| Competence (Model Rule 1.1 + tech competence) | Tools that reduce hallucinations and make outputs explainable and reviewable | Document-grounded answers (RAG) so responses cite the firm’s approved materials instead of “model memory”; configurable retrieval + source snippets to support attorney review | RAG answer format with citations/snippets; admin guide on retrieval settings; user training quickstart |
| Confidentiality (Rule 1.6; “reasonable efforts”) | Keep client data from being used to train public models; strong boundaries | No customer data used for model training (per Imbrulo security position); dedicated environment per firm with U.S. data residency options; on-prem deployment available; no passing private data to third-party model providers in private mode | Security overview / data handling statement; deployment architecture diagram; data flow diagram |
| Secure transmission + storage (Rule 1.6(c)) | Encryption in transit/at rest; controlled retention | TLS 1.3 in transit, AES-256 (or equivalent) at rest; configurable retention policies (deployment dependent) | Security architecture overview; encryption statement; retention configuration excerpt |
| Access controls (Rule 1.6(c), Rule 5.1/5.3 supervision) | Prevent unauthorized use; enforce least privilege | SSO/MFA options, VPN / IP allow-listing, role-based access patterns (deployment dependent) to limit who can access the system and from where | Access control configuration summary; network boundary diagram |
| Supervision (Rules 5.1, 5.3) | Govern AI use with policy + technical guardrails | Centralized admin controls for features (e.g., web-augmented mode on/off), knowledge sources, and user access; supports standardized workflows that require attorney review of sources | Admin settings documentation; policy template (Imbrulo-provided) mapping to controls |
| Avoiding hallucinated law/citations (Rule 3.3 candor; Rule 1.1 competence) | Outputs should be traceable to authoritative sources; attorneys can verify quickly | Grounding to firm-approved knowledge (uploaded docs, matter materials, internal playbooks); shows which passages were retrieved so attorneys can validate; reduces “made up” citations vs model-only prompting | Example outputs showing citations/snippets; RAG vs model-only comparison infographic |
| Client communication (Rule 1.4) | Ability to describe how AI is used, boundaries, and review steps | Clear “trust boundaries” model: firm boundary (optional VPN/IP allow-list), dedicated environment boundary, optional external web sources only when enabled; makes it easy to explain “where data goes” | Data flow + trust boundary diagram; client-facing security one-pager |
| Data minimization + matter separation (Rule 1.6; best practice) | Reduce exposure by limiting what is ingested and who can see it | Knowledge store scoped to the firm environment; allows curating “approved sources” and limiting what documents are indexed/available (implementation dependent) | Knowledge base governance guide; indexing/scope configuration |
| Auditability (Rule 1.6(c); 5.1/5.3 governance) | Ability to investigate incidents and prove controls | Audit log store for access/activity; supports secure export to SIEM/compliance archives so firms can meet internal retention and monitoring requirements | Sample audit log schema; SIEM export instructions; compliance mapping |
| Vendor / tool due diligence (ABA 512 emphasis) | Transparent architecture + documented controls | Imbrulo provides deployment options (dedicated cloud / on-prem), data handling boundaries, encryption posture, and access control options that streamline due diligence packages | Security architecture overview (2–4 pages); standard security Q&A |
| Web browsing risk control (confidentiality + accuracy) | Prevent accidental disclosure to external sites; separate “web mode” from private mode | Web-augmented mode is optional and explicitly bounded; when off, answers are confined to internal knowledge + model runtime in Imbrulo infrastructure | Feature toggle documentation; trust boundary diagram |
| Reasonable fees / efficiency (Rule 1.5) | Improve productivity without compromising review obligations | RAG shortens time spent searching internal precedents and policies while keeping attorneys in control of final work product; supports faster review by linking outputs to sources | Workflow examples; time-saved case study template (if available) |
