@complior/engine 0.9.0

package/data/templates/policies/healthcare-ai-policy.md

@@ -0,0 +1,197 @@
+# AI Usage Policy — Healthcare / Medical
+
+| Field | Value |
+|-------|-------|
+| Policy Title | AI Usage Policy — Healthcare / Medical |
+| Organization | [Organization] |
+| Date | [Date] |
+| Version | [Version] |
+| AI System Name | [AI System Name] |
+| Risk Class | [Risk Class] |
+
+## 1. Purpose and Scope
+<!-- GUIDANCE: Healthcare AI may be regulated as both a high-risk AI system AND
+a medical device (MDR). Scope must clearly state which regulatory framework(s)
+apply. Include ALL clinical and administrative AI systems.
+Example: "Covers: diagnostic imaging AI (MDR Class IIa + AI Act high-risk),
+patient scheduling AI (AI Act limited-risk), clinical NLP (AI Act high-risk)." -->
+
+This policy governs the use of [AI System Name] within [Organization]'s healthcare operations. It establishes requirements for safe, effective and transparent use of AI in clinical decision support, diagnostic assistance, patient monitoring, and medical data processing, in accordance with the EU AI Act (Regulation 2024/1689).
+
+This policy applies to all healthcare professionals, technical staff, and administrative personnel involved in operating, supervising, or being affected by AI-assisted medical decisions.
+
+## 2. Applicable Legislation
+<!-- GUIDANCE: Healthcare AI sits at the intersection of AI Act, MDR/IVDR, and
+GDPR Art. 9 (health data). If the AI qualifies as a medical device, MDR takes
+precedence for safety — AI Act adds transparency and monitoring requirements.
+Example: "Primary: MDR (EU 2017/745) for device classification; supplementary:
+AI Act Art. 6(1) high-risk obligations; GDPR Art. 9(2)(h) for health data." -->
+
+- **EU AI Act** — Annex III §5(a): AI systems intended to be used as safety components in the management and operation of critical digital infrastructure, road traffic, or in the supply of water, gas, heating or electricity
+- **Art. 6(2)** — High-risk AI system classification
+- **Art. 9** — Risk management system requirements
+- **Art. 10** — Data governance and management practices
+- **Art. 14** — Human oversight measures
+- **Art. 26** — Obligations of deployers of high-risk AI systems
+- **Medical Devices Regulation** (EU 2017/745, MDR) — where AI qualifies as a medical device
+- **In Vitro Diagnostic Regulation** (EU 2017/746, IVDR) — where applicable
+- **GDPR** — Art. 9 (special categories of personal data), Art. 22, Art. 35
+- **EU Charter of Fundamental Rights** — Art. 3 (right to integrity), Art. 35 (health care)
+
+## 3. AI System Description
+<!-- GUIDANCE: For clinical AI, describe the intended clinical pathway and where
+the AI output fits in the decision process. Specify whether it's screening,
+diagnostic, prognostic, or therapeutic. Example: "Chest X-ray AI (screening):
+flags potential pneumothorax on emergency department X-rays, output: binary
+flag + confidence score, radiologist reviews all flagged cases within 30 minutes." -->
+
+- System name: [AI System Name]
+- Description: [Description]
+- Provider: [Provider]
+- Model ID: [Model ID]
+- Autonomy level: [Autonomy Level]
+
+## 4. Risk Classification
+<!-- GUIDANCE: Healthcare AI is typically high-risk under AI Act. If it also
+qualifies as a medical device, it has DUAL classification (MDR + AI Act).
+Document both classifications. Example: "AI Act: high-risk (medical device AI);
+MDR: Class IIa (decision support software, Rule 11); IVDR: not applicable." -->
+
+This AI system is classified as **[Risk Class]** under the EU AI Act. Healthcare AI systems that qualify as medical devices or are used in clinical decision-making are typically classified as high-risk.
