Normis AI is the framework law firms use to meet their duties under ABA Model Rules 1.6, 5.1, and 5.3 — an enforceable AI policy, behaviour-changing training, and a lightweight tool that surfaces unapproved AI use across the firm.
When a lawyer pastes privileged material into a consumer AI tool, the firm's exposure is not theoretical. It is distributed across six risks every US-practising firm is already bound by.
Consumer AI platforms offer no confidentiality guarantees. Client PII, case strategy, and settlement figures fed into unauthorized tools can be ingested for training — and privilege can be deemed waived. One careless prompt can trigger malpractice claims, bar complaints, and client termination.
Partners face direct liability for AI misuse by associates and non-lawyer staff — even if they never touched the tool. No AI policy means no protection. Disciplinary authorities will hold the institution accountable, not just the individual.
AI hallucinates — and courts are sanctioning lawyers who file what it invents. Competence under Rule 1.1 now includes understanding AI's risks. When an unauthorized tool produces a fabricated brief, the supervising partner and the firm are liable. Not the vendor.
Federal courts already require AI disclosure certifications. Where formal rules don't exist, Rule 11 and Rule 3.3 fill the gap. Shadow AI use leaves no audit trail — making sanctions nearly impossible to defend against.
Submitting an AI-fabricated citation may constitute misrepresentation to a tribunal. Failing to disclose material AI use to a client implicates Rule 1.4. California, Florida, and New York are actively developing mandatory disclosure rules. Being caught behind them is a disciplinary risk.
Most malpractice policies predate AI — and insurers are beginning to exclude AI-related claims. Client engagement letters often contain AI restrictions that shadow AI quietly violates, triggering indemnification obligations and potential breach of contract.
of firms have a written, actively enforced AI policy.
43% have no policy at all and no plans to create one.
SOURCE · LLAMALAB
of employees use unapproved AI tools.
75% of them share sensitive data with those tools.
SOURCE · LLAMALAB
of legal professionals have used unapproved AI tools at least once.
Fewer than 20% of firms have a formal policy to manage the exposure.
SOURCE · NIDISH
Policy without training is ignored. Training without visibility is forgotten. Tooling without policy is an IT project that never lands. Normis AI is designed to ship all three together.
Outcome: a defensible position and lawyers who know where the lines are.
Outcome: lawyers who understand the exposure in context — and faster adoption of approved tools.
Outcome: you know what the firm is doing — not just what the policy says.
The Normis AI tool runs at the network and endpoint edge. It does not read the contents of files or communications. It detects interaction with known AI services, fingerprints likely data categories by pattern, and produces an evidenced view the firm can act on.
A user initiated an outbound request to a consumer chatbot domain not present on the firm’s approved services list. The source practice group and destination are recorded. The request body is not captured.
{
"user_hash": "u_9a3f4c…",
"practice_group": "Litigation",
"destination": "claude.ai",
"policy_rule_matched": "POL-017",
"captured_content": null,
"recorded_at": "2026-04-23T14:07:12Z",
"review_status": "OPEN"
}Normis AI does not capture message contents, does not surveil individual lawyers, and does not replace the firm’s existing DMS, MDM, or DLP stack. It operates alongside them and produces the one artefact none of them does: a firm-level AI usage record mapped to the ABA Model Rules.
Policy-only engagements produce documents lawyers never read. Training-only programmes decay inside a quarter. Tool-only deployments become IT projects that never map to bar rules. Normis AI ships the three together because the three fail apart.
Policy without enforcement is ignored.
Training without visibility is forgotten.
Tools without legal framing never land.
Designed Deloitte's audit and assurance framework for the Digital Services Act, now running against Very Large Online Platforms across Europe. Advises the continent's largest platforms on the AI Act, NYC Local Law 144, and Colorado SB 21-169. Chairs the NYC Bar Association's Subcommittee on International Regulation of AI. Qualified New York attorney. MSc, Oxford Internet Institute.
Ships an autonomous agentic system at Google that tracks cryptographic key propagation across an 86-terabyte monolithic codebase. Published at ACM SIGMOD/PODS on regex engine internals. First place in Programmable Cryptography at ETHOxford 2025. MSc, Advanced Computer Science, University of Oxford.
A single malpractice claim costs hundreds of thousands to defend — before settlements, lost clients, or bar proceedings. Our solution provides a complete protection layer for a fraction of that exposure.
No. The tool detects interactions with AI services and data-category patterns. It does not capture message contents, does not read email or DMS files, and does not produce individual surveillance records. Dashboards default to practice-group cohort views; individual-level detail requires an explicit privileged-access workflow.
Yes — that requirement drove the architecture. Normis AI operates on pattern fingerprints rather than content. Retention and access controls are configured to match the firm's obligations under its most stringent client engagement terms.
Normis AI is complementary and integrates at the event level. It consumes the firm's existing access logs where available and produces AI-specific signal the DMS and DLP stack do not generate natively. No rip-and-replace is ever required or recommended.
Covered, and easy. Approved tools are added to the policy allow-list and generate routine usage records rather than flags. The tool's job is specifically to surface the gap between policy and practice.
Yes. The engagement output includes a client-facing attestation template that maps Normis AI's evidence to common outside counsel guidelines and AI use provisions.
No. Normis AI is a framework and a software product operated under the direction of the firm's general counsel, ethics counsel, or risk committee. Nothing on this site and nothing in the product constitutes legal advice.
The framework is grounded in the ABA Model Rules and maps to the state bar adoptions that diverge (California, New York, Florida explicitly). It extends to GDPR and NY SHIELD Act processing obligations and to the UK SRA Code of Conduct for firms with UK practice. Additional jurisdictions are added as state bars finalise their AI disclosure rules.
Thirty-minute scoping call, followed by a fixed-fee AI exposure assessment. The assessment output is the firm's alone — we do not keep it, and proceeding to the full framework is not a condition.