Is It an AI System? Borderline Tool Classification for Law Firms
In many law firms, the most difficult compliance question is not "how to govern AI" but "is this even in scope?" Misclassifying borderline software can create blind spots in policy, vendor diligence, and client disclosures under the AI Act (1).
Why this question became urgent
The Commission published guidance in February 2025 on the AI system definition to help organizations apply first-phase AI Act rules (2). That guidance remains central in 2026 because real-world legal tooling often combines deterministic automation with model-based features.
If firms classify too narrowly, they may skip needed controls. If they classify too broadly, they can create costly governance overhead with little risk value. The Commission's broader AI Act policy page is useful context for keeping scope decisions tied to the Act's risk-based structure (3).
Where law firms face borderline decisions
- Document extraction workflows mixing rules engines and ML-based inference.
- Contract analytics pipelines with configurable scoring outputs.
- Search and knowledge systems that combine retrieval and generative summaries.
- Internal triage assistants that influence staffing or legal priority decisions.
A practical classification method
Use a repeatable four-step method for every new tool or major feature:
- Describe the intended purpose in plain legal-workflow terms.
- Map output behavior: deterministic transformation, statistical prediction, or mixed mode.
- Assess decision influence: informational aid or materially outcome-shaping.
- Document the conclusion with reviewer sign-off and re-review triggers.
What good evidence looks like
- Versioned feature descriptions from the vendor.
- Clear notes on what configuration options are enabled in your tenant.
- Real usage examples from legal teams, not only vendor demo scenarios.
- A dated memo capturing why the classification conclusion was reached.
Top mistakes to avoid
- Marketing-label reliance: accepting vendor labels without independent review.
- No reclassification trigger: missing reassessment after feature updates.
- Tool-level only analysis: ignoring how the tool is actually used in matters.
How to align with the rest of your governance stack
Classification should connect directly to controls:
- privacy impact requirements,
- human review thresholds,
- client disclosure playbooks,
- incident-reporting criteria.
Without this linkage, classification becomes paperwork instead of risk management.
For law firms, the AI system definition is not a theoretical exercise. It is the gateway decision that determines whether governance is substantive or merely nominal.
Classification conclusion
By treating AI-system-definition decisions as workflow evidence, not one-time labels, legal teams can maintain proportional governance while staying ready for evolving guidance and enforcement expectations.