A proposal for the establishment of a formal AI Governance Programme at [Firm Name] LLP — presented to the Management Committee for decision.
[Firm Name] LLP is currently deploying artificial intelligence tools across its practice — including [list tools: e.g. Microsoft Copilot, Harvey AI, ChatGPT] — without a formal governance framework. This paper presents the business case for establishing an AI Governance Programme and requests the Management Committee's approval to commission an external governance assessment and programme implementation.
The EU AI Act's full high-risk AI system obligations take effect in August 2026. The SRA has issued AI guidance that creates professional conduct obligations now. The ICO is actively enforcing UK GDPR against AI deployments. The firm's current posture creates live regulatory exposure estimated at up to [€X million based on firm revenue] in potential EU AI Act fines.
This paper recommends that the Management Committee approve a three-phase AI Governance Programme, commencing immediately, with an external governance partner engaged to deliver assessment and implementation. The total investment required is [£X] over 12 months — a fraction of the regulatory exposure the programme eliminates.
Approval to commission an AI Governance Assessment (Phase 1) at a cost of [£8,000–£12,000], with authority delegated to [Managing Partner / COO] to proceed to Phases 2 and 3 subject to Phase 1 findings.
AI tools are being actively used across the firm's practice areas. Based on a preliminary assessment, the following tools are in active use:
| Tool | Usage | Governance Status | Risk Level |
|---|---|---|---|
| [Tool 1 e.g. Microsoft Copilot] | [Usage description] | No formal governance | Critical |
| [Tool 2 e.g. Harvey AI] | [Usage description] | No DPA in place | Critical |
| [Tool 3] | [Usage description] | Informal approval only | High |
| Personal AI accounts (shadow) | Unknown — likely widespread | Not approved or governed | Critical |
Three regulatory frameworks create immediate and concurrent obligations for the firm:
Full high-risk AI system obligations activate in August 2026 — eight weeks from the date of this paper. Law firms using AI in legal research, document drafting, or case assessment may be deploying high-risk AI systems under Annex III. Obligations include: AI system inventory and risk classification, technical documentation, human oversight protocols, AI literacy training, and provider due diligence. Maximum fine: €35 million or 7% of global annual turnover.
The SRA's Technology and Innovation Guidance, issued in 2024 and updated in 2025, creates professional conduct obligations around AI use. Under the Code of Conduct for Solicitors, Para 3.2 requires solicitors to maintain competence in the tools they use in practice. Para 3.5 makes supervising solicitors personally accountable for all work carried out by those they supervise — including AI-generated work. Para 6.3 requires adequate protection of client confidential information. Under the Code of Conduct for Firms, Rules 2.1(a), 4.2, 4.3, and 4.4 require effective governance systems, competent service, staff competence maintenance, and effective supervision of client matters. A supervising solicitor who cannot demonstrate adequate oversight of AI use on their matters faces personal regulatory action by the SRA.
Processing client personal data through AI tools without Data Processing Agreements is an active GDPR Article 28 violation. The ICO has indicated it will take enforcement action against organisations that deploy AI without adequate data protection controls. Maximum fine: £17.5 million or 4% of global annual turnover.
44% of UK law firms currently have no formal AI governance policy. 60% of in-house legal teams do not know whether their outside counsel are using AI on their matters. The firms that demonstrate governance will win mandates; the firms that cannot will lose them. AI governance is becoming a competitive requirement, not merely a compliance obligation.
The Management Committee should consider five categories of risk arising from the firm's current ungoverned AI deployment:
| Risk Category | Specific Risk | Likelihood | Impact | Severity |
|---|---|---|---|---|
| Regulatory | EU AI Act enforcement action post-August 2026 | High if no action | €35M / 7% revenue | Critical |
| Professional Conduct | SRA investigation following AI-related client complaint | Medium — rising | Unlimited / practice closure | Critical |
| Data Protection | ICO enforcement for client data in AI tools without DPAs | High — ongoing | £17.5M / 4% turnover | Critical |
| Professional Negligence | AI hallucination in client document — undetected by fee earner | Medium | Professional indemnity claim | High |
| Commercial | Loss of client mandate — client discovers AI used without disclosure | Medium — rising | Revenue impact + reputational | High |
Under SRA Code of Conduct for Solicitors Para 3.5, supervising solicitors remain personally accountable for work carried out by those they supervise — including AI-assisted work. This is not firm-level risk only. A partner who supervises a fee earner using AI on a client matter without adequate governance controls may face personal SRA disciplinary proceedings if something goes wrong. The Code for Firms simultaneously exposes the firm to institutional sanction under Rules 2.1(a) and 4.4. Both proceedings can run concurrently from the same incident. Not knowing that AI was used on your matter is not a defence — it is evidence that your supervision system failed.
The proposed programme comprises three phases, designed to achieve EU AI Act compliance by August 2026 and establish ongoing operational governance thereafter.
An external AI governance assessment conducted by Cardinal AI Systems, covering:
Investment: [£8,000–£12,000] · Timeline: 4–5 weeks · Output: Full governance audit report + remediation roadmap
Implementation of core governance infrastructure:
Investment: [£5,000–£8,000/month × 3 months] · Timeline: Months 2–4
Ongoing governance operations:
Investment: [£5,000–£8,000/month retained] · Timeline: Month 5 onwards
| Role | Proposed Appointee | Responsibilities |
|---|---|---|
| AI Governance Lead | [Partner Name] | Overall accountability for AI governance programme. Management committee reporting. External governance partner relationship. |
| Management Committee Sponsor | [Managing Partner] | Programme authority. Budget approval. Board reporting. |
| IT Director | [Name] | AI tool inventory management. Technical implementation. Vendor management. |
| DPO / Compliance Manager | [Name] | DPIA completion. DPA execution. ICO liaison. Data protection compliance. |
| External Governance Partner | Cardinal AI Systems · Ronke Jegede | Assessment, framework design, implementation support, ongoing advisory. |
| Phase | Description | Timeline | Investment |
|---|---|---|---|
| Phase 1 | AI Governance Assessment — full audit, gap analysis, roadmap | Weeks 1–5 | [£8,000–£12,000] |
| Phase 2 | Governance Foundation Build — policy suite, training, EU AI Act compliance | Months 2–4 | [£15,000–£24,000] |
| Phase 3 | Operational Governance — retained programme, ongoing advisory | Month 5+ | [£5,000–£8,000/month] |
| Internal | AI Governance Lead time (estimated 0.2 FTE partner equivalent) | Ongoing | Internal allocation |
The total programme investment over 12 months is [£X]. This compares to a potential EU AI Act maximum fine of [€X based on firm revenue], potential ICO fines of up to £17.5 million, and the unquantifiable commercial cost of losing client mandates due to inability to evidence AI governance. The programme pays for itself in risk elimination.
The Management Committee is asked to consider and approve the following resolution:
Cardinal AI Systems is a UK-registered AI intelligence and governance company founded by Ronke Jegede — AI Governance Architect with 30 years of corporate governance experience, an LLB in Law, and executive education at Harvard Business School.
Cardinal AI Systems has deployed AI governance systems for government ministries, financial services firms, healthcare providers, and enterprise clients across the UK and Nigeria. Our governance platforms — including RegulatoryShield (AI compliance intelligence) and the Cardinal AI Governance Maturity Model for Legal (CAGML) — are purpose-built for regulated sector deployments.
Contact: Ronke Jegede · ronke@cardinalaisystems.com · cardinalaisystems.com · avoidthefine.co.uk
Registered: Whitehall Strategic Alliance Ltd · Company No. 16814534 · Registered in England and Wales