+
+## 5. Data Governance
+<!-- GUIDANCE: Health data is GDPR Art. 9 special category requiring explicit
+legal basis (typically Art. 9(2)(h) — healthcare provision). Training data must
+represent the target patient population to avoid clinical bias. Example: "Legal
+basis: Art. 9(2)(h); training data: 100K chest X-rays from 12 EU hospitals,
+validated for demographic representation (age, sex, ethnicity distribution
+matching EU population ±5%)." -->
+
+- All patient data must be processed in compliance with GDPR Art. 9 (special categories)
+- Data minimisation: only clinically necessary data shall be provided to the AI system
+- Training data must be representative of the target patient population
+- Data quality controls must ensure accuracy and completeness of clinical inputs
+- De-identification or pseudonymisation must be applied where full identification is not clinically required
+- Data provenance and lineage must be documented for all datasets used
+
+## 6. Human Oversight
+<!-- GUIDANCE: Clinical AI MUST be decision support only — never autonomous
+clinical decisions. The clinician must have access to the underlying data,
+not just the AI recommendation. Display confidence levels to support clinical
+judgment. Example: "AI output displayed alongside original imaging; clinician
+sees confidence score, similar historical cases, and known limitations for
+the patient's demographics." -->
+
+- Autonomy level: [Autonomy Level]
+- [Human Oversight Description]
+- The AI system must be used as a decision support tool only; final clinical decisions rest with qualified healthcare professionals
+- Clinicians must have the ability to override, modify, or disregard any AI-generated recommendation
+- AI outputs must be presented alongside confidence levels and relevant limitations
+
+## 7. Transparency and Disclosure
+<!-- GUIDANCE: Patient information must be appropriate to comprehension level
+and clinical context. In emergency settings, disclosure may be post-hoc.
+Clinical records must clearly distinguish AI-generated from clinician-generated
+content. Example: "Pre-admission: patient informed via consent form; emergency:
+post-hoc disclosure within 24 hours; clinical notes: AI outputs prefixed
+with '[AI-ASSIST]' in EHR." -->
+
+- Patients must be informed when AI is used in their care pathway
+- Information provided must be clear, accessible and appropriate to the patient's comprehension level
+- Healthcare professionals must have access to information about the AI system's intended use, limitations and performance characteristics
+- AI-generated outputs in clinical records must be clearly identified as AI-assisted
+
+## 8. Patient Safety and Clinical Validation
+<!-- GUIDANCE: Clinical validation must follow established methodologies
+(prospective studies, comparison with standard of care). Report adverse events
+through pharmacovigilance systems. Define fail-safe mechanisms for system outage.
+Example: "Validated in prospective study (n=5,000), sensitivity 94%, specificity
+89% vs. standard of care (radiologist): sensitivity 92%, specificity 91%.
+Fail-safe: automatic fallback to manual queue if system unavailable >5 min." -->
+
+- The AI system must have undergone clinical validation appropriate to its intended use
+- Clinical evidence must demonstrate safety and performance in the target patient population
+- Adverse events potentially related to AI system outputs must be reported through pharmacovigilance/medical device vigilance systems
+- Regular clinical performance reviews must assess diagnostic accuracy, sensitivity, specificity, and clinical outcome impact
+- Fail-safe mechanisms must ensure patient care is not compromised if the AI system becomes unavailable
+
+## 9. Medical Device Classification
+<!-- GUIDANCE: Use MDR classification rules (esp. Rule 11 for software) to
+determine device class. Software intended to provide diagnostic/prognostic
+information is typically Class IIa or higher. CE marking is mandatory before
+clinical use. Example: "Classified Class IIa per MDR Rule 11 (software providing
+information used to make clinical decisions). CE marked, Notified Body: BSI
+(NB 0086), Certificate: CE-2025-AI-0042." -->
+
+- If the AI system qualifies as a medical device under MDR (EU 2017/745), it must bear a valid CE marking
+- The system's risk class under MDR (Class I, IIa, IIb, or III) must be documented
+- Post-market surveillance requirements under MDR must be followed
+- Any software updates that affect the intended purpose must undergo conformity reassessment
+- Current classification: [To be determined by qualified regulatory affairs personnel]
+
+## 10. Monitoring and Logging
+<!-- GUIDANCE: Clinical AI monitoring must track both technical metrics AND
+clinical outcomes. Correlate AI recommendations with actual patient outcomes
+over time. Medical record retention typically 10+ years.
