A plain-English guide for managing partners and firm administrators. Reviewed for accuracy against the text of the opinion. This article is educational and not legal advice.
The short version
In July 2024, the ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 512, “Generative Artificial Intelligence Tools.” It does not create new rules. It maps the existing Model Rules of Professional Conduct onto a lawyer’s use of generative AI, and in doing so it sets the standard that state bars, malpractice carriers, and clients are now using to judge whether a firm uses AI responsibly.
If your firm uses ChatGPT, Microsoft Copilot, Claude, or any AI feature inside your existing software, and most firms now do, Opinion 512 already applies to you. This guide explains what it requires, rule by rule, and what a firm should have in place to demonstrate compliance.
Why this matters in 2026, not someday
Three forces turned Opinion 512 from a thoughtful ethics opinion into a practical business issue.
State bars adopted it as the baseline. Bar associations across the country, including guidance relevant to DC, Maryland, and Virginia practitioners, are treating Opinion 512 as the reference point for what “AI competence” means. A lawyer who cannot speak to how their firm handles the issues below is increasingly exposed in a disciplinary inquiry.
Malpractice carriers started asking. 2026 cyber and professional-liability renewals are, for the first time, asking firms whether they have an AI use policy. Some carriers have signaled they will contest claims where AI was used on a matter without governance in place. The absence of a policy is becoming a coverage question.
Clients began to ask too. Sophisticated clients, particularly in-house legal departments, are adding AI-use questions to their outside counsel guidelines. “How does your firm protect our confidential information when using AI” is now a question that gets asked at the engagement stage.
The firms that handle this well are not the ones with the most technology. They are the ones that can show, on paper, that they thought about it.
The six rules Opinion 512 maps onto AI
Opinion 512 works through the Model Rules. Here is what each requires when your lawyers use generative AI, and the practical question your firm should be able to answer for each.
Rule 1.1 — Competence
What it requires: A lawyer must understand the benefits and the risks of any AI tool used in client work. The opinion is clear that a lawyer cannot claim ignorance of how a tool handles data as a defense.
The practical question: Can the people using AI at your firm explain, at a working level, what happens to the information they type into it? If the answer is “it just goes to ChatGPT,” that is the gap.
Rule 1.6 — Confidentiality
What it requires: This is the center of the opinion. A lawyer cannot input confidential client information into a self-learning AI tool without informed client consent, because doing so may disclose that information or allow it to be used to train a model.
The practical question: Are your people using free or personal AI accounts on client matters? Consumer-tier tools may retain and train on what is submitted. Enterprise tiers, properly configured, generally do not. The difference between those two states is the difference between a confidentiality breach and a defensible workflow, and most firms have never drawn the line explicitly.
Rule 1.4 — Communication
What it requires: A lawyer must communicate with clients about the use of AI when that use is material to the representation.
The practical question: Does your engagement letter or client-communication practice address AI use? Firms are taking different positions here, from full written consent to engagement-letter disclosure. The point is to take a position deliberately rather than by accident.
Rule 3.3 — Candor toward the tribunal
What it requires: A lawyer is responsible for the accuracy of what they file. AI “hallucinations,” the confident fabrication of citations and facts, are not a defense. The widely reported sanctions cases involving fabricated AI citations are Rule 3.3 failures.
The practical question: Does your firm have a hard rule that no AI-generated citation reaches a filing without verification in a primary source? If verification depends on individual diligence rather than firm policy, you are one rushed associate away from a sanctions headline.
Rules 5.1 and 5.3 — Supervision
What they require: Partners and supervising lawyers are responsible for the AI use of the lawyers and non-lawyer staff they supervise. This includes paralegals, administrative staff, and contractors.
The practical question: Who at your firm is responsible for AI governance, and how are staff trained? Opinion 512 makes clear that “the associates figured it out themselves” is not supervision.
Rule 1.5 — Fees
What it requires: A lawyer cannot bill a client for time that AI saved as though a human performed the work. If a task that took three hours now takes thirty minutes, the bill reflects thirty minutes plus review time.
The practical question: Do your billing guidelines address AI-assisted work? This is the rule firms most often overlook, and the one a sophisticated client is most likely to notice.
What “compliant” actually looks like
Opinion 512 does not require a particular product or vendor. A firm that can produce the following is in a materially stronger position than one relying on informal practice:
- A written AI use policy that maps to the six rules above. Not a generic template, one that names your approved tools and your confidentiality line.
- An approved-tools list confirming that the AI your firm uses operates at a data tier that does not train on client information.
- A confidentiality boundary that is explicit: what may and may not be entered into AI, and which accounts are permitted.
- A verification rule for anything AI touches that goes to a tribunal or a client.
- Training and a named owner, so supervision is real rather than assumed.
- A billing position on AI-assisted work.
A firm with those six things can answer a carrier’s renewal questionnaire, a client’s outside-counsel question, and a disciplinary inquiry from the same folder.
Where the IT side comes in
Several of these obligations are not really policy questions, they are configuration questions, and this is where most firms stall.
Whether your AI tools train on your data depends on how your Microsoft 365 tenant and your AI subscriptions are configured. Whether attorney credentials are already exposed on the dark web, which would let an attacker impersonate a partner regardless of your AI policy, is a monitoring question. Whether your email can be spoofed in a partner’s name is a DNS configuration question. Opinion 512 compliance and basic law firm cybersecurity turn out to be the same project viewed from two angles.
This is why a policy alone is not enough. The policy states the intent. The IT configuration is what makes the intent true.
A practical next step
If you want to know where your firm actually stands, without committing to anything, the fastest path is a scorecard. Wellforce runs a free Law Firm AI Risk & IT Health Scorecard that scans your firm’s domain for credential exposure, email impersonation risk, DNS posture, and public-facing security gaps, and returns a branded report you can take to your next partner meeting. The Opinion 512 and Rule 1.6 readiness questions are then walked through with Scott Midgley, who leads our law firm practice, in an optional 20-minute review.
It takes about 60 seconds to run, and you do not need to talk to anyone to get the report.
You can also download our AI Use Policy Template, mapped to all six Opinion 512 Model Rules, as a starting point you can adapt with your own counsel.
Wellforce provides managed IT, cybersecurity, and AI governance support for law firms across DC, Maryland, and Virginia. Scott Midgley leads the firm’s law firm practice.
