AI Governance Audit Report
Hartley & Clarke LLP · Prepared by Cardinal AI Systems
Confidential · For Internal Use Only · Cardinal AI Systems · cardinalaisystems.com
Executive Summary
Hartley & Clarke LLP carries significant AI governance exposure across five critical domains.
This audit assessed Hartley & Clarke LLP's current AI governance posture against EU AI Act obligations, SRA Code of Conduct requirements, UK GDPR, and ICO AI guidance. The firm is actively deploying AI tools — including Microsoft Copilot, Harvey AI, and informal personal ChatGPT use — without a documented governance framework, client disclosure protocols, or vendor due diligence. The EU AI Act high-risk AI obligations activate in August 2026. The firm's current posture exposes it to regulatory sanction, SRA disciplinary proceedings, and client relationship damage. This report identifies 14 violations across five domains, five of which are critical, and provides a prioritised 12-month remediation roadmap.
Section 01
Scope & Methodology
This audit was conducted by Ronke Jegede, Founder of Cardinal AI Systems, over a five-day assessment period. The assessment covered five domains: AI tool inventory and governance, data protection compliance, client transparency obligations, SRA professional conduct alignment, and EU AI Act readiness.
Documents reviewed included the firm's AI Acceptable Use Policy (v1.0, undated), client engagement letter templates, data handling policy, IT acceptable use policy, and responses to the Cardinal AI Governance Diagnostic questionnaire completed by the Managing Partner and IT Director.
Assessment Framework
| Framework | Obligations Assessed | Status |
|---|---|---|
| EU AI Act (Articles 4, 9–15, 50) | High-risk AI obligations, transparency, AI literacy | Critical Gaps |
| SRA Code of Conduct for Solicitors 2019 | Para 3.2 (competence) · Para 3.5 (supervision accountability) · Para 6.3 (confidentiality) · Code for Firms Rules 2.1(a), 4.4 | Critical Gaps |
| UK GDPR (Articles 5, 6, 25, 28, 32) | Lawful basis, data protection by design, processor agreements, security of processing | High Risk |
| ICO AI Guidance | Transparency, fairness, accountability in AI systems | High Risk |
| Law Society AI Practice Notes | Client disclosure, competence, oversight of AI outputs | Medium Risk |
Section 02
AI Tool Inventory Findings
The assessment identified seven AI tools in active use at Hartley & Clarke LLP. Of these, only Luminance was deployed with formal approval and an executed data processing agreement; the remainder were adopted with informal approval or none, and without vendor due diligence. Three tools, personal ChatGPT accounts, personal Gemini accounts, and Otter.ai, are shadow deployments used by fee earners on client matters without the firm's knowledge.
| Tool | Usage | Approval Status | DPA in Place | Risk |
|---|---|---|---|---|
| Microsoft Copilot | Document drafting, research | Informal approval | Partial (M365) | High |
| Harvey AI | Legal research, drafting | No formal approval | No | Critical |
| ChatGPT (personal) | Drafting, research — shadow use | Not approved — shadow | No | Critical |
| Gemini (personal) | Research — shadow use | Not approved — shadow | No | Critical |
| Luminance | Contract review | Formal approval | Yes | Medium |
| Clio AI | Matter management | Informal approval | Partial | Medium |
| Otter.ai | Meeting transcription | No approval — shadow | No | High |
Key finding: Client confidential information, privileged communications, and personal data are being processed through Harvey AI, personal ChatGPT accounts, and Otter.ai without data processing agreements, without client knowledge, and without any assessment of where that data goes or how long it is retained. This is a live GDPR Article 28 violation and a potential SRA Code breach.
Section 03
Violation Register
SRA Code for Solicitors Para 3.2 · EU AI Act Article 4 (AI literacy obligation)
The firm's current AI Acceptable Use Policy (v1.0) does not meet SRA expectations or EU AI Act requirements. It contains no matter-specific guidance, no client data restrictions, no supervision requirements, and no disclosure obligations. It was last reviewed more than 18 months ago.
Required Action: Redraft the AI Acceptable Use Policy to meet SRA guidance and the EU AI Act Article 4 AI literacy obligation, and deliver mandatory firm-wide training on the redrafted policy before it takes effect.
UK GDPR Article 28 · SRA Code of Conduct Para 6.3 · UK GDPR Article 32
Fee earners are processing client personal data, privileged communications, and sensitive case information through Harvey AI, personal ChatGPT accounts, and Otter.ai — none of which have executed Data Processing Agreements with the firm. This is an active GDPR violation and may constitute a breach of client confidentiality under SRA Code Para 6.3.
Required Action: Immediately suspend Harvey AI and personal AI tool use on client matters pending DPA execution and a security assessment of each vendor. Conduct a retrospective review of matters already processed through these tools to establish what client data was disclosed and whether any notification obligations arise.
EU AI Act Article 50 · SRA Transparency Rules · Law Society AI Practice Notes
The firm has no policy requiring disclosure to clients when AI is used on their matter, and engagement letters contain no AI use clauses. 60% of in-house legal teams report they do not know whether outside counsel are using AI. Article 50 of the EU AI Act imposes transparency obligations on providers and deployers of certain AI systems, including the disclosure of AI-generated content, which reaches AI outputs used in client-facing contexts.
