ISO 42001 and AI Governance: What Law Firms Need to Know
- Darren Wild
- Apr 11
- 7 min read
TLDR
ISO 42001 is the first international management system standard for governing the use of artificial intelligence within an organisation. UK law firms are not required to adopt or certify against it. However, the issues it addresses (oversight, accountability, confidentiality, supervision, supplier due diligence, and documented risk management) already sit inside existing SRA obligations.
The SRA has now published guidance on the use of AI and technology, but it remains principles-based rather than prescriptive. Firms are expected to understand and manage the risks of AI themselves.
For most firms, the immediate issue is not whether to pursue certification. It is whether they can show that they know what AI tools are being used, what client data those tools touch, who is accountable, and how the resulting risks are being managed.
Key Takeaways
ISO 42001 is voluntary, but the governance it promotes aligns closely with existing SRA duties.
The SRA now expects firms to have leadership oversight, documented risk assessments, training, monitoring, and clear accountability for AI use.
The most immediate risk for most firms is unapproved or poorly governed use of public AI tools by fee earners.
Insurers are increasingly asking firms about AI governance, particularly where client data or automated decision-making is involved.
Most firms do not need immediate certification. They do need a clear inventory of AI tools, a governance framework, and documented controls.
Many firms believe they are handling AI cautiously. In practice, what often exists is a loose awareness that people are using tools the firm has not formally approved, a short policy circulated months ago, and an assumption that because nothing has gone wrong yet, the risk is manageable.
That assumption is becoming harder to defend.
Adoption of AI in the legal sector has moved quickly. Individual solicitors are experimenting with drafting tools, transcription services, meeting summaries, legal research assistants, and public generative AI platforms. In many firms, that use has grown faster than the governance around it.
The question is no longer whether AI is being used. It is whether the firm can show that it understands where AI is being used, what risks arise from that use, and how those risks are being controlled.
What ISO 42001 Actually Is
ISO/IEC 42001:2023 is an international management system standard for artificial intelligence. It was published in December 2023 and provides a structured framework for establishing, implementing, maintaining, and improving governance around AI.
For firms already familiar with ISO 27001, the structure will feel familiar. It follows the same management system approach:
Define the scope
Identify risks
Put controls in place
Allocate accountability
Monitor and review
Improve over time
What makes ISO 42001 different is that it applies those disciplines specifically to AI. In practice, that means:
Maintaining an inventory of the AI systems and services used within the firm
Understanding what client, employee, or matter data those systems process
Assessing risks such as inaccuracy, hallucination, bias, loss of confidentiality, data residency, and over-reliance on the tool's output
Setting rules for human oversight and approval
Monitoring suppliers and third-party AI providers
Recording incidents, decisions, and lessons learned
For many firms, the exercise of creating that inventory is revealing. Few firms can currently produce a complete list of the AI tools being used by their people. Fewer still can explain what client information has been entered into those tools, where it is stored, or what contractual protections apply.
The SRA Position
In February 2026, the SRA published guidance on the use of AI and technology in legal practice. The regulator expects firms to:
Put in place appropriate governance and oversight
Carry out risk and impact assessments
Train staff
Monitor how AI is used in practice
Protect confidentiality and client data
Ensure that solicitors continue to exercise independent professional judgement
What the SRA has not done is provide a detailed rulebook or an approved list of acceptable tools. The approach remains principles-based.
That means firms still need to interpret how existing duties apply in the context of AI.
Those duties include:
Acting in the client's best interests
Maintaining confidentiality
Providing a competent standard of service
Supervising staff appropriately
Managing the firm effectively and in accordance with sound governance
Those obligations already existed before AI. The difference is that AI creates new ways for firms to breach them.
A solicitor who relies on an inaccurate AI-generated summary without checking it may create a competence issue. A fee earner who pastes client information into a public AI tool may create a confidentiality issue. A partner who signs off work produced with AI without understanding how it was generated may create a supervision issue.
The regulator is unlikely to draw a distinction between errors made by a person and errors caused by a tool. Responsibility remains with the firm.
Where the Greatest Risks Sit
For most COLPs and managing partners, three areas deserve immediate attention.
1. Shadow AI
The greatest short-term risk in many firms is the informal use of AI tools that have never been reviewed or approved.
