Making the Case for Generative AI Usage Policies in Law Firms


Legal professionals are trained to be cautious, and for many good reasons. But sometimes those instincts can quietly turn into avoidance or analysis paralysis, especially when it comes to emerging or fast-moving technology. Generative artificial intelligence (GAI) is a perfect example of technology that has taken the world by storm. Artificial intelligence uses computer systems to mimic human intelligence and perform tasks. Common examples include word processing applications, communication tools, and research databases. GAI is a subset of AI that uses algorithms to create new, original content by learning patterns from training datasets. It has quickly moved from a new and interesting concept to something that is now arguably impossible to avoid. According to the Smokeball 2025 State of Law report, 53% of small firms and solo practitioners surveyed have integrated GAI into their workflows.[1] Pretending it does not exist or telling legal professionals not to use GAI is dangerous and unrealistic. Yet many firms have not created a GAI usage policy. This is where Stoicism, an unexpected philosophy, may offer insight to firms hesitating in this area.

Fear of Change in Legal Culture

Stoics teach that we cannot control certain events, but we can control our response to them. Instead of asking, “Can I stop this from happening?”, a Stoic would ask, “Given that this is happening, how should I respond appropriately?” GAI in legal practice is an example of inevitable change that in a Stoic’s mind would now require a focus on how to appropriately respond. Common reactions to change often include:
  • “We should wait until we know more.”
  • “I don’t want to be the first to make a mistake with this.”
  • “Let’s see what other firms are doing.”
These are not unreasonable thoughts. They are perfectly normal reactions to the unknown. Yet a better approach would be to acknowledge the inevitable and determine how to respond appropriately. Without GAI usage policies, law firms open the door to the development of “shadow systems”: quiet, unregulated use of GAI that management and IT neither know about nor oversee. No one is sure what is allowed or prohibited. Staff may be uneducated or miseducated about the tools, potentially leading to ethical violations or malpractice claims. That environment is far riskier than putting into place a simple, clear framework.


Practical Tips for Creating a Generative AI Usage Policy

Creating a GAI usage policy allows law firms to recognize the risk, assert control, and provide guidance rather than do nothing or impose a ban. The policy then acts like other risk management tools. It does not need to be complex or overly technical but instead should be simple and focused on practical and ethical guidance. Here are key elements law firms should consider:
 
  1. Begin with Education. Before drafting a policy, ensure everyone in the firm understands what GAI is and how these tools are commonly used both inside and outside of a legal organization. Consider offering a training session or written overview explaining this. Include known risks and ethical obligations. See the Oregon State Bar Formal Opinion No. 2025-205 for helpful guidance about ethical obligations when using GAI.
  2. Create a Policy Committee. Create a committee to begin the process of drafting. Include anyone who can provide valuable insight to best understand your firm’s needs and specific risks. Start by asking questions:
    1. How can GAI be helpful for the firm? Many different types of GAI programs exist, providing a vast array of features. Narrow down the features your firm is interested in before writing a policy — otherwise it can feel overwhelming.
    2. What types of client data does your firm handle? For example, if your firm handles client financial information and medical records, you must be especially clear about what programs can and cannot be used based on their security and privacy policies.
    3. What is the firm’s current technology infrastructure? It is likely that your firm is already using technology embedded with GAI features. Step back, find out what you already have, and determine if additional GAI programs should be added to your technology stack.
  3. List Approved GAI Programs. Although it will evolve as time goes on, begin by creating a list of approved GAI programs. This will provide clear boundaries and allow the firm to properly incorporate those programs into its office systems and IT oversight.
  4. Define Approved and Prohibited Uses. After developing the list of approved programs, determine and specify how each program should and should not be used. Clarify the purpose of each tool so staff can distinguish between tasks suitable for using GAI, and tasks requiring professional judgment. Examples of approved uses could include editing documents to improve grammar, summarizing information, or brainstorming. Prohibited uses could include using general purpose GAI tools for legal research or creating client communications without review.
  5. Highlight the Importance of Confidentiality. Most general-purpose GAI programs do not securely store information received. Often, they use the data to train the program for improvement purposes. Any policy must include clear language about maintaining client confidentiality. Expressly prohibit staff from inputting any confidential or client-specific information into GAI tools unless the tool is specifically approved for that use.
  6. Require Human Oversight and Judgment. Regardless of the program being used and in what fashion, the policy should explicitly state that GAI is supportive technology, not a replacement for educated and professional judgment. All output must be anchored to a source of truth and verified by a human.
  7. Require Continuous Education. GAI technology will continue to evolve. Policies will become useless if they do not keep pace with the changes. Continuing education will not only reinforce the specifics of the policy but will also provide an opportunity to share best practices and possibilities for increased efficiency.
  8. Periodically Assess the Policy. Periodically assess the policy for possible changes to ensure continued clarity, improved efficiency, and ethical compliance. Review the policy at least annually, and revise immediately if necessary (e.g., security breach, staff misunderstanding or misuse).


Conclusion

Failure to implement a clear GAI usage policy exposes firms to significant risks, including both ethical complaints and malpractice claims. Yet inaction or banning the use of GAI entirely is unrealistic, as it is embedded in most personal and business technology platforms. Implementing a clear, well-thought-out policy that acknowledges these realities and creates strict boundaries can mitigate risk and allow your firm to become more efficient and provide better services to your clients.

For additional guidance and a sample GAI policy, please visit our website at https://www.osbplf.org/services/resources/#forms > Firm Operations > Office Systems and Procedures.
 
