What the assessment actually delivers.
A written sovereignty-posture document, organized the way a state bar disciplinary counsel or a malpractice carrier underwriter would organize a review. Three to six pages on the short cycle, six to twelve pages on the long cycle. Named observations, sourced to your firm's actual vendor stack and practice areas, with a remediation order written for a small firm's reality (the partner who reads vendor contracts at night, the associate who has the AI tab open, the office manager who actually reconciles the IOLTA) and not a sales-cycle reality.
Lens 1: Model Rule 1.6 and state ethics posture.
What can your firm produce on demand to show that the AI tools, cloud vendors, and outsourced services in active use are consistent with Model Rule 1.6, with your state's Rules of Professional Conduct, and with any state bar ethics opinion or advisory your jurisdiction has published in the last 24 months? Where are the gaps a disciplinary inquiry would find? For litigation practices, what does the firm's posture look like under the work-product doctrine and any applicable court-rule obligations on confidentiality of client information and privileged material?
This lens reads your firm's environment the way a thoughtful ethics opinion would: starting from the obligation, working outward to the vendor relationships and tool choices, naming the gaps with specificity and the remediation paths with proportion.
Lens 2: AI vendor, practice-management, and IOLTA-adjacent vendor sovereignty.
What do your practice management vendor, document management vendor, e-filing vendor, IOLTA bank and trust-accounting software, e-discovery vendor (if any), legal research provider, and AI drafting or summarization tools actually claim in their current Terms of Service, data processing addenda, and AI feature activation defaults? Where does your firm's data live, who has subpoena authority over it, and can you produce a clean export of every matter file, every trust ledger, and every billing record without the vendor's active cooperation? Which AI features have been activated since you signed up, and were those changes accepted by silence?
This lens names every named vendor in your stack, surfaces the contractual reality (not the salesperson's reassurance), and flags where the AI clauses introduced in the last 18 months have changed what you signed up for. For attorneys using consumer AI tools outside any enterprise contract (the unspoken ChatGPT or Claude tab open during drafting), it names that as the exposure it is.
The deliverable is yours. Keep it, share it with your managing partner, file it with your malpractice carrier's next renewal packet, or work the remediation yourself. There is no obligation to engage Sterling for any work beyond the assessment. If we can help, you will know. If you do the work in-house from the assessment alone, that is also a good outcome.
The threat surface, named.
Four exposures sized specifically for solo practitioners and small law firms. None of these are hypothetical. All of them are showing up in current state bar advisories, malpractice carrier renewal questionnaires, sanctioned-attorney case law, and the legal trade press.
Threat 1: ABA Formal Opinion 512 already named the problem. State bars are publishing parallel opinions.
ABA Formal Opinion 512 (July 2024) addressed lawyers' use of generative AI tools and concluded that Model Rule 1.6 confidentiality, Rule 1.1 competence, Rule 5.3 supervision of non-lawyer assistance, and Rule 1.5 reasonable fees all apply to AI use. Several state bars have since published their own opinions or advisories with specifics for their jurisdiction (California, Florida, the District of Columbia, New Jersey, New York County, and others, with more on a steady cadence). The consistent through-line: the obligation does not change because the technology is new, and the lawyer cannot delegate the confidentiality duty to the vendor. The practical question for any small firm is whether the firm's actual practice today can be explained in front of the bar with reference to those opinions.
Sources: ABA Formal Opinion 512 on Generative AI, July 2024; State Bar of California Practical Guidance on AI (2023, updated); Florida Bar Ethics Opinion 24-1; DC Bar Ethics Opinion 388; NJ Supreme Court Notice on AI; NYCBA Formal Opinion 2024-5; state bar AI advisories tracker maintained by the Stanford CodeX center and ABA Center for Innovation.
Threat 2: Consumer-tier AI Terms of Service do not match what the duty of confidentiality requires.