+Example: "Track: AI sensitivity/specificity monthly, patient outcomes at 30/90/365
+days, false negative rate with clinical impact. Logs retained 15 years per
+national medical records legislation." -->
+
+- All AI-assisted clinical recommendations must be logged with timestamps, inputs, and outputs
+- System performance must be monitored for clinical accuracy and safety signals
+- Key metrics: diagnostic accuracy, sensitivity, specificity, positive/negative predictive values
+- Monitoring frequency: [continuous/weekly/monthly] with clinical review committee oversight
+- Logs must be retained in compliance with medical record retention requirements
+
+## 11. Incident Response
+<!-- GUIDANCE: Clinical AI incidents may be medical device vigilance events
+requiring reporting to competent authority (e.g., under MDR Art. 87). 24-hour
+reporting for death/serious health deterioration. Define clear suspension criteria.
+Example: "Immediate suspension if: false negative leads to missed critical
+diagnosis, or >3 clinician overrides in 24 hours for same error type.
+MDR vigilance report within 24 hours for serious incidents." -->
+
+- Any adverse event potentially related to AI system outputs must be reported within 24 hours
+- The AI system must be immediately suspended if a patient safety concern is identified
+- Affected patients must be identified, assessed, and managed according to clinical protocols
+- Serious incidents must be reported to the competent authority for medical devices and market surveillance
+- Root cause analysis must be conducted for all AI-related clinical incidents
+
+## 12. Training and Awareness
+<!-- GUIDANCE: Healthcare professionals need clinical application training,
+not just generic AI training. Include when to trust vs. question AI output,
+and how to document AI-assisted decisions in clinical records.
+Example: "4-hour clinical training: AI output interpretation, override
+procedure, adverse event reporting, EHR documentation standards.
+Competency test required before independent use." -->
+
+- All healthcare professionals using the AI system must receive clinical application training
+- Training must cover: intended use, limitations, override procedures, adverse event reporting, and data protection
+- Competency assessment must be completed before independent use of the system
+- Refresher training must be provided at least annually and upon significant system updates
+
+## 13. Review Schedule
+<!-- GUIDANCE: Align with clinical governance review cycles. Consider patient
+outcome data availability (30/90/365 day endpoints). Update when clinical
+guidelines change or new evidence emerges. Example: "Quarterly Clinical
+Governance Committee review; annual full re-validation with updated patient
+outcome data; immediate review if clinical guidelines change." -->
+
+- This policy shall be reviewed at least annually and upon any significant change to the AI system
+- Review must incorporate clinical performance data, incident reports, and regulatory updates
+- Updates must be approved by the Clinical Governance Committee
+
+## 14. Approval and Sign-off
+<!-- GUIDANCE: Clinical AI policy requires sign-off from clinical leadership.
+CMO or equivalent takes clinical responsibility. Clinical Governance Lead
+confirms alignment with clinical governance framework.
+Example: "CMO sign-off confirms clinical safety; DPO confirms GDPR Art. 9
+compliance; Clinical Governance Lead confirms alignment with Trust clinical
+governance framework." -->
+
+| Role | Name | Date |
+|------|------|------|
+| Policy Owner | [Approver Name] | [Date] |
+| Chief Medical Officer | _________________ | _________ |
+| DPO | _________________ | _________ |
+| Clinical Governance Lead | _________________ | _________ |

package/data/templates/policies/hr-ai-policy.md

@@ -0,0 +1,178 @@
+# AI Usage Policy — HR / Employment
+
+| Field | Value |
+|-------|-------|
+| Policy Title | AI Usage Policy — HR / Employment |
+| Organization | [Organization] |
+| Date | [Date] |
+| Version | [Version] |
+| AI System Name | [AI System Name] |
+| Risk Class | [Risk Class] |
+
+## 1. Purpose and Scope
+<!-- GUIDANCE: Define the exact AI systems covered and their HR use cases.
+Art. 26(1) requires deployers to use systems per provider instructions.
