AI Audit for law firms
The JurisIT AI Readiness Index (JARI) measures your firm's readiness to adopt AI safely and effectively. Six domains. Five readiness bands. One clear picture of where your firm stands and what to do next.
Developed by Frank Downes, practising solicitor and Clio Certified Partner.
Free · 10 minutes · Instant result · Developed by a practising solicitor · Australia & UK
What is the JARI?
The JurisIT AI Readiness Index (JARI) is a structured assessment framework developed specifically for small law firms. It measures your firm's readiness to adopt, govern, and benefit from AI tools — not as a technology audit, but as a practice readiness assessment.
JARI scores your firm across six domains, each weighted to reflect its significance to a law firm's actual AI risk exposure. The result is a readiness band — from Critical Risk to Advanced — and a domain-level breakdown that shows exactly where your firm's governance gaps are and how to address them.
Why law firms specifically?
AI readiness frameworks designed for general business apply poorly to legal practice. Law firms carry confidentiality obligations that most businesses do not. They handle categories of personal information that attract specific regulatory obligations. Their staff work under professional conduct rules that AI use can breach silently. JARI is built around the actual risk profile of a small law firm — not adapted from a corporate IT checklist.
The Six Domains
JARI measures readiness across six domains. Each domain is scored 1–5 by the assessing consultant. The overall JARI score is a weighted average across domains.
Domain 1 — Technology Infrastructure
What AI-capable tools exist in your firm's technology environment, and are they configured securely? This domain assesses your Microsoft 365 tenant configuration, device management, data residency settings, and the baseline security posture that underpins everything else.
| Technology Infrastructure | Score 1 | Score 5 |
|---|---|---|
| No cloud-based systems. No MFA. Devices unmanaged. | M365 fully configured. MFA enforced. Devices managed. Data residency set. | |
| Why it mattersUnsecured infrastructure means AI tool output and data inputs have no secure perimeter. | ||
Domain 2 — Data Governance
What data does your firm hold, how is it classified, and how is it protected? This domain assesses your firm's approach to data classification, retention, access controls, and cross-border transfer — all directly relevant to how AI tools process client information.
| Data Governance | Score 1 | Score 5 |
|---|---|---|
| No data classification. No retention policy. No access controls beyond passwords. | Data classified, labelled, and retained per obligations. Access controlled by role. Cross-border transfers documented. | |
| Why it mattersAI tools process data. If your data governance is weak, AI makes weak data governance faster. | ||
Domain 3 — AI Tool Exposure
What AI tools are staff actually using, and what data do those tools access? This domain surfaces Shadow AI — the gap between what management knows is in use and what staff are actually using. It is typically the most revealing domain in any JARI assessment.
| AI Tool Exposure | Score 1 | Score 5 |
|---|---|---|
| No awareness of staff AI tool use. No inventory. No controls. | Full AI tool inventory. Approved tool list. Staff survey completed. Shadow AI gap quantified. | |
| Why it mattersMost law firm AI risk is already in flight — it is not a future problem. Staff are using AI tools now. | ||
Domain 4 — Regulatory & Compliance
Does your firm meet the regulatory obligations that AI use triggers? This domain assesses your Privacy Act (AU) / UK GDPR compliance posture, AML/CTF obligations where AI tools touch client data, and professional conduct obligations under your relevant law society or bar association guidance.
| Regulatory & Compliance | Score 1 | Score 5 |
|---|---|---|
| No privacy policy covering AI. No review of AI tool DPAs. No awareness of conduct guidance. | AI tool use covered in privacy policy. DPAs reviewed. Staff trained on conduct obligations. Jurisdiction-specific guidance reviewed and documented. | |
| Why it mattersRegulatory obligations do not pause because a tool is new. Gaps become exposure the moment a breach or complaint occurs. | ||
Domain 5 — People & Culture
Do your staff understand AI risks in the context of legal practice? This domain assesses AI literacy, awareness of confidentiality obligations in AI tool use, and the cultural conditions that determine whether governance policies will actually be followed.
| People & Culture | Score 1 | Score 5 |
|---|---|---|
| No AI training. Staff unaware of confidentiality implications. No reporting culture. | Staff trained on AI risks in legal context. Reporting channel for AI concerns exists and is used. Culture of responsible use embedded. | |
| Why it mattersPolicy without culture is wallpaper. AI governance that staff do not understand will not be followed. | ||
Domain 6 — Governance & Policy
Does your firm have documented AI governance that can be evidenced to clients, regulators, and insurers? This domain assesses whether your AI use policies exist, are current, are known to staff, and whether they cover the specific obligations that apply to a law firm.
| Governance & Policy | Score 1 | Score 5 |
|---|---|---|
| No AI policy. No acceptable use documentation. No oversight process. | AI governance policy current, approved by principals, and communicated to staff. Acceptable use documented. Review cycle in place. | |
| Why it mattersAI governance is increasingly a client-facing expectation and an insurer requirement — not just an internal housekeeping matter. | ||
Five Readiness Bands
Your overall JARI score places your firm in one of five readiness bands. The band is the starting point for a conversation about what to prioritise — not a pass/fail result.
| Score | Band | What it means |
|---|---|---|
| 1.0–1.4 | Critical Risk | Significant AI exposure with no governance in place. Immediate action required. |
| 1.5–2.4 | Developing | Some awareness but limited governance. AI use is happening without appropriate controls. |
| 2.5–3.4 | Established | Basic governance in place. Most firms in this band have a policy but limited evidence of implementation. |
| 3.5–4.4 | Proficient | Governance implemented and evidenced. AI use is controlled and documented. |
| 4.5–5.0 | Advanced | Comprehensive governance with ongoing review. AI use is deliberate, documented, and demonstrable. |
Most small law firms score between 1.5 and 2.5 on their first JARI assessment. That is not a criticism — it reflects the current state of the profession. The value of JARI is not the score. It is the domain-level breakdown that shows exactly where to focus first.
