Training Governance for Legal AI

Regulatory Framework

The professional-responsibility baseline is set by ABA Model Rule 1.1 (competence, including the 2012 Comment 8 obligation of technological competence), Model Rule 1.6 (confidentiality of client information, including in tools to which client information is submitted for processing), Model Rule 5.3 (responsibilities regarding nonlawyer assistance, which most state bars have construed to cover AI tools), and Model Rule 5.5 (unauthorized practice of law, which constrains the jurisdictional scope in which an AI system may be deployed to provide legal analysis). The 2024 ABA Formal Opinion 512 on generative AI made explicit that a lawyer's duty of competence requires understanding the benefits, risks, and limitations of any AI tool used in representation, and the duty of confidentiality requires that client information not be exposed to training corpora the lawyer does not control.

Case law has converted these abstract duties into concrete sanction risk. Mata v. Avianca, Inc., 678 F. Supp. 3d 443 (S.D.N.Y. 2023), imposed Rule 11 sanctions for the submission of fabricated case citations generated by an AI tool. The opinion's reasoning, and the approximately one hundred follow-on sanction decisions in state and federal courts through 2025, treats the use of an authority-flat model as a per se failure of the verification duty. Courts have not faulted lawyers for using AI; they have faulted lawyers for using AI whose output cannot be traced to verifiable, currently-binding authority.

State bars have begun to codify expectations. The California State Bar's Practical Guidance for the Use of Generative AI (November 2023, updated 2025) requires lawyers to verify outputs against primary authority and to disclose AI use where required by tribunal orders. The New York State Bar Association's 2024 report and subsequent court-by-court standing orders impose disclosure and verification obligations. Florida Ethics Opinion 24-1 treats AI vendors as nonlawyer assistants for Rule 4-5.3 purposes. Texas, Illinois, and a growing number of states impose analogous obligations through formal opinion or rule.

Federal procedural rules apply concurrently. FRCP Rule 26(g) requires that every discovery response be certified after a reasonable inquiry, and Rule 11(b) requires the same for all filings. Rule 37(e) governs spoliation of electronically stored information, which extends to training corpora when those corpora are reasonably anticipated to be relevant to litigation. The Sedona Conference's commentary on AI in e-discovery has framed authority-flat models as discovery-relevant artifacts whose training provenance is itself discoverable.

For systems deployed in or to the European Union, the EU AI Act (Regulation 2024/1689) classifies AI systems intended to be used by a judicial authority or on its behalf in researching and interpreting facts and the law, and in applying the law to a concrete set of facts, as high-risk under Annex III §8. High-risk obligations include data governance (Article 10), technical documentation (Article 11), record-keeping (Article 12), transparency (Article 13), human oversight (Article 14), and accuracy, robustness and cybersecurity (Article 15). GDPR Article 22 prohibits decisions based solely on automated processing that produce legal effects, with narrow exceptions that require explicit safeguards. The NIST AI Risk Management Framework (AI RMF 1.0, 2023) and its Generative AI Profile (NIST-AI-600-1, 2024) supply the U.S. governance vocabulary that federal contracting (OMB M-24-10) and state procurement increasingly require.

Architectural Requirement

The regulatory framework converges on a single architectural property: the model's representation of legal knowledge must be authority-aware at the level of internal structure, not merely at the level of post-hoc citation filtering. A model that has learned overruled reasoning at the same depth as current law will reproduce overruled reasoning patterns even when its citation list is clean. A model that has learned out-of-jurisdiction holdings at the same depth as binding in-jurisdiction precedent will weight persuasive authority as if it were controlling. A model that cannot distinguish holding from dicta will treat the rhetoric of an opinion as if it were the rule of the case.

The architectural requirement, therefore, is depth-selective learning: gradient magnitude, layer depth, and update frequency must be conditioned on authority metadata, so that binding authority shapes the deep representational substrate while persuasive authority and overruled reasoning shape only the surface. The requirement is also governance-traceable: every gradient update must be attributable to a specific training source with specific authority status at a specific point in time, so that a downstream output can be traced back to the authorities that shaped its reasoning.

EU AI Act Article 10 data governance, Article 11 technical documentation, and Article 12 record-keeping obligations cannot be satisfied by an authority-flat training pipeline regardless of the rigor of its post-training filters. The obligations attach to the training process itself.

Why Procedural Compliance Fails

The dominant procedural compliance pattern for legal AI is post-training citation verification: generate text, extract citations, look them up in a legal research database, confirm existence, confirm not-overruled status, confirm proposition match. This pattern produces clean citation lists. It does not produce sound legal reasoning, and it does not satisfy the regulatory framework above.