OpenAI, Anthropic, and Google's consumer and prosumer tiers contain provisions for retention and, depending on plan, for using prompts and outputs to improve their systems. Opt-outs exist but are inconsistent across products and tiers. Enterprise agreements with no-training and zero-retention terms are available, but they are priced for organizational buyers and most solo and small-firm attorneys never sign one. The result: the practice tier that uses these tools most has the weakest contractual protection, the worst opt-out posture, and the lowest documentation of what was sent in. For a Model Rule 1.6 analysis, that is the worst of the available combinations.
Sources: OpenAI Enterprise Terms 2026 and consumer/ChatGPT Plus terms 2026; Anthropic Acceptable Use Policy and Claude enterprise terms 2026; Google Gemini and Workspace AI terms 2026; ABA Formal Opinion 512 (cited above) on the confidentiality implications of consumer-tier AI usage.
Threat 3: Practice management and document management vendors have quietly activated AI features the firm never opted into.
Clio, MyCase, PracticePanther, Smokeball, NetDocuments, iManage, and adjacent vendors have shipped AI summarization, drafting assistance, and clinical-style "suggested next action" features across 2024 and 2025. Many of these were activated by default, with the vendor's existing Terms of Service treated as already sufficient because the underlying data was already in the platform. The question for the firm is not whether the vendor's legal analysis is correct (it varies by vendor) but whether the firm's own posture documentation reflects an informed decision. Most do not. The bar's analysis under Rule 5.3 expects the firm to actively supervise the non-lawyer assistance, which includes vendor AI behavior, not passively accept whatever the platform activates.
Sources: vendor product release notes and Terms of Service updates from Clio, MyCase, PracticePanther, Smokeball, NetDocuments, iManage 2024 to 2025; ABA Formal Opinion 512 Section III on non-lawyer assistance and Rule 5.3; Stanford CodeX research on legaltech AI feature activation 2024-2025.
Threat 4: Trust accounts and IOLTA-adjacent vendor exposure can take down a firm faster than a confidentiality breach.
Every state bar has an IOLTA or trust-account rule with audit, record-retention, and reconciliation obligations. Many states run random audits. The trust-accounting software, the firm's bank, the e-billing platform that touches client funds, and any payment processor in the loop are each a vendor relationship with audit-relevant data. A breach, an unauthorized AI feature that touched trust-account data, or a vendor change-of-control that interrupted access at the wrong moment can each create a state bar disciplinary issue independent of any client complaint. The malpractice carrier is also reading this stack on renewal: questions about AI vendor use, payment processor choice, and trust-account software have been added to renewal applications across the major carriers (ALPS, Mercer Consumer, USI Affinity, Markel, the state bar mutuals).
Sources: ABA Model Rules of Professional Conduct 1.15 (Safekeeping Property); state bar IOLTA program rules (varies by jurisdiction); state bar published random-audit programs; malpractice carrier renewal applications 2024 to 2025 (ALPS, Markel, USI Affinity, and state bar mutual carriers); industry observation, trade press coverage of trust-account-related discipline 2023 to 2025.
The hybrid cycle, sized to your practice.
The general success.build/risk evaluation runs a two-hour cycle. Most solo and small-firm attorneys fit that shape. Litigation boutiques with active matters, firms with multiple practice areas, firms approaching a known disciplinary review, and firms preparing for a malpractice carrier renewal often want more depth and the longer cycle.
So the attorneys assessment is scope-selectable on the discovery call. Both options are free. We help you size the cycle to the firm's actual surface area.
- Short cycle (about two hours of your time, roughly one week elapsed). Thirty-minute discovery call. Homework on your side: vendor list, a quick description of the AI tools in actual use across the firm (named, not generic), and any state bar AI guidance you are aware of in your jurisdiction. One sixty-minute evaluation session. A three-to-six page written sovereignty-posture document delivered within five business days. Best fit for solo practitioners, two-to-five attorney firms, and any firm with a focused question ("is our use of ChatGPT for drafting defensible," "what is our state's posture on AI in practice," "how does our trust-account software hold up").
