The In-House AI Mandate: What Clients Will Demand by 2027
GCs at India's largest companies are quietly drafting AI-use clauses for outside counsel. The questions you will be asked in 18 months, and how to be ready before the RFP arrives.

A four-clause schedule that nobody could answer
In March 2026 the General Counsel of a top-five Indian conglomerate, a group with revenue north of INR 1.6 lakh Cr and a panel of 23 outside-counsel firms, sent out a refreshed outside-counsel mandate. The body of the document was familiar. Schedule 4 was not. Four pages, eleven sub-clauses, headed “AI Use, Disclosure and Audit”. Every panel firm had ten working days to respond.
Six of the eight panel firms in our line of sight acknowledged receipt within the deadline. Two attempted a substantive reply. Neither could prove a single one of the answers they gave. One firm listed three AI tools in their schedule of disclosures; we knew, from a separate conversation with one of their associates, that there were at least eleven AI tools in active use across the practice. The firm was not lying. They simply did not know.
That mandate is the leading edge of what becomes a 2027 standard. We have now seen draft AI-use schedules from seven Indian GCs, five at listed companies, two at large unlisted groups. Two of the seven are already in execution copies. The rest are circulating for board sign-off in this quarter or the next. By the time the next panel-review cycles run in late 2026 and early 2027, an AI-use schedule will be the default rider, not the exception.
This piece is a heads-up to managing partners. Here is what is coming, here is what early GC drafts actually say, and here is what an 18-month preparation programme looks like if you want to be on the right side of the next short-list rather than quietly removed from it.
Why the in-house AI mandate is arriving faster than firms expect
Three forces are converging at once, and the firms we speak to are tracking roughly one of them.
One. DPDP 2025 has put client data under regulatory glare. The Digital Personal Data Protection Act made boards personally interested in where their data sits, who processes it, and what happens if it leaks. AI tools sit inside that question now. A GC who lets outside counsel feed corporate data into an unvetted model is, in the board’s eyes, a GC who has lost control of a sub-processor chain. The DPDP playbook covers the regulatory mechanics in detail; see our DPDP 2025 compliance playbook for the obligations that now sit upstream of these clauses.
Two. Board-level AI risk committees are forming at large Indian buyers. Of the top 50 Indian buyers of legal services that we track, 17 have stood up a formal AI risk committee in the last 12 months. Another nine have one in flight. That number was three when we wrote our 2025 governance note. The committee, once formed, asks the GC the same question every quarter: who outside the company is using AI on our matters, and how do we know what they are doing. The honest answer today is some version of we don’t. The committee dislikes that answer. The AI schedule is what comes next.
Three. Parent-company AI policies are cascading to Indian subsidiaries. A surprising number of the early Indian schedules we have read trace their lineage back to a US or EU parent. A consumer-goods major adopted the schedule its Swiss parent had issued nine months earlier, with three Indian-law amendments bolted on. A financial-services subsidiary received its draft from a London headquarters that had piloted it in the UK first. The cascade is mechanical and quick. Once a parent issues a global AI-vendor standard, the Indian sub has roughly two quarters before procurement is asked to enforce it.
The cumulative effect is that the 2027 panel-review season is the first one where AI-readiness will be a hard scoring criterion, not a polite section in the pitch. Firms that wait for the formal RFP cycle will find that the short-list was set months earlier.
What is actually in the AI use clauses
We have read seven draft schedules in full and parts of three more. The eight clause families below are not theoretical; six of the eight appear in every schedule we have seen. Two are still settling. None of the text below quotes any firm or company; the descriptions are our own paraphrase, calibrated across the sample.
- AI tool disclosure. A register, updated each quarter, of every AI tool the firm uses on the client’s matters. Tool name, vendor, version, scope of use, the matter types it touches. Two of the schedules ask for the register at firm level; five ask for it on a matter-by-matter basis. The firms that have an answer to this are the firms that have run an internal AI inventory in the last six months. Most have not.
- Model approval. A right of prior approval over which models and which tool deployments touch the client’s work. In practice this looks like a positive-list mechanism: the client approves, in writing, a short list of permitted tools; anything outside the list requires advance sign-off. The administrative load is real, and firms that have not designed a simple approval workflow find themselves chasing email chains across 40 fee earners.
- Training opt-out. A flat prohibition on the firm or its vendors fine-tuning, training, or otherwise using the client’s data to improve a model. The drafting is now mature; the clauses we have seen track the language US in-house teams have been using since 2024. The hard part is not the clause, it is the chain of contractual back-to-back agreements that sit between the firm and the model vendor. Few Indian firms have those agreements in writing today.
- Audit rights. A right, on reasonable notice, to inspect the firm’s AI usage logs and policy compliance. The audit right is the clause that frightens firms most and, in our reading, will matter least day-to-day. Buyers will rarely exercise it. The presence of the right, however, forces firms to keep logs that would survive an audit, which is a change in posture.
- Hallucination liability. The firm bears the cost, including consequential cost within agreed caps, of any error introduced by AI in its work product. This clause family is the most aggressively drafted and the most likely to be negotiated down. Expect carve-outs around partner review and agreed-tool exceptions. The first version is always harder than the version that gets signed.