+Scope must include ALL personnel affected — operators, subjects of decisions,
+and supervisors. Example: "HireVue video interviews (recruitment), Workday
+Peakon (engagement surveys), internal ML pipeline (attrition prediction)." -->
+
+This policy governs the use of [AI System Name] within [Organization]'s human resources and employment processes. It establishes requirements for lawful, transparent and non-discriminatory use of AI in recruitment, performance evaluation, and workforce management, in accordance with the EU AI Act (Regulation 2024/1689).
+
+This policy applies to all personnel involved in operating, supervising, or being affected by AI-assisted HR decisions.
+
+## 2. Applicable Legislation
+<!-- GUIDANCE: Annex III §6(a) makes HR AI high-risk. Cross-reference GDPR Art. 22
+(automated decisions) and national employment law. Identify which national
+transposition laws apply to your jurisdiction. Example: In Germany, also reference
+§26 BDSG (employee data processing) and BetrVG §87(1)(6) (works council rights). -->
+
+- **EU AI Act** — Annex III §6(a): AI systems intended to be used for recruitment or selection of natural persons, for making decisions affecting terms of work-related relationships
+- **Art. 6(2)** — High-risk AI system classification
+- **Art. 9** — Risk management system requirements
+- **Art. 10** — Data governance and management practices
+- **Art. 13** — Transparency and provision of information to deployers
+- **Art. 14** — Human oversight measures
+- **Art. 26** — Obligations of deployers of high-risk AI systems
+- **Art. 27** — Fundamental rights impact assessment for high-risk AI
+- **GDPR** — Art. 22 (automated individual decision-making), Art. 35 (DPIA)
+- **EU Charter of Fundamental Rights** — Art. 21 (non-discrimination), Art. 31 (fair working conditions)
+
+## 3. AI System Description
+<!-- GUIDANCE: Be specific about what the AI system does — "assists with hiring"
+is too vague. Describe the exact decision points where AI is involved and what
+data it processes. Example: "Scores CVs on 12 criteria, generates shortlist of
+top 20% candidates, provides interview question suggestions based on role profile." -->
+
+- System name: [AI System Name]
+- Description: [Description]
+- Provider: [Provider]
+- Model ID: [Model ID]
+- Autonomy level: [Autonomy Level]
+
+## 4. Risk Classification
+<!-- GUIDANCE: All HR AI for recruitment/selection is high-risk under Annex III §6(a).
+If your system falls outside §6(a), document the exact reasoning. Consider whether
+the system could be used for purposes that would make it high-risk even if the
+primary use is not. Example: "High-risk per Annex III §6(a) — used for candidate
+screening affecting access to employment." -->
+
+This AI system is classified as **[Risk Class]** under the EU AI Act. HR/employment AI systems used for recruitment, selection, or decisions affecting terms of work-related relationships are classified as high-risk under Annex III §6(a).
+
+## 5. Data Governance
+<!-- GUIDANCE: Art. 10 requires data governance for high-risk AI. Identify bias
+risks in training data — historical hiring data often encodes past discrimination.
+Prohibit use of protected characteristics as inputs, including proxy variables
+(e.g., postcode correlating with ethnicity). Example: "Training data audited for
+gender balance — 48% female representation vs. 52% in applicant pool." -->
+
+- All training and input data must be assessed for bias and representativeness before use
+- Personal data processing must comply with GDPR, with a lawful basis identified for each processing activity
+- Data used for candidate screening or employee evaluation must be relevant, adequate, and not excessive
+- Special category data (Art. 9 GDPR) must not be processed unless a specific exemption applies
+- Data retention periods must be defined and enforced for all AI-processed HR data
+
+## 6. Human Oversight
+<!-- GUIDANCE: Art. 14 requires meaningful human oversight, not rubber-stamping.
+The reviewer must have authority AND competence to override AI outputs. GDPR Art. 22
+prohibits fully automated decisions with legal effects without safeguards.
+Example: "HR manager reviews all AI-generated shortlists before candidate contact;
+minimum 15-minute review per shortlist, documented in ATS." -->
+
+- Autonomy level: [Autonomy Level]
+- [Human Oversight Description]
+- No fully automated decisions shall be made that produce legal effects or similarly significantly affect natural persons without meaningful human review
+- All AI-generated shortlists, scores, or recommendations must be reviewed by qualified HR personnel before action
+- Human reviewers must have the authority and ability to override or disregard AI outputs
+
+## 7. Transparency and Disclosure
+<!-- GUIDANCE: Art. 26(7) requires informing workers. GDPR Art. 13-14 requires
+informing candidates about automated processing. Provide disclosure BEFORE the
+AI-assisted process begins, not after. Example: "Candidate portal displays AI
+disclosure at application start: 'Your application will be screened using AI.
