It tackles many of the questions lawyers have been asking since generative AI entered the mainstream: competence, confidentiality, client communications, billing, hallucinated citations, supervision, and judicial use of AI.
First, credit where it's due. Ohio deserves praise for stepping into a conversation that many jurisdictions have been reluctant to have. Lawyers are hungry for practical guidance on AI, and doing nothing is no longer an option. The Ohio Board of Professional Conduct deserves recognition for taking a serious run at a rapidly evolving issue.
Which is why one part of the Guide surprised me. On the question of whether lawyers can ethically disclose client information to AI platforms, the guidance seems to say both yes and no.
On one hand, the Guide acknowledges that lawyers may use AI tools in client representations and contemplates circumstances in which client-related information may be entered into an AI system. It advises lawyers to use AI products with adequate security measures and confidentiality safeguards.
"[O]nly AI tools offered with adequate security measures and other confidentiality safeguards should be used when client-related information is disclosed (or information possibly leading to the identity of a client)."
But then it says this:
"Regardless of the AI tool utilized, lawyers should always anonymize client information and refrain from inputting details that could lead to the discovery of the client's identity."
If that's the rule, then what exactly are we talking about when we discuss secure enterprise AI platforms?
Because if lawyers must always anonymize client information and avoid information that could reveal a client's identity, then the security measures, confidentiality protections, and contractual safeguards of a particular AI product become largely irrelevant. Under that reading, the answer is simple: never disclose client information to any AI platform, no matter how secure.
Yet the Guide spends considerable time discussing the use of AI tools that expressly do not store, train on, or share user data.
That discussion only makes sense if disclosure of client information is sometimes permissible when adequate safeguards exist.
Those are two very different standards.
One says: Only use secure AI tools when disclosing client information.
The other says: Never disclose identifiable client information at all.
For firms trying to develop AI governance policies, that distinction matters.
Lawyers have been sharing confidential client information with third-party vendors for decades—email providers, cloud storage companies, document management systems, e-discovery vendors, and legal research platforms. The ethical question shouldn't be whether AI is different. The question should be what safeguards are sufficient to permit its use.