SRA AI guidance: what a UK law firm actually has to do

TL;DR

The SRA has not written an AI rulebook. It treats AI as any other technology, fully covered by the existing Principles and Codes. In practice that means COLP-level accountability, written governance, narrow rule-based use cases, human sign-off on every output, and ICO-grade care with client data. Garfield.Law and LawFairy show the shape the regulator approves.

Key takeaways

- The SRA permits AI but holds firms to the existing Principles and Codes, with the COLP carrying day-to-day accountability and the board owning purchase and ongoing use.
- The two AI-only firms authorised so far, Garfield.Law in May 2025 and LawFairy in February 2026, were approved through the standard route, not a special sandbox.
- Approved AI use is narrow and rule-based, small claims to £10,000 for Garfield and immigration eligibility checks for LawFairy, with a regulated solicitor accountable for every output.
- ICO guidance applies in full, which means a DPIA before client data touches a model and proper controls on any international data transfer to a third-party LLM.
- A practical baseline for a five to fifty person firm is an AI register, written policies, mandatory human review, updated engagement letters and CPD on model limits.

A managing partner of a fifteen-person high-street firm asked me last month whether her team could keep using ChatGPT for first-draft client letters. She had read about the SRA authorising an AI-only firm and wanted to know if that meant she was suddenly behind. Her COLP, she said, was more worried about the opposite, that the trainees were already pasting client correspondence into a consumer tool with no policy in sight. Both of them were right to be uncertain.

The Solicitors Regulation Authority has been clear about what it expects, but the answer is scattered across compliance tips, an AI risk outlook, two precedent authorisations and a handful of cross-references to other regulators rather than a single rulebook. For an owner-managed firm trying to make a sensible call before the next compliance review, that scatter is a problem. The picture below pulls the load-bearing parts together: what the regulator has said, who carries the accountability inside the firm, what the two approved AI firms actually look like, and what a five to fifty person practice should have in place to meet the standard the SRA has set.

What has the SRA actually said about AI?

The SRA’s position is that solicitors and firms may use any technology they think appropriate, including AI, so long as they comply with the existing Principles and Codes of Conduct. There is no separate AI rulebook and the regulator has said it does not intend to write one. AI has to fit inside the existing duties of competence, confidentiality, integrity and client best interests.

The compliance tips for solicitors and the AI Risk Outlook set out how the regulator reads those duties when AI is involved. That framing matters because it tells you where to look when you are deciding whether a use case is acceptable. The question is never “is this AI allowed”; it is “would a competent solicitor doing this work by hand be acting properly”. If yes, the AI version needs the governance, supervision and confidentiality controls to match. If no, AI does not rescue it.

Who is on the hook inside the firm?

The SRA expects, at minimum, the Compliance Officer for Legal Practice to take responsibility for regulatory compliance when new technology is introduced, with the board taking ownership of purchasing decisions and ongoing use. The COLP needs to know what is being deployed, what data it touches, what policies sit around it, and who signs off on each output that reaches a client. That is a governance role, not a coding role.

In practice this means three things. The board signs off on what tools the firm buys and what it allows. The COLP runs the risk and impact assessment, the written policy, the training and the monitoring. The fee-earner using the tool is accountable for the work in front of them, with a regulated solicitor reviewing and approving every output before it leaves the firm. None of that requires the COLP to write prompts or read model documentation; it requires them to own the framework.

What do the approved AI firms tell us?

Two firms have been authorised so far. Garfield.Law was approved on 6 May 2025 as the first AI-driven law firm in England and Wales, guiding users through small-debt claims up to £10,000. LawFairy was authorised in February 2026 to deliver immigration services entirely through AI, analysing visa eligibility, sponsorship and citizenship routes. Both went through the standard authorisation route, not a special sandbox.

What is striking is how narrow the permitted scope is. The SRA has been explicit that AI-led delivery is acceptable for “narrow, standardised areas of law” and should not be read as endorsing AI as a general replacement for solicitors. Garfield.Law had to put in strong confidentiality protection, conflict checks, user approval at each stage, and a technical bar preventing the model from proposing case law, to control hallucination risk. Regulated solicitors remain accountable for every output. LawFairy’s system structures evidence and flags cases needing human input, particularly where Article 8 ECHR proportionality is involved, and users can invite a regulated adviser at any stage with one click. The pattern in both is the same: automate the rule-based parts, escalate the judgement parts, hold a named human accountable.

Where do the ICO, NCSC and EU rules fit?

The SRA is not the only regulator a firm has to satisfy. The ICO has confirmed that UK GDPR applies in full to AI processing of personal data, requiring a lawful basis, a Data Protection Impact Assessment before high-risk deployment, and safeguards when personal data goes to a third-party LLM. Pasting client information into a consumer chatbot without contractual controls is the fastest way to land in trouble.