+You may request human-only review.'" -->
+
+- Candidates and employees must be informed before any AI-assisted decision-making process begins
+- Information provided must include: the fact that AI is used, its purpose, the logic involved, and potential consequences
+- Worker representatives and works councils must be consulted where required by national law
+- All AI-generated assessments must be clearly marked as AI-assisted
+
+## 8. Anti-Discrimination and Worker Rights
+<!-- GUIDANCE: Charter Art. 21 (non-discrimination) is paramount. Conduct bias
+audits disaggregated by gender, ethnicity, age, and disability. Set quantitative
+thresholds for acceptable differential impact. Example: "Quarterly bias audit:
+selection rate ratio between demographic groups must exceed 0.8 (four-fifths rule).
+If below, system suspended pending investigation." -->
+
+- Regular bias audits must be conducted on AI system outputs, disaggregated by protected characteristics
+- The system must not use proxy variables that correlate with protected characteristics (gender, ethnicity, age, disability)
+- Impact assessments must evaluate differential treatment across demographic groups
+- Remediation procedures must be in place for identified discriminatory outcomes
+- Workers retain the right to contest AI-assisted decisions through established grievance procedures
+
+## 9. Works Council and Employee Representation
+<!-- GUIDANCE: Check national transposition of European Works Council Directive.
+In many EU member states, AI deployment requires formal consultation or co-determination
+with employee representatives. Document consultation process and outcomes.
+Example: In France, CSE consultation required under Art. L2312-38 Code du travail. -->
+
+- Works councils or employee representatives must be informed and consulted before AI system deployment, as required by national transposition of the European Works Council Directive
+- Employee representatives must have access to relevant system documentation and audit results
+- Consultation processes must be documented and their outcomes incorporated into deployment decisions
+
+## 10. Monitoring and Logging
+<!-- GUIDANCE: Art. 26(6) requires log retention for at least 6 months. HR-specific
+retention should align with employment law (often 3+ years for discrimination claims).
+Track both system metrics (accuracy, speed) and fairness metrics (demographic parity).
+Example: "Logs retained 5 years per employment tribunal limitation period." -->
+
+- All AI-assisted decisions must be logged with sufficient detail for auditability
+- System performance must be monitored for accuracy, fairness, and bias on a [quarterly/monthly] basis
+- Key performance indicators must include: accuracy, false positive/negative rates, demographic parity metrics
+- Logs must be retained for the period required by applicable employment law (minimum 3 years)
+
+## 11. Incident Response
+<!-- GUIDANCE: Define what constitutes an "incident" in HR context: pattern of
+discriminatory outcomes, candidate complaint of unfair treatment, system making
+decisions outside its intended scope. Suspension criteria must be specific.
+Example: "System suspended if: (a) bias audit fails four-fifths rule, (b) >3
+candidate complaints in 30 days, (c) system scores >100 candidates without
+human review." -->
+
+- Any suspected discriminatory outcome or system malfunction must be reported immediately
+- The AI system must be suspended if a pattern of discriminatory outcomes is detected
+- Affected candidates or employees must be notified and offered alternative assessment
+- Incidents must be reported to the relevant market surveillance authority where required
+
+## 12. Training and Awareness
+<!-- GUIDANCE: Art. 4 requires AI literacy. HR staff using AI need Level 2 training
+(operator level) covering bias recognition and override procedures. Training must
+be role-specific, not generic AI awareness. Example: "Recruiters complete 4-hour
+Level 2 training including: interpreting AI scores, override procedure, bias
+indicators, complaint handling. Annual refresh required." -->
+
+- All HR personnel using the AI system must receive training on its operation, limitations, and oversight responsibilities
+- Training must cover: bias recognition, override procedures, data protection obligations, and complaint handling
+- Refresher training must be provided at least annually and when significant system updates occur
+
+## 13. Review Schedule
+<!-- GUIDANCE: Annual minimum review, but trigger-based review is equally important.
