants: Does this firm permit AI scheduling assistant "agents" that can create calendar events without a human-in-the-loop?

Note: AI scheduling assistant "agents" that can create calendar events without a human-in-the-loop, especially if documents can be attached to those events, carry similar risks to email agents noted above.

Does this firm permit LLM-enabled meeting transcription tools internally?

If so, they may only be used as the first draft: what is the review process to finalize minutes?

Note: For meetings requiring official minutes, it is recommended that a designated individual take minutes. AI transcripts may be used to aid in drafting the minutes when details need to be clarified, but contemporaneous notes should be taken and used as the basis of official minutes. AI transcripts may hallucinate details or mistake which individual was the speaker.

What tools are permitted for internal meeting transcription?

When attending meetings with external parties, shall employees request that official meeting minutes be taken by an attendee?

Shall employees in attendance grant or deny consent for AI transcription in meetings with third parties?

If consent for AI transcription is granted, what are the conditions of proper use of AI transcription and in what situations would AI transcription not be permissible due to concerns about sensitive data (e.g., risks to IP)?