The Harvey Partner: What Law Firms Aren't Telling Clients About AI in Legal Review
Harvey AI — backed by $206M, valued at $3B, deployed at 200+ law firms — is drafting memos, reviewing contracts, running due diligence, and summarizing deposition transcripts at firms including A&O Shearman, Paul Weiss, and Cleary Gottlieb. Most clients have not been told. The ABA's Model Rules on competence, supervision, and confidentiality create obligations that most law firm AI deployment policies have not resolved. The managing partners who approved the rollout have not answered the question their general counsel clients would ask first.
Key Numbers
Background
Harvey AI was built on a simple premise: large language models trained on legal text can compress the hours a junior associate spends on research, contract review, and document drafting into minutes. The pitch is credible. The underlying model — a legal-domain fine-tune on top of GPT-4 architecture, with case law, regulatory text, and contract corpora — performs measurably better on legal tasks than general-purpose frontier models. For a senior associate billing $600 per hour to review a 300-page acquisition agreement, Harvey compresses that to a fraction of the time and cost.
The adoption numbers are real. Harvey has signed 200+ law firms, including Am Law 100 firms that have deployed it firm-wide. A&O Shearman — the merger of Allen & Overy and Shearman & Sterling — was the flagship early adopter, deploying Harvey across its global practice before most competitors had run a pilot. Paul Weiss and Cleary Gottlieb followed. The roster now includes firms across M&A, litigation, restructuring, and regulatory practice. Harvey is the fastest legal AI deployment in the industry's history, measured by time from founding to enterprise penetration at the top of the market.
What Harvey does in practice: it drafts contract summaries and issue spotting memos for due diligence; it researches case law and writes initial legal memoranda for attorney review; it reviews and redlines contract language against a firm's standard positions; it summarizes deposition transcripts and discovery documents; it generates first drafts of regulatory submissions. In each case, a partner or senior associate reviews and signs off. The attorney submits the work product. Harvey is the drafter. The attorney is the author of record.
The ABA issued Formal Opinion 512 in July 2024, specifically addressing generative AI in legal practice. The opinion does not prohibit AI use. It does impose four obligations that most law firm AI deployment policies have not fully addressed: the attorney must understand the tool sufficiently to supervise the output (Rule 1.1); the attorney must supervise the AI-generated work at a standard that constitutes competent supervision (Rule 5.1/5.3); the attorney must protect client confidential information, including data submitted to AI systems (Rule 1.6); and whether client disclosure is required depends on whether the AI use is material to the representation and whether the client would reasonably expect to be told. Opinion 512 does not say disclosure is always required. It says the existing rules determine it — and those rules have teeth.
The deployment gap is not about whether AI belongs in legal practice. It does. The gap is between the speed of Harvey's adoption and the pace at which law firms have updated their engagement letters, conflict policies, confidentiality workflows, and supervision standards to reflect what they have deployed.
Decision Required
Does your firm's current AI deployment — the tools your attorneys are using today — comply with your obligations under ABA Model Rules 1.1, 1.6, and 5.3, and have you made the disclosure decisions that Opinion 512 requires you to have made deliberately?
The confidentiality question is the most operationally urgent. Harvey's enterprise deployment uses client data submitted through the platform. The data handling agreement with Harvey covers how the company stores, processes, and protects that data. What it does not do is substitute for the attorney's obligation under Rule 1.6 to make reasonable efforts to prevent the inadvertent disclosure of client information. If an attorney submits a confidential acquisition target's financial projections to Harvey to draft a disclosure memo, that submission is governed by the firm's data handling agreement with Harvey and by the attorney's own professional obligations — not just the vendor's privacy policy.
The disclosure question is where most managing partners have not yet landed. ABA Opinion 512 says: if a client would reasonably expect to be informed that AI is being used in their representation, or if the AI use is material to the representation, disclosure may be required under the existing rules. "May be required" is not the same as "is required." But it is also not the same as "is not required." The decision needs to be made deliberately, documented, and reflected in the engagement letter — not left to each attorney's individual judgment on each matter.