+Triggers include: new AI system adoption, bias audit findings, regulatory updates,
+significant system updates from provider. Example: "Annual review in Q1; ad-hoc
+review triggered by provider updates, bias audit alerts, or >2 incidents." -->
+
+- This policy shall be reviewed at least annually and upon any significant change to the AI system
+- Review must include analysis of monitoring data, incident reports, and bias audit results
+- Updates must be communicated to all affected personnel and worker representatives
+
+## 14. Approval and Sign-off
+<!-- GUIDANCE: Minimum sign-offs: Policy Owner, HR Director, DPO, and Works Council
+Representative (where applicable). In jurisdictions with co-determination rights,
+Works Council sign-off may be legally required. Example: "Works Council representative
+signs to confirm Art. L2312-38 consultation was completed and outcomes incorporated." -->
+
+| Role | Name | Date |
+|------|------|------|
+| Policy Owner | [Approver Name] | [Date] |
+| HR Director | _________________ | _________ |
+| DPO | _________________ | _________ |
+| Works Council Representative | _________________ | _________ |

package/data/templates/policies/legal-ai-policy.md

@@ -0,0 +1,189 @@
+# AI Usage Policy — Legal / Justice
+
+| Field | Value |
+|-------|-------|
+| Policy Title | AI Usage Policy — Legal / Justice |
+| Organization | [Organization] |
+| Date | [Date] |
+| Version | [Version] |
+| AI System Name | [AI System Name] |
+| Risk Class | [Risk Class] |
+
+## 1. Purpose and Scope
+<!-- GUIDANCE: Annex III §8(a) makes judicial/legal AI high-risk. Scope must
+address professional privilege implications — use of AI in legal work creates
+novel confidentiality risks. Include ALL AI tools used by legal staff.
+Example: "Covers: Harvey (contract review), Lexis+ AI (legal research),
+in-house NLP (case analysis), Copilot (general drafting)." -->
+
+This policy governs the use of [AI System Name] within [Organization]'s legal operations. It establishes requirements for ethical, confidential and accountable use of AI in legal research, case analysis, contract review, and legal decision support, in accordance with the EU AI Act (Regulation 2024/1689).
+
+This policy applies to all legal professionals, support staff, and personnel involved in operating, supervising, or relying on AI-assisted legal analysis and decisions.
+
+## 2. Applicable Legislation
+<!-- GUIDANCE: Legal AI intersects EU AI Act with professional conduct rules
+(bar association regulations, solicitor regulation). ECHR Art. 6 (fair trial)
+is relevant when AI assists judicial decisions. Check national bar rules on
+AI use. Example: In Germany, reference BRAO §43a (duty of care) and BDSG
+§22 (processing of special categories). -->
+
+- **EU AI Act** — Annex III §8(a): AI systems intended to be used by a judicial authority or on their behalf to assist in researching and interpreting facts and the law and in applying the law to a concrete set of facts
+- **Art. 6(2)** — High-risk AI system classification
+- **Art. 9** — Risk management system requirements
+- **Art. 10** — Data governance and management practices
+- **Art. 14** — Human oversight measures
+- **Art. 26** — Obligations of deployers of high-risk AI systems
+- **GDPR** — Art. 22 (automated individual decision-making), Art. 35 (DPIA)
+- **EU Charter of Fundamental Rights** — Art. 47 (right to effective remedy and fair trial), Art. 48 (presumption of innocence)
+- **European Convention on Human Rights** — Art. 6 (right to a fair trial)
+- **Professional conduct rules** — applicable bar association and law society regulations
+
+## 3. AI System Description
+<!-- GUIDANCE: Describe the specific legal tasks the AI performs. Distinguish
+between research assistance (finding cases) and analytical assistance (predicting
+outcomes, drafting arguments). Example: "AI legal research: searches case law
+database, returns relevant cases with relevance scores. Does NOT provide legal
+analysis or outcome prediction. All results verified by qualified lawyer." -->
+
+- System name: [AI System Name]
+- Description: [Description]
+- Provider: [Provider]
+- Model ID: [Model ID]
+- Autonomy level: [Autonomy Level]
+
+## 4. Risk Classification
+<!-- GUIDANCE: AI assisting judicial authorities is high-risk per Annex III §8(a).
