Jamie Judd speaks to K&L Gates’ chief technology officer, Harpreet Suri
K&L Gates has become one of the first major law firms to achieve ISO/IEC 42001:2023 certification, the international standard for AI management systems, following an independent audit of its firm-wide AI governance programme.
The certification, which covers accountability, risk management, transparency, and data protection, sits on top of the firm’s existing certifications relating to information security and privacy management (ISO 27001 and 27701). For the firm’s chief technology officer, Harpreet Suri, the three certifications together form a package that helps demonstrate to clients that their data will be handled securely and confidentially when AI tools are involved.
In practice, the AI Management System (AIMS) establishes how decisions related to AI are made. For example, when deciding on business tools, the demand process goes through an assessment, followed by a security review, a technology evaluation and a business case assessment. AIMS also determines who makes AI-related decisions, with decisions on legal tool procurement made by the AI Solutions Group, headed by senior partner Brendan Gutierrez.
AIMS also governs a central inventory of approved tools (currently including Legora, Vincent AI, CoCounsel, and Microsoft Copilot, with smaller pilots of Claude and ChatGPT) and runs a strict onboarding and continuous monitoring process for each. Vendors are assessed not just at procurement, but throughout the tool’s lifecycle, particularly as they release new features or expand into jurisdictions with specific data residency requirements.
These requirements also shape how tools can be deployed globally. Suri told Legal IT Insider that data localisation rules, which control how data can be stored or processed in certain countries, mean some tools cannot be used across all jurisdictions. The firm therefore needs to understand where each vendor processes data, and in some cases vendors may need to adapt their systems to meet those requirements.
Suri said that the decision to implement AIMS “was about client trust. To demonstrate to our clients that we are following this standard and we can be trusted with your data when it comes to using AI tools.” This is reflected in client behaviour, with corporate, government, and financial services clients increasingly raising AI governance questions in RFPs and panel reviews. The certification acts as shorthand for the firm to point to, reducing the need for repeated follow-up. In some cases, however, this scrutiny leads to detailed discussions, with the firm’s security team walking clients through its controls.
Perhaps the most striking takeaway from the process, Suri said, is that “it wasn’t just about the tech. It was about ensuring you had the discipline in place in terms of a policy and constant monitoring”. That discipline is evident in clear governance structures, regularly updated policies, and a continuous cycle of oversight.
The process also led to a shift in approaches to training. The firm created a dedicated AI Adoption Manager role and an AI Training Alliance – a cross-functional group of lawyers and professional staff co-led by the firm’s general counsel John Hagan and senior counsel Alicia Hawley – to coordinate governance, tools, and use-case training centrally. This shows a more coordinated approach to training, bringing lawyers and professional staff together to build confidence in using AI.
The post K&L Gates achieves ISO 42001 certification for AI governance – Interview appeared first on Legal IT Insider.