The competence question runs in both directions. Rule 1.1 requires attorneys to understand the tools they use well enough to supervise the output. A partner who approves a Harvey-drafted memo without understanding what Harvey does — what it hallucinates, how it handles jurisdiction-specific nuance, where its training distribution underperforms — has not met the competence standard the rule describes. At the same time, a firm that prohibits AI use without providing attorneys a compliant path is creating shadow deployment risk: attorneys using personal accounts or unapproved tools to stay competitive, without any of the firm's data handling protections in place.
Options
Make Harvey available to all attorneys with standard onboarding training. Treat AI output review as an extension of existing supervision obligations — partners supervise associates, and AI-generated work is treated like associate work product. Do not update engagement letters or add AI disclosure language. This is the fastest path and the current posture at most firms that have deployed Harvey. It defers the disclosure decision, relies on existing supervision standards that were not designed for AI output, and creates confidentiality exposure to the extent attorney-by-attorney data submission decisions are not covered by a firm-level data handling framework.
Add AI disclosure language to engagement letters for all new matters — not requiring client consent, but informing clients that the firm uses AI tools in legal work and describing the supervision framework. Update the firm's data handling policy to define which client data categories may be submitted to which AI platforms, with specific restrictions for regulated data (MNPI, PHI, classified government matters). Create a firm-level Harvey data agreement that governs all attorney use rather than leaving it to individual attorneys. More overhead than the current posture; addresses the most material compliance gaps without requiring per-matter client consent.
Require affirmative client disclosure and consent before using AI tools on any matter. Build per-matter consent into the engagement process. Restrict Harvey use to matters where consent has been obtained. This is the most conservative posture and the most compliant in contested regulatory environments. It also slows deployment substantially and may put the firm at a competitive disadvantage relative to firms that have adopted a disclosure-without-consent approach. Appropriate for matters with particularly sensitive data — government investigations, M&A with MNPI, regulated financial services clients.
Recommendation
Update the engagement letter before the next billing cycle. The disclosure language does not need to require client consent — it needs to be deliberate. A sentence in the engagement letter that says the firm uses AI tools in legal work, that all AI-generated work product is reviewed and supervised by the responsible attorney, and that client confidential information is handled pursuant to the firm's data protection policies is not a liability admission. It is evidence that the disclosure decision was made intentionally. The absence of that language, after Opinion 512, is evidence that the decision was not made at all.
Define what attorney supervision means for AI-generated work product — in writing, at the firm level. "Review it like associate work" is not sufficient. An associate's work product comes from a human who can explain their reasoning, identify the sources they relied on, and flag the cases they were uncertain about. Harvey cannot do any of those things on demand. A supervision standard for AI output should specify: the attorney must verify all cited authorities exist and stand for the proposition cited; the attorney must assess whether the jurisdiction-specific analysis reflects the applicable law in the relevant jurisdiction; the attorney must identify the sections of the output they are relying on and are prepared to defend. This is not a higher bar than supervising an associate. It is a different bar, and firms that have not made it explicit are leaving the definition to each partner's individual practice.
Create a restricted data category list before deploying Harvey on regulated matters. Matters involving material non-public information, matters with government or regulatory clients, matters with PHI under HIPAA — these require a specific assessment of what can and cannot be submitted. Harvey's enterprise agreement governs data handling at the platform level. It does not substitute for the attorney's judgment about what should go in. The restricted category list is a compliance artifact that demonstrates the firm made this determination before the first submission, not after the first regulator inquiry.
Enjoying this brief? The next one ships Tuesday.
One enterprise AI deployment, dissected weekly. Free during beta · No credit card · Unsubscribe anytime
Risks
In 2023, a New York attorney submitted a brief containing AI-generated citations to cases that did not exist. The Mata v. Avianca sanctions ruling has been cited in every law school AI ethics discussion since. Harvey's legal-domain training significantly reduces — but does not eliminate — citation hallucination. A partner who approves a Harvey-drafted memo without independently verifying every cited authority is betting that the model's reduced hallucination rate is zero. It is not. At 200+ firms deploying Harvey at scale, the expected number of hallucinated citations reaching a filing or client deliverable in any given quarter is not zero. The risk is not theoretical. The supervision standard needs to treat citation verification as mandatory, not discretionary.
