ABA Formal Opinion 512 — what it changes for AI use at law firms
A plain-English read of ABA Formal Opinion 512, with concrete posture changes most firms will want to make to the technology section of their engagement letter.
What changed
ABA Formal Opinion 512, issued in 2024 and increasingly cited in state bar guidance in 2026, lays out the duty-of-competence and duty-of-confidentiality implications of using generative AI tools in legal practice. The short version: lawyers have an affirmative duty to understand how AI tools handle privileged client data before using them, and to disclose AI use when it materially affects the work product.
What it changes for most firms
Three concrete posture changes worth making this quarter:
1. Engagement letter — technology section
Add a paragraph that:
- Discloses your firm’s general posture on AI use in client work
- States that no privileged client information is sent to consumer-grade AI tools
- Identifies the AI vendors your firm uses and their data-handling commitments (e.g., zero-retention enterprise contracts)
Sample language from our partner firms is available on request.
2. Vendor due diligence — AI tools
For every AI tool used in client matters, document:
- Whether the vendor trains on customer prompts (if yes, it’s a hard no for privileged work)
- Data residency (US? EU? Where do prompts and outputs live?)
- Audit log availability (can you reconstruct what was sent?)
- Termination clauses (what happens to your data when the contract ends?)
Consumer ChatGPT and the Gemini consumer tier do not pass this test. Enterprise contracts from OpenAI, Anthropic, and Google Cloud do, with the right configuration.
3. Internal guidelines — what staff can and can’t do
Most firms we work with land on these defaults:
- Allowed without disclosure: AI for non-privileged research (case law lookup, statute summaries)
- Allowed with engagement-letter disclosure: AI-assisted drafting of pleadings and contracts, where the lawyer reviews the draft and is responsible for it
- Not allowed: Pasting client documents into consumer AI tools, generating legal advice without lawyer review, AI-only client communication
What this has to do with security
Two things:
- The vendor due-diligence question is structurally identical to the security due-diligence question. If your firm has a security questionnaire process, it should already cover most of the ABA 512 vendor checklist.
- AI tools are now part of your data-protection surface area. Anyone who can prompt an AI from a firm laptop is a potential data-egress vector. This is the same posture problem as DLP, which means the same telemetry catches it.
Carbynix’s law-firm package monitors AI tool usage as part of the standard endpoint baseline. Rule pack CBNX-LAW-301 flags unusual outbound traffic to AI vendor endpoints and paste-from-clipboard events targeting AI tool URLs.
Drafted by Carbynix’s structured-reasoning pipeline from the published ABA opinion text and observed customer-environment policy implementations. This is not legal advice. Errors? Tell us — we correct in 24 hours.