- Long cycle (about ten business days, ethics-opinion-shaped deliverable). Forty-five-minute discovery call. One week of homework on our side: we read the relevant state bar ethics opinions and advisories for your jurisdiction, pull the current Terms of Service for every named vendor, check for AI feature activation defaults across the stack, and structure the evaluation around Model Rule 1.6, your state's Rules of Professional Conduct, and any practice-area-specific layer (criminal defense Brady/Giglio production, family law minor data, immigration practice document handling, plaintiff contingent-fee practice trust accounting). One ninety-minute evaluation session with the managing partner or sole practitioner, the office manager or paralegal who handles vendor relationships, and the firm's IT lead if separate. A six-to-twelve page written deliverable within five business days of the evaluation session. Best fit for litigation boutiques, firms of five to twenty-five attorneys, firms with multiple practice areas, and firms preparing for a known upcoming audit or renewal.
The choice is made on the discovery call, not before. Bring the question, we will help size the cycle. Either option is free. Either option produces a written deliverable that is yours to keep, share, or file.
Who this is for.
The fit is clearest for solo and small-firm attorneys in the $500K to $10M annual revenue band with one to twenty-five attorneys, where the practitioners themselves are the people reading vendor contracts and choosing AI tools. Larger firms typically have an internal general counsel, a compliance function, or a CIO who runs this work in-house; this page is not built for that buyer.
- Solo practitioners across any practice area where the firm's tool choices, vendor contracts, and AI use are decisions the practitioner makes personally.
- Two-to-five attorney general practice firms with mixed civil, family, real estate, and estate work.
- Small litigation boutiques (plaintiff or defense, civil or criminal) with active matters and the corresponding work-product and Brady/Giglio obligations.
- Small immigration practices handling sensitive client documents, family-status data, and matter files often spanning multiple jurisdictions.
- Small family law and matrimonial practices with minor-data exposure, contested custody matters, and elevated confidentiality stakes.
- Small estate planning and trusts-and-estates firms with intergenerational client relationships, multi-party engagement, and document repositories that span decades.
- Growing-small-firm practices in the ten-to-twenty-five-attorney range that have added vendors faster than vendor governance has kept up.
Adjacent practice types we also work with
- Of-counsel and part-time practitioners with a solo posture but smaller scope; the short cycle fits most of the time.
- Bar-association legal aid programs and clinics where pro-bono and reduced-fee practice creates a different funding shape but the same Model Rule 1.6 obligation.
- Legal-services 501c3s and other nonprofit-structured law practices (Legal Aid Society chapters, legal-services corporations, public-interest law firms) where the firm operates as part of a nonprofit cluster. The Model Rule 1.6 framing is held here; the cluster-stewardship questions across the related 501c entities route to the nonprofits and tax-exempt organizations assessment.
- Independent legal-process and document-prep services operating under state-specific limited-practice rules, where vendor exposure is similar but the regulatory frame differs.
- Solo and small-firm patent and trademark practitioners with USPTO confidentiality obligations layered on Model Rule 1.6.
- Canon-law attorneys, religious-tribunal advocates, and attorneys serving faith-based institutions where the practice carries an additional tradition-specific obligation alongside Model Rule 1.6. The privilege-holding framing is held here; the tradition-specific institutional framing routes to the religious institutions and diaspora community organizations assessment.
- In-house single-lawyer departments at small companies or nonprofits where the lawyer is also wearing operations, vendor management, and compliance hats simultaneously.
- Mediators and arbitrators with confidentiality obligations under mediation statutes and arbitral institution rules that interact with vendor AI in ways most haven't reviewed.
Why us.
