Each playbook names the governing framework, the rules a memo can cite, the questions whose answers determine whether use is permissible, and the single strongest argument for that field. These summaries are a starting point for the conversation, not legal advice; their purpose is to set up the next move, which is asking your organization's counsel or compliance function the right questions, in writing, before rollout. A documented unanswered question is itself a powerful exhibit.
Legal practice
Law is the field where the case is most developed, because the profession has both binding ethics rules and a public record of AI failures. The national framework is ABA Formal Opinion 512 (July 2024), the first formal ethics guidance on generative AI, which maps existing Model Rules of Professional Conduct onto AI use rather than creating new ones. Its core message: AI doesn't change a lawyer's obligations, and those obligations attach to everyone whose work flows into a filing — including the work of paralegals and legal assistants under the supervision rules.
Beyond the Model Rules, many states have issued their own AI ethics guidance, and a number of individual judges have standing orders imposing AI disclosure or verification requirements on filings, so local rules need checking matter by matter.
Questions for the memo: Which tasks involving client information would the tool touch, and does the vendor agreement prohibit training on inputs and provide for confidentiality? Has anyone checked the standing orders of the judges before whom we appear? Who is the verifying attorney of record for AI-assisted work product, and is that verification time being scheduled and billed honestly? What is our written policy if a hallucinated citation reaches a filing?
The strongest single argument: sanctions for AI-fabricated material are now routine and increasing, they attach to the signing attorney regardless of who used the tool, and the cost of one incident — monetary sanctions, removal from a case, bar referral, and the client conversation that follows — dwarfs the drafting time saved. See the incidents library for citable cases.
Sources: ABA announcement of Formal Opinion 512 · NCBE Bar Examiner analysis
Healthcare
In healthcare the confidentiality argument is not about best practice; it's federal law. Under HIPAA, protected health information (PHI) — anything that could identify a patient combined with health, treatment, or payment information — may not be disclosed to a third-party service that handles it on the organization's behalf unless that vendor has signed a business associate agreement (BAA) accepting HIPAA obligations. A clinician or staff member pasting patient notes into a consumer AI tool with no BAA is making an impermissible disclosure, regardless of intent, and breach notification duties and civil penalties can follow. Consumer-tier AI products generally do not come with BAAs; some enterprise offerings do, which is exactly the distinction a memo should force into the open.
Questions for the memo: Which tools in use or proposed touch PHI, and which have BAAs? Has compliance inventoried "shadow" AI use by staff, given how quickly that appeared at other organizations? For documentation tools, what is the review-and-signature workflow, and is the time it takes counted in the efficiency projections? What happens to recordings and transcripts — retention, location, deletion?
The strongest single argument: a single staff member pasting PHI into a non-BAA tool creates a reportable compliance event, and the Samsung incident shows three such leaks occurred within twenty days at a sophisticated company the moment access was allowed. In healthcare the equivalent leak is not source code; it's patient data with federal penalties attached.
Sources: HHS: Business Associates guidance · HHS: Minimum Necessary requirement
Financial services
Regulators have been explicit that no new rulebook is coming to the rescue: the existing one already applies. FINRA's Regulatory Notice 24-09 reminds member firms that all existing obligations — supervision, communications with the public, recordkeeping, fair dealing — apply when firms use generative AI, just as with any other technology, and FINRA's 2026 annual regulatory oversight report devotes a dedicated section to generative AI governance, testing, vendor oversight, and accurate AI-related disclosures. On the SEC side, the first "AI washing" enforcement actions (Delphia and Global Predictions, $400,000 in combined penalties) established that overstating AI capabilities in marketing is itself a violation of the Advisers Act and Marketing Rule.
Questions for the memo: Has compliance reviewed this tool against our written supervisory procedures (WSPs), and were the WSPs updated? Does the vendor agreement address data use, retention, and our regulators' access expectations? Are AI-assisted client communications going through the same review channel as human-drafted ones? Who has verified that our marketing describes our AI use accurately?
The strongest single argument: regulators have said in writing that the absence of an AI-specific rule is not a shield, and they are already bringing enforcement actions. Adopting ahead of a compliance review doesn't avoid the regulatory cost; it defers it to examination time with interest.
Sources: FINRA GenAI guidance hub (incl. Notice 24-09) · SEC AI-washing press release
Other fields, briefly
The same structure works anywhere there's a binding obligation to point at. In education, FERPA restricts disclosure of student records to third parties, which reaches AI tools fed student work or data. In journalism and publishing, the operative obligations are editorial standards and reader trust — the documented cases of outlets publishing error-ridden or undisclosed AI content show the reputational cost arriving fast and publicly. In government work, procurement rules, records laws, and the duty not to dispense incorrect official guidance (see the NYC MyCity entry in the incidents library) carry the argument. Whatever the field, the playbook is constant: find the written obligation, ask in writing whether the tool complies, and propose that rollout wait for the answer.
A necessary caveat
These playbooks summarize rules and guidance to help you ask better questions; they are not legal, medical, or compliance advice, and rules change and vary by jurisdiction. The whole point of the playbook approach is to route the question to your organization's counsel or compliance officer in writing — that step, not this page, is what protects you and the business.