AI Permissioning for Law Firms: The Technical Question Every IT Lead Asks
March 8, 2027 · 5 min read · LeadLex Editorial
Every serious conversation with a law-firm IT lead about AI starts in the same place. Not pricing, not features, not model choice — permissions. Who can see what, who can act on whose behalf, what gets logged, and what can be undone. These questions are not new. Firms have spent two decades building matter-level access controls, ethical walls, and audit trails into their document management and practice management systems. The mistake most AI vendors make is treating those controls as someone else's problem.
AI permissions must mirror human permissions
The first principle is the simplest one. If a paralegal cannot see a matter, the AI agent acting on the paralegal's behalf cannot see that matter either. If a partner is walled off from a client because of a conflict, no agent operating in that partner's context may surface data from the walled-off side. This sounds obvious. It is routinely violated by AI tools that index a firm's data into a single vector store and then rely on prompt-level filtering to enforce access. Prompt-level filtering is not access control. It is a request to the model to please not mention something, which is the security posture of asking a toddler to ignore a biscuit.
Real permissioning happens at the data layer. Each query, each retrieval, each action must be evaluated against the acting user's actual entitlements at the moment of execution. Inside LeadLex, Lexi inherits the permission set of the partner she is acting for. She cannot retrieve a contact, see a matter, or act on a relationship the partner is not entitled to act on himself. The agent has no privileged superuser mode that bypasses the firm's existing model.
Delegation ladders
Partners delegate. They always have. A partner may want his BD coordinator to act on his behalf for certain categories of outreach, his trainee to draft conference summaries, and nobody to touch his confidential cross-border matters. The AI layer needs to express the same ladder. Lexi can be configured per-partner with explicit delegation rules — who else can ask her to act on this partner's behalf, for what categories of action, and with what review requirements before anything leaves the firm. The default posture is restrictive. Delegation is an explicit choice, not an inherited side effect.
Ethical walls
Ethical walls in a law firm are not a soft preference. They are a regulatory obligation, and an AI system that cannot enforce them is unusable in a serious practice. The architecture has to support hard walls — partner A and partner B cannot, under any circumstances, see each other's data on a walled matter, and no agent operating for either of them may bridge the wall. The wall has to be enforced at the storage and retrieval layer, not at the application layer. In practice this means matter-level encryption boundaries and query-time entitlement checks that have no fallback path.
Audit
Every action an AI agent takes on behalf of a user must be logged with the same fidelity a human action would be. Who initiated the action, what data was retrieved, what was generated, what was sent, when, and to whom. This is not just a compliance requirement — it is what makes the agent trustworthy. A partner reviewing Lexi's activity for the week should be able to see exactly what she did in his name, click into any item, and understand the chain of inputs that produced it. Black-box agents have no place in regulated practice.
Undo windows
The newest and most under-discussed control. AI agents act faster than humans. A drafting agent that auto-sends emails creates a class of mistake the firm has never had to manage at scale before — confident, well-written, wrong outreach that has already arrived in the prospect's inbox. The mitigation is a deliberate undo window. Outbound actions are queued for a configurable interval before execution, visible to the acting partner, cancellable with one click. For some categories of action — anything touching a client of record, anything to a regulator, anything cross-border with conflict implications — the window is replaced by an explicit human approval gate.
Explicit AI-action policies
Beyond mirroring human permissions, firms need a layer that does not exist in the human model — explicit policies about what AI agents may do at all. Categories of outreach Lexi is permitted to draft autonomously, categories she may queue for review, categories she may not touch. Jurisdictions where she may operate. Data she may store in her working memory versus data that must be retrieved fresh on each query. These policies are firm-level, configurable, and visible to every partner. They are also auditable — the firm can prove, at any point, what its agent was and was not permitted to do.
The architecture choice underneath
None of this works on shared multi-tenant infrastructure with model-level filtering. It requires per-firm siloed deployment, hosted in jurisdiction (Frankfurt, in LeadLex's case), with the firm's data never leaving its dedicated environment and never being used to train any model. The DPA is signed firm-by-firm, the data is encrypted with firm-controlled keys, and the audit log is the firm's property. That is the floor. Anything below it is not a serious offering for an IP practice.
Related: AI Procurement for Law Firms. The Model Context Protocol Explained for Legal-Tech Buyers. Best CRM for IP Law Firms in 2026.