Enterprise Governance & Risk

AI Usage Guidelines for Legal Teams

Legal teams have to answer two questions before anyone else's addendum even gets started: does sending this material to an AI service affect privilege, and can we trust what comes back? Both deserve written answers from your GC, not habits.

Claude 3P 101 · Updated July 2026 · Unofficial guide

In-house legal teams use Claude for the same reasons everyone else does — summarizing long documents, first drafts of routine agreements, organizing facts across a matter file. But legal work adds constraints no other department has: privilege, duties of confidentiality, and professional responsibility for what goes out under a lawyer's name. This article describes the rules general counsel typically put in place, framed as recommended practice to adapt. It is emphatically not legal advice; your GC decides the actual rules.

Privilege and confidentiality

Whether routing privileged or client-confidential material through an AI vendor affects privilege — and what your engagement terms and professional rules permit — is a legal judgment your GC must make per jurisdiction and per matter type. What a guide like this can do is lay out the documented data-handling facts that judgment will rest on:

Processor relationship. For commercial customers, Anthropic states it acts as a data Processor on behalf of the customer and only processes data as instructed by the customer.

Training. By default, inputs and outputs from Anthropic's commercial products are not used to train models; the documented exception is explicit opt-in, such as submitting feedback.

Retention. Anthropic's stated default for the Claude API is automatic deletion of inputs and outputs on its backend within 30 days. Zero data retention (ZDR) — where customer data is not stored at rest after the API response returns, except where needed to comply with law or combat misuse — is available as a contractual arrangement, not a self-serve toggle. Two documented exceptions survive even ZDR review: content flagged as a Usage Policy violation may be retained up to 2 years, and explicit feedback submissions may be retained up to 5 years.

Cloud platforms. On Amazon Bedrock and Google Cloud, the cloud provider — not Anthropic — is the data processor; equivalent retention and confidentiality terms come from your cloud agreements, so verify them with the provider.

Two operational rules that follow directly: legal staff should never use feedback/thumbs buttons on matter content (it creates a 5-year retention path and a training opt-in), and the approved-deployment list for privileged material should be decided by the GC in writing, not inherited from IT's general list.

Output-reliance rules

The failure mode that has embarrassed lawyers in public is well known: citing authorities that do not exist. A legal addendum should make verification non-negotiable:

No unverified citations, ever. Every case, statute, or regulation reference in AI-assisted work product gets checked against a primary source or trusted legal database before it leaves the team. Drafting is assistance, judgment is not. Claude can produce a first draft of a routine NDA from your template; deciding what protection the client needs remains the lawyer's. The signing lawyer owns the output. AI assistance never dilutes professional responsibility — anything filed, sent, or advised on is the responsible lawyer's work product in full.

Matter hygiene

Beyond the headline rules, a few habits keep AI use auditable inside a legal team. Keep AI-assisted work traceable: note in the matter file when a document began as a model draft, consistent with your audit-trail practice. Segregate legal usage operationally — on the Claude API and Claude Platform on AWS, a dedicated workspace with its own API keys keeps legal traffic and spend separate from the rest of the organization. And fold AI use into existing conflicts and confidentiality screens: if a matter is behind an ethical wall, its material does not go into a shared AI tool that walled-off staff can access.

Where to go next

The department-layering article shows where a legal addendum sits in the policy stack, and vendor risk assessment for AI providers covers the due-diligence questions your GC will want answered about any deployment path.

Sources