Sterling Solutions is a Westchester-based small firm. We do not run on venture capital. We do not have a sales team pretending to be your friend. We do not have an exit horizon. We have published values (success.build/ethos) and a written anti-lock-in doctrine, and the architecture of our own platform proves it: every layer is swappable, every export is clean, your data is yours from day one and on the day you leave.
We are not a practice management vendor and we are not pitching one. The assessment is not a stalking horse for a system conversion engagement. If the conclusion is "your AI usage is defensible with these three documentation gaps closed," that is the conclusion. If the conclusion is "your practice management vendor's contract is much worse than you realized and the remediation path is renegotiation at the next renewal," that is the conclusion. We have no commission structure with any of the vendors we evaluate.
The privilege belongs to the client. The lawyer holds it in trust. The vendor stack a firm operates should reflect that hierarchy, not invert it. The same logic applies to our own work: the people we serve are not products, and the data we hold is in trust. We take the analogy seriously because it is not an analogy. It is the same duty shape, named in different professional vocabularies.
The same duty-shape repeats next door. At behavioral health practices and clinics, the therapeutic alliance is the asset and clinical confidentiality is the obligation; HIPAA, 42 CFR Part 2, and every behavioral health profession's ethics code name the same hierarchy Model Rule 1.6 names here. When the firm operates as a legal-services 501c3 or any nonprofit-structured law practice, the cluster-stewardship questions across the related 501c entities route to the nonprofits and tax-exempt organizations assessment. When the practice carries an additional tradition-specific obligation (canon-law attorneys, attorneys serving religious tribunals, faith-based institutional counsel), the tradition-specific institutional framing is held at the religious institutions and diaspora community organizations assessment. Different vocabularies. Same anti-lock-in doctrine for the data the privilege or the alliance or the stewardship duty is built on.
What this page is not.
This is not a pitch for a six-figure modernization engagement disguised as a free assessment. The assessment is the deliverable. If you read it, file it, do the work in-house, and never speak to us again, that is a good outcome and we are not chasing you for a sales call.
This is not legal advice. Sterling Solutions is a technology firm, not a law firm. The written deliverable identifies sovereignty and ethics-posture gaps and names the regulatory and Rules-of-Professional-Conduct categories they sit under. Decisions about specific actions with legal consequence (state bar inquiries, malpractice carrier communications, vendor contract renegotiation, client-disclosure obligations around AI use) should run through your own counsel or a peer attorney with the relevant subject-matter expertise. We are happy to coordinate with them.
This is not an audit shaped for a large-firm general counsel. Those reviews exist and they cost five figures and they are built for firms with internal compliance and risk teams large enough to receive them. This assessment is shaped for the solo or small-firm attorney who is reading their own vendor Terms of Service on a Sunday because no one else will.
Tire-kickers, briefly.
The evaluation is honest work. We do the homework on our end. We read the state bar advisories and ethics opinions that apply to your jurisdiction. We pull the current public Terms of Service for every vendor you name. We come to the evaluation session prepared. We ask the same of you: bring the partner or practitioner who actually owns the firm's vendor relationships and AI tool choices, and bring a real intent to read what we deliver. Curiosity is fine. Performative curiosity is not what this offer is for.
One discovery call.
Forty-five minutes for the long cycle, thirty for the short cycle. The AI tools and vendor relationships your firm relies on today are going to be the subject of a state bar inquiry, a malpractice carrier renewal question, or a client-disclosure conversation whether or not you have a written posture document on the shelf. The asymmetry between "having a written assessment ready before the question comes" and "scrambling once it does" is large, and it is not in your favor by default. Sterling is happy to help close it.
Heads-up on the booking page: the booking widget currently shows 30-minute slots. For the short cycle, thirty minutes is the right length. For the long cycle, once you pick a time we will extend it to forty-five minutes on our end, provided the fifteen minutes before or after your selected slot are open on our calendar. If the adjustment does not work for you, email [email protected] and we will find a slot that fits.
success.build/risk/attorneys · [email protected] · scope-selectable on the discovery call