AI Governance Policy Drafting Session — Role Simulation

Profile

Chairs the meeting and must synthesize competing views into a workable framework. Her priority is speed and credibility — the firm needs a presentable governance document before the Friday client deadline and the state bar deadline next week.

Objectives

• Produce a governance framework that is comprehensive enough to satisfy regulators and clients but concise enough to be implementable within 30 days
• Navigate the internal politics — balancing accountability for Ashworth with the need to retain her revenue and expertise
• Establish Osei's authority as CISO without alienating the partnership, who are unaccustomed to technology oversight of their practices

Constraints

Sinclair knows that the insurance exclusion for unauthorized third-party applications means the firm may face uninsured liability. She must ensure the governance framework addresses this gap going forward.

Exclusive Information

Sinclair has received a private call from the senior partner at Crawford Pharmaceutical's alternative outside counsel firm, offering to 'take the matter off her hands gracefully.' She has not told anyone about this call. She also knows that two additional partners have been using unapproved AI tools and that the governance framework must address their situations before those become public as well.

Profile

Three days into the job, working with incomplete knowledge of the firm's systems. Brings deep cybersecurity expertise from financial services but limited understanding of law firm culture, partnership dynamics, and legal professional obligations.

Objectives

• Establish a governance framework with teeth — mandatory tool vetting, data classification, monitoring, and enforcement mechanisms that meet enterprise security standards
• Secure budget and authority commitments from the partnership for the infrastructure upgrades needed to support the governance framework
• Create an incident response protocol so the firm is prepared if another breach occurs

Constraints

Osei's infrastructure assessment reveals that implementing enterprise-grade governance controls will cost $800,000-$1.2 million in the first year. The firm's current IT budget is $340,000 annually. He must propose a framework that is aspirationally robust but pragmatically phased.

Exclusive Information

Osei has discovered during his infrastructure review that the firm's document management system has a logging gap — there is no complete record of which documents Ashworth uploaded to LegalMind Analytics. The 4,200-page figure reported publicly is the vendor's estimate, but the actual exposure could be larger. He has not shared this finding with anyone yet because he wants to verify it before creating additional panic.

Profile

The partner whose use of LegalMind Analytics caused the breach. She is present because Sinclair believes that excluding her would be both unfair and counterproductive — the governance framework needs input from practitioners who understand why attorneys adopt unauthorized tools.

Objectives

• Ensure the governance framework addresses the root cause — the gap between attorneys' technology needs and the firm's approved tool offerings — rather than just punishing unauthorized adoption
• Protect her team of three associates who used LegalMind Analytics at her direction from individual disciplinary action
• Demonstrate accountability and constructive engagement to rebuild credibility with the partnership and clients

Constraints

Ashworth's continued presence at the firm is politically contentious. Some partners want her suspended or expelled. She must contribute meaningfully to the governance discussion without appearing to be deflecting blame or minimizing the harm her actions caused.

Exclusive Information

Ashworth has conducted her own review and discovered that LegalMind Analytics' terms of service — which she never read — included a clause granting the vendor a royalty-free license to use uploaded documents for AI model training purposes. This means the exposed documents may have been incorporated into the vendor's training data, creating a broader and potentially irremediable exposure beyond the data breach itself. She has not disclosed this to anyone.

Profile

A fifth-year associate elected to the firm's technology committee by the associate class. Represents the perspective of junior lawyers who use AI tools daily and are most directly affected by governance policies they had no role in creating.

Objectives

• Ensure the governance framework does not eliminate AI tool access that associates rely on for competitive efficiency and workload management
• Advocate for a streamlined tool approval process — the current informal system takes months and discourages innovation
• Push for training and support resources rather than punitive enforcement, recognizing that associates often adopt tools because partners assign unrealistic deadlines

Constraints

Park knows that associates are the heaviest users of AI tools in the firm and that many are using unapproved tools for tasks ranging from research drafting to time entry. A restrictive governance framework will face immediate noncompliance from the associate class.

Exclusive Information

Park has been quietly running an anonymous survey of associates about AI tool use. The preliminary results show that 67% of associates have used at least one unapproved AI tool for firm work in the past six months. The most common reason cited is 'the approved tools are inadequate for my needs.' 23% report that a partner specifically asked them to use an AI tool that was not approved. He has not shared these results with firm leadership.

Profile

Senior counsel who chairs the firm's professional responsibility committee. A former state bar disciplinary counsel, she understands the regulatory exposure better than anyone in the room and has strong views on the ethical obligations that the governance framework must address.

Objectives

• Ensure the governance framework satisfies the state bar's expected requirements and positions the firm favorably in any disciplinary proceedings
• Establish clear ethical guidelines for AI use that go beyond technical security to address duties of competence, confidentiality, and supervision
• Create a reporting and escalation mechanism for AI-related ethical concerns that protects attorneys who raise issues in good faith

Constraints

Vance has been contacted by the state bar's ethics committee chair, who indicated informally that the bar is considering using this case as the basis for a new formal ethics opinion on AI governance in law firms. The governance framework the firm produces may influence statewide standards.

Exclusive Information

Vance has reviewed the disciplinary history and discovered that the firm received an informal ethics inquiry 18 months ago from a different partner about whether using a cloud-based AI summarization tool for client documents required client consent. The inquiry was routed to the firm's general counsel, who provided an informal 'green light' without conducting a formal analysis. This prior inquiry — never documented in a formal opinion — suggests the firm had notice of the AI governance gap well before the breach.