When attorneys sit down with AI vendors to assess whether the tool being pitched would fit their firm, they often don’t know what questions to ask. That’s a problem, because buying legal AI isn’t like buying a new billing platform or upgrading a phone system. The stakes are different: clients’ most sensitive information, an attorney’s obligations under the Rules of Professional Conduct, and malpractice exposure all ride on the underlying technology.
Is it fair that an attorney has to be not just an expert in the law, but also proficient in data retention, lexical parity, and cybersecurity? No. It’s not. And yet that’s where we are.
You can’t just sit through a demo and nod along. You need to walk in with specific, pointed questions, and you need to know what good answers look like versus answers that should make you nervous.
This guide breaks it down category by category, so you know exactly what to ask and how to interpret what you hear back.
Privilege and Confidentiality Questions
This is one of the biggest risks attorneys face. If a vendor does not have the right security systems in place to keep client information confidential and maintain privilege, attorneys could be on the hook for disciplinary action from the bar, malpractice suits, and once-privileged documents becoming accessible to opposing counsel. No bueno.
1. Do you offer zero data retention? Is it the default or do we have to opt in?
Zero data retention basically means that, on a technological level, the tool does not store client information: any documents you upload are removed from the system and its memory once the task is complete. (A rough sketch of what this looks like under the hood follows this item’s answers.)
A good answer: Zero data retention is on by default, or at minimum is a clearly documented and contractually enforceable option.
A bad answer: It’s buried in an enterprise tier, requires a support request to activate, or the sales rep either gives a confusing answer or doesn’t know what zero data retention is.
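To make that concrete, here’s a minimal sketch (in Python, with hypothetical function names) of what a zero-data-retention flow looks like on the vendor’s side: the uploaded document lives only in memory for the life of the task and is explicitly dropped afterward, never written to disk or a database. This is an illustration of the pattern, not any particular vendor’s implementation.

```python
# Hypothetical zero-data-retention flow: the document exists only in
# RAM for the duration of the request and is dropped when it's done.

def run_model(text: str, question: str) -> str:
    # Stand-in for the vendor's actual model call.
    return f"Answer to {question!r} from {len(text)} characters of context."

def answer_question(document_bytes: bytes, question: str) -> str:
    text = document_bytes.decode("utf-8")  # held in memory only
    try:
        return run_model(text, question)
    finally:
        del text  # explicitly drop the document once the task completes

print(answer_question(b"This agreement terminates on...", "When does it end?"))
```

The contractual side matters just as much as the code: “zero data retention” should appear in the agreement as a binding term, not a marketing bullet.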
2. How is data encrypted in transit and at rest? What standards do you use?
A good answer: Specific standards cited by name (TLS 1.2 or higher in transit and AES-256 at rest are the common baseline), ideally with double encryption, so that if a primary database is hacked, the data remains encrypted by a second, independent layer. Long story short: even if hackers were able to get to the data, they couldn’t read it or use it. (A sketch of the double-encryption idea follows this item.)
A bad answer: They give you a vague assurance like “we take security seriously” with no specific standards cited, or don’t talk about encryption at all.
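For the technically curious, here’s a minimal sketch of the layered-encryption idea using Python’s cryptography library. It isn’t any particular vendor’s implementation; it just shows why breaching one key isn’t enough: the attacker still faces a second, independent layer.

```python
from cryptography.fernet import Fernet  # AES-based symmetric encryption

# Two independent keys, ideally held by separate systems or custodians.
inner_key = Fernet.generate_key()
outer_key = Fernet.generate_key()

def double_encrypt(plaintext: bytes) -> bytes:
    inner = Fernet(inner_key).encrypt(plaintext)   # layer one
    return Fernet(outer_key).encrypt(inner)        # layer two

def double_decrypt(ciphertext: bytes) -> bytes:
    inner = Fernet(outer_key).decrypt(ciphertext)  # peel layer two
    return Fernet(inner_key).decrypt(inner)        # peel layer one

secret = b"Privileged client memo"
blob = double_encrypt(secret)
assert double_decrypt(blob) == secret
# An attacker holding only the outer key recovers `inner`, which is
# still ciphertext under the inner key, unreadable without it.
```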
3. Is our data used to train or fine-tune your AI models? Any plans for doing so in the future?
A good answer: No, in language that doesn’t carve out exceptions for “anonymized” or “aggregated” data unless that’s been thoroughly explained to you. And even then, the best answer is a clear “no.”
A bad answer: Anything other than “no.”
4. What happens to our data when we terminate the agreement?
A good answer: It’s deleted on the date of termination, or within a defined window, with written confirmation of the deletion.
A bad answer: Literally anything else.
Hallucinations and the Open vs. Closed Universe Problem
Hallucinations have become a common (and favorite) topic in the news when discussing the pitfalls of legal AI. The Alabama Supreme Court recently fined an attorney $17,000 for hallucinated cases. Sullivan & Cromwell had to publicly apologize for the use of hallucinated cases in a court filing. This isn’t just an embarrassment; it’s a disciplinary and malpractice risk.
5. Is your system a closed or open universe?
A good answer: Closed. A closed universe means the AI only draws from a defined, curated legal database, and when something isn’t in that database, it says so rather than improvising. It does not make up facts, math, or inferences just to give you the answer it thinks you want. (The sketch after this item shows the behavior to probe for in a demo.)
A bad answer: Open universe, or a hybrid where the system can pull from general training data without clearly flagging when it’s doing so.
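In code terms, a closed universe is retrieval with a refusal path. Here’s a hypothetical, deliberately simplified sketch (the corpus and matching logic are invented for illustration): if nothing relevant exists in the curated database, the system says so instead of generating something anyway.

```python
# Hypothetical closed-universe behavior: answer only from a curated
# corpus, and refuse when retrieval comes up empty.

CURATED_CORPUS = {
    "acme-msa-2023": "Section 4.2: either party may terminate on 30 days notice.",
    "smith-v-jones-2019": "Holding: a contract requires mutual assent.",
}

def retrieve(query: str) -> list[tuple[str, str]]:
    terms = query.lower().split()
    return [(doc_id, text) for doc_id, text in CURATED_CORPUS.items()
            if any(term in text.lower() for term in terms)]

def answer(query: str) -> str:
    hits = retrieve(query)
    if not hits:
        # The refusal path is the whole point of a closed universe.
        return "No supporting source in the database. Unable to answer."
    doc_id, text = hits[0]
    return f"{text} [source: {doc_id}]"

print(answer("terminate notice"))      # answers, with a citation
print(answer("punitive damages cap"))  # refuses: not in the corpus
```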
6. What is your measured hallucination rate, and how was it calculated?
A quick note – legal AI reps may not have the answer to this, because hallucination rates may not be actively tracked. That in itself is an important thing to know.
A good answer: A firm number, plus an explanation of how it was calculated, what happened when hallucinations occurred, how they fixed the issue, and what system they use to prevent future ones.
A bad answer: No real number, no idea how they’d get one, and an unwillingness to find out from the development or product team.
7. Does every output include a verifiable citation? Can I check the source without leaving the platform?
A good answer: Every output links directly to the source text, and you can verify the cited passage in context without clicking away. Or, at the very least, you can easily verify the source document when it’s presented within the answer. (See the sketch after this item for what that structure looks like.)
A bad answer: Citations are unlinked, or not provided at all.
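One way to picture the verifiable-citation requirement: every sentence of output should travel with a pointer back to the exact passage supporting it, so you can check the quote without leaving the platform. A hypothetical sketch of that structure (the document IDs and fields are invented):

```python
from dataclasses import dataclass

@dataclass
class Citation:
    doc_id: str   # which source document
    page: int     # where in it
    quote: str    # the exact supporting passage

@dataclass
class AnswerSentence:
    text: str
    citation: Citation  # required, not optional: no citation, no sentence

answer = [
    AnswerSentence(
        text="The MSA allows termination on 30 days written notice.",
        citation=Citation(doc_id="acme-msa-2023", page=7,
                          quote="either party may terminate on 30 days notice"),
    ),
]

# In-platform verification: the quoted passage sits next to the claim.
for s in answer:
    print(f'{s.text}  ->  {s.citation.doc_id}, p.{s.citation.page}: "{s.citation.quote}"')
```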
Transparency
Note – I did not include a question around “what models do you use” because, more often than not, B2B legal AI software uses a combination of ChatGPT, Gemini, and Claude, each for specific tasks depending on what it’s best at. Very rarely do these tools use open-source models or Grok. And while ChatGPT is best known for using consumer content to train its models, at the enterprise level (which is what all these legal AI tools use) that’s not the case, and the data stays private.
8. When you update the underlying model, how do you notify customers?
A good answer: They’ll give you advance notice (30+ days is reasonable), with clear documentation of what changed and any impact on outputs.
A bad answer: No notice and continual updates, so you only find out after the fact or through use of the tool. The idea here is that attorneys should be able to remove and limit surprise as much as possible. Clients and opposing counsel give us enough surprises; our software shouldn’t add to that stress.
9. Can the tool explain how it reached a conclusion?
A good answer: Yes, and it will provide the reasoning proactively or upon request, including any assumptions it made and on what basis.
A bad answer: This is not something that’s readily available or in the current pipeline, but rest assured, it’s super smart.
10. How does the tool decide which sources to surface?
A good answer: A plain-language explanation of the retrieval logic. Here’s an example I heard recently: “Because this is a closed-universe setup, the AI only produces what is asked of it. It’ll take the plain-language prompt and layer several tasks together to get you a comprehensive answer. It’ll show you the specific documents it used to arrive at its answer, and you can go in and edit or change the output if it got something wrong, and it’ll update its record.”
A bad answer: Something that makes your eyes glaze over, where they use too many technical terms or make the system seem like a black box.
Integrations
11. What document management systems do you support?
A document management system is something like SharePoint (probably the most common one) or iManage. It’s how you store all client documents and work product. This question can be expanded to include client management software (like Clio or MyCase) or legal research software (like Westlaw or LexisNexis).
A good answer: The AI tool will integrate natively with your current document management system, with a clear support path and contact for when something inevitably breaks.
A bad answer: “We can integrate via API.” This usually means your IT team is doing the work, not the vendor.
12. How is security handled at the integration layer?
A good answer: Narrow, scoped permissions, where the integration accesses what it needs and nothing more (see the sketch after this item).
A bad answer: They don’t know, or couldn’t tell you.
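As a mental model, “narrow, scoped permissions” means the integration’s credentials enumerate exactly what they may touch, and anything outside that list fails loudly. A hypothetical sketch, with scope names invented for illustration:

```python
# Hypothetical scope check: the integration's token carries an explicit
# allowlist, and any request outside it is rejected outright.

GRANTED_SCOPES = {"documents.read"}  # read-only, one repository

def authorize(action: str) -> None:
    if action not in GRANTED_SCOPES:
        raise PermissionError(f"Scope {action!r} was never granted.")

authorize("documents.read")  # fine: within the granted scope
try:
    authorize("documents.delete")
except PermissionError as e:
    print(e)  # Scope 'documents.delete' was never granted.
```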
13. Do we need to upload documents into your platform, or does the tool work on top of our existing repository?
A good answer: The tool works natively on your repository without copying documents to the vendor’s environment. If uploads are required, there’s a clear and contractually binding zero-data-retention policy.
A bad answer: Documents are uploaded and stored in the vendor’s cloud with no clear deletion policy or retention limit.
User Permissions and Access Controls
14. Can access be controlled at the matter level?
A good answer: Users can be scoped to specific cases or legal matters, and that scoping is enforced at the system level (see the sketch after this item).
A bad answer: Access is all-or-nothing at the firm level, with no matter-level segmentation.
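In practice, matter-level control means every request is checked against the user’s matter assignments before a single document is retrieved. A minimal hypothetical sketch, with made-up users and matter IDs:

```python
# Hypothetical matter-level access check, enforced before retrieval.

MATTER_TEAMS = {
    "matter-1001": {"alice", "bob"},
    "matter-2002": {"carol"},
}

def fetch_documents(user: str, matter_id: str) -> list[str]:
    if user not in MATTER_TEAMS.get(matter_id, set()):
        raise PermissionError(f"{user} is not on the team for {matter_id}")
    return [f"{matter_id}-doc-{n}" for n in (1, 2)]  # stand-in for real docs

print(fetch_documents("alice", "matter-1001"))  # allowed
# fetch_documents("alice", "matter-2002")       # would raise PermissionError
```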
15. How does the platform support ethical walls?
A good answer: Automated ethical screen enforcement that blocks screened users from accessing restricted matters, with an audit trail showing the screen is actively working (see the sketch after this item).
A bad answer: Not a feature at the moment, and not in the pipeline.
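Mechanically, an automated ethical screen is a deny list that overrides every other permission, plus a log proving it fired. A hypothetical sketch (names and structure invented for illustration):

```python
from datetime import datetime, timezone

# Hypothetical ethical-screen enforcement: screened users are denied
# regardless of their other permissions, and every check is logged.

SCREENS = {("dan", "matter-3003")}  # (user, matter) pairs walled off
AUDIT_LOG: list[dict] = []

def screen_allows(user: str, matter_id: str) -> bool:
    blocked = (user, matter_id) in SCREENS
    AUDIT_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "matter": matter_id,
        "blocked": blocked,
    })
    return not blocked

assert screen_allows("dan", "matter-3003") is False  # screen enforced
assert screen_allows("erin", "matter-3003") is True  # not screened
print(AUDIT_LOG)  # the audit trail showing the screen actively working
```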
16. How granular is your role-based access control?
A good answer: You can define roles by practice group, office, seniority level, or matter team, with flexibility to customize.
A bad answer: A handful of fixed, pre-set roles with no ability to tailor them to how your firm actually operates.
Usage Caps
17. Are there usage caps, and what happens when we hit them?
A good answer: No hard caps, or caps generous enough to be a non-issue in practice, with clear advance notice before you approach a limit (see the sketch after this item).
A bad answer: Hard caps with no soft limit to warn you before you hit them.
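The difference between a good cap policy and a bad one is easy to express in code: a soft limit warns well before anything is blocked. A hypothetical sketch, with the numbers invented for illustration:

```python
# Hypothetical usage meter: warn at 80% of the cap (the soft limit)
# long before any hard stop, so a cap never surprises anyone mid-matter.

HARD_CAP = 10_000            # monthly queries (illustrative number)
SOFT_LIMIT = 0.8 * HARD_CAP  # advance-notice threshold

def record_query(used_so_far: int) -> str:
    used = used_so_far + 1
    if used >= HARD_CAP:
        return "BLOCKED: hard cap reached"         # the bad experience
    if used >= SOFT_LIMIT:
        return f"WARNING: {used}/{HARD_CAP} used"  # clear advance notice
    return "OK"

print(record_query(7_000))  # OK
print(record_query(8_500))  # WARNING: 8501/10000 used
print(record_query(9_999))  # BLOCKED: hard cap reached
```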
Beyond any specific question, pay attention to how the vendor responds. Do they have clear, confident answers, or do they hedge, redirect, and get visibly uncomfortable? If they don’t know an answer, do they offer to ask their product or development team and circle back? The goal with these questions is really to help attorneys feel more confident in their legal AI partners, and to help resolve any ethical and operational concerns.