Law firms now sit at a peculiar crossroads: they advise clients on AI risk while deploying the same technology across their own operations. In March 2026, K&L Gates LLP resolved that tension in a concrete way, becoming one of the first law firms globally to earn ISO/IEC 42001:2023 certification for its Artificial Intelligence Management System. The move signals something larger than one firm’s compliance milestone. It marks the beginning of a shift in how the US legal industry thinks about AI governance: not as an ethics talking point, but as a structured, auditable discipline.
What ISO/IEC 42001:2023 Actually Requires and Why Legal Services Is a Hard Test Case
ISO/IEC 42001:2023 is the international standard for AI management systems. Published by the International Organization for Standardization, it establishes requirements for organizations to build, maintain, and improve an Artificial Intelligence Management System, what practitioners call an AIMS. Think of it as the AI equivalent of ISO 27001 for information security: a structured framework that an independent auditor can examine, test, and certify.
The standard covers six core domains: governance and leadership, AI risk management, data governance, operational controls, performance evaluation, and continual improvement. Certification requires an independent audit confirming that all domains are implemented, documented, and functioning, not just that policies exist on paper.
For most industries, implementing an AIMS is a technical and operational exercise. For law firms, the challenge is considerably more layered. Legal practice sits at the intersection of three competing obligations: professional ethics rules enforced by state bar associations, attorney-client privilege and confidentiality requirements under Model Rules 1.6 and 5.3, and increasingly specific data protection laws that vary by jurisdiction. Adding AI into client-facing workflows (research, contract review, due diligence, litigation support) means every governance decision has a professional responsibility dimension attached to it.
That complexity is precisely why K&L Gates’ certification carries weight beyond a marketing announcement.
The K&L Gates Case Study: Building an AIMS From the Ground Up
K&L Gates did not arrive at ISO/IEC 42001:2023 certification overnight. The groundwork started in 2023, when the firm established a cross-disciplinary AI Solutions Group to guide its firmwide AI strategy. That group was distinct from a typical IT steering committee: it included practicing lawyers, technology professionals, information security specialists, and compliance officers working in coordinated governance, not siloed functions.
The firm’s AI Forward℠ framework formalized four operating principles across all AI deployments: use only approved platforms, maintain transparency with clients about AI use, verify all AI outputs before they reach clients, and complete mandatory training. Those four requirements map almost directly onto ISO/IEC 42001’s operational control requirements.
By the time K&L Gates pursued certification, the firm had already deployed AI across research, drafting, contract review, due diligence, and discovery through a vetted set of platforms: Legora as the primary platform (deployed across all offices globally), Vincent, Westlaw Precision AI, Relativity Analytics, CoCounsel, and Microsoft 365 Copilot. Each platform passed through a formal demand process: an initial assessment, a security review, a technology evaluation, and a business case assessment before deployment approval.
“It wasn’t just about the tech. It was about ensuring you had the discipline in place in terms of a policy and constant monitoring.” (Harpreet Suri, CTO, K&L Gates)
The firm also created a dedicated AI Adoption Manager role and an AI Training Alliance, a cross-functional group co-led by general counsel John Hagan and senior counsel Alicia Hawley, to coordinate governance, tools, and use-case training firmwide. Role-specific AI training was delivered in partnership with AltaClaro and Hotshot Legal, covering AI literacy, prompt engineering, and partner supervisory oversight.
The certification K&L Gates received confirmed that the AIMS governing all of this operated with verifiable controls around accountability, risk management, ethics, transparency, data protection, and regulatory compliance. It also sat alongside the firm’s existing ISO 27001 and ISO 27701 certifications, creating a package that gives clients confidence their data is handled securely when AI tools are involved.
The US Regulatory Context Driving Demand for Formal AI Governance
K&L Gates’ certification did not happen in a regulatory vacuum. The US legal environment around AI governance has grown significantly more demanding in the 18 months preceding March 2026.
State-level AI legislation has accelerated. As of early 2026, more than 40 states have introduced or passed AI-related legislation. Colorado’s SB 23-169 established algorithmic discrimination protections. Illinois, Texas, and New York have enacted or proposed AI bias audit requirements. California’s CPPA has advanced automated decision-making regulations under the CPRA that set expectations for documented governance processes.
ABA guidance on AI has sharpened. The American Bar Association’s Formal Opinion 512 (2024) addressed generative AI in legal practice, clarifying that competence under Model Rule 1.1 requires lawyers to understand the material risks and benefits of AI tools they use. Supervision obligations under Rule 5.3 extend to AI outputs. Confidentiality under Rule 1.6 applies to data shared with AI platforms. Together, these create a de facto governance requirement.
Client procurement pressure has become a real forcing function. Harpreet Suri of K&L Gates observed that once one major firm achieves ISO 42001 certification, procurement departments and RFP processes will start requiring it. That observation has already proven prescient: Fortune 500 legal departments increasingly include AI governance questions in outside counsel evaluations.
