AI Governance Consulting

From unsanctioned AI to a defensible record.

Cullis AI consulting is a three-tier engagement model for Montana law firms. We do not sell speed. We sell defensibility. Every recommendation maps to ABA Model Rules 1.1, 1.6, and 5.3, and produces an evidentiary record the firm can stand behind in front of a malpractice carrier, the State Bar, or opposing counsel.

"Most legal-tech consultants sell speed. Cullis sells defensibility. Efficiency asks: did this make the lawyer faster? Defensibility asks: if a tribunal challenged this work product tomorrow, could the lawyer prove competent supervision?"

- The Cullis Philosophy

Defensible vs. Vulnerable

Every Cullis recommendation pushes the firm's AI posture in one direction: from vulnerable to defensible. The question is not whether the firm is using AI. The question is whether the firm can prove, after the fact, that the use was supervised, documented, and compliant.

Vulnerable

The undocumented firm

AI in use without sanction, without supervision, and without record. The firm cannot answer basic questions from a client, an insurer, or the State Bar about what tools are touching client data, who authorized them, or what oversight is in place.

  • Free or consumer-grade AI tools touching client work without a signed Data Protection Agreement
  • No written AI Acceptable Use Policy, or one that nobody at the firm has read
  • No Human-in-the-Loop drafting log. Supervision exists in name only
  • No client disclosure. No engagement-letter language addressing AI use
  • Likely insufficient under the Rule 1.6 reasonable efforts standard
Defensible

The firm with a record

Every tool sanctioned. Every workflow supervised. Every output documented. When a tribunal, a malpractice carrier, or the State Bar asks how AI was used, the firm answers with paperwork, not memory. The evidentiary record is the product.

  • Sanctioned-tool list, written AUP, and signed DPAs for every AI vendor touching client data
  • Hardened Microsoft 365 environment with Commercial Data Protection verified
  • Documented HITL workflow with a contemporaneous Drafting Log for every matter
  • Engagement-letter language that addresses AI use and client consent
  • Stands up under the Rule 1.6 reasonable efforts standard and the Rule 5.3 supervision standard

A Good / Better / Best engagement menu

Most firms enter at Tier 1 and graduate based on what the audit uncovers. Each tier produces a discrete, defensible deliverable. You can stop at any tier; the prior tier's evidentiary record stands on its own.

Tier 1 - The Diagnostic Tier

Compliance Foundation

"We need to close the malpractice gap immediately."

What We Do

  • Perimeter and Shadow IT audit: browser extensions, account verification, data-hop interviews
  • DNS and Microsoft 365 / Google Workspace admin review
  • Vulnerability mapping: every finding mapped to a specific ABA Model Rule
  • Risk Ledger with Critical / High / Moderate / Informational grading

What You Receive

  • Final Audit Report written to expert-witness standard
  • AI Acceptable Use Policy (the AUP leave-behind), ready to sign at the next staff meeting
  • HITL Drafting Log template
  • Client disclosure language for the firm's engagement letters
Best Suited For
Firms that have never run an AI audit. Solo and small firms using free Gmail or Dropbox, with no formal IT policy, whose primary concern is malpractice exposure. Tier 1 delivers the clean bill of health and the evidentiary record of reasonable diligence under Rules 1.1 and 1.6.
Tier 2 - The Implementation Tier

Safe Implementation

"Let us train your team to use the tools you already pay for, safely and defensibly."

What We Do

  • Microsoft 365 environment hardening: licensing verification, MFA, Conditional Access, DNS filtering
  • Data purge: migrate every active client file from Shadow locations into the firm's SharePoint and OneDrive
  • OAuth cleanup and third-party app revocation
  • Sanctioned tool deployment: Copilot for Microsoft 365, CoCounsel, Lexis+ AI, or the defensible enterprise platform your firm chooses
  • Human-in-the-Loop (HITL) workflow design: the Rule 5.3 supervision mechanism translated into a daily process
  • Staff training and tactical SOPs, including the hallucination drill and redaction protocol

What You Receive

  • Hardened M365 environment with Commercial Data Protection verified
  • Working HITL drafting workflow inside the firm's practice management system
  • Drafting Log template populated with your first sanctioned-tool drafts
  • Two-week stability scan confirming no Shadow IT regression
  • Optional ongoing annual maintenance retainer
Best Suited For
Firms that have completed (or want to complete) an AI audit and are ready to actually use the tools they already pay for, safely. Tier 2 turns Microsoft 365 Business Premium into the firm's clean room, builds the supervision discipline that Rule 5.3 requires, and delivers real efficiency gains without sacrificing defensibility.
Tier 3 - The Transformation Tier

Strategic Transformation

"We will show you how to deploy AI in a way that increases firm profitability, not just productivity."

What We Do

  • Discovery and as-is analysis: stakeholder interviews, technology inventory, workflow mapping
  • Revenue map and gap analysis: profitability by matter type and practice area
  • Vendor-neutral RFP: Six Sigma procurement methodology applied to the legal AI software market
  • Bid evaluation against a 100-point scoring rubric the firm can audit at any time
  • Contract and DPA negotiation support: training-data, liability, and confidentiality provisions
  • Hybrid billing model design: practice-area-specific fixed-fee menus, subscriptions, and retainer products that turn AI gains into revenue, not revenue loss
  • Coordinated launch and knowledge transfer; clean exit at vendor go-live

What You Receive

  • Strategic transformation memo
  • Complete RFP package and scoring rubric
  • Written vendor recommendation with risk and cost-benefit analysis
  • Hybrid billing model design with client disclosure language and engagement letter updates
  • Contract negotiation support log
  • Final knowledge transfer memo and warm handoff to the chosen vendor's implementation team
Best Suited For
Firms ready to restructure their economics for the AI era. Firms that want vendor-neutral guidance on selecting legal AI software, are concerned about billable-hour collapse, and need a partner who is structurally independent from any specific vendor. Cullis owns strategy, governance, and economic transformation. The chosen vendor owns implementation and ongoing support. We exit at vendor go-live.

Three rules. One framework.

Every Cullis AI deliverable maps to one or more of these three Model Rules. These are not abstract aspirations. They are the framework a malpractice carrier, a State Bar grievance committee, or an expert witness will use when reviewing the firm's AI practices.

1.1
Competence

ABA Formal Opinion 512 made the implications for generative AI explicit: a lawyer must understand how the AI tool functions, what data it ingests, what it retains, and how its outputs may be inaccurate or biased. Technical incompetence is no longer a tenable defense.

1.6
Confidentiality

Rule 1.6(c) requires lawyers to make reasonable efforts to prevent unauthorized disclosure of client information. Pasting a client's will into a free public chatbot is the modern equivalent of leaving the firm's filing cabinet on the sidewalk.

5.3
Supervision

Rule 5.3 was written for paralegals but applies with equal force to AI agents. The lawyer who deploys an AI tool is supervising a nonlawyer. That supervision must be documented. The Human-in-the-Loop workflow is, at its core, a Rule 5.3 compliance mechanism.

Ready to start with Phase 0?

Investments at every tier are calibrated to the engagement scope and the firm's complexity. Reach out to start a conflict check and schedule your discovery call.