+AI used for internal law firm operations (billing, scheduling) may be lower risk.
+Document classification per system. Example: "Case analysis AI: high-risk
+(Annex III §8(a)); time recording AI: minimal risk (administrative)." -->
+
+This AI system is classified as **[Risk Class]** under the EU AI Act. AI systems intended for use by judicial authorities or in legal proceedings are classified as high-risk under Annex III §8(a).
+
+## 5. Data Governance
+<!-- GUIDANCE: Legal privilege creates unique data governance challenges. Client
+data must NEVER be used for AI model training or shared with providers. Verify
+provider's data handling (does the model learn from inputs?). Example: "Provider
+contractual guarantee: zero data retention, no model training on inputs.
+Client matters segregated by matter ID. No cross-matter data leakage possible." -->
+
+- Client data must be processed in compliance with professional privilege and confidentiality obligations
+- Data minimisation: only legally relevant information shall be provided to the AI system
+- Case data must be segregated to prevent cross-contamination between client matters
+- Third-party AI providers must not retain or use client data for training or other purposes
+- Data residency requirements must comply with applicable legal professional regulations
+- Document retention and destruction policies must account for AI-processed materials
+
+## 6. Human Oversight
+<!-- GUIDANCE: Professional duty of competence requires lawyers to understand
+AI limitations. AI outputs are tools, not substitutes for professional judgment.
+Every AI-generated citation must be independently verified — LLMs hallucinate
+legal citations. Example: "Mandatory verification checklist before any
+AI-assisted document is filed: (1) all citations verified in primary source,
+(2) all statutory references current, (3) jurisdictional applicability confirmed." -->
+
+- Autonomy level: [Autonomy Level]
+- [Human Oversight Description]
+- The AI system must be used as a research and analysis tool only; legal judgments and advice must be provided by qualified legal professionals
+- Legal professionals must independently verify all AI-generated legal citations, case references, and statutory interpretations
+- AI outputs must not be presented to clients or courts without professional review and validation
+
+## 7. Transparency and Disclosure
+<!-- GUIDANCE: Professional conduct rules may require disclosure of AI use to
+clients and courts. Check applicable bar rules. Some jurisdictions require
+informing opposing counsel. Example: "Client engagement letter updated to
+include: 'We may use AI tools to assist with legal research and document
+review. All AI-assisted work is reviewed by qualified lawyers.'" -->
+
+- Clients must be informed when AI tools are used in the handling of their matter
+- The extent and nature of AI involvement must be disclosed as required by professional conduct rules
+- Courts and tribunals must be informed of AI assistance where required by procedural rules
+- AI-assisted legal documents must be reviewed and adopted as the professional's own work product
+
+## 8. Professional Confidentiality and Ethics
+<!-- GUIDANCE: Attorney-client privilege may be waived if confidential data is
+shared with third-party AI providers without adequate safeguards. Conduct privilege
+impact assessment for each AI tool. Example: "Privilege risk assessment: Harvey
+(API deployment, no data retention — LOW risk); ChatGPT (shared model —
+HIGH risk, restricted to non-privileged research only)." -->
+
+- Attorney-client privilege and legal professional privilege must be maintained when using AI systems
+- Data processed by the AI system must not be accessible to third parties, including the AI provider, in a manner that could waive privilege
+- Conflict of interest checks must account for information processed by the AI system
+- AI use must comply with the professional duty of competence — lawyers must understand the AI tool's capabilities and limitations
+- The duty of independent professional judgment must not be delegated to AI systems
+
+## 9. Unauthorized Practice Prevention
+<!-- GUIDANCE: AI outputs that reach clients without lawyer review may constitute
+unauthorized practice of law. Implement technical controls (access restrictions)
+and procedural controls (review requirements). Example: "AI legal research tool
+restricted to lawyer login only. Output watermarked: 'AI-generated — requires
+lawyer review. Not legal advice.' Client portal has no AI-direct access." -->
+
+- AI system outputs must not constitute legal advice to the public without professional intermediation
+- Access controls must ensure that only qualified legal professionals can generate and interpret AI legal analysis
+- AI-generated legal documents must not be filed or distributed without professional review and approval
+- The system must include appropriate disclaimers indicating that AI outputs do not constitute legal advice
+- Procedures must be in place to prevent clients or unqualified staff from directly relying on raw AI outputs
+
+## 10. Monitoring and Logging
+<!-- GUIDANCE: Track hallucination rate (fabricated citations) as a critical KPI.
