Which SRA principles apply when using AI tools in a law firm?

The key SRA principles that apply to AI use are: Principle 2 (act with integrity), Principle 4 (act with honesty), Principle 5 (act with independence), Principle 7 (protect client confidentiality), and Principle 8 (run your business with proper governance and risk management). Outcome 7.10 on outsourcing also applies whenever client data is processed by an AI vendor.

SRA Compliance and AI Tools — What UK Law Firms Need to Know in 2026

SRA compliance for AI tools means ensuring that any artificial intelligence software used in a law firm's practice meets the obligations set out in the SRA Standards and Regulations — specifically around client confidentiality (Principle 7), competence (Principle 5), integrity (Principle 2), and proper governance of outsourced data processing (Outcome 7.10). The SRA has confirmed that use of AI does not reduce or transfer a solicitor's professional responsibility for legal work quality.

The Solicitors Regulation Authority has been monitoring AI adoption in legal practice since 2023 and significantly expanded its guidance in 2025. As of 2026, the SRA's position is clear: AI is permitted, but the solicitor remains fully responsible for every piece of work that leaves the firm — regardless of how it was produced.

For most UK law firms, the question is no longer whether to use AI, but how to use it without creating regulatory exposure. This guide maps the SRA's current framework onto practical AI tool choices.

The SRA's Current Position on AI (2026)

The SRA published updated AI guidance in late 2025. The key positions are:

AI use in legal practice is permissible and not inherently non-compliant
Firms must conduct due diligence on AI vendors before using them with client data
AI-generated legal work must be supervised by a qualified solicitor before being sent to clients
Client confidentiality obligations apply in full to any AI tool that processes client data
Firms must have a written AI policy that addresses governance, oversight, and data protection
The SRA will treat inadequate AI oversight as professional misconduct where client harm results

Which SRA Principles Apply to AI Use

SRA Principle	What It Requires	AI Implication
Principle 2 — Integrity	Act with integrity in all dealings	You cannot pass off AI output as your own work if it contains errors you didn't check
Principle 4 — Honesty	Act honestly with clients and others	If clients ask whether AI was used, you must answer truthfully
Principle 5 — Competence	Provide a competent service	AI tools must be supervised; incompetent output that reaches clients is your responsibility
Principle 7 — Confidentiality	Protect client confidential information	Client data entered into AI tools must not be accessible to third parties without consent and appropriate safeguards
Principle 8 — Governance	Run your practice properly	A written AI policy, vendor due diligence, and oversight procedures are required
Outcome 7.10 — Outsourcing	Proper oversight when outsourcing work involving client data	Any cloud AI vendor processing client data is a data processor — proper contracts and due diligence are mandatory

The Confidentiality Risk: Where Most Firms Get It Wrong

The most common SRA compliance failure with AI tools is not oversight of output quality — it is client data confidentiality. Specifically:

Inputting client data into public AI tools

Entering client names, matter details, or case facts into a general-purpose AI chatbot (ChatGPT, Gemini, Claude) via their consumer interfaces sends that data to the AI vendor's servers. The AI vendor may use this input data for model training. This is a direct breach of Principle 7 unless the client has consented and you have a DPA with the vendor. Most firms using these tools have neither.

Using cloud legal AI without a DPA

Every cloud-based AI legal tool that processes client data is a data processor under the UK GDPR. Using such a tool without a formal Data Processing Agreement in place is a UK GDPR breach that the SRA would likely treat as a Principle 7 and Principle 8 failure.

No clear audit trail on AI-generated work

If a client complaint or negligence claim arises, the firm needs to demonstrate that AI output was reviewed and approved by a qualified solicitor. Without an audit trail, this becomes very difficult to prove.

What a Compliant Law Firm AI Policy Must Cover

✓
Approved tools list — a named list of AI tools the firm has approved for use with client data, with the due diligence conducted on each
✓
Prohibited uses — explicitly prohibited activities: sending unreviewed AI output to clients, entering client data into consumer AI tools, using AI for final legal advice without supervision
✓
Data handling rules — which client data may be entered into which AI tools, and under what contractual framework
✓
Supervision requirements — every AI-generated document, advice, or communication must be reviewed and approved by a named qualified solicitor before reaching clients
✓
Client disclosure approach — firm's position on disclosing AI use in client care letters (the Law Society recommends proactive disclosure)
✓
Review cycle — the policy must be reviewed at least annually, or when SRA guidance is updated or a new AI tool is introduced

How On-Premises AI Tools Simplify SRA Compliance

One of the practical challenges of cloud AI compliance is the ongoing due diligence burden. Every time your cloud vendor updates their sub-processors, changes their AI infrastructure, or updates their terms of service, your compliance position potentially changes. Managing this actively requires legal resource most small and medium UK firms don't have.

On-premises AI tools — software that runs on your own servers and processes all AI tasks locally — sidestep the bulk of this compliance burden:

No client data leaves your premises, so Principle 7 confidentiality concerns are dramatically reduced
No third-party data processor, so no DPA needed for the AI system itself
No overseas data transfer, so no international transfer mechanism required under UK GDPR
No sub-processor changes to monitor
Audit trails are held on your own systems, under your direct control

This doesn't eliminate the need for an AI policy — you still need supervision procedures and staff training — but it removes the most complex and legally uncertain layer of cloud AI compliance.

Frequently Asked Questions

What is the SRA's position on AI use in legal practice in 2026?

The SRA permits AI use in legal practice but places the responsibility for the quality and accuracy of legal work firmly on the qualified solicitor. In 2026, the SRA expects firms to have a clear AI policy, to conduct due diligence on AI vendors, to protect client confidentiality when using AI tools, and to supervise AI-generated output before it reaches clients. The SRA has stated it will treat AI-related failures as professional misconduct where the firm lacked adequate oversight.

Do I need to tell clients when I use AI in their matter?

The SRA has not (as of May 2026) issued a blanket requirement to disclose AI use to clients. However, Principle 4 (honesty) means that if a client asks directly whether AI was used, you must answer honestly. Many firms are proactively disclosing AI use in client care letters as good practice, and the Law Society increasingly recommends this approach.

Can AI-generated legal documents be sent to clients without review?

No. AI-generated legal documents must be reviewed and approved by a qualified solicitor before being sent to clients. The SRA holds the supervising solicitor responsible for the accuracy and appropriateness of all legal work, regardless of whether AI was used. Sending unreviewed AI output to clients would likely breach Principle 2 (integrity) and Principle 5 (competence).

Is it a problem to use ChatGPT with client data?

Yes, unless you have a formal enterprise agreement with OpenAI that includes a Data Processing Agreement and data residency guarantees. Consumer-facing ChatGPT inputs may be used to train models and are processed on overseas servers. Entering confidential client data into the consumer interface without adequate contractual protections would likely breach Principle 7 of the SRA Standards and Regulations and UK GDPR obligations.

What should be in a law firm's AI policy for SRA compliance?

An SRA-compliant law firm AI policy should cover: approved AI tools and the due diligence conducted on each, prohibited uses of AI, data handling requirements for client data, supervision requirements for AI-generated work, client disclosure approach, and a review cycle tied to SRA guidance updates.

AI That's Built for SRA Compliance

Susan processes all AI tasks on your own servers. No cloud, no overseas processing, no third-party data access. Built specifically for the SRA compliance requirements of UK law firms.

Book a Free Demo →