Each playbook names the governing framework, the rules a memo can cite, the questions whose answers determine whether use is permissible, and the single strongest argument for that field. These summaries are a starting point for the conversation, not legal advice; the move they set up is asking your organization's counsel or compliance function the right questions, in writing, before rollout. A documented unanswered question is itself a powerful exhibit.
Legal practice
Law is the field where the case is most developed, because the profession has both binding ethics rules and a public record of AI failures. The national framework is ABA Formal Opinion 512 (July 2024), the first formal ethics guidance on generative AI, which maps existing Model Rules of Professional Conduct onto AI use rather than creating new ones. Its core message: AI doesn't change a lawyer's obligations, and those obligations attach to everyone whose work flows into a filing — including the work of paralegals and legal assistants under the supervision rules.
Beyond the Model Rules, many states have issued their own AI ethics guidance, and a number of individual judges have standing orders imposing AI disclosure or verification requirements on filings, so local rules need checking matter by matter. Questions for the memo: Which tasks involving client information would the tool touch, and does the vendor agreement prohibit training on inputs and provide for confidentiality? Has anyone checked the standing orders of the judges before whom we appear? Who is the verifying attorney of record for AI-assisted work product, and is that verification time being scheduled and billed honestly? What is our written policy if a hallucinated citation reaches a filing?
The strongest single argument: sanctions for AI-fabricated material are now routine and increasing, they attach to the signing attorney regardless of who used the tool, and the cost of one incident — monetary sanctions, removal from a case, bar referral, and the client conversation that follows — dwarfs the drafting time saved. See the incidents library for citable cases.
For a fuller plain-language walkthrough of Opinion 512 written for small firms, see ABA Opinion 512 in Plain English for Small Firms.
Sources: ABA announcement of Formal Opinion 512 · NCBE Bar Examiner analysis
Healthcare
In healthcare the confidentiality argument is not about best practice; it's federal law. Under HIPAA, protected health information (PHI) — anything that could identify a patient combined with health, treatment, or payment information — may not be disclosed to a third-party service that handles it on the organization's behalf unless that vendor has signed a business associate agreement (BAA) accepting HIPAA obligations. A clinician or staff member pasting patient notes into a consumer AI tool with no BAA is making an impermissible disclosure, regardless of intent, and breach notification duties and civil penalties can follow. Consumer-tier AI products generally do not come with BAAs; some enterprise offerings do, which is exactly the distinction a memo should force into the open.
Questions for the memo: Which tools in use or proposed touch PHI, and which have BAAs? Has compliance inventoried "shadow" AI use by staff, given how quickly that appeared at other organizations? For documentation tools, what is the review-and-signature workflow, and is the time it takes counted in the efficiency projections? What happens to recordings and transcripts — retention, location, deletion?
The strongest single argument: a single staff member pasting PHI into a non-BAA tool creates a reportable compliance event, and the Samsung incident shows three such leaks occurred within twenty days at a sophisticated company the moment access was allowed. In healthcare the equivalent leak is not source code; it's patient data with federal penalties attached.
Sources: HHS: Business Associates guidance · HHS: Minimum Necessary requirement
Financial services
Regulators have been explicit that no new rulebook is coming to the rescue: the existing one already applies. FINRA's Regulatory Notice 24-09 reminds member firms that all existing obligations — supervision, communications with the public, recordkeeping, fair dealing — apply when firms use generative AI, just as with any other technology, and FINRA's 2026 annual regulatory oversight report devotes a dedicated section to generative AI governance, testing, vendor oversight, and accurate AI-related disclosures. On the SEC side, the first "AI washing" enforcement actions (Delphia and Global Predictions, $400,000 in combined penalties) established that overstating AI capabilities in marketing is itself a violation of the Advisers Act and Marketing Rule.
Questions for the memo: Has compliance reviewed this tool against our WSPs, and were the WSPs updated? Does the vendor agreement address data use, retention, and our regulators' access expectations? Are AI-assisted client communications going through the same review channel as human-drafted ones? Who has verified that our marketing describes our AI use accurately?
The strongest single argument: regulators have said in writing that the absence of an AI-specific rule is not a shield, and they are already bringing enforcement actions. Adopting ahead of a compliance review doesn't avoid the regulatory cost; it defers it to examination time with interest.
Sources: FINRA GenAI guidance hub (incl. Notice 24-09) · SEC AI-washing press release
Education
In education the binding obligation is the Family Educational Rights and Privacy Act (FERPA), and its logic parallels HIPAA's: education records — personally identifiable information from a student's file — may not be disclosed without consent except under enumerated exceptions. The category is wider than the gradebook: grades and test scores, but also attendance, discipline, student work tied to a name, and the heightened-sensitivity records of special education, the IEPs and 504 plans that combine a child's identity with disability information. The exception that matters for AI is the school-official exception, and its conditions read like a checklist a consumer AI tool's terms of service will fail.
Questions for the memo or its staff-meeting equivalent: Which AI tools, official and unofficial, currently touch student data — including the ones individual teachers adopted on their own? For each, is there a written agreement satisfying the school-official exception: direct control, purpose limitation, no training on student inputs, deletion at contract end? What happens to the data if the vendor fails or is sold? Are any tools being used with students under thirteen, and do the tools' own terms permit it? And who answers the parent who asks what was shared?
The strongest single argument: it is the district, not the well-meaning teacher, that is the regulated party, and a single pasted IEP excerpt is a disclosure FERPA gives the institution no exception for. Many districts already have an approved-tools list and vendor agreements; the rollout email just forgot to mention them. The memo's job is often simply to surface the safeguards that already exist before colleagues start pasting records with names in them.
Sources: Future of Privacy Forum: Vetting Generative AI Tools for Use in Schools · EdSurge on the AllHere collapse · The 74: whistleblower allegations
Other fields, briefly
The same structure works anywhere there's a binding obligation to point at. In journalism and publishing, the operative obligations are editorial standards and reader trust — the documented cases of outlets publishing error-ridden or undisclosed AI content show the reputational cost arriving fast and publicly. In government work, procurement rules, records laws, and the duty not to dispense incorrect official guidance (see the NYC MyCity entry in the incidents library) carry the argument. Whatever the field, the playbook is constant: find the written obligation, ask in writing whether the tool complies, and propose that rollout wait for the answer.
A necessary caveat
These playbooks summarize rules and guidance to help you ask better questions; they are not legal, medical, or compliance advice, and rules change and vary by jurisdiction. The whole point of the playbook approach is to route the question to your organization's counsel or compliance officer in writing — that step, not this page, is what protects you and the business.