Democratisation of AI in the legal sector

21 May 2026
The headlines about bespoke platforms based on large language models (LLMs) trained for corporate environments leave a certain sense of discomfort: if your company cannot afford to spend six-figure sums on technology, you are out of the race.

The reality is quite different. Most law firms are small or medium-sized and cannot afford highly specialized licenses (nor, considering the return on investment, are they interested in them). But this does not leave them behind. The real change is not happening in the labs of high-end LegalTech companies, but in what lawyers do every day, using general-purpose tools (ChatGPT, Claude, Microsoft Copilot) to save time.


The challenge for a small or medium-sized firm is not technological. It is a matter of governance and risk management. Using generalist AI for legal tasks works, and works well, if the rules are known. The following explains how to do this without jeopardising the one thing that a firm cannot afford to lose: the trust of the client and the security of their information.


Context: Generalist AI vs. Specialized AI

Legal-specific tools have clear advantages: closed environments that protect professional secrecy, integration with jurisprudence databases, and models trained in legal language.


General-purpose AI is something quite different: a Swiss army knife. It does not know what the Supreme Court said yesterday unless told, and its default terms of use can pose a serious confidentiality issue. In exchange, it has two main advantages: it costs little or nothing, and when it comes to drafting, analysing, and structuring information, it often works better than its specialized counterparts.


For a law firm, the answer is not to prohibit these tools out of fear. It is to prepare the team to filter and control what comes out of them. The question is not which tool you use, but how you manage it.


Ten-Point Good Practice Guide for Small and Medium Law Firms

To ensure safe and efficient use, here is a guide designed for small and medium firms working with mass-market tools.


1. The secret lies in the configuration (and the contract)

The greatest danger of free or consumer versions is that what you input ends up training the model. This completely undermines professional confidentiality, without exception. To avoid this, you must switch to corporate paid versions (Team or Enterprise from OpenAI or Anthropic) or work with Microsoft Copilot within a Microsoft 365 business subscription. In these environments, the contract guarantees that the data does not leave the organization and is not used for training. If the tool is free, what you are paying for is your client's confidentiality.


2. Systematic and mandatory anonymization

Even if you work in secure paid environments, follow the basic rule: caution. Before inputting text into general-purpose AI for analysis, summarisation, or translation, remove personal data (names, identification numbers, addresses) and identifiable corporate data (company names, specific business figures). Replacing them with generic labels (“Company A”, “Employee X”) does not affect the model's analytical capabilities and eliminates regulatory risk from the outset.


3. The lawyer as a critical filter (human in the loop)

A general AI is not a lawyer. It is a powerful assistant for drafting and analysing texts, but it hallucinates complacently (it makes up data that seem true) and makes fundamental legal errors. No document generated, corrected, or analysed by an AI can leave the office without thorough human review. The professional who signs the document assumes ethical and legal responsibility before the client. Period.


4. Stay within what you know: Define useful use cases

Asking a general AI to conduct complex jurisprudence research is like walking straight towards a cliff. Where these tools do work very well is in:

  • Drafting standard clauses from clear instructions.
  • Simplifying the technical language of a report to make it understandable for the client (Legal Design).
  • Analysing structure and checking contradictions in long contracts provided by the other party.
  • Translating and adapting legal texts into other languages (as a preliminary step for review).

The idea is to use them to enhance operational efficiency, not to replace legal judgment. This is the difference.


5. Investment in legal prompt engineering

General-purpose AIs do not understand the context of your business. What you get depends almost entirely on how you ask. Training is not about learning to code, but about learning to ask the right questions: assigning a role (“Act as an expert in Spanish commercial law”), explaining the context, setting the tone, and specifying the format of the response you want. Knowing how to ask questions has become another legal skill.


6. Creation of a Minimally Viable Internal Policy (MVIP)

It does not matter if there are three or thirty lawyers: the rules for using AI must be established in writing. The internal policy must be clear, concise, and mandatory. It should specify which tools are authorised, what information should never be inputted, and how to report errors. Information security begins when the team understands what is at stake.


7. Mandatory verification of sources and citations

When a general-use AI cannot find the answer, it makes it up: legal articles, European directives, court rulings. It does this to 'impress' the user. For this reason, no legal or jurisprudence citation provided by the model is accepted at face value. Each reference is manually verified with official sources (BOE, Cendoj, etc.) before being included in a document or legal opinion. There are already lawyers affected by this.


8. Transparency and honesty with the client

Effectively managing client expectations is key. You do not need to inform the client that you use a word processor to draft a claim, but intensive use of AI to analyse large volumes of data or prepare complex strategies must align with the ethical standards of the firm. Being honest builds trust. Presenting the use of AI as a way to work faster and reduce costs, rather than hiding it, can work in the firm's favour with clients who focus on results.


9. Risk-based approach

Not all matters are equally sensitive. Tasks should be classified according to risk. Automating debt collection or reviewing standard rental contracts using AI has low impact. Delegating the summarizing of a complex criminal case or a high-level tax restructuring is a critical risk. The more sensitive the matter, the less one should rely on the tool, and the more human judgment is required.


10. Constant evolution and technological curiosity

Technology is advancing rapidly. What today requires complex instruction in a general-purpose tool, tomorrow will be integrated and secure within your own word processor. Partners in small and medium enterprises must keep an eye on this evolution: occasionally checking whether the time saved justifies paying for new modular solutions. Standing still is not free either.


Conclusion: size is no longer an excuse

AI has had a paradoxical effect on the legal sector: it has levelled the playing field. A lawyer in a boutique firm with a premium subscription to a well-configured general-purpose AI —and who understands the risks— can process information, draft communications, and structure contracts at a speed that was previously only within the reach of large international firms' associate teams.


For small and medium enterprises, success in this phase will not depend on the money they can allocate to technology. It will depend on the discipline, ethical rigor, and common sense with which they adopt these tools. AI will not replace lawyers. But the lawyers who use it well, sensibly and within the rules, will end up replacing those who prefer to look the other way.


Article by Manuel Asenjo, CIO and CISO at ECIJA Madrid.