First, citation verification is downstream of reasoning. The model has already shaped its argument using whatever it learned during training. If the training corpus encoded overruled reasoning at full depth, the argument's structure will reflect that reasoning even after the citation to the overruled case is stripped. Courts that have analyzed post-Mata sanction motions have looked at the structure of the argument, not only the citation list, and have found that authority-flat training produces arguments that are themselves unsound regardless of citation hygiene.

Second, citation verification cannot solve the jurisdictional problem. A New York attorney's brief that reproduces Ninth Circuit reasoning as if it were binding has not been saved by a citation list that correctly identifies the Ninth Circuit case. The Rule 11 inquiry is whether the position is warranted by existing law in the relevant jurisdiction. Authority-flat training cannot produce jurisdiction-aware reasoning; it can only produce text that happens to cite jurisdiction-appropriate cases.

Third, procedural compliance fails the EU AI Act high-risk obligations. Article 10's data governance requirement, that training data be relevant, representative, free of errors and complete in view of the intended purpose, cannot be satisfied by a training pipeline that treats overruled and current law as equivalent. Article 14's human oversight requirement is undermined when the lawyer's review is presented with reasoning whose authority structure is opaque. Article 13's transparency obligation requires that users understand the system's capabilities and limitations, which include the authority structure of its training data.

Fourth, procedural compliance fails Model Rule 1.6. When a citation-verification pipeline submits client facts to a third-party legal research API for verification, the client information is exposed to a processor that is not within the lawyer's confidentiality envelope. The procedural fix has created a confidentiality breach.

What AQ Primitive Provides

Training governance, as instantiated in the Adaptive Query primitive, conditions the gradient itself on authority metadata. Each training source is annotated with its authority profile: court level (Supreme Court, federal circuit, federal district, state supreme, state intermediate, state trial, administrative tribunal, secondary authority), jurisdictional scope (federal, state-by-state, foreign), current status (good law, criticized, distinguished, overruled, superseded by statute), holding-versus-dicta classification at the passage level, and temporal validity window. The training pipeline routes gradients through depth-selective channels conditioned on this metadata.

Supreme Court holdings on currently-good law route to deep representational layers with full gradient magnitude. Circuit court holdings on currently-good law route to intermediate layers with full magnitude within the circuit and reduced magnitude outside. State supreme court holdings route to deep layers within the state's deployment profile and to surface layers outside. Persuasive authority routes to surface layers with reduced gradient depth, sufficient for the model to recognize the reasoning but insufficient for the reasoning to dominate the deep representation. Overruled reasoning routes with negative or near-zero gradients, preserving historical awareness while preventing deep encoding. Dicta route at reduced depth relative to holdings within the same opinion.

Jurisdictional scoping enables a single training corpus to produce different deployment profiles. The same annotated corpus, processed through the training governance primitive with a New York deployment profile, produces a model whose deep representation reflects New York Court of Appeals and Second Circuit binding authority; processed with a California deployment profile, it produces a model whose deep representation reflects California Supreme Court and Ninth Circuit binding authority. The deployment profile is a parameter of the gradient routing function, not a post-training filter.

Temporal governance handles the ongoing law-making process. When a decision is overruled, the primitive can selectively reduce the influence of the overruled reasoning in the deep layers, using knowledge-retention mechanisms that preserve the doctrinal context (so the model can still discuss the overruled case competently) while reducing the authority weight of its reasoning (so the model does not generate arguments that echo it). The same mechanism handles statutory supersession, regulatory amendment, and intervening Supreme Court guidance.

Provenance tracing connects every output to the training sources whose gradients shaped it. When the model generates a legal analysis, the provenance trace identifies the cases, statutes, and secondary sources whose deep-layer contributions most influenced the reasoning, along with their authority level and current status. The trace is the audit substrate that EU AI Act Article 12 requires and that NIST AI RMF Manage-2 contemplates, and it is the verification substrate that Model Rule 1.1 competence and Rule 11 reasonable inquiry require.

Confidentiality boundaries are enforced at the primitive layer. Client information submitted to the deployed model is processed in a manner that does not contribute to the training gradient and does not leak across tenants. The primitive's gradient-routing architecture enforces this boundary structurally, satisfying Model Rule 1.6 without reliance on contractual representations from a verification vendor.

