Legal Berynex

The SRA's AI Report Is a Warning — and a Roadmap

The SRA has published its findings on AI adoption across UK law firms. The risks it identifies are real. Here's what they mean for smaller practices, and how on-premise AI addresses them directly.

The Solicitors Regulation Authority recently published its research into artificial intelligence across the UK legal market. It makes for interesting reading — not because it’s alarmist, but because it’s measured. The SRA isn’t saying don’t use AI. It’s saying use it carefully, and understand what you’re taking on when you do.

For smaller solicitor firms, the report raises questions that are harder to answer than they are for large practices with dedicated IT departments and compliance teams. This piece looks at what the SRA actually found, and how the architecture of on-premise AI changes the risk picture for firms that want to adopt it responsibly.


What the SRA found

Adoption is accelerating. Three-quarters of the largest firms now use AI — roughly double the rate from three years ago. Among small firms, it’s around a third exploring generative AI. The gap is significant, and the report notes it’s partly driven by cost and partly by uncertainty.

The concerns the SRA identifies fall into five areas.

Hallucination. AI language models produce plausible but sometimes incorrect results. The report cites documented cases of fabricated case citations being submitted to courts — a serious professional failure that originated with a solicitor trusting AI output without verification.

Confidentiality. Staff inputting client data into cloud-based tools creates a genuine risk. The report flags that confidential information can be leaked through AI provider training processes, and that AI outputs can inadvertently replicate prior case details in new matters.

Accountability. The SRA is unambiguous: “You will remain responsible and accountable for the outputs from AI you are using.” That accountability doesn’t transfer to a software provider. It sits with the fee earner, and with the firm.

Cost barriers. Sophisticated AI products are largely built for large corporate practices. The economics don’t currently work for a sole practitioner or a three-person firm — which is part of why adoption is lower in smaller practices.

Skills gap. Prompt engineering, data handling, and understanding what AI can and can’t do reliably require training that many firms haven’t had yet.


Why cloud AI is structurally difficult for most firms

The confidentiality problem isn’t a matter of trusting a provider’s security. The issue is structural. When client data passes through an external server — even a secure one — it has left your control. For firms operating under SRA Principle 6 (confidentiality) and GDPR, that creates a compliance question that is genuinely hard to resolve cleanly.

Large firms can manage this through enterprise agreements, DPIAs, and legal counsel. Most small firms can’t — and shouldn’t have to.


How on-premise changes the equation

The core premise of Berynex LegalAI is that the AI runs entirely on hardware inside the firm. There is no external server. No cloud API. No data leaving the building. The confidentiality risk the SRA identifies simply doesn’t apply in the same way, because the processing never leaves the firm’s infrastructure.

That’s not a marketing position — it’s an architectural one. The data residency question has a clean answer.


Addressing the SRA’s concerns directly

On hallucination: LegalAI uses a retrieval-augmented generation pipeline. That means every response is generated from documents that have been retrieved from a local knowledge base — legislation, practice guides, the firm’s own precedents — not from the model’s training memory. Every factual claim must cite its source document. If no relevant source is found, the model says so rather than speculating. Fabricated citations are structurally prevented.
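An added example (not Berynex's code) of a check that enforces the citation rule described above: a gate that inspects the model's draft before it is shown to the fee earner. The `[S1]` marker format, the refusal string and the function names are assumptions made for this illustration.

```python
import re

NO_SOURCE = "No relevant source was found in the local knowledge base."
CITE = re.compile(r"\[(S\d+)\]")      # assumed marker format: [S1], [S2], ...
QUOTE = re.compile(r'"([^"]{8,})"')   # quoted passages, checked verbatim


def _norm(text):
    """Lower-case and collapse whitespace so line breaks do not defeat matching."""
    return " ".join(text.lower().split())


def gate_draft(draft, retrieved):
    """Return a list of problems; an empty list means the draft may be shown.

    retrieved maps a source id ("S1") to the chunk text actually fetched
    from the local store for this query.
    """
    draft = draft.strip()
    if not retrieved:
        # Nothing was retrieved, so only the fixed refusal is acceptable.
        return [] if draft == NO_SOURCE else ["answer given with no retrieved source"]
    problems = []
    for sentence in re.split(r"(?<=[.!?])\s+", draft):
        ids = CITE.findall(sentence)
        if not ids:
            problems.append(f"uncited sentence: {sentence!r}")
            continue
        unknown = [i for i in ids if i not in retrieved]
        if unknown:
            problems.append(f"cites sources that were not retrieved: {unknown}")
        cited_text = " ".join(_norm(retrieved[i]) for i in ids if i in retrieved)
        for quote in QUOTE.findall(sentence):
            if _norm(quote) not in cited_text:
                problems.append(f"quoted text not in cited source: {quote!r}")
    return problems


# Constructed sample data (not taken from any real practice note or case).
SOURCES = {"S1": "Practice note PN-EXAMPLE: client files must be retained "
                 "for six years after the matter closes."}
GOOD = 'Client files must be kept for "six years after the matter closes" [S1].'
BAD = ('Client files must be kept for six years [S1]. This was confirmed in '
       '"Example v Placeholder [0000] EWCA Civ 0" [S2]. Firms often keep them longer.')

if __name__ == "__main__":
    print(gate_draft(GOOD, SOURCES))
    for problem in gate_draft(BAD, SOURCES):
        print("REJECT:", problem)
```

The gate shows that a citation points at a retrieved document and that quoted wording appears in it; whether a paraphrase is actually supported by that source remains a matter for fee earner review.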

On confidentiality: All processing is local. The firm’s data stays on the firm’s hardware. Ollama runs the language model on-site. ChromaDB, the vector database, is a local Docker container with no external connectivity. Nothing is sent to a third party.

On accountability: Every query, every retrieved source, every response, and every action is logged to a local audit database with 7-year retention. The SRA requires firms to be able to account for their use of AI. That log is how you do it. Every output is presented as a draft — watermarked, requiring fee earner review before use. The AI assists. The solicitor remains responsible.
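An added example, not taken from LegalAI, of how a local audit log with 7-year retention can be made append-only at the database layer. It uses SQLite triggers; the table layout, column names and function names are assumptions.

```python
import json
import sqlite3
import time

RETENTION_SECONDS = 7 * 365 * 24 * 3600  # 7 years, leap days ignored

SCHEMA = f"""
CREATE TABLE IF NOT EXISTS audit (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    ts         INTEGER NOT NULL,   -- unix time of the event
    fee_earner TEXT NOT NULL,
    query      TEXT NOT NULL,
    source_ids TEXT NOT NULL,      -- JSON list of retrieved source ids
    response   TEXT NOT NULL
);
CREATE TRIGGER IF NOT EXISTS audit_immutable BEFORE UPDATE ON audit
BEGIN SELECT RAISE(ABORT, 'audit rows cannot be edited'); END;
CREATE TRIGGER IF NOT EXISTS audit_retention BEFORE DELETE ON audit
WHEN OLD.ts > CAST(strftime('%s', 'now') AS INTEGER) - {RETENTION_SECONDS}
BEGIN SELECT RAISE(ABORT, 'row is still inside the retention period'); END;
"""


def open_log(path=":memory:"):
    """Open (or create) the audit database and install the guard triggers."""
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db


def record(db, fee_earner, query, source_ids, response, ts=None):
    """Append one query/response event and return its row id."""
    ts = int(time.time()) if ts is None else ts
    cur = db.execute(
        "INSERT INTO audit (ts, fee_earner, query, source_ids, response) "
        "VALUES (?, ?, ?, ?, ?)",
        (ts, fee_earner, query, json.dumps(source_ids), response))
    db.commit()
    return cur.lastrowid


def purge_expired(db):
    """Delete only rows older than the retention period; return the count."""
    cutoff = int(time.time()) - RETENTION_SECONDS
    cur = db.execute("DELETE FROM audit WHERE ts <= ?", (cutoff,))
    db.commit()
    return cur.rowcount
```

The triggers stop application code from editing or prematurely deleting entries; they do not protect the database file from someone with write access to the disk, so file permissions and backups still matter.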

On cost: The Entry tier is designed specifically for sole practitioners and small firms — hardware in the £3,500–£5,000 range, with a flat annual licence rather than per-query pricing. No cloud subscription. No usage fees. The economics work for a firm of one.

On the skills gap: The interface is plain English. There is no prompt engineering required. A fee earner asks a question the same way they would ask a colleague. The system handles the retrieval and the grounding.


The SRA’s own framework

The report recommends firms organise their AI governance around five principles: safety and robustness, transparency, fairness, accountability, and contestability. Each of them has a direct architectural counterpart in how LegalAI is built — local processing, mandatory citation, auditable sources, full logging, and rollback capability.

The SRA isn’t telling firms not to adopt AI. Its concluding observation is that “the risk to firms might not come from adopting AI, but from failing to do so.” The question is how to adopt it in a way that meets professional obligations rather than creating new ones.


Where we are

LegalAI is in early development. We’re looking to work with a small number of UK solicitor firms as early pilot partners — to build this around how practices actually work, not how we assume they do.

If you work in legal and want to be involved in shaping that, get in touch.

The SRA report is worth reading in full — you can find it at sra.org.uk.