- Sub-processor list. A list of every downstream vendor in the chain. If the firm uses a research engine that uses a frontier model that uses a cloud host in a different jurisdiction, the client wants the whole chain on one page. Of all eight clauses this is the one Indian firms find hardest to compile in week one.
- Data residency. Personal data and sensitive client data generated or processed on the matter stays on Indian infrastructure. The clause is short. The compliance burden is not, because most frontier models available to Indian firms today route through non-Indian regions by default. The vendor-side conversation that follows is the one most firms have not yet had.
- Incident notification. A 24 to 72 hour clock to notify the client of any AI-related security or quality incident. The window mirrors the DPDP notification clock for a reason: GCs are trying to bring AI inside the same incident framework they have already built. Operationally this clause requires the firm to have an AI incident playbook with named owners, which almost no Indian firm has today.

| What the client asks | What the firm must be able to produce |
|---|---|
| Maintain a current register of every AI tool used on our matters | A single source-of-truth AI inventory, dated within the quarter |
| Use only models on our approved list | An approval workflow with sign-off records by named partner |
| Do not allow our data to train any model | Written DPAs with each AI vendor confirming the opt-out |
| Notify any AI-related incident within 24 to 72 hours | A named AI incident owner and a written 72-hour playbook |
| Keep our data on Indian infrastructure end-to-end | A data-residency attestation from every vendor in the chain |

What GCs are quietly testing for, before the contract
The schedule is the formal layer. The informal layer started earlier, and is where most firms are losing points without realising it. Three patterns recur in pitch processes we have observed since the start of 2026.
Pattern one. The pitch-meeting AI question. Twenty minutes into a pitch, the GC or head of legal ops asks, almost casually, which AI tools the firm used on the most recent matter of the same type. The right answer is a specific list with named tools and a sentence on how each was used. The wrong answer is some version of we use AI carefully and only where appropriate. We have watched four pitches where that wrong answer effectively ended the conversation, although the firm did not realise until weeks later when the mandate went elsewhere.
Pattern two. The AI lead question. The buyer asks who at the firm is the named partner for AI policy and governance. The expected answer is a single name and a title. The firms that name a partner and can describe what that partner has actually done in the last six months score well. The firms that name a committee, or worse, name nobody, signal that AI is not yet a partnership-level question for them.
Pattern three. The written policy question. A request, in writing, for the firm’s internal AI policy. Not a marketing document. The actual policy, circulated to fee earners, with a version number and a date. About a third of firms send a policy. The rest send a paragraph drafted on the spot, which buyers recognise instantly. The pattern is now well enough understood inside in-house teams that some GCs ask for the policy as a pre-condition to including the firm in a pitch at all.
“We do not need every firm to be excellent at AI yet. We need them to be honest about what they are doing, and to have a system we can audit. Most cannot give us either.”
On Buyer Mandates
The compliance gap inside Indian firms today
Our 2026 benchmark sample covers 19 Indian law firms across 18 months. AI governance was not the central focus of the survey, but we asked a consistent set of questions on AI policy and inventory across all 19 firms, and ran longer structured conversations on the topic with 11 of them. The findings are uncomfortable, and they are roughly consistent with the smaller informal samples we have run since.
Of the 19 firms, three maintain an AI tool inventory that they could produce on a single page within a working day. Eight could produce something within a fortnight. The remaining eight had no central record at all; tools were being procured at practice-group level, sometimes at individual-partner level, without firm-wide visibility.
Seven of the 19 had a written AI policy. Of those seven, four had circulated it to all fee earners; the rest had it sitting with the managing partner’s office in draft. Two firms had policies dated within the last six months. The rest had not revisited their text since the document was first written, which, in some cases, was 2024, in a world that no longer exists.
One firm in the 19 could produce an AI usage log on demand. One. The rest either did not log at all, or logged at the vendor side with no firm-side aggregation. The vendor-side log is not enough; under a typical AI schedule the firm is the responsible party and the audit is run against the firm, not the vendor.
The gap is most exposed at the mid-tier and growth-stage firms, the 50 to 150 fee-earner band that is now actively pitching for panel seats at the largest buyers. The top end of the market has started catching up in the last two quarters; the firms below them are roughly where the top end was in 2024.
The 18-month preparation programme
The work below is what we would set out for a 90 to 180 fee-earner firm starting from a typical baseline today. The sequence matters. Skipping straight to a client-facing attestation without first running an inventory produces a document the firm cannot stand behind in audit. Most of the work is operational rather than legal.