Fee earners are often using publicly available tools to summarise documents, draft correspondence, create first drafts of advice, or research unfamiliar topics. In many cases, this is happening without IT, compliance, or the COLP being aware.
The SRA has specifically highlighted the risk of confidential information being entered into AI systems that operate on public or third-party infrastructure. A policy that simply says "do not use AI" is unlikely to work.
A more realistic approach is to:
Identify what tools are already in use
Approve a limited number of permitted tools
Define what information may and may not be entered into them
Train people on the difference between acceptable and unacceptable use
2. Supervision and Professional Judgement
AI can assist legal work. It does not replace professional responsibility. The solicitor, not the software vendor, remains accountable for the advice given to the client.
That means:
AI-generated output should be reviewed before it is relied upon
Junior staff using AI still require supervision
Firms should document who is responsible for reviewing and approving work
There should be a clear distinction between administrative use of AI and substantive legal judgement
This is particularly important where AI is being used for drafting, legal research, or decision support. Errors in those areas may not be obvious. The more plausible the output appears, the greater the risk that it is accepted without sufficient challenge.
3. Insurance and Client Expectations
Professional indemnity insurers are increasingly asking questions about AI use, particularly where firms are using AI in client-facing work or processing confidential information.
Firms should not assume that existing insurance arrangements automatically address every AI-related scenario.
The prudent approach is to:
Review AI use with the firm's broker and insurer
Understand whether there are any relevant exclusions or disclosure obligations
Record the governance steps the firm has taken
Clients are also becoming more interested in how their firms use AI.
Larger clients, particularly those in regulated sectors, are beginning to ask:
What AI tools are used?
What client data is entered into them?
Where is that data stored?
What controls and approvals are in place?
A firm that can answer those questions confidently is likely to be in a stronger position than one that cannot.
What Good AI Governance Looks Like
For most firms, the immediate priority is not certification. It is establishing a basic but defensible governance framework.
At minimum, that framework should include:
A register of approved AI tools and services
A short AI policy that defines permitted and prohibited use
A risk assessment process before any new AI tool is introduced
Named accountability, typically involving IT, compliance, the COLP, and a senior partner
Staff training
A process for recording incidents or concerns
Periodic review of how AI is being used in practice
The size and complexity of that framework should reflect the size and risk profile of the firm.
A small firm using AI only for internal administrative tasks may need little more than a policy, a register, and basic training.
A larger firm using AI in legal research, drafting, client portals, or regulated-sector work is likely to need:
Formal risk assessments
Supplier due diligence
Contractual review of AI vendors
More detailed oversight and audit arrangements
Consideration of whether to align formally with ISO 42001 or pursue certification
Is Certification Worth It?
For most firms, probably not immediately.
Certification can be valuable where:
The firm works with large corporate or public sector clients
Clients are asking for evidence of AI governance
The firm already holds ISO 27001 or ISO 9001 and wants a similar structure for AI as part of an integrated management system
The firm intends to use AI extensively in client-facing services
However, a firm does not need a certificate to benefit from the discipline behind the standard.
The most valuable part of ISO 42001 is not the certificate on the wall. It is the work involved in understanding what is happening inside the firm, documenting the risks, and putting sensible controls in place.
Many firms will gain most of the benefit by using ISO 42001 as a framework without pursuing formal certification.
The Direction of Travel
The wider regulatory direction is clear.
The EU AI Act entered into force in August 2024 and its obligations apply in stages from 2025 onward. Clients operating in regulated sectors will increasingly expect their advisers to understand issues such as transparency, human oversight, risk classification, and governance.
The SRA has also shown that it is willing to authorise new models of legal practice built around AI. In 2025, it approved Garfield.Law, an AI-led law firm, after reviewing the controls the firm had in place around supervision, accountability, and the management of hallucination risk.
The message is not that firms should avoid AI.
It is that firms need to be able to show that they are using it responsibly.
The Question Every COLP Should Ask
If the SRA, your insurer, or a major client asked tomorrow to see your firm's AI governance arrangements, what would you show them?
If the answer is currently limited to a short policy document and a general assumption that people are being sensible, the firm is likely to have more exposure than it realises.
ISO 42001 is not the only answer. But it is a practical and defensible place to start.