Claude for Law Firms
We stand up Claude for law firms and in-house teams, wired into the systems you already run, governed against privilege and confidentiality rules, and adopted by the people who actually have to use it. Not a browser tab the firm forgets about by month two.
Most firms already have someone using Claude. The question in 2026 is no longer whether to adopt it, but whether the firm is adopting it in a way that is safe, integrated, and actually used. Anthropic’s Claude for Legal launch, with more than twenty connectors into the software firms already run and a set of practice-area plugins, moved Claude from a clever browser tab to something that can sit inside the practice. Freshfields, Quinn Emanuel, and Holland & Knight are on it. The firms that get value are the ones that put governance and integration in place first. This page is how we do that, end to end.
The first decision is the account tier, and most firms get it wrong
The single most common mistake is pasting client information into a consumer Claude account. Claude’s Free, Pro, and Team plans run under consumer terms and, by default, can use your inputs to improve the model unless you opt out. “We pay for Pro” is not a confidentiality posture. The posture is set by which account you are on and what data path sits behind it.
| Account | Trains on your data | Zero data retention | BAA / DPA | Fit for client work |
|---|---|---|---|---|
| Claude Free / Pro / Max | Yes, unless opted out | No | No | No |
| Claude Team | Yes (consumer terms) | No | Limited | No |
| Claude Enterprise / API | No | Available | Yes | Yes |
| Via AWS Bedrock / Google Vertex | No | Yes | Yes | Yes |
Privileged and client-identifying work belongs on the bottom two rows: Claude’s Enterprise and API terms, or a deployment through Amazon Bedrock or Google Vertex AI, where you inherit the cloud provider’s enterprise terms, a data processing agreement, and zero data retention, so inputs are never stored beyond the moment of processing. This is not a pricing choice. It is the difference between meeting the duty of confidentiality and breaching it.
What the ethics rules actually require
ABA Formal Opinion 512 (July 2024) was the first national ethics framework for generative AI in legal practice, and its message is plain: the tools are permitted, but your obligations do not change. Three duties carry the weight.
- Competence (Rule 1.1). A working understanding of how the tool handles data and where it can be wrong.
- Confidentiality (Rule 1.6). Reasonable measures against unauthorized disclosure, which is why the account tier and data path matter. For self-learning tools the opinion expects informed client consent before confidential inputs go in, and notes that boilerplate engagement-letter language is not enough.
- Supervision (Rules 5.1 and 5.3). Managing lawyers set the policy, everyone including staff follows it, and every output is verified before it reaches a client or a court.
We turn those duties into concrete, followable rules as part of the deployment. The full framework, including input restrictions and a vendor register, is the subject of our AI governance work.
Where Claude earns its keep
The highest-return uses compress the time to a good first draft while keeping a human as the reviewer of record:
- Litigation and disputes. Summarising long records, drafting chronologies, first-pass review of disclosure, and turning research into a structured memo.
- Corporate and transactional. Diligence triage, clause comparison against a playbook, and drafting routine ancillary documents from a precedent.
- In-house teams. Triaging the legal inbox, first-draft NDAs and routine contracts, and answering policy questions grounded in the company handbook.
- Knowledge and BD. Turning closed matters into reusable know-how, and drafting pitch and capability statements from the firm’s own precedents.
Claude does not replace the judgment that follows. A firm that forgets this is one hallucinated citation away from a sanctions hearing, which is why verification is built into the workflow rather than left to good intentions. The pilots that fail tend to fail for the same few reasons, which we wrote up in the three failure modes of legal AI pilots.
A deployment that gets used, not abandoned
The graveyard of legal AI is full of pilots that stalled at two seats. Adoption is an engineering and change-management problem, and we run it on a 30-60-90 cadence rather than a launch event. Our field notes on why that window matters are in the 30-60-90 adoption curve.
| Phase | Window | Focus | What good looks like |
|---|---|---|---|
| Foundation | Days 0 to 30 | Account posture, SSO, logging, governance sign-off, connectors | Live for a pilot group, on the right terms |
| Habit | Days 30 to 60 | Role prompts, saved workflows, office hours, weekly use review | Daily use by the pilot group, not just champions |
| Scale | Days 60 to 90 | Firm-wide rollout, measurement, retire shadow tools | Most matters touch it; usage is rising, not flat |
Underneath the cadence sit three durable pieces: integration through MCP so Claude works inside Microsoft 365, iManage or NetDocuments, and your matter system; a maintained, version-controlled prompt and workflow library; and training plus usage tracking so adoption compounds instead of plateauing once the novelty fades.
Common pitfalls we are brought in to fix
- Consumer tier for client work. The confidentiality breach hiding in plain sight. Fixed by the account posture above.
- Rollout before governance. Tools reach matters before anyone has written what is allowed. The policy comes first.
- Treating it as procurement. A licence is bought, a town hall is held, and nothing changes. Adoption is the work, not the purchase.
- No verification discipline. Output is trusted because it reads well. Every citation and figure is checked.
- Prompts as folklore. Good prompts live in one person’s head instead of a maintained library.
- No integration. If it lives in a separate tab, it gets forgotten.
What good looks like, six months in
A firm that has done this well has a written, signed AI policy mapped to a data-classification scheme; Claude reachable from inside Word, Outlook, and the document store; a prompt library owned by a named person; and a usage trend that is climbing rather than flat. Partners reach for it on the work it is good at and leave it alone on the work it is not, because they understand the line. The measure is not seats purchased. It is matters touched and hours returned to higher-value work, tracked and reported, not assumed.
Where the data actually goes
Confidentiality is decided by the data path, so we make it explicit. On an enterprise or cloud deployment a prompt and its attachments travel to the model, are processed, and are discarded under zero data retention. Nothing is stored for abuse monitoring, nothing trains the model, and nothing is shared. Where a firm needs stronger guarantees we deploy in a specific cloud region for data residency, and route through the firm’s own cloud tenancy on Bedrock or Vertex so the traffic never leaves infrastructure the firm already trusts. We document the path in one diagram a general counsel can read, because a posture you cannot explain is a posture you cannot defend.
What it realistically costs
The licence is the cheap part. Enterprise Claude or metered API access is a small line next to a dedicated legal AI platform, and far smaller than the cost of the hours it returns. The real budget is the setup and the change management: the governance framework, the connectors, the prompt library, and the weeks of training and office hours that turn a tool into a habit. Firms that under-fund that second part are the ones whose pilots stall, which is why we scope it as the substance of the engagement rather than an afterthought. The honest comparison is not Claude versus a free chatbot. It is a governed, adopted deployment versus a shadow one that creates risk and delivers little.
How we set it up
A typical engagement runs in four phases.
- Assessment. Audit current tools and cloud readiness, and map the data paths that matter.
- Secure foundation. Provision the right account posture, connect identity and single sign-on, and switch on audit logging and cost controls.
- Governance. An acceptable-use policy, input restrictions tied to a data-classification scheme, and output-review standards proportionate to risk.
- Integration and adoption. MCP connectors, the prompt library, training, and the 30-60-90 rollout.
We can operate the platform on retainer afterwards, or hand it over documented and owned. It sits alongside our document review and integration work, and the wider Legaltech & AI practice.