Shadow AI
Shadow AI is AI tool use by staff that has not been approved or inventoried by the firm. It is not malicious. It is almost always the result of staff finding genuinely useful tools and using them without realising the professional and regulatory implications.
In a law firm, Shadow AI creates three categories of risk:
Confidentiality risk
A staff member copies a client letter into an AI tool to help draft a response. The tool processes that text on external servers under terms of service the firm has not reviewed. The client's information — potentially including matters in dispute, financial details, or personal data — has left the firm's control.
That is a potential breach of the solicitor's duty of confidentiality. The staff member did not intend to create a breach. There is no policy that covers it.
Professional conduct risk
Using an unsanctioned AI tool with client data is a potential breach of professional conduct obligations — regardless of whether any harm results. Law societies and bar associations in both Australia and the United Kingdom have issued guidance on AI use in legal practice. Ignorance of that guidance is not a defence.
Regulatory risk
The Privacy Act (AU) and UK GDPR impose obligations on how personal data is processed. Using an AI tool that processes personal data is a processing activity that must be covered by your privacy policy and data processing agreements. Most consumer AI tools do not provide the Data Processing Agreements required for regulated entities.
How JARI surfaces Shadow AI
JARI assesses Shadow AI exposure primarily through Domain 3 (AI Tool Exposure) and Domain 6 (Governance & Policy). It combines two data sources:
- Technical discovery — what AI-capable tools are visible on the firm's network and Microsoft 365 environment.
- Staff disclosure — what AI tools staff report using, in response to a structured survey or interview.
The gap between those two answers — tools visible on the network that staff do not disclose, and tools staff disclose that do not appear on the network — is the Shadow AI picture. It is almost always larger than management expects.
"Do you know what AI tools your staff are already using?" Almost every managing partner pauses. The honest answer is no. That pause is the beginning of a governance conversation your firm needs to have.
Take the AI Audit
The AI Audit is a free, 10-minute self-assessment covering all six JARI domains. It produces an instant readiness band and a summary of your firm's priority governance gaps.
It is designed for managing partners and practice managers. No technical knowledge is required. Your results are confidential — they are not shared with anyone without your permission.
What happens after the AI Audit?
Your diagnostic result places you in one of five readiness bands. For most firms, the diagnostic raises questions the self-assessment alone cannot answer — about specific tools, specific risks, and specific steps to take.
The full JARI Review is a two-week consultant-led assessment that goes deeper across all six domains, producing a domain-by-domain findings report, a priority action list, a draft AI governance policy for your firm, and a debrief with Frank Downes, practising solicitor and Clio Certified Partner.
Full JARI Review — what you receive:
- → Complete JARI Scorecard with domain scores and band placement
- → Shadow AI Exposure Report — what tools are in use and what risk they carry
- → 12-Month AI Governance Roadmap aligned to Practice Resilience® stages
- → AI Acceptable Use Policy starter document (firm-specific)
- → 60-minute debrief
Frequently Asked Questions
-
JARI measures a law firm's readiness to use AI safely across six domains: Technology Infrastructure, Data Governance, AI Tool Exposure, Regulatory & Compliance, People & Culture, and Governance & Policy. Each domain is scored 1–5 and the result is a readiness band from Critical Risk to Advanced.
-
Shadow AI is the use of AI tools by staff without firm approval. In law firms it creates confidentiality, professional conduct, and regulatory risks. JARI is specifically designed to surface Shadow AI exposure.
-
The free online AI Audit takes approximately 10 minutes and produces an instant readiness band result. The full JARI Review takes one to two weeks from instruction to delivery.
-
A score of 3 (Established) means basic governance is in place. Most small law firms score between 1.5 and 2.5 on their first assessment, which reflects the current state of the profession.
-
Yes. The JARI framework applies to both jurisdictions. The Regulatory & Compliance domain accounts for jurisdiction-specific obligations — including the Privacy Act and AML/CTF obligations in Australia, and UK GDPR and SRA guidance in the United Kingdom. JurisIT operates across both markets and Frank Downes brings legal-practice domain knowledge from his NSW practising solicitor background to the assessment design.
-
Yes — we walk the talk. Every AI tool or workflow we recommend to clients has been used, tested, and iterated internally first. We have made the mistakes, learned from them, and adjusted our approach — so when we implement something for your firm, you are getting the benefit of that tested practice rather than theory. We push the boundaries of what AI can do in a legal technology context deliberately, and we bring that direct experience into every engagement.
-
Your result places you in one of five readiness bands. For most firms, the diagnostic raises questions the self-assessment alone cannot answer. The full JARI Review goes deeper across all six domains and produces a findings report, a priority action list, a draft AI governance policy, and a debrief. Book a full JARI Review →
-
Yes, though the picture looks different. If you answered 'just me' in the diagnostic, see Practice Resilience® Solo — a version of the programme designed specifically for sole practitioners.