| Months | Action | Owner | Output |
|---|---|---|---|
| 0–2 | AI tool inventory across practice groups | COO, with named partner sponsor | Single-page register, updated quarterly |
| 1–3 | Written AI policy v1, circulated to all fee earners | Named AI partner + GC office | Dated, versioned, signed-off policy |
| 2–5 | Vendor-side DPAs renegotiated for training opt-out and Indian residency | Procurement + AI partner | Back-to-back DPA on file for each tool |
| 3–6 | Usage logging turned on, firm-side aggregation in place | IT + COO | Monthly usage report, partner-readable |
| 4–7 | Client-facing AI attestation drafted and stress-tested | AI partner + GC office | Standard rider, ready for pitch packs |
| 6–10 | Pilot AI-clause negotiations with two existing clients | Relationship partners + AI partner | Two signed schedules, learnings logged |
| 6–12 | Firm-wide staff training, including senior associates | Knowledge management + AI partner | Attendance log, refresher every six months |
| 9–14 | AI incident playbook with named on-call roster | COO + risk partner | 72-hour playbook, two tabletop tests |
| 12–18 | External readiness review and panel-pitch refresh | Managing partner | Refreshed pitch pack, readiness scorecard |
A note on cost. Running this programme inside a 120 fee-earner firm costs roughly INR 35 to 55 lakhs over 18 months, most of it absorbed inside existing roles. The largest line item is partner time, which, on a fully-loaded basis, dwarfs the technology and vendor cost. Firms that try to do this without a named AI partner typically underrun the budget by half and produce documentation that does not survive a buyer’s review.
The procurement side of the conversation is worth a separate read. Our legal-AI buyer’s checklist covers the questions the firm should be asking its own vendors before signing, which is the same set of questions the client will eventually ask the firm. The tool-by-tool ground truth is in our piece on the best legal AI tools for Indian law firms, which goes into Indian data residency and training-opt-out posture for each tool we tested.
The competitive read on outside counsel AI
The firms that prepare early will win panel mandates from buyers who, on technical legal quality, would otherwise be indifferent between three or four shortlisted firms. AI-readiness, in our reading of the next two pitch cycles, becomes the tie-breaker the way diversity reporting became the tie-breaker around 2020. Not the headline criterion, but the criterion that decides between equally credentialled bidders.
We watched one such tie-breaker resolve in February 2026. A large industrial buyer was re-pitching a disputes panel of six seats. Eight firms made the long-list. The legal-quality assessment, run by the in-house team and an external assessor, put four firms within two points of each other at the top. The tie-break paper that went to the AI risk committee scored the firms on three criteria: written AI policy, AI tool inventory, and incident playbook. The two firms that came lowest on legal quality but highest on AI readiness both made the final six. One firm with a stronger legal-quality score and no coherent AI answer did not. The partners at that firm only learned the basis three months later, through a back-channel conversation.
The asymmetric risk is on the firms that wait. Being on the panel is a multi-year revenue annuity. Being cut from the short-list, for a reason the firm did not know was being scored, is a quiet, expensive event that may not surface until the next renewal cycle. By then it is harder to fix.
What managing partners should do this quarter
Three actions, in order of escalating commitment. The first costs nothing but a partner’s morning.
One. Inventory what you have. Ask each practice head, in writing, to list every AI tool in use in their group, who is paying for it, and which matter types it touches. Set a 14-day deadline. The output is rarely flattering. It is also the document on which every later decision rests. Until the firm sees the inventory honestly, every AI policy conversation is theoretical.
Two. Name an AI partner. One person. A partner with enough standing to call vendor meetings, enough technical literacy to read a model card, and enough air cover from the managing partner to insist on policy compliance across practice groups. A committee will not do this work. A partner, with a quarter of their time blocked for this remit, will. The appointment itself sends a signal to clients in the next pitch.
Three. Run a 90-minute stress test against a draft client AI schedule. Take a representative AI schedule, of the kind we have described above, and walk it line by line against the firm’s current state. Score honestly. The output is a one-page gap memo with three to five changes that, if made before the next panel pitch, materially change the firm’s short-list odds. Most firms find the exercise sobering and useful in roughly equal measure.
The standing observation
The shift in legal AI governance is not, primarily, a legal shift. It is a procurement shift, accelerated by a regulatory shift, and arriving at a moment when most Indian firms still treat AI as a practice-level efficiency story rather than a partnership-level risk story. The buyers have already moved. The panel terms are being drafted now. The firms that will look prepared in eighteen months are the firms that started looking the question in the eye in this quarter.
None of this requires the firm to be a sophisticated AI consumer. It requires the firm to be a disciplined one. The differentiator in the 2027 panel-review season will not be which firm uses the best model. It will be which firm can tell the GC, on demand and in writing, exactly what it is using, on which matters, under which controls. That, today, is a much smaller club than the market thinks.
A note on the data. The buyer-side observations in this piece draw on seven draft AI-use schedules we have read in full and three further drafts we have seen in part, between January and May 2026. The firm-side observations draw on the same 19-firm sample that sits behind our 2026 Indian Law Firm Benchmark, augmented by eleven longer structured conversations on AI governance. All buyer and firm examples are anonymised; client names are withheld at the request of the in-house teams concerned.
Firmtalk and this view. Firmtalk builds the operational layer that firms use to answer schedules of the kind described here: a single AI register, firm-side usage logging, policy distribution and acknowledgement, vendor-DPA tracking, and an incident workflow with named owners. Four of the seven firms we are currently helping prepare for 2027 panel cycles run this layer through Firmtalk. The other three run it on a mix of spreadsheets and shared drives, and have given themselves an extra two quarters to be ready.



