The Legal Industry Has a Data Governance Problem. The Answer Is Not to Stop Using AI. 

An article I came across recently laid out the confidentiality obligations attorneys face when using AI tools, walking through ABA Formal Opinion 512 and the specific questions every firm should be able to answer about where client data goes when it enters an AI workflow. It is worth a read for any attorney who has not thought through this carefully yet.

I Want to Push on the Framing Here a Little

Why? I see a version of this same conversation play out in healthcare constantly, and I think it leads to the wrong conclusion.

Here’s my take: The instinct to respond to data governance concerns in AI by slowing down adoption must be challenged. In my experience, regulation and privacy and liability and interoperability get invoked regularly as reasons to wait. They are real constraints. They should not become blanket justifications for maintaining systems that are already broken.

In the personal injury ecosystem, where Gain operates at the intersection of legal and healthcare, we handle sensitive case data every day: medical records, treatment documentation, medical liens, pre-settlement funding arrangements. The governance question is not abstract for us. Along the way, I’ve found that the organizations that handle it best are not the ones that wait for a cleaner regulatory environment. They are the ones that build the infrastructure to govern data responsibly and move.

The Data Is Already Moving. The Question Is Whether It Is Governed.

Opinion 512 asks firms a specific question: for each AI tool in use, where does client data go, and is that consistent with your confidentiality obligations? That is the right question. But I want to note what it does not say. It does not say stop using AI. It says understand what your tools do and govern them accordingly.

Client information in a legal practice is already moving through multiple systems. Case management platforms, billing software, communication tools, document storage, outside vendors. The data does not sit still. The question is whether the movement is governed, visible and consistent with the firm’s obligations.

This is identical to the challenge in healthcare. A single patient visit may involve intake platforms, EHR systems, billing vendors, imaging systems, insurers, specialists and outside labs. The information moves constantly. The problem is not that it moves. The problem is that it moves through fragmented, poorly governed systems that create friction without creating protection.

The same dynamic is true in legal practice. The gap between policy and practice is exactly where compliance breaks down. A firm with an AI policy that does not know where its client data goes has a governance gap, not an AI problem. The solution is not to pull back from the tools. It is to close the gap.

Intake Is Where the Real Exposure Lives, and It Predates AI.

Intake is a high-risk area for AI use. Prospective client identities, adverse party names, conflict check information: all of this surfaces before an engagement agreement is signed, which means before most firms have thought through their data handling obligations for that specific client.

That is a real gap. But I would argue the gap was already there before AI entered the workflow. Firms that have not systematically thought about how intake information is governed and where it flows have an underlying infrastructure problem. AI makes it more visible, and more consequential if it goes wrong.

For plaintiff-side personal injury attorneys, this matters even more. What happens early in a personal injury case shapes everything downstream: the quality of documentation, the strength of the case, the pace at which a client can access care or financial relief. Attorneys who use AI to move faster through intake, with proper governance in place, serve their clients better. Those who avoid it in the name of caution often just move slower without being any more protected.

The Supervision Argument Cuts Both Ways.

Opinion 512 requires attorneys to supervise AI output the same way they supervise the work of associates. I agree with that entirely. But I think the supervision argument is often used to justify not using AI at all, when the right takeaway is the opposite.

The quality of supervision depends on the quality of what the tool knows. A general-purpose cloud AI tool that knows nothing about your client history, your firm’s prior positions, or the specifics of your cases produces output that requires a lot of independent reconstruction before a lawyer can evaluate it. A system built on your firm’s own matter history and client documentation produces output that is already grounded in context that matters.

The investment in purpose-built case management infrastructure is not just a workflow decision. It is a governance decision. Tools that are integrated into a firm’s own data environment, with appropriate access controls and audit capability, make supervision more meaningful, not less.

The firms treating AI as something to bolt onto existing systems without thinking through the data layer are the ones who should be cautious. The firms building the infrastructure first are the ones who get to move fast.

What the Legal Industry Should Actually Be Asking.

The four questions Opinion 512 asks firms to answer are useful. Where does client data go? What does the vendor do with it? Is that consistent with Rule 1.6? Are attorneys reviewing outputs before relying on them? Every firm should have clear answers.

But I want to add a fifth question, and I think it is the more important one: are we building the data infrastructure that allows us to use AI responsibly at scale, or are we using compliance concerns as a reason to avoid building it?

The organizations that will define the next era of legal practice are not the ones that waited for a cleaner regulatory environment. They are the ones that took the governance question seriously, built the systems to answer it, and then moved. The tools are available. The obligation is real. The choice is whether to meet it or use it as an excuse.

In a space where a case record, a medical lien negotiation, or a pre-settlement funding arrangement can affect a client’s financial recovery for years, getting the governance right is not optional. But neither is moving forward.