Harvey's enterprise deployment uses a data handling agreement that covers how Harvey stores and processes firm data. Attorneys who submit client documents — acquisition targets' financial models, ongoing litigation strategy memos, regulatory investigation materials — are governed by both Harvey's agreement and their own Rule 1.6 obligations. The distinction matters: Harvey's agreement is a contract between the firm and Harvey. Rule 1.6 is a professional obligation between the attorney and the client. A data breach at Harvey that exposes client confidential information creates both contractual claims against Harvey and professional responsibility exposure for the attorneys who submitted the data. The firm's AI deployment policy needs to define data submission limits — not leave it to each attorney's judgment on each matter.
Law firms that prohibit or restrict AI use without providing a compliant, firm-sanctioned path are creating shadow deployment risk. Attorneys — especially junior associates under billing pressure — are using ChatGPT, Claude, and other general-purpose AI tools through personal accounts to stay competitive with peers at AI-enabled firms. General-purpose AI models do not have legal-domain training, do not have a law firm data handling agreement in place, and are being used without any of the firm's supervision infrastructure. A blanket restriction that ignores this dynamic is not a conservative compliance posture. It is a policy that creates the compliance exposure it was designed to prevent.
Harvey can compress a task that would take a junior associate four hours to forty minutes. The billable hour model has not caught up. An attorney who bills four hours for work Harvey produced in forty minutes — without disclosing the AI assistance — is potentially overbilling. An attorney who bills forty minutes for work Harvey produced in forty minutes may be discounting a service the client values at four hours. Neither answer is obvious. The ABA has not issued guidance on AI and fee disclosure. State bars are beginning to. Law firms that have not established an internal policy on how to bill matters where AI substantially reduces attorney time are accumulating an exposure that will be material when the first state bar opinion addresses it.
Questions Your Team Should Be Answering
These are the questions that distinguish organizations that get this right from those that do not. If your team cannot answer them, that is your first deliverable.
- 1.
Do your current engagement letters for new matters contain any AI disclosure language — and if not, has the firm made a deliberate decision that disclosure is not required, documented that decision, and identified the ABA Opinion 512 analysis that supports it?
- 2.
What data categories are attorneys permitted to submit to Harvey — and where is that restriction documented? Who enforces it, and what is the review process for matters involving MNPI, PHI, or ongoing government investigations?
- 3.
What is the firm's supervision standard for AI-generated work product — specifically, what must a reviewing attorney verify before a Harvey-drafted memo is submitted to a client or filed with a court?
- 4.
Have you audited which AI tools attorneys are actually using — firm-sanctioned and otherwise? If attorneys are using general-purpose AI through personal accounts to avoid firm restrictions, the compliance exposure is worse than a Harvey deployment with proper data handling.
- 5.
How does the firm currently bill matters where Harvey substantially compresses attorney time? Is there a billing policy, or is it left to each partner's discretion?
- 6.
Which practice groups carry the highest risk exposure from AI use — and have those groups received specific guidance on the data submission and supervision standards that apply to their matter types?
If this memo belongs in your next executive meeting or board pack, send it along. One click opens a pre-drafted email — edit or send as-is.
The ATO Bottleneck: What Federal Agencies Discover When AI Procurement Meets the Authorization Process
Federal agencies are deploying AI tools across procurement, benefits processing, and workforce operations — but the ATO process was written for static systems. FedRAMP authorizes cloud infrastructure, not AI behavior. Most frontier AI APIs lack FedRAMP authorization, and most federal ATOs are stale by the time the model updates.
Read memo →The Algorithmic Underwriting Audit: What NAIC AI Requirements Mean for Every Insurer Using AI in Pricing and Claims
State insurance regulators have moved. The NAIC Model Bulletin on AI has been adopted in 38+ states. Colorado mandates external algorithmic audits for life insurance AI. California CDI has challenged AI-generated property risk scores. Most carriers have deployed AI in claims and underwriting without building the governance documentation regulators are now requiring.
Read memo →The SR 11-7 Blind Spot: What Banks Discover When AI Hits Model Risk Management
Banks are deploying AI in credit underwriting, fraud detection, compliance monitoring, and customer service — but SR 11-7, the OCC/Fed model risk framework, was written in 2011 for statistical models. The validation gap for third-party LLM APIs, the model version change management problem, and what bank examiners are beginning to ask.
Read memo →