The NCSC’s guidance frames AI tools as new attack surfaces (prompt injection, data exfiltration through model outputs, weak access controls) and recommends treating AI deployments as additions to the cyber-risk register rather than just another app. The EU AI Act sits behind all of this for firms with EU-facing work. It classifies certain AI used in legal decision-making as high-risk and imposes risk management, data governance and human oversight obligations that reach UK firms serving EU clients or using EU-provided AI tools. A firm that ignores any of these three undermines the SRA’s expectation that the firm understands the legal framework around its AI use.

What does a sensible baseline look like for a small firm?

For a five to fifty person practice the practical baseline is organisational rather than technical. Maintain an AI register that lists every tool the firm uses, what it does, what data it touches and who owns it. Carry out and document a DPIA where client data is involved. Write a short AI use policy that names which tools are approved and the mandatory human review step.

That covers the foundations. On top of those, update engagement letters to describe significant AI use and obtain client consent where appropriate. Allocate CPD hours to AI literacy so fee-earners understand when a model is likely to hallucinate and how to verify outputs. Brief the COLP on the register at the same cadence as conflict checks.

None of this requires a separate AI strategy document or a six-figure consulting engagement. It is the same governance discipline a well-run firm already applies to client money, conflicts and confidentiality, extended to cover AI tools. If the firm cannot answer “what AI are we using, on what data, with what supervision, approved by whom”, it is not yet meeting the standard the SRA has set. If it can answer those questions in writing, it is broadly where the regulator expects it to be. Book a conversation if you want a second pair of eyes on the policy and the register before your next compliance review.

Sources

- Solicitors Regulation Authority (2024). Compliance tips for solicitors using technology. Confirms firms may use any technology including AI, subject to Principles and Codes, with COLP-level accountability and board oversight. https://www.sra.org.uk/solicitors/resources/innovate/compliance-tips-for-solicitors/
- Solicitors Regulation Authority (2024). Artificial intelligence in the legal services market, risk outlook. Sets out the SRA's mapping of AI risk to UK regulatory principles and ICO data-protection expectations. https://www.sra.org.uk/sra/research-publications/artificial-intelligence-legal-market/
- Dechert LLP (2025). Solicitors Regulation Authority authorises UK's first AI-based law firm. Details the safeguards imposed on Garfield.Law including the prohibition on the model proposing case law. https://www.dechert.com/knowledge/re-torts/2025/6/solicitors-regulation-authority-authorizes-uk-s-first-ai-based-l.html
- International Bar Association (2026). UK SRA takes unprecedented approach in authorising AI-enabled law firms. Covers both Garfield.Law and LawFairy authorisations and the SRA's narrow-use-case position. https://www.ibanet.org/UK-SRA-takes-unprecedented-approach-in-authorising-AI-enabled-law-firms
- Law Society of England and Wales (2024). Compliance and the use of AI in law firms. Sets out how SRA Principles apply to AI use, with practical advice on DPIAs, engagement letters and supervision. https://communities.lawsociety.org.uk/risk-and-compliance/compliance-and-the-use-of-ai-in-law-firms/6003325.article
- Information Commissioner's Office (2024). Guidance on AI and data protection. Confirms UK GDPR applies in full to AI processing of personal data, with DPIA expectations and transfer safeguards. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/
- National Cyber Security Centre (2024). Guidelines for secure AI system development. Sets out cyber-risk expectations for organisations deploying AI, including access controls and monitoring. https://www.ncsc.gov.uk/collection/ai
- UK Government (2023). A pro-innovation approach to AI regulation, white paper. The five cross-sector principles the SRA references in its AI risk guidance. https://www.gov.uk/government/publications/ai-regulation-a-pro-innovation-approach/white-paper
- European Union (2024). Regulation (EU) 2024/1689, the AI Act. Sets the high-risk classification rules that affect UK firms with EU-facing work or EU-provided AI tools. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- Solicitors Regulation Authority (2024). Innovate programme. Describes waivers, ethics guidance and proof-of-concept routes used in authorising novel AI-enabled firms. https://www.sra.org.uk/solicitors/resources/innovate/innovate/

Frequently asked questions

Does the SRA have a separate AI rulebook for law firms?

No. The SRA has stated firms may use any technology they think appropriate, including AI, provided they comply with the existing SRA Principles and Codes of Conduct. The regulator has published compliance tips and an AI Risk Outlook that map AI use onto the existing duties of competence, confidentiality and client best interests, rather than creating a parallel framework.

What did the SRA require of Garfield.Law when it authorised the first AI-driven firm?

Specific safeguards rather than a blanket permission. Garfield.Law must protect client confidentiality, avoid conflicts of interest, obtain user approval at each stage, and prevent hallucinations by barring the model from proposing case law. Regulated solicitors remain accountable for every output. The authorisation went through the standard route, not a sandbox.

Can a small firm use ChatGPT for client work without breaching SRA rules?

Only with care. The SRA expects confidentiality, competence and proper governance, and the ICO treats personal data sent to a third-party LLM as a processing activity that often needs a DPIA and transfer safeguards. A small firm can use AI for triage, summarisation or drafting, provided it anonymises inputs where possible, has written policies, and a qualified person reviews every output before it reaches a client.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.