Compliance Mapping

ABA Model Rule 1.1 competence is supported because the model's outputs carry provenance traces that allow the lawyer to verify the authority structure of the reasoning, not merely the citation list. Model Rule 1.6 confidentiality is satisfied because client information does not enter the training gradient or cross tenant boundaries. Model Rule 5.3 supervisory obligations over nonlawyer assistants are supported by the audit substrate that records every gradient contribution and every inference. Model Rule 5.5 unauthorized practice limits are supported by jurisdictional deployment profiles that scope the model's deep authority structure to the jurisdictions in which the lawyer is licensed.

FRCP Rule 11(b) reasonable inquiry is satisfied because the lawyer can verify that the reasoning is grounded in currently-binding authority in the relevant jurisdiction, not only that the citations exist. Rule 26(g) discovery certification is supported by the same provenance substrate. Rule 37(e) ESI obligations regarding training corpora are addressed by the corpus annotation and audit trail. Rule 11 sanctions exposure of the kind imposed in Mata and its progeny is structurally bounded because the model's reasoning structure reflects authority hierarchy; an authority-flat reasoning failure cannot occur because authority-flat reasoning is not what the gradient produces.

EU AI Act Article 10 data governance is satisfied because training data is annotated, profiled, and routed according to its authority status, satisfying the relevance, representativeness, and currency requirements. Article 11 technical documentation is generated from the corpus annotation and routing configuration. Article 12 record-keeping is the provenance substrate. Article 13 transparency is supported by exposing the authority profile of the deployment to users. Article 14 human oversight is meaningful because the lawyer reviews reasoning whose authority structure is exposed, not opaque. Article 15 accuracy and robustness are supported by the structural separation of binding and persuasive authority. Annex III §8 high-risk classification is met with the corresponding obligations rather than evaded.

GDPR Article 22 automated decision-making constraints are satisfied because the primitive emits reasoned analysis to a supervising lawyer, not automated legal decisions affecting a data subject. Article 5 minimization is supported by the structural prevention of client-data ingestion into training gradients. NIST AI RMF Govern, Map, Measure, and Manage functions are operationalized through the corpus annotation, deployment profiles, provenance substrate, and overrule-handling mechanisms respectively.

Adoption Pathway

Legal AI vendors and law-firm internal AI programs adopt training governance through a staged pathway. The first stage is corpus annotation: the case-law, statutory, regulatory, and secondary-source corpus is profiled with court level, jurisdictional scope, current status, holding-versus-dicta classification, and temporal validity. Annotation is performed against authoritative sources (the official reporters for case status, the codifying jurisdiction's official publication for statutes, the issuing agency for regulations) and is itself subject to audit. For most vendors, existing editorial workflows already produce a substantial fraction of this metadata; the primitive consumes it through a defined interface rather than requiring a parallel pipeline.

The second stage is deployment-profile configuration. A vendor selling to a multi-jurisdiction practice configures profiles for each jurisdiction in which deployment is anticipated. The deployment profile is the routing parameterization; the same annotated corpus serves all profiles, with depth-selective gradient routing producing the jurisdiction-appropriate deep representation for each. Internal firm deployments configure profiles aligned with the firm's bar admissions and practice areas.

The third stage is governance integration. Provenance traces are surfaced into the lawyer's review interface so that Rule 1.1 competence and Rule 11 inquiry are supported by tooling rather than asserted. EU AI Act Article 11 documentation, Article 12 records, and Article 14 oversight workflows are configured against the primitive's audit substrate. NIST AI RMF profile alignment is documented from the same substrate. Confidentiality boundaries are configured at the primitive layer so that Model Rule 1.6 obligations do not rely on third-party verification vendors.

The fourth stage is ongoing law-currency maintenance. As decisions are overruled, statutes amended, and regulations superseded, the corpus annotation is updated and the affected gradients are selectively attenuated through the temporal-governance mechanism. The model's deep representation tracks the law as it evolves, without retraining from scratch. The audit substrate records each currency update, supplying the regulator and the supervising lawyer with a continuous record of how the model's authority structure has been maintained.

The result is a legal AI system whose internal representation of law mirrors the structure that courts, bars, and regulators expect. Reasoning is grounded in binding authority; persuasive authority informs without dominating; overruled reasoning is recognized historically without being reproduced doctrinally; jurisdictional scope is respected; client confidentiality is structural; and the audit substrate that the EU AI Act, NIST AI RMF, federal procedural rules, and state bars increasingly require is produced as a byproduct of the architecture rather than assembled retrospectively from logs.