The NIST AI Risk Management Framework (AI RMF 1.0), FTC guidance on AI, and SEC focus on AI in investment advice round out the picture. For US law firms advising clients on these exact compliance challenges, operating without a structured AIMS creates a visible credibility problem.
Corporate legal teams are not asking these governance questions in isolation. The same pressure is already visible in regulated financial services, where banks are applying model risk controls, validation, and fair lending expectations to AI systems. Law firms advising banks, insurers, and fintech clients should also understand how AI governance in banking and financial services is becoming a board-level compliance issue.
What an AIMS Looks Like Inside a Law Firm: The Operational Reality
Understanding what K&L Gates actually built helps clarify what AI governance in legal services requires in practice, and what distinguishes structured governance from policy theater.
AI risk assessment embedded in procurement. Every AI tool request at K&L Gates goes through a formal four-stage review before approval. This prevents the ad-hoc adoption of consumer AI tools that create confidentiality and data sovereignty risks. For law firms, a generative AI platform that sends input data to third-party model training creates a potential Rule 1.6 violation without a proper data processing agreement and governance review.
Documented controls across the AI lifecycle. ISO/IEC 42001 requires controls that span from initial AI system evaluation through deployment, monitoring, and decommissioning. In a law firm context, this means maintaining records of which AI tools are approved, what data they can access, what outputs require human verification, and how errors or hallucinations are caught and documented.
Training as a governance control. The AI Training Alliance K&L Gates established was not just an HR initiative. Role-specific training is a documented governance control under ISO/IEC 42001: evidence that the people operating within the AIMS understand their obligations. The firm’s partnership with AltaClaro covered prompt engineering and partner supervisory oversight, mapping directly onto the standard’s competence requirements.
Continuous improvement mechanisms. ISO/IEC 42001 requires nonconformity management, a process for identifying when controls fail, documenting what happened, and improving the system. For law firms, this creates a structured mechanism for learning from AI incidents in a way that reduces recurrence.
Client transparency as a governance output. K&L Gates’ AI Forward℠ framework mandates transparency with clients about AI use. This is simultaneously a governance control, an ethics compliance measure under ABA guidance, and a trust-building mechanism that differentiates the firm in client relationships.
Why This Matters for Mid-Size and Regional US Law Firms
K&L Gates is a global firm with 45+ offices and significant technology infrastructure. The natural response from mid-size and regional US firms is: “this doesn’t apply to us.” That response is understandable, but it underestimates how quickly market expectations shift once a credibility benchmark exists.
Consider the parallel with information security. ISO 27001 certification was once a specialty concern for technology companies. By 2020, large corporate legal departments routinely required outside counsel to complete security questionnaires, and firms that could point to ISO 27001 had a clear procurement advantage. AI governance is following the same arc, on a compressed timeline.
Three signals indicate the timeline is shorter than most regional firms assume. First, the AmLaw 100 firms are not standing still; several are understood to be pursuing ISO/IEC 42001 certification. Once four or five prominent firms have certification, it will appear in client RFP boilerplate within 12-18 months. Second, smaller firms face the same underlying ABA obligations regardless of size. Third, the NIST AI RMF provides a US-native governance framework that maps closely to ISO/IEC 42001, giving firms a structured starting point without committing to full certification immediately.
The practical starting point for most firms is an AI inventory: a documented list of every AI tool used across the firm, what data each tool processes, what client-facing outputs it contributes to, and what oversight exists. That inventory is the foundation on which structured governance is built.
AI Governance and Attorney-Client Privilege: The Confidentiality Dimension
No treatment of AI governance in legal services is complete without addressing the privilege and confidentiality implications, the issues that generate the most concern among practicing attorneys.
Model training data. Some AI platforms use input data to train or fine-tune their models. A firm that feeds client documents into such a platform without a data processing agreement explicitly prohibiting training use has potentially disclosed confidential information to a third party. ABA Formal Opinion 512 requires lawyers to understand how AI tools handle data before using them on client matters.
Metadata and output traceability. AI-generated work product may contain metadata revealing the tools used, the prompts submitted, or intermediate outputs. In litigation, opposing counsel may seek discovery of AI use in document production processes. Firms without documented AI governance policies face uncertainty about how to respond to such requests.
Privilege over AI governance processes. A firm’s AI risk assessments, incident reports, and governance documentation may themselves be subject to discovery in malpractice or professional responsibility proceedings. Firms that treat AI governance as a compliance exercise rather than a privileged legal process may inadvertently waive protections.
K&L Gates’ AIMS addresses these concerns structurally. The formal procurement review process ensures data handling terms are reviewed before tool adoption. The verification requirement creates a documented human checkpoint. The governance structure establishes clear accountability for how AI-related issues are supposed to be handled.
The Broader Industry Shift: AI Governance as Competitive Differentiation
Stacy Ackermann, Global Managing Partner of K&L Gates, framed the certification in terms that go beyond compliance: “Clients are embracing AI to transform their businesses, and they expect their law firms to responsibly do the same.”
