What Small and Mid-Sized Law Firms Should Do Right Now After the Rakoff Ruling
Most firms met AI informally. An associate with a browser tab open beside Westlaw. A partner pasting client text into a public tool to clean up tone. None of that felt like policy. The Rakoff ruling is the moment that informal experimentation stopped being harmless and became a discoverable, documented liability for your firm.
The ruling did not create a new problem. It simply put a spotlight on practices that already existed in most firms. The question for managing partners now is not whether AI will be used. It is whether that usage will sit on top of a controlled environment or on years of unexamined workarounds.
Why the Sequence Matters
The order in which you adopt AI in your firm is not a technical detail. It is the difference between finding hidden risk early and amplifying it across every practice group.
Picture one specific scenario. A mid-sized firm decides to move quickly and deploys an AI agent to index SharePoint so attorneys can query the firm's knowledge in natural language. The agent does exactly what it is told. It reads everything it can see.
Buried in that content is a three-year-old internal discrimination memo. It sits in the wrong folder. No sensitivity label. No restricted access. No clear matter number. The agent surfaces that memo as a helpful reference to an associate who should never see it.
This is not an AI failure. It is the predictable result of skipping the foundation. The agent only exposed gaps in identity, access, and labeling controls that were already there. Rakoff did not invent that risk. He made it much harder to ignore.
If you move straight to agents without cleaning up identity, access, and data handling, you are asking a fast system to operate inside structural confusion. The right sequence flips that. It uses AI to accelerate a controlled environment, not to explore a chaotic one.
Phase 1: Security, Operations and AI Audit
Typical engagement: $1,500 to $3,500
Your first move is not to install anything. It is to understand where AI and manual work already intersect in your firm.
A focused AI and operations audit is short, specific, and aimed at giving you a prioritized roadmap with concrete next steps, not an abstract scorecard. In practice, that audit looks at three layers.
Current AI usage. Which tools are attorneys and staff actually using today, including personal accounts and browser-based services outside the office?
Operational workflows. Where do manual handoffs, email threads, and spreadsheets still carry key processes like intake, conflicts, deadline tracking, and client updates?
Microsoft 365 configuration. How are you using SharePoint, Teams, and Exchange now, and where are the gaps?
The output should be a written document with specific findings. For example: "Three practice groups rely on untracked shared inboxes for intake." Or: "Privileged documents are stored in general-purpose SharePoint libraries without standardized matter structure." Each finding should be tied to recommended steps, effort level, and risk impact.
Outside perspective matters here. The people who know your firm best are also the ones who built its workarounds over years of tight deadlines. They have adapted so fully that many of those workarounds are now invisible. An external operator can name them plainly and connect them to concrete risk in a way that feels constructive, not personal.
Phase 2: Microsoft 365 Legal Security Foundation
Once you can see the workarounds, the next step is to build a legal-specific security foundation inside Microsoft 365. This is the layer that will be examined if AI usage ever enters the record.
You can think about this foundation in three tiers. Each tier answers a different question a court, regulator, or client might ask.
Tier 1: Identity and Access Controls
Can you defend who had access to what, and under what conditions?
Tier 1 is about who can see what and from where. At a minimum, this means enforcing multifactor authentication for all accounts, including partners and shared mailboxes. Legacy authentication protocols that bypass modern controls should be disabled. Global administrator roles should be reduced and, where possible, limited to break-glass accounts.
You also want a baseline of Conditional Access policies. For many firms, that starts with blocking sign-ins from countries where you have no operations and requiring compliant devices for administrative tasks.
External sharing should be tightened around SharePoint and OneDrive. That usually means disabling anonymous links, restricting who can invite guests, and setting sensible defaults for new sites. From there, standardize a SharePoint matter structure so every matter lives in a known location with consistent permissions, not ad hoc folders spread across sites. Running a Secure Score review and remediating high-impact items rounds out this first tier.
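The Tier 1 identity baseline, as an added example written for this article (not Next Core Flow's own tooling): three Conditional Access policies created through the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph modules are installed, that "breakglass-admin@firm.example" is a placeholder for the firm's emergency-access account, and that every policy starts in report-only mode so sign-in logs can be reviewed before anything is enforced.

```powershell
# Added example, not from the article. Assumes Microsoft.Graph modules are installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.Read.All","Directory.Read.All"

# Placeholder break-glass account: excluded from every policy so admins cannot lock themselves out.
$breakGlass = (Get-MgUser -Filter "userPrincipalName eq 'breakglass-admin@firm.example'").Id
$gaRoleId   = (Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Global Administrator').Id

# Report-only first: watch the sign-in logs for a week, then change state to "enabled".
$reportOnly = "enabledForReportingButNotEnforced"

# 1. Block legacy authentication clients; they cannot satisfy MFA at all.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CA01 Block legacy authentication"
    state       = $reportOnly
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 2. Require MFA for every account, partners and shared mailboxes included.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CA02 Require MFA for all users"
    state       = $reportOnly
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 3. Global Administrator sign-ins only from Intune-compliant devices, with MFA.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CA03 Admins require compliant device"
    state       = $reportOnly
    conditions  = @{
        users          = @{ includeRoles = @($gaRoleId); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
}
```

Review the report-only results under Entra sign-in logs before switching each policy to enabled; a geographic block built on a country named location follows the same pattern.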
Tier 2: Data Protection and Sharing Controls
Can privileged information leave controlled channels without the firm noticing?
Tier 2 assumes that people will make mistakes. Its goal is to keep privileged information from leaving controlled channels without your knowledge.
This starts with sensitivity labels designed for legal work. At a minimum, create labels such as Confidential, Attorney-Client Privileged, and Work Product. Configure them so that labeled content carries encryption and usage restrictions wherever it travels.
Auto-labeling helps when human discipline slips. For example, emails mentioning a client matter number combined with certain phrases can be labeled Attorney-Client Privileged automatically. Documents stored in specific matter libraries can inherit appropriate labels without manual steps.
Email data loss prevention policies should monitor for privileged labels and sensitive patterns. You can block sending when someone tries to email a protected document to an external recipient who is not a known client contact. Blocking automatic forwarding of protected documents and governing guest access in Teams and SharePoint rounds out this tier.
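The Tier 2 labeling and DLP controls, as an added example written for this article (not the firm's or Next Core Flow's configuration): the three legal labels with encryption, a label policy that publishes them, an email DLP rule that blocks privileged content to unknown external recipients, and a mail flow rule against auto-forwarding. It assumes the ExchangeOnlineManagement module is installed, and uses "firm.example" and "client-a.example" as placeholders for the firm's domain and a known client contact domain.

```powershell
# Added example, not from the article. Assumes the ExchangeOnlineManagement module is installed.
Connect-IPPSSession          # Security & Compliance cmdlets (labels, DLP)
Connect-ExchangeOnline       # Exchange Online cmdlets (mail flow rules)

# Labels carry encryption with the file, so a copy that leaves controlled channels stays unreadable.
# "firm.example" is a placeholder: only accounts in that domain receive usage rights.
$rights = "firm.example:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL"
foreach ($name in "Confidential", "Attorney-Client Privileged", "Work Product") {
    New-Label -Name ($name -replace '[^A-Za-z]', '') -DisplayName $name `
        -Tooltip "Legal: $name. Encrypted; usable only by firm accounts." `
        -EncryptionEnabled $true -EncryptionProtectionType Template `
        -EncryptionRightsDefinitions $rights `
        -EncryptionContentExpiredOnDateInDaysOrNever Never `
        -EncryptionOfflineAccessDays 7
}

# Publish the labels to all mailboxes so they appear in Outlook, Word, and SharePoint.
New-LabelPolicy -Name "Legal Labels" -ExchangeLocation All `
    -Labels "Confidential", "AttorneyClientPrivileged", "WorkProduct"

# DLP: block outbound mail carrying privileged labels unless it goes to a known client domain.
New-DlpCompliancePolicy -Name "Privileged Outbound" -ExchangeLocation All -Mode Enable
New-DlpComplianceRule -Name "Block privileged to unknown external" -Policy "Privileged Outbound" `
    -ContentContainsSensitiveInformation @{
        operator = "And"
        groups   = @(@{
            operator = "Or"; name = "Legal labels"
            labels   = @(@{ name = "Attorney-Client Privileged"; type = "Sensitivity" },
                         @{ name = "Work Product";               type = "Sensitivity" })
        })
    } `
    -AccessScope NotInOrganization -BlockAccess $true `
    -ExceptIfRecipientDomainIs "client-a.example" `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText "Privileged content cannot be sent to unverified external recipients."

# Stop automatic forwarding to outside addresses regardless of label.
New-TransportRule -Name "Block external auto-forward" -MessageTypeMatches AutoForward `
    -SentToScope NotInOrganization -RejectMessageReasonText "External auto-forwarding is disabled."
```

Run the DLP policy with -Mode TestWithNotifications first if attorneys routinely exchange drafts with co-counsel, and add those domains to the exception list before enforcing.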
Tier 3: Audit, Logging, and Defensible Records
Can you reconstruct what happened in a matter when someone asks?
Tier 3 assumes something will be questioned: a client challenge, a regulatory inquiry, or discovery in a matter. The test is whether you can reconstruct what happened inside your systems.
Start with retention policies for email and SharePoint that match your firm's recordkeeping obligations. Configure eDiscovery so you can search across Exchange, SharePoint, Teams, and OneDrive in a way that matches how your attorneys actually work. Run test holds on sample matters to confirm that content is captured as expected.
Defender for Office 365 handles anti-phishing, safe links, and safe attachments so that obvious threats are filtered before they reach busy attorneys. Intune device compliance policies make sure firm data only lands on devices that meet your standards. Close Tier 3 with a security posture documentation packet that describes your identity controls, labeling model, retention policies, and monitoring in plain language.
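The Tier 3 retention and audit controls, as an added example written for this article (not the firm's or Next Core Flow's configuration): a retention policy for mail and SharePoint, a check that unified audit logging is actually on, and an audit query that reconstructs who accessed one privileged document. It assumes the ExchangeOnlineManagement module is installed; the 2,555-day (seven-year) period and the document URL are placeholders for the firm's real recordkeeping obligation and a real matter library.

```powershell
# Added example, not from the article. Assumes the ExchangeOnlineManagement module is installed.
Connect-ExchangeOnline
Connect-IPPSSession

# Retain mail and SharePoint/OneDrive content for the period, then delete. 2555 days is a placeholder.
New-RetentionCompliancePolicy -Name "Firm Records 7y" -Enabled $true `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name "Firm Records 7y rule" -Policy "Firm Records 7y" `
    -RetentionDuration 2555 -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# The reconstruction below is empty unless unified audit logging is enabled; verify it first.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Reconstruct every access to one privileged document over the last 90 days.
# Placeholder URL: replace with the document in the matter library being examined.
$doc = "https://firm.sharepoint.com/sites/Matter-12345/Shared Documents/Privileged Memo.docx"
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
        -RecordType SharePointFileOperation -ObjectIds $doc -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, Operation, UserId, ClientIP, SourceFileName |
    Sort-Object CreationTime

# Keep the export with the matter file; it is the record you hand over when asked.
$events | Export-Csv -Path ".\privileged-memo-access.csv" -NoTypeInformation
$events | Format-Table -AutoSize
```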
The Rakoff connection. The opinion in US v. Heppner turned heavily on reasonable expectation of confidentiality. Sensitivity labels, applied consistently to privileged and work product materials, are one of the clearest technical steps you can take. They show that you treat confidentiality as an active, defined standard, not an informal assumption.
Phase 3: Microsoft 365 Workflow Automation
Once your foundation is in place, you can start removing manual friction from everyday workflows using the tools you already pay for. None of this requires a new platform. You are orchestrating capabilities already present in Outlook, SharePoint, Power Automate, and Teams.
Client Intake
Today, many firms run intake from a shared inbox. Messages sit until someone has time. Conflict checks happen later, if at all. There is often no single record that follows the inquiry from first contact through conflict resolution and engagement.
A structured intake flow inside Microsoft 365 changes that. An email to the intake address can automatically create a structured record in a list or matter management tool, route the request to the right practice group, trigger conflict check tasks, and make status visible without anyone asking for an update.
Deadline Tracking
In many firms, deadlines live in individual Outlook calendars, sometimes duplicated in a spreadsheet maintained by a practice assistant. Reminders depend on people remembering to set them.
With Microsoft 365 automation, a single deadline entry can drive a cascade of reminders. When a critical date is entered once, the system schedules reminders at 30 days, 14 days, 7 days, and 48 hours to the responsible attorney, the team channel, and any designated backup. If the date changes, all downstream reminders update automatically.
Document Drafting
In most small firms, drafting starts with someone saying "I think we did something like this for a client two years ago" and then spending twenty minutes hunting through email attachments and old matter folders to find it. Template libraries exist in theory. In practice they are outdated, hard to locate, and ignored in favor of whatever someone remembers saving.
You can consolidate vetted template libraries and clause sets, then surface them directly in Word. When an attorney starts a draft, they can pick from approved templates by matter type and quickly insert standard clauses. Prior work product can be searchable by practice area, jurisdiction, or matter category, with controls that respect sensitivity labels and permissions.
Matter Close and Retention
Matter close is one of the most neglected workflows in small and mid-sized firms. Work stops, bills are sent, and everyone moves on. Someone updates the status. Someone else emails billing. Archiving might happen months later, if at all. Access often remains broader than it should.
A single matter status change can trigger a coordinated closeout. When a matter is marked complete, billing notifications go out, archiving tasks are created, retention tags apply, and permissions tighten automatically. Attorneys do not need to remember a checklist. The workflow runs quietly in the background inside Microsoft 365.
Phase 4: OpenClaw AI Agents Inside a Controlled Environment
With security and workflows in place, AI agents stop being experiments and start becoming defined tools. OpenClaw agents operate inside your structured, labeled, permission-controlled Microsoft 365 environment. That makes them fundamentally different from a general-purpose tool pointed at a loose collection of files.
Intake triage agent. Reads structured intake records, flags potential conflicts based on parties and issues, and routes to the right practice group with tasks created for human review.
Deadline monitoring agent. Scans matter records and calendars, then sends a daily digest of approaching deadlines to the managing partner or practice leads. It aggregates what already exists and keeps the firm aligned.
Research support agent. Queries internal knowledge while respecting permissions and labels. An associate asking a question about a particular issue only sees memos, filings, and work product they are authorized to access.
Drafting support agent. Assembles first-pass documents from your own prior work and template libraries. Proposes clause options that match the firm's preferences, not generic language from unknown sources. Attorneys remain responsible for review and judgment.
Client communications agent. Drafts routine status updates based on matter milestones and recent activity. Attorneys receive proposed messages and decide what to send. Every agent action is logged.
In this model, agents sit inside your own infrastructure. They operate against labeled content, with identity and access controls already enforced. When a regulator, court, or client asks how AI is used, you can point to specific workflows, controls, and audit trails.
Where to Start This Quarter
You do not need to complete all four phases this quarter. You do need to start.
Begin by asking every attorney and staff member a simple question: "What AI tools are you using today, including any you access from a personal device or browser at home?" Capture those answers without judgment. You are building an inventory, not policing curiosity.
Next, commission a focused Phase 1 AI and operations audit before taking any other action. That audit should give you a clear, prioritized view of where your current practices intersect with the risks exposed by Rakoff. Everything else follows from knowing what you are actually working with.
Then pick one or two Tier 1 security steps in Microsoft 365 that you can complete quickly. For most firms, that means firmwide multifactor enforcement and a first pass at standardizing SharePoint matter structure. Both are achievable in a matter of days.
Finally, choose a single workflow for early automation in Phase 3, such as intake or deadline tracking. Prove to partners and staff that structured change is possible and helpful before expanding.
The firms that navigate the Rakoff era well will not be the ones that raced into agents first. They will be the firms that put security, structure, and clear workflows in place, then added AI inside that environment. Moving in the right sequence turns AI from a hidden liability into a controlled extension of how your operations already run.
Next Core Flow helps small and mid-sized law firms move through this roadmap without turning it into a multi-year internal project. If you want to learn more about the Phase 1: Security, Operations and AI Audit, schedule a time to meet here or email jfeldman@nextcoreflow.com.
This article is for informational purposes only and does not constitute legal advice. The content reflects general operational and technology considerations and should not be relied upon as legal guidance specific to your firm or matter. Consult qualified legal counsel regarding your firm's specific obligations, privilege considerations, and compliance requirements.