| Internet-Draft | OMP Legal AI Profile | April 2026 |
| Adebayo, et al. | Expires 7 October 2026 | [Page] |
This document defines a domain profile of the Operating Model Protocol (OMP) for legal AI deployments subject to attorney supervision obligations under ABA Model Rule 5.3 ("Responsibilities Regarding Nonlawyer Assistance") and California Senate Bill 574 (SB 574, effective January 1, 2026). These instruments impose principal accountability requirements on attorneys who use AI tools to assist with legal work product -- requiring attorneys to verify AI-generated material, ensure compliance with professional duties, and maintain evidence of supervision.
This profile specifies how OMP's deterministic routing invariant, Watchtower enforcement framework, and three-layer cryptographic integrity architecture satisfy the attorney supervision obligations imposed by Rule 5.3 and SB 574, and defines the domain-specific Watchtower configurations, Named Accountable Officer assignments, and Audit Trace schema extensions applicable to legal AI deployments. The profile is designated the CiteGuard profile.
The OMP core specification is defined in a separate Internet-Draft.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 7 October 2026.
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
The deployment of AI in legal practice has accelerated substantially since 2024, driven by improvements in large language model capabilities for legal research, contract analysis, brief drafting, and citation generation. Law firms, corporate legal departments, and legal technology companies now routinely use AI systems to assist with work product that bears attorney signatures and carries professional and legal accountability.
Two instruments have crystallised the attorney supervision obligations that apply to AI-assisted legal work:
These instruments impose a structural evidence requirement: an attorney who relies on AI assistance for legal work product must be able to demonstrate, if challenged, that they supervised the AI tool, reviewed its output, exercised independent professional judgment, and corrected errors before the work product was submitted or delivered.
The Operating Model Protocol (OMP) [I-D.veridom-omp] is a deterministic decision-enforcement protocol that generates a tamper-evident Audit Trace at the point of every AI-assisted decision. Applied to legal AI deployments, OMP provides the evidence infrastructure that makes attorney supervision provable rather than merely asserted.
This document defines the CiteGuard profile: the domain-specific instantiation of OMP for legal AI supervision under Rule 5.3 and SB 574. The name reflects the profile's primary enforcement focus: ensuring that every citation, reference, and claim in AI-assisted legal work product is verifiably reviewed by a named supervising attorney before delivery or filing.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] [RFC8174].
This document uses the terminology defined in [I-D.veridom-omp]. In addition:
ABA Model Rule 5.3 requires that attorneys with supervisory authority over nonlawyer assistants make reasonable efforts to ensure that the assistants' conduct is compatible with the professional obligations of the attorney. ABA Formal Opinion 512 (July 2023) applies this obligation to AI tools used in legal practice.
The supervision obligation under Rule 5.3 has three components relevant to AI deployments:
California Senate Bill 574 [CA-SB574], effective January 1, 2026, imposes attorney supervision requirements specific to California practice:
Rule 5.3 and SB 574, taken together, define a structure that maps directly onto OMP's three routing states:
Under this profile, there are no AUTONOMOUS routing outcomes for AI-Assisted Legal Work Product interactions. Every such interaction MUST be routed to ASSISTED or ESCALATED.
Under the CiteGuard profile, the Named Accountable Officer for every ASSISTED and ESCALATED interaction is the Supervising Attorney. The Supervising Attorney MUST be a licensed attorney in the jurisdiction where the Legal Work Product will be used.
The following fields are REQUIRED in the Supervising Attorney record:
supervising_attorney_id: unique deployment identifier;
supervising_attorney_bar_jurisdiction: ISO 3166-2 codes for licensed jurisdictions;
review_timestamp: ISO 8601 UTC of the review action;
review_decision: one of APPROVED, APPROVED_WITH_CORRECTIONS, RETURNED_FOR_REWORK;
corrections_summary: REQUIRED if review_decision is not APPROVED.
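
A validator for the Supervising Attorney record above, as an added example that is not part of the draft or of any OMP implementation. The `roster` lookup, the `now` argument, the future-date check and the error strings are assumptions of this example; the field names and decision values are the ones listed above.

```python
import re
from datetime import datetime, timezone

DECISIONS = {"APPROVED", "APPROVED_WITH_CORRECTIONS", "RETURNED_FOR_REWORK"}
REQUIRED = ("supervising_attorney_id", "supervising_attorney_bar_jurisdiction",
            "review_timestamp", "review_decision")
ISO_3166_2 = re.compile(r"[A-Z]{2}-[A-Z0-9]{1,3}")

def validate_review_record(rec, use_jurisdiction, roster, now):
    """Return a list of problems; an empty list means the record is acceptable.

    roster (assumption): operator-maintained map of attorney id -> set of
    ISO 3166-2 codes, held outside the record so ids cannot be self-asserted.
    now: timezone-aware pipeline time, used to reject future-dated reviews.
    """
    errors = [f"missing {f}" for f in REQUIRED if not rec.get(f)]
    if errors:
        return errors
    claimed = set(rec["supervising_attorney_bar_jurisdiction"])
    if any(not ISO_3166_2.fullmatch(c) for c in claimed):
        errors.append("bar jurisdiction is not an ISO 3166-2 code")
    licensed = roster.get(rec["supervising_attorney_id"])
    if licensed is None:
        errors.append("unknown supervising_attorney_id")
    elif not claimed <= licensed:
        errors.append("claimed jurisdiction not on roster")
    if use_jurisdiction not in claimed:
        errors.append("attorney not licensed where work product is used")
    ts = str(rec["review_timestamp"])
    try:
        if not ts.endswith("Z"):
            raise ValueError("not UTC")
        if datetime.fromisoformat(ts[:-1] + "+00:00") > now:
            errors.append("review_timestamp is in the future")
    except ValueError:
        errors.append("review_timestamp is not ISO 8601 UTC")
    if rec["review_decision"] not in DECISIONS:
        errors.append("unknown review_decision")
    elif rec["review_decision"] != "APPROVED" and not rec.get("corrections_summary"):
        errors.append("corrections_summary required")
    return errors

# Constructed sample data (not taken from any real deployment).
ROSTER = {"atty-0042": {"US-CA", "US-NY"}}
NOW = datetime(2026, 4, 7, 12, 0, tzinfo=timezone.utc)
GOOD = {"supervising_attorney_id": "atty-0042",
        "supervising_attorney_bar_jurisdiction": ["US-CA"],
        "review_timestamp": "2026-04-07T10:15:00Z",
        "review_decision": "APPROVED_WITH_CORRECTIONS",
        "corrections_summary": "Replaced two citations after checking the reporter."}
```
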
Trigger: Any AI-Assisted Legal Interaction.
Action: FORCE_ASSISTED.
Rationale: Rule 5.3 and SB 574 impose non-waivable attorney supervision obligations. This Watchtower makes it architecturally impossible for an AI-Assisted Legal Interaction to proceed to delivery or filing without generating a supervision evidence record. It cannot be disabled for Legal Work Product interactions.
Trigger: Interaction payload contains client confidential information destined for an AI system outside an approved confidentiality boundary.
Action: HARD_BLOCK.
Rationale: SB 574 requires attorneys to ensure that confidential client information is not entered into public AI systems. Rule 1.6 applies independently. HARD_BLOCK ensures violations cannot occur without a blocking record.
Trigger: Output contains citations to legal authorities not yet verified against an accessible source within the current interaction.
Action: FORCE_ESCALATED.
Rationale: SB 574 requires attorneys to personally verify citations in filings. This Watchtower enforces that obligation structurally: AI-generated content with unverified citations cannot be approved without an attorney citation verification record.
Trigger: Output contains a citation, case name, or legal authority that cannot be located in accessible legal databases, or where the cited passage does not appear at the cited location.
Action: HARD_BLOCK for submissions; FORCE_ESCALATED for drafts.
Rationale: AI hallucination of legal citations is a documented pattern resulting in court sanctions and professional discipline. This Watchtower provides pre-submission enforcement. The CiteGuard Audit Trace records the unverifiable citation, the database query result, and the Supervising Attorney's disposition.
Trigger: Operator's bias detection module flags potential biased analysis, discriminatory framing, or stereotyped characterisation.
Action: FORCE_ESCALATED.
Rationale: SB 574 requires attorneys to remove AI-generated content that reflects bias. The Watchtower ensures bias flags generate a supervision record with Supervising Attorney disposition.
Trigger: AI output constitutes or is intended to constitute a final decision in a matter where an attorney or arbitrator is the designated decision-maker (arbitral award, legal opinion delivered as final determination).
Action: HARD_BLOCK.
Rationale: SB 574 prohibits arbitrators from delegating decision-making authority to AI systems. Rule 5.3 requires independent professional judgment. The AI system's analysis may inform the decision as ASSISTED input, but the decision record MUST reflect the human decision-maker's independent judgment.
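
The six trigger/action pairs above, evaluated together over one interaction, as an added example that is not part of the draft or of any OMP implementation. The Watchtower labels, the `Interaction` fields, and the rule that the most restrictive action wins are assumptions of this example; the fail-closed handling of an unreachable citation database follows the Security Considerations requirement to route to ESCALATED when citation verification cannot be performed.

```python
from dataclasses import dataclass, field

# Assumption: when several Watchtowers fire, the most restrictive action wins.
RANK = {"FORCE_ASSISTED": 0, "FORCE_ESCALATED": 1, "HARD_BLOCK": 2}

@dataclass
class Interaction:
    """Hypothetical summary of one AI-Assisted Legal Interaction."""
    is_submission: bool = False                  # filing/delivery rather than a draft
    confidential_outside_boundary: bool = False
    bias_flag: bool = False
    final_decision: bool = False
    citation_db_available: bool = True
    # One status per citation: "VERIFIED", "UNVERIFIED" or "NOT_FOUND".
    citations: list = field(default_factory=list)

def evaluate(ix):
    """Return (action, names of the Watchtowers that fired)."""
    # Fires for every interaction, so no outcome can be AUTONOMOUS.
    fired = [("mandatory-supervision", "FORCE_ASSISTED")]
    if ix.confidential_outside_boundary:
        fired.append(("confidentiality-boundary", "HARD_BLOCK"))
    if ix.citations and not ix.citation_db_available:
        # Fail closed: stored statuses cannot be trusted without the database.
        fired.append(("citation-db-unavailable", "FORCE_ESCALATED"))
    else:
        if "UNVERIFIED" in ix.citations:
            fired.append(("unverified-citation", "FORCE_ESCALATED"))
        if "NOT_FOUND" in ix.citations:
            action = "HARD_BLOCK" if ix.is_submission else "FORCE_ESCALATED"
            fired.append(("unlocatable-citation", action))
    if ix.bias_flag:
        fired.append(("bias-flag", "FORCE_ESCALATED"))
    if ix.final_decision:
        fired.append(("final-decision", "HARD_BLOCK"))
    action = max((a for _, a in fired), key=RANK.__getitem__)
    return action, [name for name, _ in fired]

# Constructed sample: a draft brief with one citation that could not be located.
DRAFT = Interaction(citations=["VERIFIED", "NOT_FOUND"])
FILING = Interaction(is_submission=True, citations=["VERIFIED", "NOT_FOUND"])
```
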
The following fields are REQUIRED in the Audit Trace schema under the CiteGuard profile, in addition to the core fields defined in [I-D.veridom-omp] Section 7:
supervising_attorney_id
supervising_attorney_bar_jurisdiction
review_timestamp
review_decision
corrections_summary
citations
work_product_type
privilege_review_flag
confidentiality_boundary_verified
profile_version
Implementations of this profile MUST satisfy the following two-property invariant:
These two properties mean that for any AI-Assisted Legal Interaction processed under this profile, an attorney facing a Rule 5.3 or SB 574 compliance inquiry can produce: (a) a sealed, tamper-evident record of the specific AI output; (b) the Supervising Attorney's identity, review timestamp, and decision; (c) citation verification records for every citation in the output; (d) Watchtower evaluation results; and (e) an independently verifiable integrity proof that the records have not been modified since sealing.
The OMP Proof-Point artefact generation mechanism (defined in [I-D.veridom-omp] Section 7.5) produces a self-contained supervision evidence package for any defined time window. Under this profile, the Proof-Point artefact for a legal deployment MUST include, for each AI-Assisted Legal Interaction: the full CiteGuard Audit Trace, the Supervising Attorney review record, citation verification records, Watchtower evaluation log, chain integrity proof (SHA-256 Merkle root), and RFC 3161 TimeStampToken verification output from the OMP Reference Validator [OMP-OPEN-CORE].
This artefact is designed to be self-contained: a disciplinary authority, court, or malpractice insurer with no access to the operator's systems can verify its integrity and completeness using only the OMP Reference Validator and the public key material of the Timestamp Authority.
CiteGuard Audit Trace records may contain information subject to attorney-client privilege or work product doctrine. Operators MUST apply the privilege_review_flag field. The existence of the Audit Trace does not waive privilege; the records were created as part of the supervisory process, not for disclosure to adverse parties.
The chain integrity proof (Merkle root and TimeStampToken) can be disclosed to demonstrate that a complete Audit Trace exists and has not been tampered with, without disclosing the content of individual records. This allows attorneys to assert the integrity of their supervision records without waiving privilege over their content.
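
How a SHA-256 Merkle root lets a verifier check one record against a disclosed root while seeing only hashes of the others, as an added example that is not part of the draft and not the OMP Reference Validator. The tree construction (0x00/0x01 domain-separation prefixes, odd nodes promoted, canonical JSON leaves) is an assumption, since this page does not define OMP's own layout, and the RFC 3161 TimeStampToken check is not shown.

```python
import hashlib
import json

def _h(prefix, data):
    return hashlib.sha256(prefix + data).digest()

def leaf_hash(record):
    # Canonical JSON so the same record always produces the same leaf.
    blob = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return _h(b"\x00", blob)

def merkle_root_and_proof(leaves, index):
    """Return (root, proof) for a non-empty list of leaf hashes.

    proof is a list of (sibling_hash, sibling_is_left) pairs for leaves[index].
    """
    level, proof = list(leaves), []
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 == len(level):
                nxt.append(level[i])  # odd node is promoted, not duplicated
            else:
                nxt.append(_h(b"\x01", level[i] + level[i + 1]))
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        index //= 2
        level = nxt
    return level[0], proof

def verify_inclusion(leaf, proof, root):
    """Recompute the path from one leaf hash to the root using only hashes."""
    node = leaf
    for sibling, sibling_is_left in proof:
        node = _h(b"\x01", sibling + node if sibling_is_left else node + sibling)
    return node == root

# Constructed sample Audit Trace records (field values are illustrative).
RECORDS = [
    {"interaction": 1, "review_decision": "APPROVED"},
    {"interaction": 2, "review_decision": "RETURNED_FOR_REWORK"},
    {"interaction": 3, "review_decision": "APPROVED_WITH_CORRECTIONS"},
]
LEAVES = [leaf_hash(r) for r in RECORDS]
```
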
The security considerations of [I-D.veridom-omp] apply in full to this profile.
Supervising attorney identity: Operators MUST ensure that supervising_attorney_id values cannot be spoofed or assigned to non-attorneys within the deployment system.
Review timestamp integrity: The review_timestamp field MUST be set by the OMP pipeline at the time of the review action. Operators MUST ensure the pipeline clock is monotonic and cannot be manipulated to backdate supervision records.
Citation database availability: WT-LEGAL-03 and WT-LEGAL-04 depend on legal database access. Operators MUST treat database unavailability as a C_d reduction event, routing interactions to ESCALATED where citation verification cannot be performed.
This document has no IANA actions.