The job legal keeps asking you for — and why it's the right one to say yes to
Here's the request that lands in every IT or data team's queue eventually: "Can you make our contracts searchable? Legal spends hours hunting for renewal dates and indemnity language." It sounds like a search problem. It is actually a boundary problem, and that is exactly why it's a good first AI build — if you draw the boundary before you build.
The line that matters: your team owns retrieval and evidence, legal owns interpretation and risk. An AI workflow can pull every auto-renewal clause across 400 vendor agreements and link each one back to the source page. It cannot tell you whether a 30-day cure period is acceptable, and the moment it tries, you've shipped unlicensed legal advice through an IT project. The NIST AI Risk Management Framework exists to make that division of labor explicit rather than implied. Map who is accountable for the answer before you map where the data lives.
This is also why "responsible AI" can't be a slide your team owns alone. The PwC Responsible AI survey points at a pattern worth internalizing: the programs that hold up have a business owner attached to every control. In contract prep, that means a named lawyer signs off on the clause taxonomy and accepts the risk on interpretation. You run the pipe. They own the verdict. Write that down in one sentence and get both signatures before a single document is indexed.
The trap: AI doesn't fix a bad access model, it accelerates it
Say you're a 120-person SaaS company. Contracts live in a SharePoint library that grew organically: a few folders are locked to legal, most inherited "everyone in the company" permissions from a 2021 reorg nobody cleaned up. Today that sloppiness is invisible, because nobody manually browses to a folder they don't know exists. Index it for AI and the geometry changes. Now a sales rep types "what's our most-favored-nation pricing with our biggest customer" and gets a clean, cited answer in under a second — because the model honors the permissions it found, and the permissions were wrong.
That is the single most important thing to understand before you start. The Microsoft 365 Copilot data protection architecture is explicit that enterprise AI operates through existing identity, permissions, and sensitivity labels — it does not invent new ones. So the AI inherits your access model exactly as it stands. If the contract estate is over-shared, the model becomes a high-speed discovery engine for everything you accidentally left open. The pre-work isn't optional polish; it's the difference between a tool and an incident.
So before retrieval, do the unglamorous part. Re-scope the contract library to least privilege. Apply sensitivity labels to the categories that actually carry risk — MSAs, NDAs, anything with pricing or IP terms. Confirm auditing is on so you can answer "who saw this clause and when." The IBM Institute for Business Value AI capabilities research keeps landing on the same unfashionable conclusion: the data and operating foundation, not the model, decides whether these projects deliver. For contracts specifically that foundation is three concrete things — a current repository with nothing duplicated across five folders, a maintained clause taxonomy (renewal, liability cap, indemnity, termination, assignment, data processing), and a defined path for what happens when extraction is wrong.
What "done" looks like, and the five numbers that prove it
A contract-prep workflow is ready when it can do one thing reliably: take an approved question, return the relevant clauses, cite the exact document and page for each, and hand anything ambiguous to a named lawyer instead of guessing. Notice what's missing — no risk scoring, no "this clause is unfavorable," no recommendation. Evidence in, evidence out, judgment routed to the human who owns it.
Don't measure it with a vague "is it helpful" survey. Track five numbers and review them weekly for the first quarter: source coverage (what share of the contract estate is indexed and current), extraction accuracy (clause found and correctly classified), evidence-link completeness (every answer ties to a real source location — this should be near 100% or you stop), legal correction rate (how often the lawyer reverses an extraction, your honest accuracy signal), and permission exceptions (any time someone surfaces a contract they shouldn't see — this should be zero, and a non-zero number is an emergency, not a metric). When the correction rate is low and exceptions are flat at zero, you can extend the same pattern to procurement, finance, and customer-service teams who all want the same answers.
Monday move: pull the permission report on your contract repository before you scope anything AI. If "all company members" has read access to a folder with pricing in it, you've found your real first task — and it has nothing to do with a model. Document the control model with AI governance and training, and keep the line on what you won't automate visible so buyers and your own legal team know exactly where the tool stops.