Legal Services · Advice autonomy

Client Communication Drafting

An assistant that drafts client communications for a professional to review and send, with drafting-only authority enforced in code, because the defining risk at this band is authority creep.

HAL Score: 29 / 40 (Governed)

Workflow

  1. Professional requests a draft, or the assistant proposes one
  2. Assistant drafts the communication, citing sources for factual claims
  3. Draft is tagged as AI-generated in the workflow
  4. Professional reviews, edits, and sends
  5. Sent communication retained alongside its draft history

Governance design

  • Authority is drafting only. Send capability is removed at the integration, not by policy.
  • Hard limit: the assistant never communicates externally.
  • Every AI draft tagged and retained as evidence.
  • Permissions re-verified against the approved scope after every tool update.

Escalation paths

  • Draft contains legal advice or undertakings → supervising lawyer.
  • Any change to the tool’s permissions → owner re-approval before rollout.
  • Recipient is a regulator or court → mandatory senior review.

Ownership model

A named partner, with the innovation lead as deputy.

Lessons learned

  • The decisive control is enforcing “draft only” in code. A policy-only boundary quietly erodes under time pressure.
  • Authority creep is the defining risk for advice systems: after every update, re-verify what the tool can do, not what it was meant to do.
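
One way to automate the re-verification described above, as an added example that is not code from the original page: a post-update gate that compares the scopes actually granted to the integration with the approved scope. The scope names and the `verify_grants` function are hypothetical and stand in for whatever the mail integration exposes.

```python
from fnmatch import fnmatchcase

# Assumption: scope names are hypothetical placeholders, not a real mail API's.
APPROVED_SCOPE = frozenset({"mail.read", "draft.create", "draft.update"})
# Hard limit from the governance design: the assistant never communicates externally.
FORBIDDEN = frozenset({"mail.send", "mail.send_as"})


def verify_grants(granted, approved=APPROVED_SCOPE, forbidden=FORBIDDEN):
    """Compare what the integration can do with what it was approved to do.

    Returns (verdict, details). Verdicts, strictest first:
      "block"     - a forbidden capability is granted; stop the rollout
      "reapprove" - grants differ from the approved scope; owner re-approval
      "ok"        - grants match the approved scope exactly
    """
    granted = {g.strip().lower() for g in granted if g.strip()}
    # A wildcard grant such as "mail.*" implies every capability it matches,
    # so test each forbidden scope against each grant treated as a pattern.
    hard = sorted(g for g in granted
                  if any(fnmatchcase(f, g) for f in forbidden))
    details = {
        "forbidden": hard,
        "added": sorted(granted - approved - set(hard)),
        "removed": sorted(approved - granted),
    }
    if hard:
        return "block", details
    if details["added"] or details["removed"]:
        return "reapprove", details
    return "ok", details


if __name__ == "__main__":
    # Constructed sample: grants as they might look after a tool update.
    after_update = ["mail.read", "draft.create", "draft.update", "Mail.Send"]
    verdict, details = verify_grants(after_update)
    print(verdict, details)
```

Run it against the grants read back from the deployed integration after each update, not against the configuration that was requested.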

Worked example

Client Email Drafting Assistant

Advice

A team adopted an assistant to draft client emails, intending lawyers to review before sending.

Initial workflow

The assistant drafted emails in the inbox. Under time pressure, lawyers began sending drafts unchanged, and the tool had quietly gained "send" permission during a later update.

Risks identified

  • Scope crept from "draft" to "send" without re-approval.
  • No limit prevented external communication.
  • No record of which emails were AI-drafted.
  • Liability for an erroneous client email was unexamined.

HAL assessment

As an advice system the bar is modest, but the undetected scope creep to "send" pushed it into Execution without any of the matching controls.

Improvements made

  • Revoked send authority in code: drafting only, enforced at the integration.
  • Required explicit human send for every external email.
  • Tagged AI-drafted content for evidence and later review.
  • Documented liability and added a client-facing disclosure.

Domain      Before  After  Change
Ownership   2       4      +2
Authority   1       5      +4
Limits      1       5      +4
Escalation  2       3      +1
Evidence    1       4      +3
Monitoring  1       3      +2
Review      1       3      +2
Liability   1       3      +2

Deployment recommendation

Approved as an advice system only, with send authority removed in code. This example is the canonical case of authority creep: the gap between what a system was meant to do and what it could do.