How Should Law Firms Vet AI Vendors? A Compliance Attorney's Guide to Due Diligence That Actually Protects You

Lawyers need to WAKE up and learn about vetting their AI tools before falling for typical vendor demo sales pitches!

5/26/2026 | 5 min read

By Angeli Fitch, AI Compliance & Ethics Attorney | 20+ Years of Trial Experience | Creator of the State Bar-Approved CLE Course "AI Ethics for Attorneys"

What is the biggest AI compliance mistake law firms are making right now?

They are deploying AI tools without vetting them first.

A partner hears about a tool at a conference. A vendor gives a compelling demo. Someone signs a contract. IT deploys the software. And then everyone assumes — without asking, without verifying, without reviewing a single data processing term — that someone else handled the hard questions.

No one handled the hard questions.

AI tools are not staplers. They are high-risk technology systems that process confidential client information, make or influence substantive legal decisions, and create regulatory and ethical obligations for every firm that uses them. Buying one without due diligence is not a technology decision. It is a professional responsibility decision — and right now, most firms are getting it wrong.

Why is AI vendor vetting a legal ethics obligation, not just an IT concern?

Because the consequences of getting it wrong fall on the attorney, not the vendor.

If an AI tool your firm deployed leaks client data, your duty of confidentiality under Rule 1.6 is violated. If it produces biased or inaccurate results that affect client matters, your duty of competence under Rule 1.1 is implicated. If your attorneys or staff are using it without adequate supervision or understanding, Rules 5.1 and 5.3 apply.

The vendor contract's indemnification clause does not change this analysis. By the time you are pursuing indemnification, you have already faced the disciplinary complaint, the malpractice claim, and the client who no longer trusts you.

Vendor vetting is how you prevent that sequence from starting.

What regulations do law firms need to consider when evaluating AI tools?

The regulatory landscape has shifted materially and is still moving.

California's AI regulations took effect October 1, 2025. Colorado's comprehensive AI law takes effect June 30, 2026. The EU AI Act is already in force and applies to firms with international clients or data flows touching EU residents. Several other states have AI-related legislation either enacted or advancing.

What this means practically: if an AI tool your firm uses creates discriminatory outcomes, fails to meet transparency requirements, or violates applicable data privacy laws, the firm that deployed it bears liability. Not the vendor. The firm — because the firm made the decision to use it on client matters without adequate due diligence.

"We didn't know" is not a defense when the regulatory requirements were published, the bar ethics opinions were issued, and the CLE programs were available.

What does real AI vendor due diligence look like?

Meaningful vendor vetting is not a twenty-minute call. It covers four areas:

Data security and confidentiality. You need to know where client data goes, who can access it, whether it is encrypted in transit and at rest, and — critically — whether the vendor uses client data to train its AI models. You need documented answers, not assurances. Ask for SOC 2 Type II or ISO 27001 certifications. Ask what happens to your data when the contract terminates. If a vendor cannot answer these questions clearly, that is your answer.

Regulatory compliance. Does the tool comply with California, Colorado, and applicable state AI regulations? Can the vendor provide bias audits or algorithmic impact assessments for high-risk AI systems? Does the tool log decisions in a way that supports your disclosure obligations? A vendor who says they are "monitoring regulatory developments" is telling you they are not yet compliant.

AI model transparency. What was the model trained on? What are its known error rates and limitations? How does it make decisions, and can those decisions be explained? A vendor who describes their system only as a "proprietary black box" is not giving you what you need to supervise its use responsibly.

Contract terms. Standard vendor contracts are written to protect the vendor. Before signing, your agreement should include a data processing agreement, explicit prohibitions on using client data for model training, audit rights, IP ownership provisions for AI outputs, indemnification for AI-related claims, and termination clauses that require certified data deletion. An indemnification clause that limits vendor liability to zero is not a protection — it is a disclosure of how the vendor expects disputes to go.

Who at a law firm is responsible for AI vendor vetting?

This is where firms consistently fail. IT says the legal compliance piece is not their job. Legal says the technical evaluation is not their job. Practice group leaders assume someone else is handling it.

The result is that no one is handling it.

Effective AI governance requires a cross-functional approach. Legal counsel assesses compliance, ethics, and contractual risk. IT and security evaluate technical infrastructure and data protection. Compliance and risk management track regulatory obligations and audit vendor performance. Practice group leaders understand the specific use cases and client impact. No single department has the full picture. All of them together do.

If your firm does not have a cross-functional AI governance structure, building one is more urgent than adopting the next AI tool.

What is the cost of skipping AI vendor due diligence?

The direct costs are a malpractice lawsuit when an AI tool mishandles client data, regulatory fines for deploying non-compliant systems, sanctions for using AI outputs without adequate verification, and the loss of clients who discover their confidential information was not handled with the care they were owed.

The indirect costs are harder to quantify and harder to recover from. Reputational damage in a profession built on trust does not resolve on the same timeline as a malpractice claim.

The argument that proper vetting is too expensive or time-consuming answers itself. If a firm cannot afford to vet AI tools responsibly, it cannot afford the consequences of deploying them irresponsibly. The cost of due diligence is the cost of using these tools at all.

Where should a law firm start if it has never formally vetted its AI vendors?

Start with an inventory. List every AI tool the firm currently uses — document review platforms, legal research tools, contract analysis software, case management systems, billing software, email filtering. If it uses automation, machine learning, or "intelligent" features, it belongs on the list.

Then identify which tools carry the highest risk: those that process confidential client data, influence substantive legal decisions, or operate with limited human oversight. Those get prioritized for immediate review.

Then start asking your vendors the questions above. Document the answers. Where contracts need to be renegotiated to include appropriate protections, renegotiate them. Where vendors cannot meet basic security or compliance standards, that is information you need before the next client matter runs through their system.

Finally, build the internal governance structure — a written AI use policy, a cross-functional oversight committee, standard contract language for AI vendors, and training for attorneys and staff on what tools are approved, how to use them, and what to do when something goes wrong.

This is not a one-time exercise. AI regulations are evolving, vendors change their practices, and new tools enter the market regularly. The firms that get this right treat AI governance as an ongoing institutional responsibility, not a box to check.

How can a law firm get help building an AI vendor vetting process?

This is precisely the work I do with law firms. Whether the immediate need is a vendor vetting framework, an AI use policy, or attorney training that maps AI tools to existing ethical obligations, I can help you build a compliance structure that protects the firm and the clients it serves.

I also teach AI Ethics for Attorneys, a State Bar-approved CLE course that addresses the intersection of AI tools and professional responsibility in practical, applicable terms. [Contact me] to discuss what your firm needs.

Angeli Fitch is an AI Compliance & Ethics Attorney and trial lawyer with more than 20 years of experience. She is the creator of the California State Bar-approved CLE course "AI Ethics for Attorneys" and advises law firms and legal professionals on ethical AI adoption, compliance, and governance. She is Of Counsel at Infinity Law Group and available for speaking engagements, CLE instruction, and advisory work.

© 2025. All rights reserved.