Required Action: Insert an AI disclosure clause in all engagement letter templates, develop a client-facing AI use disclosure statement, and create a matter-level AI use log for all active files.
SRA Code for Solicitors Para 3.2 (competence) · Para 3.5 (supervision) · Law Society AI Practice Notes
There is no firm-wide protocol for verifying AI-generated outputs before use in client work. Fee earners are submitting AI-drafted documents without mandatory review steps. This creates direct professional negligence exposure — the SRA holds the supervising solicitor responsible for AI outputs used on a matter regardless of how they were generated.
Required Action: Implement a mandatory AI output verification checklist. All AI-drafted documents must be reviewed and approved by a qualified fee earner before client delivery or court submission, and that review must be recorded on the matter file.
EU AI Act Articles 9–15 · High-Risk AI System Obligations · August 2026 Deadline
The firm has not begun an EU AI Act compliance programme. The high-risk AI obligations, including AI system inventory, risk classification, technical documentation, human oversight protocols, and provider due diligence, apply from August 2026. Most of Articles 9–15 bind the providers of high-risk systems; the firm's own duties as a deployer sit in Article 26, which requires it to operate such systems in accordance with the provider's instructions for use, assign human oversight to competent staff, monitor their operation, and keep the logs they generate. The firm has approximately eight weeks to achieve compliance and, at its current pace, will not meet the deadline.
Required Action: Initiate the EU AI Act compliance programme immediately. Complete an AI system inventory and risk classification within two weeks, appoint an AI Governance Lead, and engage external governance support.
UK GDPR Article 35 · ICO DPIA Guidance
The firm has not conducted a Data Protection Impact Assessment for any AI tool deployment. UK GDPR Article 35 requires a DPIA before any processing likely to result in a high risk to individuals, and ICO guidance treats the use of innovative technology such as AI to process personal data as a trigger; the firm's AI tools meet this threshold.
Required Action: Conduct DPIAs for all AI tools processing personal data within 30 days, document the findings, and implement the identified mitigations.
EU AI Act Articles 9 and 14 · SRA Governance Expectations
There is no AI Governance Lead, no management committee responsibility for AI oversight, and no escalation path for AI incidents. The SRA expects firms to have clear accountability for technology governance. The EU AI Act requires a risk management system (Article 9) and documented human oversight (Article 14) for high-risk AI systems.
Required Action: Appoint a partner-level AI Governance Lead, define management committee accountability for AI oversight, and establish an escalation and incident reporting pathway.
Section 04
12-Month Remediation Roadmap
Suspend use of Harvey AI, personal ChatGPT/Gemini accounts, and Otter.ai on client matters pending DPA execution and security assessment
Appoint AI Governance Lead at partner level with management committee reporting line
Conduct retrospective review of matters processed through unapproved AI tools
Issue firm-wide AI use advisory to all fee earners immediately
Begin EU AI Act compliance programme — AI system inventory and risk classification
Execute Data Processing Agreements with all approved AI tool vendors
Conduct DPIAs for all AI tools processing personal data
Redraft AI Acceptable Use Policy — matter-specific, SRA-aligned, EU AI Act compliant
Implement AI disclosure clause in all engagement letter templates
Deploy AI output verification protocol firm-wide with mandatory training
Build AI tool inventory register with approval status, DPA status, and risk classification
Complete EU AI Act risk classification for all AI systems in use
Obtain and retain provider technical documentation for high-risk AI systems (Article 11)
Deploy human oversight protocols for all AI-assisted legal work (Article 14)
Complete Article 50 transparency compliance — client disclosure and AI output labelling
Conduct mandatory AI literacy training for all fee earners (Article 4)
Submit internal compliance declaration to management committee
Establish AI governance board reporting cadence — quarterly management committee updates
Implement AI incident reporting system with SRA/ICO notification protocols
Deploy ongoing regulatory monitoring — SRA updates, ICO enforcement, EU AI Act guidance
Annual AI governance review and policy refresh cycle
Develop client-facing AI governance statement for business development use
Section 05
Priority Recommendations
Priority 1 — Act within 48 hours: Suspend use of Harvey AI, Otter.ai, and all personal AI accounts on client matters. This is the single action that most immediately reduces the firm's live regulatory exposure. Every day this continues is a day of potential GDPR violation and SRA Code breach.
Priority 2 — Act within two weeks: Appoint an AI Governance Lead and initiate the EU AI Act compliance programme. The August 2026 deadline is eight weeks away. A programme that is not started now will not be complete in time.
Priority 3 — Act within 30 days: Execute Data Processing Agreements with all AI tool vendors and conduct DPIAs. Redraft the AI Acceptable Use Policy. Update all engagement letter templates with AI disclosure clauses.
This report is the starting point.
Not the destination.
Cardinal AI Systems can deliver your complete AI governance programme — from immediate response through to full EU AI Act compliance and ongoing governance operations. Operational in 90 days.
Ronke Jegede · Founder, Cardinal AI Systems
ronke@cardinalaisystems.com · cardinalaisystems.com
calendly.com/ronke-jegede-cardinalaisystems/30min