+Legal AI accuracy has direct professional liability implications. Jurisdictional
+correctness is essential for multi-jurisdiction practices. Example: "Monthly
+audit: 50 random AI citations verified. Current hallucination rate: 2.3%
+(target <1%). Jurisdictional accuracy: 97.5% (target >99%)." -->
+
+- All AI-assisted legal analyses must be logged with sufficient detail for professional accountability
+- System performance must be monitored for accuracy of legal citations, case law currency, and analytical reliability
+- Key metrics: citation accuracy, hallucination rate, jurisdictional correctness, analytical consistency
+- Monitoring frequency: [monthly/quarterly] with professional oversight committee review
+- Logs must be retained in compliance with legal record-keeping and professional indemnity requirements
+
+## 11. Incident Response
+<!-- GUIDANCE: Legal AI incidents may trigger professional indemnity insurance
+notification, regulatory reporting, and duties to the court. If inaccurate
+AI analysis was relied upon in filed documents, the duty of candor may require
+correction. Example: "If AI-hallucinated citation is discovered after filing:
+(1) correct with court immediately, (2) notify client, (3) notify PI insurer
+within policy terms (typically 48 hours)." -->
+
+- Any discovered inaccuracy in AI-generated legal analysis that was relied upon must be reported immediately
+- If inaccurate AI analysis was submitted to a court or relied upon in advice, corrective action must be taken promptly
+- Professional indemnity insurers must be notified as required by policy terms
+- Affected clients must be informed if AI-related errors materially affect their matter
+- Root cause analysis must be conducted and remediation measures implemented
+
+## 12. Training and Awareness
+<!-- GUIDANCE: Legal professionals need training specific to AI verification —
+LLM-generated legal text can be highly convincing but factually wrong. Include
+practical exercises with known AI errors. Example: "Training exercise: review
+AI-generated memo containing 3 deliberate errors (hallucinated case, wrong
+jurisdiction, outdated statute). Trainees must identify all 3 to pass." -->
+
+- All legal professionals using the AI system must receive training on its operation, limitations, and ethical obligations
+- Training must cover: verification procedures, confidentiality safeguards, professional responsibility, and error reporting
+- Competency assessment must be completed before independent use for client matters
+- Refresher training must be provided at least annually and upon significant system updates
+
+## 13. Review Schedule
+<!-- GUIDANCE: Legal AI policy must be updated when professional conduct rules
+change. Bar associations are actively developing AI guidance — monitor updates.
+Example: "Review triggers: new SRA/BSB guidance on AI, bar association updates,
+new AI tool adoption, incident requiring corrective action." -->
+
+- This policy shall be reviewed at least annually and upon relevant changes to professional conduct rules or legislation
+- Review must incorporate accuracy monitoring data, incident reports, and regulatory guidance updates
+- Updates must be approved by the firm's Managing Partner / General Counsel and Ethics Committee
+
+## 14. Approval and Sign-off
+<!-- GUIDANCE: Managing Partner/General Counsel sign-off represents the firm's
+commitment to responsible AI use. Ethics Committee ensures professional conduct
+compliance. Consider external review by professional indemnity insurer.
+Example: "Ethics Committee confirms compliance with SRA Principles (UK) /
+CCBE guidance. PI insurer notified of AI tool adoption." -->
+
+| Role | Name | Date |
+|------|------|------|
+| Policy Owner | [Approver Name] | [Date] |
+| Managing Partner / General Counsel | _________________ | _________ |
+| DPO | _________________ | _________ |
+| Ethics Committee Chair | _________________ | _________ |