
How can your AI securely use all of your firm’s data?

Paulina Grnarova
CEO & Co-Founder at DeepJudge

This post is the fifth in a series about how to implement legal AI that knows your law firm. In the series, we cover the differences between LLMs and search, the elements that make a good search engine, the building blocks of agentic systems (e.g. RAG), and how to implement a system that is fully scalable, secure, and respects your firm’s unique policies and practices. 

Integrating security and compliance by design

Securing client data and respecting confidentiality are cornerstones of a law firm’s ethical and regulatory obligations, as well as its value to clients. 

One challenge with data being distributed across multiple firm systems is that each system has its own authentication and permission protocol. It is critical that users of any system can access only the data they are authorized to access, depending on their role in the firm or their relationships with clients.

Search is the foundation of any firmwide AI system, so the retrieval layer needs to handle security and permissions intelligently. That means mirroring access controls from source systems or ethical wall solutions. A strong retrieval layer enforces these boundaries, making sure AI only sees data it’s allowed to access. It also protects privacy, blocks unauthorized third-party access, and respects existing security protocols, whether on-premise or in the cloud.

A security-conscious retrieval layer also puts firms’ needs ahead of vendors’ wishes to lock data into one system. One “solution” to the security issue, often suggested by vendors, is to require that all data be housed in their system to keep it secure, and to use only the AI built into that system. This approach is misguided and often self-serving, because it locks customers into a specific platform and limits their options. It requires a lot of unnecessary copying of data, which exacerbates rather than mitigates the security and compliance risks. It also forces users to disrupt their natural workflows, and frustrated users then tend to download data to work with it outside the system, which defeats the security. The better approach is to ensure that the search index surfaces the right information wherever it sits, while maintaining applicable access rights.

The best approach avoids any data migration, respects existing permissions in real time, and doesn’t encourage your users to download and upload data. Look for a solution that seamlessly integrates with all your data systems through a secure single sign-on and maintains all native ethical walls and access permissions. 
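As an added example (not DeepJudge's code and not part of the original post), the sketch below shows permission trimming in a retrieval layer: access lists mirrored from source systems and ethical-wall screens are applied before ranking, and a document whose permissions are unknown is hidden. The `Doc` and `User` classes, group names, matter ids and keyword scoring are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Doc:
    doc_id: str
    matter: str
    text: str
    allow: Optional[frozenset]  # principals mirrored from the source system; None = ACL not synced

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    walled_off: frozenset = frozenset()  # matters an ethical wall screens this user from

def is_visible(user: User, doc: Doc) -> bool:
    if doc.allow is None:               # unknown permissions: fail closed
        return False
    if doc.matter in user.walled_off:   # ethical wall overrides any allow entry
        return False
    return bool(doc.allow & (user.groups | {user.name}))

def retrieve(user: User, query: str, index: list, k: int = 3) -> list:
    """Trim by permission first, then rank, so hidden docs never reach scoring or the prompt."""
    terms = set(query.lower().split())
    hits = []
    for doc in index:
        if not is_visible(user, doc):
            continue
        score = len(terms & set(doc.text.lower().split()))
        if score:
            hits.append((-score, doc.doc_id, doc))
    return [doc for _, _, doc in sorted(hits)[:k]]

def build_context(user: User, query: str, index: list) -> str:
    # Only documents that survived trimming are placed in the text handed to the model.
    return "\n".join(f"[{d.doc_id}] {d.text}" for d in retrieve(user, query, index))

# Constructed sample data (hypothetical documents, groups and matters).
INDEX = [
    Doc("dms-1", "M-100", "merger indemnity clause draft", frozenset({"grp:corporate"})),
    Doc("dms-2", "M-200", "merger indemnity negotiation memo", frozenset({"grp:corporate"})),
    Doc("kb-3", "M-100", "indemnity clause precedent", None),
    Doc("dms-4", "M-300", "employment indemnity letter", frozenset({"bob"})),
]
ALICE = User("alice", frozenset({"grp:corporate"}), walled_off=frozenset({"M-200"}))
BOB = User("bob", frozenset({"grp:litigation"}))
```

Alice belongs to the group that may read `dms-2`, yet the wall on matter `M-200` keeps it out of both her results and the model context.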

Explore the blog series “Legal AI That Knows Your Firm”

Posts in this series:

  1. The Allure (and Danger) of Using Standalone LLMs for Search
  2. Why Retrieval Augmented Generation (RAG) Matters
  3. All Search Engines Are Not Created Equal
  4. Why good legal search is informed by the entire context of your institutional knowledge—not siloed or “federated” 
  5. How can your AI securely use all of your firm’s data? (this post)
  6. Coming soon


This post was adapted from our forthcoming 24-page white paper entitled "Implementing AI That Knows Your Firm: A Practical Guide." Sign up for our email list to be notified when the guide is available for download.