That framing captures a competitive reality that extends well beyond risk management. Corporate clients, building their own AI governance programs under pressure from regulators, boards, and their own procurement departments, increasingly want outside counsel who can speak from experience. A law firm with a certified AIMS is not just a safer choice from a data protection standpoint; it is a more credible advisor on AI governance because it has navigated the same challenges its clients face.
This creates a feedback loop. K&L Gates advises clients on AI compliance, data governance, and regulatory risk. Having built and certified its own AIMS, the firm’s lawyers can speak with the authority of practitioners who have implemented what they recommend. That kind of experiential credibility is difficult to replicate from policy analysis alone.
The K&L Gates Endowment for Ethics and Computational Technologies at Carnegie Mellon University, established in 2016, well before generative AI entered mainstream conversation, reflects a long-standing institutional commitment to this space. The ISO 42001 certification is the operational expression of that commitment.
For US law firms watching this development, the question is not whether AI governance standards will reach their practices. The question is whether they will be positioned to lead that conversation or respond to it.
Frequently Asked Questions
What is ISO/IEC 42001:2023 and why does it matter for law firms?
ISO/IEC 42001:2023 is the international standard for Artificial Intelligence Management Systems. It provides a structured framework covering AI risk assessment, data governance, operational controls, and continual improvement that organizations can implement and have independently audited. For law firms, it creates verifiable evidence of responsible AI governance at a time when clients, regulators, and bar associations are all asking how firms manage AI risk.
Is K&L Gates the first law firm to achieve ISO/IEC 42001 certification?
K&L Gates is among the first law firms globally to earn ISO/IEC 42001:2023 certification, achieved in March 2026. The firm’s announcement described it as one of the first globally, confirmed by multiple legal industry publications. Other AmLaw firms are expected to pursue certification following this milestone.
Do ABA ethics rules require law firms to have formal AI governance?
ABA Formal Opinion 512 (2024) does not mandate certification, but it establishes that competent representation under Model Rule 1.1 requires understanding AI tools’ material risks and benefits. Supervision obligations under Rule 5.3 extend to AI outputs, and confidentiality requirements under Rule 1.6 apply to client data processed by AI platforms. A structured AIMS is well-suited to satisfy these governance expectations.
What is an Artificial Intelligence Management System (AIMS)?
An AIMS is a documented, operational framework for governing how an organization develops, deploys, monitors, and improves its use of AI systems. Under ISO/IEC 42001, it covers governance structures, risk assessment processes, data quality controls, operational procedures, and audit mechanisms, analogous to an Information Security Management System under ISO 27001, but focused specifically on AI.
How does AI governance in law firms differ from other industries?
Law firms face governance challenges most industries do not: attorney-client privilege means AI data processing decisions carry professional responsibility implications; state bar confidentiality rules require specific contractual protections with AI vendors; and the supervised practice of law means AI outputs cannot be accepted without attorney verification. These obligations add layers beyond typical enterprise AI risk management.
What US regulations are driving AI governance requirements for law firms?
Key drivers include ABA Formal Opinion 512 on generative AI, state AI legislation (Colorado SB 23-169, California CPRA automated decision-making rules, and 40+ state AI bills), the NIST AI Risk Management Framework, FTC guidance on AI, and client procurement requirements from sophisticated corporate legal departments.
What AI tools does K&L Gates use under its certified AIMS?
K&L Gates has deployed AI across research, drafting, contract review, due diligence, and discovery through several vetted platforms: Legora (the primary platform, deployed firmwide), Vincent, Westlaw Precision AI, Relativity Analytics, CoCounsel, and Microsoft 365 Copilot. Each platform underwent formal procurement review before approval.
How should mid-size US law firms start building AI governance?
Start with an AI inventory: document every AI tool currently used across the firm, identify what client data each tool processes, map what outputs each tool contributes to, and assess what oversight exists. That inventory forms the foundation for structured governance. Aligning with the NIST AI RMF provides a US-native framework that maps closely to ISO/IEC 42001 requirements.
Conclusion
K&L Gates’ ISO/IEC 42001:2023 certification is significant not because certification programs are inherently transformative, but because of what it signals about where the US legal industry is heading. The combination of sharpening professional responsibility guidance, client procurement pressure, and a growing US state regulatory environment creates conditions where structured AI governance will shift from competitive differentiator to baseline expectation, probably faster than most firms are planning for.
The firms best positioned for that shift are those treating AI governance as an operational discipline rather than a policy document exercise: AI inventories, formal procurement reviews, training as a governance control, and mechanisms for catching and learning from AI errors.
GAICC’s ISO/IEC 42001 certification programs give governance professionals the framework to build, lead, and audit exactly these kinds of systems. Explore GAICC’s Lead Implementer and Lead Auditor certifications, purpose-built for professionals leading AI governance programs in regulated industries.
