b'Self-hostinganAImodelprovidesthegreatestdegreeofcontroloverdatahandlingandsystem configuration,butitalsocarriesthehighestleveloftechnicalcomplexityandsecurityresponsibility. AlthoughStep3belowincludesthemainGAIsafeguardsassociatedwithself-hostedmodels,lawyers who choosetogothisroutemightconsiderworkingwithqualifiedtechnicalsupporttoensure their implementation is supported by a well-documented risk management plan. Step 3: Evaluate and Document the Applicable GAI Safeguards At this point in the evaluation process, a lawyer should clearly understand the level of data sensitivity a GAI tool will be used to process, as well as the structural category within which the GAI tool falls. Next, the lawyer should apply the applicable GAI tool safeguards provided in this Step 3 to confirm that the tool is appropriate for the type of data it will be used to process. Confidentiality of InformationRule 1.6 of the Illinois Rules of Professional Conduct ( ) is helpful on this point. Specifically,CommitteeComment[18]ofRule1.6listsfivenon-exclusivefactorsthatlawyersshould evaluate to determine the reasonableness of their efforts to prevent inadvertent or unauthorized disclosure of client confidential information: 1. The sensitivity of the information;2. the likelihood of disclosure if additional safeguards are not employed;3. the cost of employing additional safeguards;4. the difficulty of implementing the safeguards; and5. the extent to which the safeguards adversely affect the lawyers ability to represent clients (e.g., bymaking a device or important piece of software excessively difficult to use).Accordingly, as the sensitivity of the data increases, more GAI tool safeguards must be present to make a showing of reasonableness. This is particularly true where the additional safeguards do not create significant additional costs, implementation difficulty, or adverse impacts upon the lawyers representation. (a) Third-Party Managed GAI SafeguardsThis section describes the main categories of privacy, security, and compliance safeguards to consider when evaluating third-party managed GAI tools, including both Native Model Platforms and API integrations. In the next section, well cover the safeguards to consider with self-managed GAI tools.In Table 2 below, we identify the main risks associated with third-party managed GAI tools and show how those risks are typically addressed at different levels of privacy and security. Some of these safeguards are new and unique to artificial intelligence (such as not allowing Confidential Information or Sensitive Personal Information to be used in training models) while others are long-standing concerns in any cloud-based service. Yet, because GAI tools can process, store, and potentially reuse information in unique ways, even traditionalriskscantakenewformsanddeserverenewedscrutiny.Additionally,consideringthatGAI capabilities are becoming embedded into most technology systems attorneys already use, the approach outlined in this Guide should be applied broadly to most systems that store or process client data, even those which are not obviouslyartificial intelligenceapplications.Page | 12'